The Ministry of Digital Development proposed relating the volume of fines to the amount of the leaked information in the new version of the draft bill on turnover fines for personal data leaks. The document will specify the object of personal data leakage and describe the procedure for establishing the guilt of an organization that leaked information, since the same data can leak from different companies.

The fines will be imposed in two stages: for the first data leakage incident, the fines will be fixed, and will be directly related to the amount of leaked data; if the incident happens again, a turnover fine will be imposed. Experts also proposed setting limits for the amount of such fines.

Both mitigating and aggravating circumstances will be considered. Experts clarified that “if the company has made every effort to protect information, it will be regarded as a mitigating circumstance in determining the amount of the fine. But if the company conceals the leak, this fact can become an aggravating circumstance, and then the maximum penalty will be imposed”.

The Ministry of Digital Development also proposed to introduce a procedure for voluntary accreditation of companies according to information security criteria, which can become the “confirmation of measures taken to prevent data leakage”. This fact can also be considered a mitigating circumstance.

Original in Russian