As reported by Russian law firm Alrud, on November 21, 2019, the Russian State Duma passed a bill (the “Bill”) that would increase the minimum fines that may be imposed for violations of Russia’s data protection laws. The Bill would allow for maximum administrative fines of 18 million RUB (approximately $282,000 USD) for violations of Russia’s data localization requirement, which requires entities processing personal data of Russian citizens to process that data in databases located within the territory of Russia. This represents a significant departure from the maximum administrative fines that may be imposed for other data protection violations in Russia as it is significantly higher than other potential penalties.
In addition, the Bill would impose other civil penalty amounts for various data protection and telecommunications infringements, ranging from approximately 1 million RUB to 6 million RUB (approximately $15,660 to $93,690 USD). With respect to the data localization requirement, which took effect in 2015, previously the Russian data protection authority had taken steps to block websites in Russia to the extent they were found to be non-compliant with the localization rules. The Bill will next advance to the upper chamber of Russian Parliament; if approved, it will be sent to the Russian President for signature and, if signed, will take effect immediately upon its official publication.