The State Duma is weighing steps to soften the liability burden on operators for personal data leaks. The public organization Business Russia is cited as the source proposing these changes, with coverage in Kommersant. The initiative reflects a broader push to recalibrate accountability norms in data protection, balancing the need to deter breaches with considerations of practical enforcement for businesses operating in today’s digital economy.
At the same time, social activists advocate for lower penalties, arguing for reductions from 500 million rubles to 50 million rubles. They also call for shared responsibility between the entity that caused the leak and the provider of the data protection technology used to prevent or mitigate harm. The cybersecurity market, however, raises objections, asserting that the operator remains ultimately responsible for how their chosen security tools perform and are implemented in real-world environments.
Experts and lawmakers alike caution that cutting penalties could weaken the effectiveness of the protective regime. They emphasize that penalties function as a critical component of risk management, incentivizing rigorous controls and prompt remediation when breaches occur. A deterrent effect remains a key element in ensuring that organizations take data security seriously and allocate adequate resources to safeguard personal information.
Under the current bill framework, the base fines for legal entities are set at 3-5 million rubles when a leak affects the data of up to 10,000 data subjects. If the breach concerns the data of up to 100,000 data subjects, fines rise to 5-10 million rubles, and for volumes exceeding 100,000 data subjects, fines reach 10-15 million rubles. The maximum penalty for repeated leaks is proposed at 0.1-3% of annual revenue, but it cannot exceed 500 million rubles. This tiered approach aims to align penalties with the scale of impact while providing predictable consequences for noncompliance.
The proposals of Delovaya Rossiya (Business Russia) introduce mitigating factors that could lessen operator liability, such as recognizing investments in cybersecurity equal to 0.1% of annual revenue sustained for three years or more prior to a breach. While these mitigation criteria were discussed during the bill’s drafting, the latest text does not yet incorporate them, leaving a gap between discourse and formal provisions. The debate thus centers on whether preemptive investments and ongoing security upgrades should be rewarded with reduced penalties, and on how such incentives would be measured and verified across diverse business environments.
In a broader context, the dialogue around data protection in Russia mirrors global conversations on accountability, risk management, and the role of technology providers in safeguarding personal information. For readers in Canada and the United States, the exchange highlights shared concerns about how to balance robust privacy protections with practical compliance obligations for multinational operations. It also underscores the enduring tension between punitive fines and proactive security investments as mechanisms to drive better security outcomes across sectors without unduly hampering legitimate business activity.