On June 13, 2019, a new draft bill imposing multi-million Ruble (RUB) fines for infringing Russian data localization and information security laws—multiplying the maximum penalty under current law by a factor of 240—was submitted to the State Duma (the lower chamber of the Russian Parliament). This would supplement existing fines, which we reported were previously increased in 2017.
The current version of the bill would set the maximum fine for legal entities under the data localization law to RUB 6 million (approx. USD 93,690). Repeated violations of the data localization law can incur increasing fines with a maximum penalty of RUB 18 million (approx. USD 281,070) for legal entities.
The Russian data localization law, effective since September 1, 2015, establishes that data operators processing data of Russian citizens, whether collected online or offline, are required to process that personal data in databases located within the territory of the Russian Federation (see our past coverage here). With the current level of fines relatively low, the major risk to date for noncompliance has been the risk of having one’s website blocked within Russia. The enforcement practice may change the risk calculation if the bill is adopted as proposed.
The bill also introduces increased fines for repeated violations of Russia’s Federal law No. 149-FZ of July 27, 2006 “On Information, information technology and protection of information”, in particular:
- failure to register with Roskomnadzor as an organizer of dissemination of information on the Internet may result in an administrative fine up to RUB 1 million (approx. USD 15,615) for legal entities;
- failure to provide Russian state authorities with information on users and their communications or decryption keys which are necessary to decrypt users’ communications may result in an administrative fine up to RUB 6 million (approx. USD 93,690) for legal entities;
- failure to install equipment required for conducting criminal investigations by Russian state authorities may result in an administrative fine up to RUB 6 million (approx. USD 93,690) for legal entities;
- failure to fulfill obligations imposed on video-on-demand services may result in an administrative fine up to RUB 5 million (approx. USD 78,075) for legal entities;
- failure to fulfill obligations imposed on instant messenger services may result in an administrative fine up to RUB 2 million (approx. USD 31,230) for legal entities;
- failure to fulfill obligations imposed on search engines may result in an administrative fine up to RUB 5 million (approx. USD 78,075) for legal entities.
During the recent St. Petersburg International Economic Forum, Alexander Zharov, the Head of the Russian data protection authority (Roskomnadzor) mentioned that the increase in fines would be intended to enhance companies’ compliance with Russian data protection law.
Still only a bill, this is of course not binding law. In our view, the final maximum fines are likely to be decreased after hearings on the bill, in particular because of the recognition that enforcement of the Russian data localization rule is done mostly based on non-official guidance of the applicable regulators, and there still are a number of key unanswered questions by Roskomnadzor about how to comply. Nevertheless, Roskomnadzor seems to have a strong interest in the bill becoming binding law, as it will increase the leverage it has in investigations.
To be adopted, the bill must pass three hearings in the State Duma, during which there is a good chance that the bill will be amended. Once passed by the State Duma, the bill must also pass the higher chamber of the Russian Parliament and be signed by the President.
In the meantime, companies doing business in Russia may wish to take a look at their compliance with Russian data protection and localization law in order to mitigate the risks of increased fines if the bill is adopted into Russian law.