Criminal and Administrative Liability in the Field of Personal Data
Starting December 11, 2024, a new law will come into force introducing criminal liability for illegal activities involving personal data, including storage, transfer, and the creation of resources facilitating such processes.
Basic violations will result in fines of up to 300,000 rubles, compulsory labor, or imprisonment for up to four years.
If the case involves minors’ data, biometric data, or sensitive personal information, the penalties will be more severe: fines of up to 700,000 rubles and imprisonment for up to five years.
Penalties for Serious Violations
- Offenses involving financial gain, significant damage, commission by a group, or abuse of official position: fines of up to 1 million rubles, imprisonment for up to six years, and a ban on holding certain positions for up to three years.
- Cross-border data transfer violations: imprisonment for up to eight years, fines of up to 2 million rubles, and bans on holding positions for up to four years.
- Organized crimes or severe consequences: imprisonment for up to 10 years, fines of up to 3 million rubles, and bans on professional activities for up to five years.
Penalties will also apply for creating websites or information systems aimed at the illegal storage or transfer of personal data.
New Fines Under the Administrative Code Starting May 2025
From May 30, 2025, fines for violations of personal data legislation will increase:
- For individuals: fines will rise to 15,000 rubles (from the current 2,000–6,000 rubles).
- For organizations: fines will increase to 500,000 rubles (from 60,000–100,000 rubles).
Repeat violations will incur even higher penalties.
For legal entities, fines include:
- Up to 15 million rubles for mass data leaks.
- Up to 3 million rubles for unauthorized data transfers.
- Up to 2 million rubles for processing data without proper accreditation.
Additionally, penalties are provided for violations of biometric data processing rules and for refusing services to clients who decline to use biometric identification.
Who Is Exempt?
The law does not apply to personal data used for personal or family purposes.
The law firm “Nadmitov, Ivanov & Partners” provides services related to personal data protection.