The new regulations may introduce significant compliance risks for data operators, including potential legal liabilities and operational challenges.
1. Russia introduces GDPR-like fines and criminal liability for data leaks (effective 30 May 2025)
On 30 May 2025 amendments to the Administrative Offence Code of the Russian Federation and amendments to the Criminal Code of the Russian Federation enter into force. These amendments introduce new types of administrative and criminal liability, including GDPR-like “turnover-based” fines:
Administrative Liability
The amendments to the Russian Administrative Code increase existing fines for violations of personal data legislation and introduce:
§ new types of liability for violations of personal data legislation (including a failure to notify of personal data processing and a failure to disclose personal data leaks);
§ GDPR-like “turnover-based” fines for repeated “leaks” of personal data.
A large administrative fine may be imposed for “data leaks”, with the amount depending on the number of affected personal data subjects or records. At the top of the scale, i.e. where the “leak” affects more than 100,000 subjects (or more than 1,000,000 data records), the fine for legal entities will be up to RUB 15 million (currently approx. USD 190,000).
If a legal entity operator commits such a violation again, a “turnover-based” fine may be imposed on it in the amount of up to 3% of the aggregate amount of revenue.
If the leak involves a special category of personal data, the administrative fine will be at least RUB 10 million, regardless of the number of affected subjects.
The amendments also introduce “aggravating circumstances” and “mitigating circumstances” when deciding on the specific amount of the fine.
Criminal Liability
The amendments to the Russian Criminal Code introduce a new corpus delicti. It penalises the “illegal use, transfer, collection and storage of computer information containing personal data obtained through unauthorised access to the means of its processing, storage or other interference in its functioning or by other illegal means”. Different degrees of criminal liability are established for this crime, the most severe being imprisonment for up to 10 years together with a fine of up to RUB 3 million.
2. Ban on the use of foreign databases when collecting personal data (effective 1 July 2025)
The law previously required operators to use databases located in Russia when collecting personal data. Effective 1 July 2025, the following changes have been made to this provision:
§ this requirement will apply not only to operators (so-called “controllers”), but also to persons processing personal data as instructed (so-called “processors”, which include, for example, HR document management services and cloud HR systems);
§ a stricter requirement is introduced: any use of foreign databases for the collection of personal data is prohibited. In practice, arrangements in which a database located in Russia is used only formally, for the sole purpose of onward transfer of the data abroad, are currently common; from 1 July 2025, such practices may be deemed illegal.
3. Separate consent form for personal data processing (effective 1 September 2025)
On 24 June 2024, a law on the separate consent form for personal data processing was signed by the President.
Effective 1 September 2025, consent to personal data processing will have to be drawn up separately from any other information or documents signed or accepted by the data subject (i.e., the consent to personal data processing can no longer be “built into” other documents such as terms of use, etc., while a data subject may still give consent to data processing in any form that enables confirmation of receipt).
The new law may require companies to make adjustments to the way they process users’ personal data and, most likely, to make changes to the procedure for entering into user agreements. Non-compliance may result in administrative fines.
4. Draft law excluding “unfriendly” foreign states from the “safe countries list” (draft law No. 951518-8)
A draft law (No. 951518-8), dated 25 June 2025, aims to exclude a number of “unfriendly” foreign states from the list of countries “providing adequate protection of personal data”. If approved, not all member states of the Council of Europe’s 1981 Convention will be classified as “states ensuring adequate protection of the rights of personal data subjects”, meaning that transfers of data to countries removed from the “safe countries list” will require additional steps (a special notification procedure, written consent, etc.).
This legislative initiative could have a significant impact on the procedure for cross-border transfers of personal data and affect the operations of many data operators. For instance, Convention member states such as Germany, France and the Netherlands, where the servers of many international companies are located, may be excluded from the “safe countries list” if the draft law is adopted.