According to the draft law, the amount of the fine for legal entities will depend on the volume of the "leak"
Posted: Thu Jan 23, 2025 6:20 am
Qualification of violations
Sberbank also proposes to change the approach to punishment for leaks of personal data. According to the bank, the main criterion for qualifying a violation and assigning a punishment for leaking personal data should be their illegal distribution to an unlimited number of people. Currently, the bill provides that liability will be imposed for the actions (inactions) of the operator that resulted in the illegal transfer of information, including personal data.
"The new norms of the Code of Administrative Offences should serve as the motivation to prevent such dissemination," the letter says. "It is advisable to specify the objective side of the administrative offence, stipulating that liability occurs for the actions (inaction) of the PDn operator, expressed in the illegal transfer of PDn or failure to apply the measures provided by law to ensure the security of PDn during their processing, which resulted in the dissemination of their PDn and (or) gaining access to their PDn by an unlimited number of persons."
Currently, companies that have allowed leaks are subject to administrative liability under the provisions of Part 1 of Article 13.11 of the Code of Administrative Offences, that is, for processing personal data in cases not provided for by Russian legislation, or for processing them in a way that is incompatible with the purposes of collecting such data, the bank notes.
In addition, a possible approach to assigning administrative punishment for processing personal data in cases not provided for by law, including provision to third parties, is proposed for discussion. It is proposed to discuss these approaches separately from the topic of "leaks", "taking into account the assessment of the real public danger" of such situations.
Volumes of leaks
To determine the volume of a leak, the document uses not only the amount of compromised personal data of subjects, but also the number of "unique designations of information about an individual necessary to identify such an individual (identifiers)."
For example, for a leak of 10 to 100 thousand unique identifiers of information about an individual, it is proposed to introduce a fine of 3 to 5 million rubles; for a leak of 100 thousand to 1 million identifiers, from 5 to 10 million rubles; for a leak of more than 1 million identifiers, a fine of 10 to 15 million rubles.
Sberbank notes the need to clarify the term "unique designation of information about an individual", since it is open to broad interpretation and compromised information will not cause harm in every case.
"We believe that the disclosure of such information in itself, for example, the serial number of information about a personal data subject used to identify a person in an information system, does not have the characteristics of a public danger," the letter says.
Discussion by market participants, regulators and legislators of issues of tightening liability for personal data leaks is taking place against the backdrop of an increase in their number, recorded by experts. Thus, according to the expert and analytical center of InfoWatch Group, 705 million personal data records were leaked in the Russian Federation in the first half of this year. This is 72% more than the same indicator in 2022. On average, one leak accounts for 2.45 million personal data records.
In reality, the number of compromised PD records may be even higher. "705 million records should be considered a minimum value, since many leak reports (more than 40% of such cases) do not indicate the exact amount of compromised data and there is no way to download and count it," the InfoWatch report emphasizes.