“Spring” fines in the digital environment
A new federal law came into effect on 27 March. It sets administrative fines for failure to fulfil obligations to ensure the stable, secure and coherent operation of the Internet in Russia (the “Law”).
One of the key new developments is a longer limitation period for administrative liability related to violations of Russian personal data laws. The limitation period is now one year instead of the previous three months from the date of the offense.
The law increases and, in some cases, provides for new fines:
- the fine for processing personal data in cases not stipulated by the law on personal data, or processing that is incompatible with the purposes of personal data collection where there are no signs of a criminal offense, for each data subject’s infringement by organisations, is up to RUB 100,000 (approx. EUR 1,100), and up to RUB 300,000 (approx. EUR 3,400) for repeat violation;
- the fines for processing personal data without the subject’s consent have been doubled, and, for each data subject’s infringement by organisations, the fine is up to RUB 150,000 (approx. EUR 1,700), and up to RUB 500,000 (approx. EUR 5,700) for repeat violation;
- the fine for not providing access to the personal data processing policy has been doubled. For example, if a company fails to provide unrestricted access to its personal data processing policy or information on the data protection requirements, the fine may be up to RUB 60,000 (approx. EUR 700);
- the fine for failure to provide information to a personal data subject has been doubled and organisations are fined up to RUB 80,000 (approx. EUR 900);
- the fine for the operator’s failure to timely comply with the requests of a personal data subject, their representative or authorised bodies has been doubled. The fine is up to RUB 90,000 (approx. EUR 1,000) for organisations, and up to RUB 500,000 (approx. EUR 5,700) for a repeat violation;
- the fine for failure to secure personal data contained on tangible media has been doubled and organisations could be fined up to RUB 100,000 (approx. EUR 1,100).
The Law introduces a new Article 19.7.10-3 of the Administrative Offences Code. That article specifies the liability for the owner of an information resource involved in violations of fundamental human rights and freedoms, including those of citizens of the Russian Federation, if the owner fails to comply with a warning to stop the unlawful actions.
- Owners of Internet resources (for example, YouTube, Facebook and Twitter) used by citizens of Russia may be deemed to be in violation if they restrict Internet users’ dissemination of socially significant information in Russia. This also covers restrictions related to foreign states’ political or economic sanctions against Russia, its citizens or organisations. Administrative fines for legal entities may be as high as RUB 1,000,000 (approx. EUR 11,200), and up to RUB 3,000,000 (approx. EUR 33,500) for repeat violations.
Internet providers can be liable for failure to comply with security rules on the Runet. For example, Internet providers will be punished for violating procedures for installing, operating and upgrading hardware meant to combat threats to the Runet.
- Organisations may face a fine of up to RUB 500,000 (approx. EUR 5,700) for a first-time violation, while the fine is up to RUB 1,000,000 (approx. EUR 11,200) for repeated failure to comply with the requirements within a year.
These changes are intended to encourage organisations to comply with personal data laws and to take steps to regulate security on the Runet.