Newsletter

Concise and to the point with ALRUD: HR & DIGITAL (№6)

17 May 2024

The Russian government has approved draft amendments to the Russian Criminal Code that increase the severity of punishment for leaks of personal data (“PD”)


The amendments have changed slightly compared with the version adopted in the first reading. The Ministry of Internal Affairs (MVD) proposed mitigating liability for leaks and editing the wording so that penalties are imposed only in the event of the leakage of (1) data of 50 or more PD subjects, or (2) information about people’s private life, personal or family secrets, special categories of PD, or biometric PD.

The Ministry of Justice opposed such amendments, arguing that restricting the number to 50 PD subjects would result in attackers intentionally splitting up databases with leaked PD, while those who leak the PD of fewer people would be able to avoid criminal punishment.

Under the draft law, if a violation results in severe consequences, the guilty parties may be punished with a fine of up to 3 million RUB (approximately 32,730 USD or 30,476 EUR) and a maximum prison sentence of up to 10 years, as well as forced labour and deprivation of the right to hold certain positions or engage in certain activities.

We are closely monitoring the consideration of this draft law and will keep you posted about the latest news.

Russia may soon have a mechanism to compensate for damages caused by the leakage of PD


The Federation Council has drafted a bill on mandatory insurance for PD leaks.

The law would clearly specify not only the insurance amount, limits and list of risks, but also a list of exceptions, which should not be set by the insurance companies themselves.

We understand that the legislators’ main goal is to encourage companies to pay closer attention to their IT infrastructure, in part to ensure the best possible protection of stored PD or to refuse to process it if it is not required for business.

Growing number of PD-related legal disputes


The number of disputes over the illegal use of PD is on the rise in Russia: since the start of 2024, their number has already increased by 17% compared with the beginning of 2023. There were a total of 17,400 cases across the country in 2023, an increase of 23% from 2022.

Last year, the greatest dynamics in this regard were seen in administrative and criminal cases. The disputes under the Russian Criminal Code concern the illegal receipt of PD about a particular person, which is due to increased attention to the problem of growing terrorist threats. Businesses, in turn, face claims from employees about the reliable storage of their information and the legality of processing their PD. On the one hand, this poses reputational risks, while, on the other hand, it attracts the attention of the Russian PD authority (Roskomnadzor).

We recommend that data controllers regularly audit their PD processing operations to bring them into compliance with legal requirements and to minimize financial, operational and reputational risks.


We hope that the information provided herein will be useful for you.




Note: please be aware that all information provided in this letter is based on an analysis of publicly available information as well as our understanding and interpretation of legislation and law enforcement practices. Neither ALRUD Law Firm nor the authors of this letter bear any liability for the consequences of any decisions made in reliance upon this information.

If you have any questions, please do not hesitate to contact us.

Sincerely,
ALRUD Law Firm