Russia Data Privacy Laws: Federal Law 152-FZ, Penalties & 2025 Changes

Russia's primary data privacy statute, Federal Law No. 152-FZ on Personal Data, applies to any operator, anywhere in the world, that processes personal data of Russian citizens. It requires primary database storage inside Russia and, since late 2024, subjects violators to criminal penalties under Article 272.1 of the Criminal Code, including imprisonment up to 10 years.
Russia operates one of the most comprehensive and strictly enforced data privacy regimes in the world. Federal Law No. 152-FZ on Personal Data, first enacted on July 27, 2006, has been amended more than a dozen times and now sits at the center of a layered regulatory system that includes mandatory data localization, aggressive breach notification rules, a mass state-surveillance infrastructure, and, since late 2024, criminal penalties for data misuse.
For any business with Russian users, compliance is not optional. Roskomnadzor has demonstrated a willingness to block non-compliant platforms outright, as it did with LinkedIn in 2016, and the 2024-2025 penalty overhaul has made the financial consequences of non-compliance far more severe than at any prior point in the law's history.
This guide covers the full framework as it stands in mid-2026, including the landmark administrative and criminal penalty increases that took effect in late 2024 and May 2025.
Quick Answer: What Are Russia's Data Privacy Laws?
Russia's data privacy regime is built on three interlocking pillars. First, Federal Law No. 152-FZ sets the general rules for collecting, processing, and transferring personal data. Second, Federal Law No. 242-FZ (as tightened by Law No. 23-FZ in 2025) requires that personal data of Russian citizens be stored inside Russia. Third, the SORM surveillance system and the Yarovaya Law overlay the civilian framework with a mandatory state-access infrastructure that operates outside the consent-based model of 152-FZ.
The supervisory authority is Roskomnadzor, which holds broad powers to inspect, fine, and block. Following the 2024 amendments, individuals who illegally traffic in personal data also face prosecution under the Criminal Code.
Federal Law No. 152-FZ: The Core Framework
Scope and Key Definitions

Federal Law No. 152-FZ defines "personal data" broadly as any information relating to a directly or indirectly identifiable natural person. This covers obvious identifiers such as names, passport numbers, phone numbers, and email addresses, but also extends to combinations of data points that together identify an individual, online identifiers, and location data.
The law distinguishes between two primary actors. An "operator" is any person or entity that determines the purposes and content of personal data processing. A "processor" is an entity that handles personal data on an operator's instructions without independently determining the processing purpose. Both roles carry distinct obligations, and since July 2025 both are subject to the data localization requirement.
The law applies to:
- Russian legal entities and individuals engaged in data processing.
- Foreign entities that process personal data of Russian citizens, even if they have no physical presence in Russia.
- Any entity using databases located in Russia.
The Russian Ministry of Digital Development has clarified that a foreign entity targets Russian citizens if it uses .ru or .su domains, displays Russian-language content, accepts Russian currency, or places Russian-language advertising. Non-compliant foreign operators risk having their websites blocked in Russia.
Legal Bases for Processing
Under 152-FZ, personal data may only be processed on one of the following grounds:
Consent. The most commonly used basis. Consent must be freely given, specific, informed, and unambiguous. The 2022 amendments under Federal Law No. 266-FZ tightened this requirement: each separate processing purpose requires a separate consent, and pre-ticked boxes or bundled consent no longer satisfy the standard.
Contract performance. Processing is permitted when necessary to fulfill a contract with the data subject, such as delivering a purchased service.
Legal obligation. When a Russian federal law expressly requires the processing.
Vital interests. To protect the life or health of the data subject when consent cannot be obtained.
Legitimate interests. For the exercise of rights and legitimate interests of the operator or third parties, provided this does not override the data subject's fundamental rights.
Journalism, science, literature, and art. Subject to prohibitions on causing disproportionate harm.
Special Categories and Biometric Data
The law identifies a set of special categories that receive heightened protection: racial or ethnic origin, political opinions, religious or philosophical beliefs, health data, and data concerning sexual life. Processing these categories is prohibited unless the data subject provides explicit written consent or a specific statutory exception applies.
Biometric personal data is defined as information characterizing the physiological and biological features of a person used for identification, including fingerprints, facial images, iris scans, DNA profiles, and voice recordings. In the private sector, written consent is the only available processing basis. State agencies have broader authority under Federal Law No. 572-FZ governing the Unified Biometric System.
Breaches involving biometric data attract the highest administrative fines under the 2025 penalty schedule: 15 to 20 million rubles per incident for legal entities.
Data Subject Rights
Russian data protection law grants individuals enforceable rights over their personal data. These rights may be exercised through Roskomnadzor complaints and through Russian courts.
Right of access. Data subjects may request confirmation of processing, the legal basis and purposes, the categories of data held, and the retention period. Operators must respond within 10 business days.
Right to rectification. If data is inaccurate, incomplete, or outdated, the data subject may request correction. The operator must act promptly and notify the data subject.
Right to deletion. Data subjects may demand erasure if the data was collected unlawfully, is no longer needed for the stated purpose, or consent has been withdrawn. Operators must delete within 30 days.
Right to withdraw consent. Consent may be withdrawn at any time. Upon withdrawal, processing must cease and data must be destroyed within 30 days unless another legal basis justifies retention.
Right to object to automated decisions. Data subjects may object to decisions based solely on automated processing where those decisions produce legal or similarly significant effects. The operator must explain the decision logic on request.
Data Localization: Russia's Most Distinctive Requirement
The Original 2015 Mandate (Federal Law 242-FZ)

Federal Law No. 242-FZ, adopted in July 2014 and in force from September 1, 2015, requires all operators to carry out the recording, systematization, accumulation, storage, updating, and retrieval of personal data of Russian citizens using databases physically located within Russia.
The requirement applies regardless of where the operator is incorporated. A foreign company running a mobile app with Russian users must route the primary data storage to a Russia-based server. The original law permitted copying data abroad after initial collection in Russia, which many multinational companies used to maintain synchronized global systems.
The July 2025 Tightening (Federal Law No. 23-FZ)
Federal Law No. 23-FZ, signed February 28, 2025 and effective July 1, 2025, tightened the localization regime in three significant ways.
First, the obligation now covers processors as well as operators. HR document management platforms, cloud payroll systems, and any third-party data processor that handles Russian citizens' data on behalf of an operator must now store and process that data on Russian territory. The prior practice of delegating to foreign-hosted processors is no longer lawful.
Second, the use of foreign databases for the initial collection of personal data is expressly prohibited. Any form, chatbot, tracker, or intake script that writes data to a foreign server before replicating it to Russia violates the law, regardless of whether a Russian copy is subsequently created. The complete physical infrastructure involved in collection must be in Russia.
Third, operators must notify Roskomnadzor of the location of their databases. This notification is separate from the general processing notification and from any cross-border transfer notification.
Roskomnadzor uses an automated monitoring system called Revizor to verify server locations and analyze traffic patterns. The penalties for localization violations under the 2025 schedule are 1 to 6 million rubles for an initial violation and 6 to 18 million rubles for repeat violations.
The LinkedIn Precedent
The most prominent localization enforcement action remains the blocking of LinkedIn in Russia in November 2016. Roskomnadzor found that LinkedIn stored the personal data of Russian users on servers outside Russia and declined to comply. A Moscow court upheld the block. LinkedIn has remained inaccessible in Russia without a VPN ever since, and the case established that major global platforms are not exempt.
Roskomnadzor: Powers and Functions
The Federal Service for Supervision of Communications, Information Technology and Mass Media, universally known as Roskomnadzor, is Russia's data protection authority. It operates under the Ministry of Digital Development, Communications, and Mass Media.
Roskomnadzor's powers include:
- Maintaining the Register of Operators, to which all operators must submit notifications before commencing personal data processing.
- Conducting both scheduled and unscheduled inspections, with operators handling special categories or biometric data subject to inspection approximately every two years.
- Issuing binding orders to correct violations.
- Imposing administrative fines directly or through the courts.
- Petitioning courts to block websites that fail to comply with localization or other requirements.
- Reviewing and acting on complaints from data subjects.
Operator Registration Obligations
All data operators must notify Roskomnadzor before commencing processing. The notification must include the company's identity, the purposes and legal basis for processing, the categories of data and data subjects, the processing methods, the security measures in place, the contact details for the person responsible for data protection, and the anticipated retention period.
Roskomnadzor registers the operator within 30 days. Material changes must be reported within 10 business days.
Failure to submit the required notification carries fines of 100,000 to 300,000 rubles for legal entities under the 2025 penalty schedule.
Breach Notification Requirements
Since September 1, 2022, Russia has operated a two-step mandatory breach notification regime that is among the most demanding in the world in terms of response speed.
24-Hour Initial Notification
Upon discovering a security incident resulting in unauthorized transfer, destruction, modification, blocking, copying, or disclosure of personal data, the operator must notify Roskomnadzor within 24 hours. The initial notification must include the nature of the breach, the suspected cause, the categories and approximate number of affected individuals, the likely harm, the security measures in place at the time, and the contact details of the person coordinating the response.
72-Hour Follow-Up Report
Within 72 hours of discovering the breach, the operator must submit a full supplementary report covering the internal investigation findings, the specific records compromised, corrective actions taken and planned, and steps taken to mitigate harm to affected individuals.
Individual Notification
Operators are expected to notify affected data subjects where the breach is likely to cause significant harm. The law does not set an express deadline for individual notifications, but unreasonable delay may constitute a separate violation.
Penalties for Missed Deadlines
Failure to notify Roskomnadzor within 24 hours exposes a legal entity to fines of 1 to 3 million rubles. This is in addition to any fine levied for the underlying breach itself.
The 2024-2025 Penalty Overhaul
Russia enacted two laws on November 30, 2024 that together represent the most significant escalation of data protection penalties in the law's history. The administrative changes took effect May 30, 2025. The criminal changes took effect December 11, 2024.
Federal Law No. 420-FZ: Administrative Penalties
Federal Law No. 420-FZ amended the Code of Administrative Offences to introduce a tiered penalty structure for data breaches tied to the scale of exposure.
General data breach fines by scale (legal entities):
- 1,000 to 10,000 affected individuals: 3 million to 5 million rubles.
- 10,001 to 100,000 affected individuals: 5 million to 10 million rubles.
- More than 100,000 affected individuals: 10 million to 15 million rubles.
Biometric data breaches (legal entities): 15 million to 20 million rubles per incident, regardless of the number of individuals affected.
Repeat offense penalty: Where an operator has already received an administrative penalty for a data breach and suffers a subsequent breach, the penalty escalates to 1 to 3 percent of the company's annual revenue for the preceding calendar year, with a minimum of 20 million rubles and a maximum of 500 million rubles (approximately USD 5.5 million at current exchange rates).
General processing violations (unlawful processing or incompatible use, legal entities): 150,000 to 300,000 rubles, up from 60,000 to 100,000 rubles previously.
Breach notification failure (legal entities): 1 million to 3 million rubles for failure to notify Roskomnadzor within the required timeframes.
Data localization violations: 1 million to 6 million rubles for an initial violation; 6 million to 18 million rubles for a repeat violation.
Fine Reduction Conditions
Law 420-FZ also creates a mechanism for courts to reduce fines where the operator can demonstrate simultaneous compliance with all of the following conditions before the penalty is issued:
- Annual cybersecurity spending equal to at least 0.1 percent of the company's revenue.
- Use of encryption or licensed data-protection technologies.
- Annual compliance documentation maintained for the preceding three years.
- Absence of aggravating circumstances.
This provision incentivizes investment in data security infrastructure. Operators that can document ongoing security expenditure are in a better position when penalties are assessed after a breach.
Federal Law No. 421-FZ: Criminal Liability
Federal Law No. 421-FZ introduced Article 272.1 into the Russian Criminal Code, creating a specific offense covering illegal collection, storage, use, and transfer of computer information containing personal data. Prior to December 2024, personal data violations were treated as purely administrative matters. Criminal liability marks a structural shift in the enforcement landscape.
The penalties under Article 272.1 follow a graduated tier structure:
Tier 1 (basic offense): Unauthorized collection, storage, use, or transfer of personal data without legal grounds. Fine up to 300,000 rubles or income for up to one year, or imprisonment up to 4 years.
Tier 2 (minors, special categories, or biometric data): Same conduct involving protected categories of data. Fine up to 700,000 rubles or income for up to two years, or imprisonment up to 5 years.
Tier 3 (aggravated circumstances): Acts committed for financial gain, by conspiracy, causing major damage, or through abuse of official position. Fine up to 1 million rubles, or imprisonment up to 6 years.
Tier 4 (cross-border unauthorized transfer): Transferring personal data outside Russia without legal grounds. Fine up to 2 million rubles and imprisonment up to 8 years.
Tier 5 (organized group or grave consequences): Fine up to 3 million rubles and imprisonment up to 10 years.
Operating illegal data platforms: Creating or maintaining information resources designed for unlawful storage or distribution of personal data. Fine up to 700,000 rubles or imprisonment up to 5 years.
The personal-and-family-use exemption applies: individuals processing personal data solely for domestic or family purposes are not subject to criminal liability under this article.
Russian authorities have indicated that initial criminal prosecutions will focus on insider-threat cases at banks, telecommunications companies, and government agencies, where employees with data access profit from selling customer databases, and on operators of channels that sell leaked data sets.
Cross-Border Data Transfers
Russia permits cross-border transfers of personal data but subjects them to a notification-and-review regime that has been in place since March 1, 2023.
The Notification Framework
Operators must notify Roskomnadzor before initiating any cross-border transfer. The notification must specify the recipient countries, the categories of data to be transferred, the purposes, and the legal basis. Roskomnadzor reviews the notification and may prohibit or restrict the transfer within 10 business days. If no action is taken within that period, the transfer may proceed.
The cross-border transfer obligation operates independently of data localization. Operators may transfer data abroad, but the primary database must remain on Russian territory. A synchronized copy may travel; the master record stays in Russia.
Adequate and Inadequate Countries
Roskomnadzor maintains a list of countries treated as providing adequate data protection. This list primarily comprises parties to Council of Europe Convention 108, plus additional countries added by Roskomnadzor Order No. 128 of August 5, 2022.
Countries on the adequacy list as of 2025 include Council of Europe member states, as well as Australia, Canada, Israel, Japan, New Zealand, Singapore, and several others. Transfers to adequate countries proceed under the standard notification regime.
Transfers to countries not on the adequacy list require one of the following conditions:
- Written consent of the data subject explicitly naming the recipient country.
- Fulfillment of an international treaty obligation of Russia.
- Protection of Russia's constitutional order, defense, or national security.
- Performance of a contract with the data subject.
- Protection of the vital interests of the data subject when consent cannot be obtained.
Roskomnadzor may prohibit transfers to specific countries or recipients where the transfer would threaten Russia's security or sovereignty.
Consent Requirements in Practice
General Standards
Consent under 152-FZ must be freely given, specific, informed, and unambiguous. It may be given in any form that allows confirmation of receipt. The 2022 amendments eliminated bundled or pre-checked consent: each purpose requires a separate, affirmative act by the data subject.
When Written Consent Is Mandatory
Written consent is required for:
- Processing special categories of personal data.
- Processing biometric personal data.
- Cross-border transfers to countries without adequacy status.
- Automated decision-making with legal or similarly significant effects.
Written consent must include the data subject's full name and address, the operator's full name and address, the specific purposes of processing, the list of data categories to be processed, the identity of any third parties who will receive the data, a description of the processing actions, the consent period, and the method for withdrawing consent.
Consent Withdrawal
Data subjects may withdraw consent at any time without providing reasons. Upon withdrawal, the operator must cease processing and destroy the data within 30 days unless another legal basis permits continued retention.
The SORM and Yarovaya Surveillance Overlay
No guide to Russian data privacy is complete without addressing the state-surveillance infrastructure that operates alongside 152-FZ. The System for Operative Investigative Activities, known by its Russian acronym SORM, is a mandatory interception architecture that has been expanded through three successive generations.
How SORM Works

All telecommunications operators and internet service providers in Russia are legally required to install FSB-specified hardware on their networks at their own expense. This hardware enables the FSB to intercept and access all traffic in real time without notifying the carrier. Carriers have no visibility into what is collected or when access occurs.
Court authorization is nominally required before the FSB exercises interception powers. In practice, the courts function as a near-automatic approval mechanism: in 2023, Russian courts approved more than 500,000 surveillance requests and rejected fewer than 300. The European Court of Human Rights ruled in the 2015 Zakharov case that SORM violated privacy rights. Russia made no substantive reforms and, following its withdrawal from the Council of Europe in March 2022, is no longer bound by that ruling as a matter of formal obligation.
The Yarovaya Law Data Retention Mandate
The Yarovaya Law, enacted in July 2016 and with retention obligations effective from July 2018, extended SORM's reach by imposing mandatory data retention on all operators. Telecommunications providers and internet intermediaries must retain:
- The content of voice calls, text messages, images, and data transmissions for six months.
- Metadata (time, location, sender, recipient) for three years.
This retention is separate from data held for ordinary business purposes and must be stored in a format accessible to the FSB on demand. Under national security exceptions, this retained data is accessible without individual judicial authorization for each access event.
Significance for Foreign Businesses
The SORM infrastructure means that personal data of Russian users may be accessed by Russian state authorities entirely outside the consent-based framework of 152-FZ. Any business operating services in Russia should factor this into its risk assessment, particularly where data held relates to individuals who may be of interest to Russian authorities.
Compliance Obligations for Operators
Organizational Requirements
Every operator must designate a person responsible for organizing personal data processing, a role functionally similar to a Data Protection Officer. Their contact details must be included in the Roskomnadzor notification. Failure to appoint a responsible person carries a fine of up to 50,000 rubles.
Operators must also:
- Publish a personal data processing policy accessible to users.
- Establish internal rules and procedures for data handling.
- Conduct regular audits of processing activities.
- Train all employees who access personal data.
- Maintain records of processing activities.
Technical Security Requirements
Operators must implement technical measures meeting the requirements of Government Decree No. 1119 and orders of the Federal Service for Technical and Export Control (FSTEC). The required protection level depends on the classification of the data and the information system. Requirements include:
- Access control and authentication systems.
- Encryption of personal data at rest and in transit.
- Intrusion detection and prevention.
- Regular vulnerability assessments.
- Data backup and disaster recovery.
The 0.1 percent of revenue cybersecurity spending threshold takes on practical significance under 420-FZ, since documented compliance is one of the conditions that may reduce an administrative fine after a breach.
Data Retention Limits
Personal data must not be retained beyond the period necessary for its stated processing purpose. Once the purpose is achieved, data must be destroyed or anonymized within 30 days, unless a longer retention period is imposed by law. The retention period must be documented in both the processing policy and the Roskomnadzor notification.
Compliance for Foreign Businesses
Foreign companies with Russian users face the most complex compliance position of any Russian data operator.
Data localization. Any service that collects personal data from Russian users must route initial collection through Russia-based infrastructure. Using a foreign cloud platform for the intake form, even temporarily, violates the July 2025 requirements.
Operator notification. Foreign operators within the law's extraterritorial scope must submit a notification to Roskomnadzor in Russian. Failure to register exposes the operator to the risk of website blocking in Russia.
Cross-border transfer filing. Any data flow from Russian servers to non-Russian infrastructure requires prior notification to Roskomnadzor. This includes routine data replication for global analytics or disaster recovery.
Breach notification. Foreign operators are subject to the 24/72-hour notification regime. Without Russian-speaking legal counsel or a local compliance partner, meeting the 24-hour deadline requires advance preparation.
Exit considerations. Following the departure of many Western technology companies from Russia after 2022, some operators now face the question of how to handle residual Russian user data. Operators that have ceased Russian operations but retain Russian user data must still address 152-FZ obligations, including handling deletion requests and complying with the cross-border transfer rules that govern even data movements out of Russia.
Recent Developments (2024-2026)
Criminal enforcement begins (December 2024). The entry into force of Law 421-FZ marks the first time personal data violations have carried criminal consequences in Russia. Prosecutors have indicated that initial cases will target data brokers, insiders at financial institutions and telecoms, and operators of services that sell leaked databases.
420-FZ fines now in force (May 2025). The revenue-based repeat-offense fines and the new biometric breach penalties became effective May 30, 2025. Operators should audit their breach response procedures and security investment documentation to ensure they can use the fine reduction provisions if needed.
Localization extended to processors (July 2025). The tightened localization requirements under Law 23-FZ took effect July 1, 2025. Companies that rely on third-party processors based outside Russia must migrate those processing activities to Russia-based infrastructure or Russia-operated cloud services.
Expanded Unified Biometric System. The government continues to extend the Unified Biometric System beyond banking into public transit, healthcare, and government services. This expansion increases the volume of biometric data in circulation and therefore the pool of operators exposed to the highest penalty tier.
Platform blocking and VPN enforcement. Roskomnadzor blocked access to more than 12,600 materials promoting VPN services in the first four months of 2025. The agency also restricted Apple FaceTime, citing its use for criminal recruitment. This pattern reflects ongoing pressure on tools that can be used to circumvent data-flow restrictions.
Domestic cloud migration. The exit of major Western cloud providers from Russia after 2022 has accelerated migration to domestic alternatives such as Yandex Cloud, SberCloud, and Mail.ru Cloud. Domestic providers simplify localization compliance but are themselves subject to SORM obligations.
Rule-of-law caveat. Russia's withdrawal from the Council of Europe in March 2022 removed the principal external accountability mechanism for data protection enforcement. The formal rules of 152-FZ exist and are enforced, but the enforcement environment is not independent of political considerations. Foreign operators in particular should note that Roskomnadzor blocking decisions have sometimes appeared to track broader geopolitical tensions rather than purely legal non-compliance.
Frequently Asked Questions
Does Russia's Federal Law 152-FZ apply to foreign companies?
Yes. The law applies to any entity that processes personal data of Russian citizens, regardless of where the entity is incorporated or hosted. Roskomnadzor uses several practical tests to determine whether a foreign entity targets Russian users: use of .ru or .su domains, Russian-language content or advertising, and acceptance of Russian currency. Non-compliant foreign operators risk having their websites blocked in Russia.
What are the data localization requirements and how have they changed in 2025?
Since September 2015, all operators must store personal data of Russian citizens in databases physically located in Russia. As of July 1, 2025, this obligation extends to processors acting on behalf of operators, and the initial collection of personal data through foreign-hosted infrastructure is expressly prohibited. Operators may still transfer copies of data abroad after complying with the cross-border transfer notification regime, but the primary database must remain on Russian territory.
What are the maximum penalties for data protection violations in Russia?
Administrative penalties for repeat large-scale breaches can reach 1 to 3 percent of annual revenue, capped at 500 million rubles (approximately USD 5.5 million), effective May 30, 2025. Biometric data breaches carry fixed fines of 15 to 20 million rubles per incident. On the criminal side, organized illegal data trafficking or offenses causing grave consequences carry imprisonment up to 10 years and fines up to 3 million rubles under Article 272.1 of the Criminal Code.
How quickly must a data breach be reported in Russia?
Operators must notify Roskomnadzor within 24 hours of discovering a breach. A full supplementary report must follow within 72 hours. Failure to meet the 24-hour deadline can result in additional fines of 1 to 3 million rubles for legal entities, on top of any penalties for the breach itself.
What is SORM and how does it affect privacy in Russia?
SORM is the FSB's mandatory interception infrastructure. All Russian telecoms and internet providers must install FSB-accessible hardware at their own expense. The FSB can access traffic in real time. Under the Yarovaya Law, operators must also retain communications content for 6 months and metadata for 3 years. SORM operates outside the consent framework of 152-FZ: state access does not require the data subject's consent and court oversight is extremely limited in practice.
Is consent always required to process personal data in Russia?
No. Consent is the most commonly used legal basis but 152-FZ recognizes five others: contract performance, legal obligation, vital interests, legitimate interests, and journalistic or scientific purposes. However, written consent is specifically required for processing special categories of data, biometric data, cross-border transfers to countries without adequacy status, and automated decision-making with legal effects.
What criminal offenses did Law 421-FZ create?
Federal Law No. 421-FZ (effective December 11, 2024) introduced Article 272.1 into the Russian Criminal Code, covering illegal collection, storage, use, transfer, and cross-border transfer of personal data. The base offense carries up to 4 years imprisonment. Aggravated cases involving minors or biometric data carry up to 5 years; cross-border unauthorized transfers carry up to 8 years; and organized criminal activity or grave consequences carry up to 10 years imprisonment with fines up to 3 million rubles.