Russia introduces stricter penalties and new fines for personal data protection violations
Effective May 30, 2025, key changes introduced by Federal Law No. 420-FZ[1] will affect the processing and protection of personal data. The law will tighten control over the processing of personal data, introducing new types of offenses and record-high fines of up to RUB 500 million, or up to 3% of a company’s annual revenue. As you may remember, criminal penalties[2] for violating Russian personal data protection laws were established effective from December 11, 2024[3]. Criminalized actions include unauthorized access to, destruction, blocking, or modification of data in computer systems. Examples include hacking a database, deleting a file containing personal data, or blocking access to such data.
The main changes in administrative liability[4] pertain to compliance with personal data processing requirements. These are:
- For repeated and gross violations relating to the processing of personal data, legal entities will be subject to fines of up to 3% of their annual revenue (or up to RUB 500 million). Currently, this article provides for a maximum fine of RUB 18 million.
- A three-tier scale of liability has been introduced, depending on the amount of unlawfully transmitted data.
- A separate liability has been established for the leakage of biometric personal data and special personal data categories (a fine of up to RUB 20 million).
- A specific liability has been introduced for failure to notify the Russian Federal Service for the Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor) of the intention to process personal data and of a leak. Currently, such violations are covered by the general Article 19.7 of the Russian Code of Administrative Offenses (failure to provide information requested by a government agency) that provides for a minimum fine of up to RUB 5,000 for officials.
Furthermore, state commercial courts will consider cases initiated under Article 13.11 of the Russian Code of Administrative Offenses against companies, their officials, and sole proprietorships (currently, justices of the peace consider administrative offenses relating to personal data).
The new fines are now clearly comparable with the European penalties for personal data protection violations (GDPR). The introduction of new fines is not just a blind regulatory tightening, but a well-thought-out system designed to force data operators to pay more attention to the protection of personal data.
The industries most at risk include IT operators, banks, telecom companies, marketplaces, and any companies that work with personal data.
We recommend conducting an internal audit of the processing of personal data (including biometric data), preparing notices to Roskomnadzor, and implementing technical and organizational protection measures before the changes take effect.
The Forte Tax & Law team stands ready to assist you with risk assessment, audits, and compliance preparations.
Do you have any questions, or would you like to discuss something? Please send an email to Julia Talagaeva or Ekaterina Belyaeva.
[1] Federal Law No. 420-FZ dated November 30, 2024 On the Introduction of Amendments to the Russian Code of Administrative Offenses.
[2] Federal Law No. 421-FZ dated November 30, 2024 On the Introduction of Amendments to the Russian Criminal Code.
[3] Article 272.1 of the Russian Criminal Code.
[4] Article 13.11 of the Russian Code of Administrative Offenses.