Amendments have been made to the State Duma, within the framework of which it is proposed to tighten penalties for the leakage of personal data and introduce criminal liability for their “illegal” use. The relevant bills are published on the website of the lower house of parliament.
As part of the amendments to the Criminal Code, it is proposed to supplement it with Article 272.1. The first part of this article, if the bill is adopted, will establish liability for the illegal use, transfer, collection and storage of personal data obtained through “illegal access to information.” The maximum punishment is up to four years in prison or forced labor for the same period, as well as a fine of up to 300 thousand rubles.
Moreover, if the information obtained illegally contained special categories of personal data or biometric data, liability will arise under the second part of Article 272.1 of the Criminal Code. The maximum punishment under it is imprisonment or forced labor for up to five years or a fine of up to 700 thousand rubles.
The same acts committed “out of selfish interest” either by an organized group/by prior conspiracy, or using an official position , or if they caused major damage, they will be punished more severely: Part 3 of Article 272.1 of the Criminal Code provides for up to six years in prison or a fine of up to a million rubles.
In cases «cross-border movements» such data, the maximum sentence will be up to eight years in prison with a fine of up to two million rubles. If these actions led to grave consequences or were committed by an “organized group”, then the punishment will be up to ten years in prison with a fine of up to three million rubles.
For the creation of resources or programs intended for “illegal” storage and transfer information containing personal data will be punishable by imprisonment for up to five years or a fine of up to 700 thousand rubles.
In addition, the authorities proposed introducing amendments to the Code of Administrative Offences, adding to the article on violation of the legislation on personal data (Article 13.11 of the Code of Administrative Offences). The punishment under this article, if the bill is adopted, will vary depending on the volume of information leakage.
As one of the authors of the initiative, United Russia deputy Andrei Turchak, explained, the amount of fines for officials will range from 800 thousand to two million rubles, and for legal entities — from three to 15 million rubles. For a repeated violation, the organization will face a fine in the amount of 0.1% to 3% of revenue for a calendar year, but not less than 15 million and not more than 500 million rubles.
According to First Department lawyer Evgeny Smirnov, the adoption of the amendments will make it possible to prosecute journalists and investigators. As he clarified in a conversation with the Agency, the authors of the bill propose to assign the most severe punishment—up to ten years in prison with a fine of up to three million rubles—to members of an “organized group” that “illegally” used personal data. In his opinion, a group can be understood as those people who are related to the work on the material.