1. NEW PENALTIES FOR DATA LEAKS

Amendments to the Code of Administrative Offenses (CAO RF) have introduced liability for personal data leaks. The amount of fines depends on the volume of compromised data and can reach up to 15 million rubles (~150,000 EUR). This poses a critical risk for companies processing large amounts of personal data.

2. STRICTER SANCTIONS FOR NON-LEAKAGE VIOLATIONS

A new administrative offense has been introduced, imposing liability for failure to notify the regulator of an intention to process personal data.

Additionally, penalties have been established for illegal processing of personal data unrelated to data leaks.

3. INTRODUCTION OF CRIMINAL LIABILITY

A new article in the Criminal Code establishes criminal liability for the unlawful use, transfer, collection, or storage of personal data obtained illegally. The maximum penalty for such offenses is up to four years of imprisonment.

4. NEW MANDATORY CONSENT FORMS FOR DATA PROCESSING

Effective January 1, 2025, a mandatory consent form will be required for processing personal data in the Unified Identification and Authentication System (UIAS) and the Unified Biometric System (UBS). The new templates apply to both paper and electronic documents.

Companies working with UIAS and UBS must ensure compliance with these new requirements, as errors in completing the consent form may result in fines.

5. LAUNCH OF THE STATE ANONYMIZED DATA PLATFORM IN 2025

Starting September 1, 2025, Russia will introduce a state platform for storing and processing anonymized personal data. The platform aims to facilitate artificial intelligence (AI) development and data analytics. Businesses will need to adapt to the new regulatory framework.

WHAT SHOULD BUSINESS DO IN 2025?

• Strengthen cybersecurity measures – Data leaks now carry financial and criminal liability risks.

• Update internal documentation – Ensure consent forms and data processing policies align with the new regulations.

• Implement rapid incident response systems – Establish procedures for notifying regulators about data leaks.

• Prepare for data depersonalization requirements – Companies handling personal data must establish processes for transferring anonymized data to the state.

• Stay updated on legal developments – Personal data regulations are becoming increasingly strict, with new rules potentially emerging at an accelerated pace.