Is it possible for data storage fines in Russia to be higher than in Europe?

A year ago, news about a new European regulation replacing outdated legislation shook the Russian business community. The new General Data Protection Regulation (GDPR), with extraterritorial effect, imposed stringent requirements on companies dealing with users from the European Union, including Russian companies.
High penalties, up to €20 million, ensured serious attention to the regulation and a desire to meet the strict requirements of the European standard for processing personal data. One requirement is storing information containing user personal data under appropriate security conditions, specifically within the EU or in countries with a comparable level of personal data security.
The Russian Federation has its own legislation on the protection of personal data, Federal Law 152-FZ. This law sets forth requirements for collecting, processing, and storing personal data, including requirements for storing and processing personal data on servers located within Russia.
The territorial requirement applies to any company that interacts with the personal data of Russian citizens, regardless of where the company is registered and located.
Currently, sanctions for non-compliance with the requirements of Federal Law 152-FZ consist of the following:
For failure to comply with localization requirements regarding databases and servers in the Russian Federation, Facebook and Twitter were fined 3,000 rubles each. The maximum fine for violating personal data protection requirements in Russia is 70,000 rubles, which is significantly lower than the liability measures in the European Union.
Counter-measures:
Drawing on the European experience, it was logical for the Russian legislator to take measures to increase liability for failing to comply with the law on the protection of personal data.
The most resonant event was the proposal to increase the fine for legal entities that store the data of Russian citizens outside the Russian Federation, up to 6 million rubles for the first violation and 18 million rubles for repeated violations.
This proposal has already been supported by the State Duma and has the potential to receive approval at all stages.
What else to expect:
When the regulatory framework of the Russian Federation is compared with GDPR, most provisions already meet the requirements of the regulation and are either at the same level or slightly inferior. It is also quite possible that in the coming years Federal Law 152-FZ will require controllers and processors of personal data to strictly adhere to its provisions, similarly to GDPR.