Russia Data Privacy Laws: Federal Law 152-FZ Guide (2026)

Russia operates one of the strictest data privacy regimes in the world. Federal Law No. 152-FZ on Personal Data, originally enacted on July 27, 2006, has undergone a series of amendments that have transformed it from a basic framework into a comprehensive regulatory system with severe penalties for non-compliance.
The law applies to any organization or individual that collects, processes, or stores personal data of Russian citizens, regardless of where the operator is based. This extraterritorial reach, combined with Russia's aggressive data localization requirements and escalating enforcement, makes compliance a critical concern for any business with a Russian user base.
This guide covers the full scope of 152-FZ as it stands in 2026, including the landmark penalty increases that took effect in 2025.
Federal Law No. 152-FZ: Foundation of Russian Data Protection
Scope and Definitions

Federal Law No. 152-FZ defines "personal data" broadly as any information relating to a directly or indirectly identifiable natural person (data subject). This includes obvious identifiers like names, addresses, and phone numbers, but also extends to online identifiers, location data, and any combination of information that could identify an individual.
The law defines several key roles. An "operator" is any person or entity that organizes or carries out the processing of personal data, and determines the purposes and content of that processing. A "processor" is a person acting on behalf of an operator to process data according to the operator's instructions.
The law applies to processing carried out by Russian entities, foreign entities targeting Russian citizens, and any entity using databases located in Russia. The Russian Ministry of Communications has clarified that foreign entities may be deemed to target Russian citizens if they use .ru or .su domains, display Russian-language content, accept Russian currency, or serve Russian-language advertisements.
Legal Bases for Processing
Under 152-FZ, personal data may only be processed on one of the following legal bases:
- Consent of the data subject. This is the most common basis and must be specific, informed, conscious, and unambiguous. For certain categories of data, written consent is mandatory.
- Performance of a contract. Processing is permitted when necessary to fulfill a contract to which the data subject is a party.
- Legal obligation. When processing is required by Russian federal law.
- Vital interests. To protect the life, health, or other vital interests of the data subject when consent cannot be obtained.
- Public interest. For the exercise of rights and legitimate interests of the operator or third parties, provided this does not violate the data subject's rights.
- Professional journalism, scientific, literary, or artistic purposes. Subject to restrictions on harm to data subjects.
Consent requirements were tightened by the 2022 amendments (Federal Law No. 266-FZ). Consent must now be "subjective and unambiguous," meaning blanket or bundled consent is no longer sufficient. Each purpose of processing requires a separate consent.
Special Categories and Biometric Data
The law identifies special categories of personal data that receive heightened protection. These include data concerning race, ethnic origin, political opinions, religious or philosophical beliefs, health conditions, and sexual life.
Processing special category data is generally prohibited unless the data subject provides explicit written consent or one of a limited set of exceptions applies, such as when the data has been made publicly available by the subject, or when processing is required for medical purposes.
Biometric personal data receives its own separate treatment under Russian law. Defined as information characterizing the physiological and biological features of a person used for identification, biometric data includes fingerprints, facial images, retinal scans, DNA profiles, and voice recordings.
Biometric data may only be processed with the data subject's written consent. In the private sector, consent is effectively the only available legal basis. Government agencies have broader authority to process biometric data for national security and law enforcement purposes under the Unified Biometric System regulated by Federal Law No. 572-FZ.
Data Subject Rights Under 152-FZ
Russian data protection law grants individuals a comprehensive set of rights over their personal data. These rights are enforceable through complaints to Roskomnadzor and through the Russian courts.
Right of Access
Data subjects have the right to request and receive information about the processing of their personal data. This includes confirmation of whether data is being processed, the legal basis and purposes of processing, the categories of data held, the methods used for processing, and the retention period. Operators must respond to access requests within 10 business days.
Right to Rectification
If personal data is incomplete, outdated, or inaccurate, data subjects may request that the operator update, correct, or supplement the data. The operator must make the corrections promptly and notify the data subject of the changes.
Right to Deletion
Data subjects may demand that an operator destroy their personal data if it was obtained unlawfully, is no longer necessary for the stated processing purpose, the data subject withdraws consent, or the operator has failed to correct inaccuracies. Operators must destroy the data within 30 days of receiving the request.
Right to Withdraw Consent
Consent to data processing may be withdrawn at any time. Upon withdrawal, the operator must cease processing and destroy the personal data within 30 days, unless another legal basis for continued processing exists.
Right to Object to Automated Decision-Making
Data subjects have the right to object to decisions made solely through automated processing if those decisions produce legal effects or otherwise significantly affect the individual. The operator must explain the logic of the automated decision upon request.
Data Localization: Russia's Signature Requirement
Russia's data localization requirement is one of the most significant features of its data protection regime and one of the strictest in the world.
The Original 2015 Mandate
Federal Law No. 242-FZ, adopted in July 2014 and effective from September 1, 2015, requires all operators to "record, systematize, accumulate, store, amend, update, and retrieve" personal data of Russian citizens using databases physically located within the Russian Federation.
This requirement applies regardless of where the operator is incorporated. Any company collecting personal data from Russian citizens, whether through a website, mobile application, or offline form, must ensure that the primary database where that data is first recorded is located on Russian soil.
The law does not prohibit storing copies of the data abroad, but the original collection and the primary database must be in Russia. This distinction is critical for multinational companies that need to synchronize data across global systems.
The 2025 Tightening
Federal Law No. 23-FZ, signed on February 28, 2025, and effective July 1, 2025, significantly tightened localization requirements in several ways:
- Extended scope to processors. The localization requirement now applies not only to operators but also to any person processing personal data on behalf of an operator. Previously, only operators bore the localization obligation directly.
- Prohibited foreign databases for collection. Any use of foreign databases for the initial collection of Russian citizens' personal data is now expressly prohibited. This closes a loophole where some companies argued that using a foreign cloud service for initial intake, with subsequent replication to Russia, satisfied the original law.
- Notification requirement. Operators must notify Roskomnadzor of the location of their databases. This notification is separate from the general processing notification.
The 2025 amendments do not affect cross-border transfers. Operators may still transfer personal data outside Russia, provided they comply with the cross-border transfer notification requirements that took effect on March 1, 2023.
Notable Enforcement: The LinkedIn Block
The most prominent enforcement action involving data localization was the blocking of LinkedIn in Russia in November 2016. Roskomnadzor determined that LinkedIn stored the personal data of Russian users on servers outside Russia and refused to comply with the localization requirement. A Moscow court upheld the block, and LinkedIn remains inaccessible in Russia without a VPN.
Roskomnadzor: The Enforcement Authority
The Federal Service for Supervision of Communications, Information Technology and Mass Media, known as Roskomnadzor, is Russia's primary data protection authority. It operates under the Ministry of Digital Development, Communications, and Mass Media.
Powers and Functions
Roskomnadzor maintains broad enforcement powers. It conducts scheduled and unscheduled inspections of data operators, maintains the Register of Operators processing personal data (to which all operators must submit notifications), reviews complaints from data subjects, issues binding orders to correct violations, imposes administrative fines, and requests court orders to block websites that fail to comply with data localization or other requirements.
Roskomnadzor prioritizes inspections of operators handling special categories of data and biometric data, as well as operators transferring data to foreign countries. These operators can expect inspections approximately every two years.
Operator Registration
All data operators must submit a notification to Roskomnadzor before commencing personal data processing. As of May 30, 2025, failure to submit this notification carries fines of 30,000 to 50,000 rubles for responsible individuals and 100,000 to 300,000 rubles for organizations.
The notification must include the company name, purposes of processing, categories of data, categories of data subjects, lawful basis, processing methods, security measures, contact information for the data protection officer, the start date of processing, and the anticipated duration or conditions for termination of processing.
Roskomnadzor registers the operator within 30 days. Any changes to processing activities must be reported within 10 business days.
Breach Notification Requirements
Since September 1, 2022, Russia has operated a mandatory two-step breach notification regime that is among the fastest-response requirements in the world.
24-Hour Initial Notification
Upon discovering a security breach that results in the unlawful or accidental transfer, destruction, modification, blocking, copying, or disclosure of personal data, the operator must notify Roskomnadzor within 24 hours. This initial notification must include the nature of the breach, the suspected cause, the categories and approximate number of data subjects affected, the harm caused or likely to result, the security measures that were in place at the time, and the contact details of the person responsible for coordinating with the regulator.
72-Hour Follow-Up
Within 72 hours of discovering the breach, the operator must submit a supplementary notification containing the results of its internal investigation, including the specific personal data records compromised, corrective actions taken and planned, and the steps taken to mitigate harm to affected individuals.
Notification to Data Subjects
In addition to notifying Roskomnadzor, operators are expected to inform affected data subjects where the breach is likely to result in significant harm. The law does not specify an exact timeline for individual notifications, but unreasonable delay can be treated as a separate violation.
Penalties for Late Notification
Failure to notify Roskomnadzor within the 24-hour window can result in administrative fines of up to 3 million rubles (approximately USD 33,000). This is separate from any penalties for the underlying breach itself.
Penalties: The 2024-2025 Overhaul
Russia dramatically escalated its data protection penalties through two federal laws signed on November 30, 2024, which together represent the most significant penalty increase in the history of Russian data protection.
Federal Law No. 420-FZ: Administrative Penalties
Federal Law No. 420-FZ, effective May 30, 2025, introduced a tiered system of administrative fines tied to the scale of the data breach:
- 1,000 to 10,000 affected individuals: Fines between 3 million and 5 million rubles.
- 10,001 to 100,000 affected individuals: Fines between 5 million and 10 million rubles.
- More than 100,000 affected individuals: Fines between 10 million and 15 million rubles.
- Biometric data breaches: Fines of 15 million to 20 million rubles regardless of the number of individuals affected.
- Repeat offenses: Revenue-based fines of 1% to 3% of the company's annual revenue from the preceding year, with a minimum of 20 million rubles and a maximum of 500 million rubles (approximately USD 5.5 million).
- Data localization violations: Up to 6 million rubles for a first offense and up to 18 million rubles for subsequent violations.
Federal Law No. 421-FZ: Criminal Liability
Federal Law No. 421-FZ, effective December 11, 2024, introduced criminal penalties for the illegal collection, use, transfer, and sale of personal data. This was a landmark change, as personal data violations in Russia had previously been treated as purely administrative matters.
The criminal penalties follow a graduated structure:
- Basic offense (illegal use or transfer): Fine up to 300,000 rubles or imprisonment for up to 4 years.
- Aggravated circumstances (mercenary motive, conspiracy, or abuse of official position): Imprisonment for up to 6 years with a fine of up to 1 million rubles.
- Illegal cross-border transfer of personal data: Imprisonment for up to 8 years with a fine of up to 2 million rubles.
- Organized criminal activity or actions causing grave consequences: Imprisonment for up to 10 years with a fine of up to 3 million rubles.
Biometric data and data concerning minors carry enhanced penalties within each tier. The criminal provisions do not apply to individuals processing personal data for personal or family purposes.
Cross-Border Data Transfers
Russia permits cross-border transfers of personal data but subjects them to a detailed regulatory framework that was substantially revised in 2022-2023.
Notification to Roskomnadzor
Since March 1, 2023, operators must notify Roskomnadzor before initiating cross-border transfers. The notification must specify the recipient countries, the categories of data to be transferred, the purposes of transfer, and the legal basis. Roskomnadzor may prohibit or restrict the transfer within 10 business days of receiving the notification.
Adequate vs. Inadequate Countries
Roskomnadzor maintains a list of countries that provide adequate data protection. Transfers to adequate countries require only the standard notification. Transfers to countries not on the adequacy list require additional safeguards, most commonly the written consent of the data subject.
Transfers to inadequate countries are permitted if one of the following conditions is met:
- Written consent of the data subject specifying the recipient country.
- Fulfillment of an international treaty obligation.
- Protection of the constitutional order, defense, or national security.
- Performance of a contract with the data subject.
- Protection of the life, health, or vital interests of the data subject when consent cannot be obtained.
Restrictions
Roskomnadzor may prohibit or restrict cross-border transfers to specific countries or specific recipients if the transfer would threaten the security, sovereignty, or interests of the Russian Federation, or if the recipient country does not provide adequate protection.
The cross-border transfer framework operates independently of the data localization requirement. An operator may transfer data abroad, but the primary database must still be located in Russia.
Consent Requirements in Practice
Consent is the most common legal basis for data processing in Russia and carries specific formal requirements that differ from many other jurisdictions.
General Consent Standards
Consent must be freely given, specific, informed, conscious, and unambiguous. It may be given in any form that allows confirmation of its receipt, including through electronic means. However, certain types of processing require written consent.
When Written Consent Is Required
Written consent is mandatory for processing special categories of personal data, processing biometric data, cross-border transfers to countries without adequate protection, and automated decision-making that produces legal effects.
Written consent must include the full name and address of the data subject, the name and address of the operator, the specific purposes of processing, a list of data to be processed, the name of any third party that will process the data, a description of the processing actions, the consent period, and the method for withdrawing consent.
Withdrawal of Consent
Data subjects may withdraw consent at any time without providing reasons. Upon withdrawal, the operator must cease processing and destroy the data within 30 days, unless another legal basis permits continued processing.
Compliance Obligations for Operators
Operators face a broad set of organizational and technical obligations under 152-FZ.
Organizational Measures
Every operator must appoint a person responsible for organizing personal data processing (Russia does not use the term "Data Protection Officer," but the function is similar). The operator must publish a personal data processing policy, establish internal rules for data handling, conduct regular audits of processing activities, train employees who handle personal data, and maintain records of all processing activities.
Technical Measures
Operators must implement technical security measures in accordance with Government Decree No. 1119 on the requirements for personal data protection during processing in information systems, and the orders of the Federal Service for Technical and Export Control (FSTEC). These include access control systems, encryption of data at rest and in transit, intrusion detection, regular vulnerability assessments, and backup and disaster recovery.
The required level of protection depends on the classification of the information system, which is determined by the volume and sensitivity of the data processed.
Data Retention
Personal data must not be retained longer than necessary for the stated purpose of processing. Once the purpose has been achieved, the data must be destroyed or anonymized within 30 days unless longer retention is required by law.
Recent Developments and Trends
Russia's data protection landscape continues to evolve rapidly.
Expansion of the Unified Biometric System
The Russian government has been expanding the Unified Biometric System (UBS), a centralized platform for collecting and processing biometric data. Originally launched for banking identity verification, the UBS is being extended to cover access to government services, transportation, and other sectors. Participation requirements for organizations continue to grow.
Increased Enforcement Volume
Roskomnadzor has steadily increased the number and scope of its enforcement actions. The agency reported blocking access to over 12,600 materials promoting VPN services in the first four months of 2025 alone, reflecting a broader push to control data flows and internet access within Russia.
International Isolation Effects
Following the departure of many Western technology companies from Russia since 2022, data privacy compliance has become more complex. Russian operators increasingly rely on domestic cloud providers and data centers, which has simplified localization compliance but raised questions about the independence of the regulatory environment.
Growing Criminal Enforcement
The introduction of criminal liability through Law 421-FZ marks a significant shift. Russian authorities have signaled that they intend to pursue criminal cases against individuals who profit from personal data leaks, particularly those involving insider threats at telecommunications companies, banks, and government agencies.
Sources and References
- Federal Law No. 152-FZ On Personal Data -- Roskomnadzor Official Registry (rkn.gov.ru)
- Federal Law No. 242-FZ on Data Localization Requirements -- Duane Morris (duanemorris.com)
- Federal Law No. 23-FZ (Feb 2025) -- Tightened Localization Effective July 2025 -- Lidings (lidings.com)
- Federal Law No. 420-FZ (Nov 2024) -- Increased Administrative Fines -- Digital Policy Alert (digitalpolicyalert.org)
- Federal Law No. 421-FZ (Nov 2024) -- Criminal Liability for Illegal Data Use -- Solstico Legal (solstico.legal)
- Criminal Liability and Fines Up to 500M Rubles -- Acsour Analysis (acsour.com)
- Mandatory Notification Before May 30 2025 -- Valen Legal (valen-legal.com)
- Localization Changes July 2025 -- Konsu Group (konsugroup.com)
- Data Protection Overview Russia -- Gorodissky (gorodissky.com)
- Russian Ministry of Digital Development (digital.gov.ru)
- Biometric Data Processing Russia -- Morgan Lewis (morganlewis.com)
- Russia Freedom on the Net 2025 -- Freedom House (freedomhouse.org)