As RBK has learned, on April 22, the Russian government approved a second reading of amendments to the Criminal Code that toughen penalties for leaks of personal data. On the same day, the presidential administration also declined to support easing penalties for data leaks for businesses on the condition that companies allocate funds for cybersecurity and compensate for damages. The corresponding bill was introduced in December 2023 by the Chairman of the State Duma Committee on Information Policy, Information Technology and Communications Alexander Khinshtein, as well as senators Andrei Klishas and Andrei Turchak. In January 2024, the bill passed its first reading.
Read also
The main result of the work of the State Duma Committee on Information Policy, Information Technology and Communications in 2023 was the signed bills on the introduction of turnover fines for personal data leaks. In addition, the committee is working on a proposal to introduce criminal liability for repeated violations.
At the end of December 2023, the Big Data Association sent a letter to the State Duma Committee on State Building and Legislation. In this document, the authors proposed clarifying a number of formulations and mitigating liability in a number of cases, including for companies that allocate funds to ensure data security and compensate victims for damages.
Read also
Business asks to revise bill on criminal liability for data leaks
The Big Data Association (BDA) asked deputies to clarify the wording of the draft law on criminal liability for working with personal data. This initiative was submitted to the State Duma in December and suggests the possibility of imprisonment for up to 10 years for illegal collection or use of personal data.
As Igor Ashmanov, member of the Council under the President of the Russian Federation for the Development of Civil Society and Human Rights, President of Ashmanov and Partners LLC, noted at the XIII Safe Internet Forum, attempts to preserve, as far as possible, the existing status quo by the largest digital platforms, which are the founders of the Big Data Association, have not been successful. In his opinion, it is the large digital platforms that are behind the largest leaks of data of Russian residents, and they are extremely uninterested in tightening the legislation on the protection of personal data, since the transfer of responsibility from the administrative to the criminal plane will allow a full investigation of the incident, which, with a high degree of probability, will reveal facts of large-scale incompetence and negligence of the personnel of digital ecosystems and platforms. Fines, including turnover ones, as Igor Ashmanov emphasized, are not a serious punishment for large companies.
Vasily Stepanenko, CEO of the cloud provider Nubes, does not consider the position of the Big Data Association to be lobbying for mitigation of punishments: "There is no talk of lobbying for mitigation. The principle is important: punishment for an offense should only occur if it is proven that it was committed. And at the same time, responsibility should be proportionate to the offense. But in the current conditions, it is difficult to prove a data leak. We see a lot of false stories from hackers about high-profile hacks and leaks, and then it turns out that the 'hacked and stolen' personal data databases are made up of different pieces of other databases and have no relation to the organization or company that was allegedly hacked. In addition, in most cases, only the hacker who broke the database can say exactly how much data was leaked. At the same time, if you tighten the screws on liability for personal data, a business simply will not be able to function normally, because without knowing the client, and therefore working with his personal data, it is almost impossible to develop in the digital world. Now is not the best time to put pressure on business."
Deputy CEO of the Garda Group of Companies Rustem Khairutdinov agrees that large amounts of data can leak only from large digital systems, although the statistics of incidents are somewhat one-sided and not everything gets into it: "Other sources simply do not have such volumes. However, the protection of infrastructure and data in large digital systems is an order of magnitude more mature and high-quality than that of small services. Compiling leaks from small online stores, regional registries, enriching them with open data is a fairly simple matter, and I would not undertake to compare the capacities of one and the other. Statistics on open sources are somewhat one-sided: only leaks that cause a wide resonance become public. Small regular leaks are of no interest to the press and therefore remain in the depths of the darknet, although they pose no less a threat, since they last a long time. Checking the relevance of data even in publicly available arrays is not an easy job. Therefore, I would rather say that leaks from large digital platforms that have become public cause greater public resonance than other leaks."
The state will toughen penalties for leaks of personal data