Data Leak Penalties in Russia: A Balanced Approach

Kristina Mkrtchyan, a consultant in intellectual property practices at the law firm EBR and a lecturer at the Moscow Digital School, discussed whether turnover penalties are a feasible tool against personal data leaks in Russia and offered alternative paths for consideration.

Russia’s framework for protecting personal data is undergoing rapid development. A pivotal step was the State Duma’s passage of a stricter draft on responsibility for personal data breaches at its first reading, signaling a shift in how incidents could be sanctioned.

The bill is anticipated to gain final approval by the end of 2024.

Nevertheless, since the first reading, business representatives and expert associations have voiced concerns about the scale of the penalties contemplated in the document. In response, the Ministry of Economic Development in October 2024 presented proposals that include substantial reductions in penalties and the introduction of mitigating conditions for companies.

The central question remains whether turnover penalties for personal data leaks are a prudent approach. At first glance, drastic measures may appear necessary to safeguard citizens’ rights and to heighten corporate accountability. Yet excessive fines can burden businesses, especially small and medium-sized enterprises, potentially dampening economic activity as a whole.

The urgency of the data-leak problem is underscored by recent analytics. FACCT’s data indicate that the number of incidents rose by 37 percent in the first three quarters of 2024 compared with the same period in 2023, with over two hundred significant cases recorded. Gard’s research shows Russians are growing less tolerant of data leaks. While 51 percent of victims tolerated the situation a year earlier, the share taking no action has fallen to 37 percent this year. Citizens are increasingly filing complaints with the leaking companies, supervisory authorities, and the courts, reflecting a shift toward greater accountability.

History also offers examples where large corporations treated standard penalties as a routine business cost. For instance, Intel faced a substantial European Commission fine of 1.06 billion euros, about 4.15 percent of annual turnover, after which internal silence and a pause in aggressive behavior followed. This underscores that penalties can drive strategic shifts within organizations, but they can also be absorbed as ordinary expenses by some players, depending on the size and resources involved.

The need to address leaks remains. But what is the best path forward?

In today’s business environment, reputation matters more than cash reserves. Data leaks can erode brand loyalty. In 2024, a notable portion of the population indicated they would stop using services from a company that mishandles personal data, according to Guard analytics. At the same time, imposing large turnover penalties—ranging from a fraction to several percent of annual revenue—could trigger domino effects: stock price declines, investor exit, and weakened credit ratings. Public companies, in particular, are vulnerable to such shocks, where regulatory issues can quickly affect market value. Rebuilding investor and partner trust after serious breaches typically demands sustained effort and substantial resources.

So how can a robust solution emerge? A viable path may lie in a smarter penalty framework that combines accountability with proportionality. Possible components include:

  1. Smart penalties that weigh not only turnover but also business margins. For example, a retailer with a 5–7% margin should face a lower penalty percentage of turnover than an IT firm with 30–40% margins. The system could ease the burden during crisis periods by factoring in seasonality and the broader economic cycle.
  2. Discounts for voluntary remediation of violations, similar to incentives in other regulatory contexts. A 40–60% reduction might apply if the violation is detected promptly and corrected within a set window, with additional cuts for adopting measures to prevent recurrence.
  3. Partial substitution of penalties through socially beneficial investments. A portion of the fine could be redirected to regionally significant projects, training programs for employees, or enhancements to corporate compliance practices.
  4. Preventive control instead of punitive measures. Regulators could offer voluntary audits of business processes with temporary immunity from fines. The development of industry self-regulation checklists and ongoing consultations with supervisory authorities would help prevent violations before they occur.

In summary, effectively combating personal data leaks requires balancing strict liability with practical, business-friendly approaches that protect citizens while preserving the viability of enterprises.
