A group of deputies from the United Russia faction has submitted a package of bills to the State Duma aimed at strengthening penalties for the leakage of personal data. The details of the draft were presented by Deputy Alexander Khinshtein in a personal statement shared via his telegram channel. The proposed measures are designed to address what lawmakers view as a rising problem of unauthorized data disclosures and the ensuing risks to individuals.
The core of the package involves amendments to two main legal instruments: the Code of Administrative Offenses and the Criminal Code of the Russian Federation. The intent is to raise penalties for operators who fail to protect personal data adequately or who engage in or enable data leaks. In terms of financial penalties for legal entities, the bill suggests a range from 3 million to 15 million rubles, with the precise amount depending on the scale of the responsible legal entities. In cases of repeated data breaches, a turnover-based penalty is envisaged, calculated at 0.1% to 3% of the calendar year’s income, but capped at 500 million rubles.
Instructional notes accompanying the proposal indicate that administrative fines could fall within the range of 800 thousand to 2 million rubles, as explained by Andrei Turchak, the First Deputy Chairman of the Federation Council, in conversations with officials. The package also introduces criminal liability for individuals who knowingly seek to profit from the leakage of personal data. Special emphasis is placed on the export of information about Russian citizens abroad, with potential imprisonment of up to eight years. When the leakage results in harm to life or health, or involves an organized crime group, the sentence could rise to as much as ten years for all participants.
The draft broadens the scope of accountability by applying fines and potential imprisonment of up to five years to persons who conduct business activities based on leaked data. This addition signals a strategic move to deter commercial exploitation of personal information and to deter the formation of data marketplaces that rely on sensitive material without consent.
Earlier, a Moscow court levied a fine on Apple for repeatedly refusing to localize Russians’ data within the country, an incident that underscored the ongoing regulatory focus on data localization and protection. These enforcement actions form part of a broader regulatory environment in which authorities seek to strengthen safeguards around personal information and to ensure that enterprises handling such data meet stricter standards of compliance.
In a related development, President Vladimir Putin signed a decree authorizing 46 companies to independently determine the composition and volume of information disclosed publicly. The decree is interpreted as granting these companies greater discretion over the disclosure process, potentially influencing how personal data is reported or shared with external entities. This move is occurring in parallel with the legislative package under discussion and contributes to the broader policy landscape governing data protection and corporate disclosure in Russia.