The new edition of the Code of Administrative Offences (CAO) proposes raising the maximum fine for leaking personal data from 50 thousand to 500 thousand rubles. Some experts warn that this is an inhumane measure that may hit small businesses too hard during a pandemic. Others are sure that, because such data is a highly marketable commodity on the black market, fines would have to be even higher to actually curb leaks.

Fines for leaking personal data could increase from 50 thousand to 500 thousand rubles for legal entities, according to the draft of the new edition of the administrative code, which was developed by the Ministry of Justice of Russia on May 29 and posted for discussion at regulation.gov.ru. For individual entrepreneurs, the fines will increase from 20 thousand to 300 thousand rubles, for officials from 10 thousand to 100 thousand rubles, and for other citizens from 2 thousand to 20 thousand rubles.

The Ministry of Justice has been working on a new version of the administrative code for a long time; the previous version was published in January and did not contain provisions to increase the penalties. But the question of tougher liability for leaks has been raised more than once. In 2015, the State Duma considered increasing fines to 300 thousand. An amendment to increase the fines is now also being developed by the State Duma Committee on Information Policy, Information Technologies and Communication, its head Alexander Khinshtein said on 21 May 2020.

After public comment and interagency coordination, the Ministry of Justice's draft will be submitted to the government, the Ministry's press service reported. It specified that the offences carrying the new penalties were studied by the working group on the proposal of the Federation Council Committee on Constitutional Legislation and State Construction.

Data breaches are happening more often. According to InfoWatch, in 2019 their number in Russia grew by 40% compared to the previous year.
The situation is deteriorating amid coronavirus isolation: as a result of the mass transition to remote work, the number of attempts at unauthorized access to data increased by about half, with about 30% of the incidents being clearly illegal attempts to copy client databases and pass them outside, including through messengers, and 10% being the actions of hackers, says DeviceLock founder and CTO Oganesyan.

But the appearance of such a large penalty without prior elaboration of detailed regulation in the sphere of privacy, and without a transition period during which operators of personal data could bring their processing into line with the new requirements, raises questions; the measure can be described as premature and inhumane in the context of the general economic situation, says Catherine Portman, Director of Deloitte Legal in the CIS.

A fine of 500 thousand rubles is significant only for small businesses; for large organizations it will be nothing more than a “little nuisance”, as they are more concerned about the loss of reputation resulting from a breach, says Irina Gudkova, director of the legal department of ICD.

The value of databases for sale on the darknet is much higher than the proposed penalties, so this measure will not deter criminals from draining databases for sale, said Alexander Zhuravlev, chairman of the Commission on legal empowerment of the digital economy of the Moscow branch of the Association of Lawyers of Russia. For example, the cost of retail bank databases on the darknet in 2019 ranged from 70 rubles for a single record, in databases of up to 150 thousand records, that is, up to 10.5 million rubles at those volumes, DeviceLock specifies. In Europe, fines for data breaches are up to 4% of a company’s turnover, and in practice they reach €21 million and above, said Mr Zhuravlev.
In Russia it would be better to make the fine comparable to the existing penalties for storing databases outside the territory of the Russian Federation, that is, from 6 million to 18 million rubles, said Andrey Zaikin, head of “Information Security” at IT-CROC.

Companies that handle large volumes of personal data do not welcome the increase in penalties, but insist that they already provide a high level of security. Current legislation in the field of personal data already sets stringent requirements for its protection, MTS specifies, emphasizing that data security is a top priority for the company. In protecting the personal data of subscribers and employees, “Rostelecom” is committed to fulfilling all requirements of the law and the authorities, its press service said. Tele2 is taking all measures to protect customer data; access to it is restricted to a limited number of employees whose work is regulated and subject to strict control, the company said in a statement. Unofficially, one of the operators indicated that it considered it inappropriate to introduce new violations in the field of personal data protection into the code and to increase the amount of fines.

Yulia Stepanova