5 Apr 2022 11:16

Turnover-based fines on businesses for personal data leaks may be introduced in Russia this year - minister

MOSCOW. April 5 (Interfax) - The Russian Ministry of Digital Development, Communications and Mass Media and the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) will propose to the State Duma this year that turnover-based fines be imposed on businesses for personal data leaks, Digital Development Minister Maksut Shadayev said.

"We understand, and the recent mass leaks prove that, of course, the fines we have doubled do not drastically change the situation. Thus, we will ask [the State Duma to consider] this year, and will put forward an initiative together with Roskomnadzor to impose large turnover-based fines on businesses that let personal data leaks happen," Shadayev said at an expanded meeting of the State Duma Information Policy Committee on Tuesday.

Turnover-based fines are fines calculated as a percentage of a company's annual revenue in Russia.

In other countries, "fines amount to tens of millions of dollars whenever businesses fail to protect sensitive information," Shadayev said, adding that no such penalties would be introduced for government agencies for now.

"If [data is leaked] from a government agency, there will be dismissals. As for fines in this case [...], government agencies are funded with taxpayer, budget money," Shadayev said in response to a question on the matter.

Currently, businesses find it easier to pay a fine than to provide quality protection of personal data, Shadayev said. "They are not afraid of facing hefty financial liability. True, there are reputational losses. But, of course, we should punish them with larger fines," he said.

The fine size has yet to be approved, but it should be larger than the sum to be spent on infrastructure to protect personal data, Shadayev said.

State Duma Information Policy Committee Chairman Alexander Khinshtein supported the ministry's proposal. He believes that, in this case, "business will have solid reasons to put things in order and to build infrastructure that would technically prevent [any leaks from happening]."

For now, the maximum penalty for a personal data leak is 500,000 rubles (in the case of a repeat offense). The Digital Development Ministry had previously proposed that turnover-based fines be imposed for personal data leaks.