If you run a business in Russia, build a product for that market, or simply want to know which rules govern personal data, it helps to see the whole legislative map at a glance. Below is a compact overview of the main acts and ideas that still shape practice in 2026. This is not legal advice — real cases need review with qualified counsel.
Constitution of the Russian Federation: privacy baseline
Articles 23–24 protect private life, family privacy, correspondence secrecy, and limit how information about private life may be collected. Later statutes are expected to stay consistent with these guarantees.
Federal Law No. 152‑FZ “On Personal Data”
Russia’s core specialized statute for operators and data subjects. In broad terms, 152‑FZ provides that:
- Personal data is processed on a lawful basis (consent, contract, legal obligation, and other grounds listed in the law).
- Operators must organize protection, access control, incident handling, and interaction with Roskomnadzor where the law requires it.
- Data subjects may obtain information about processing and, subject to exceptions, seek correction, blocking, or deletion (unless another law mandates longer retention).
- Rules apply to cross‑border transfers and to data localization: when collecting personal data of Russian citizens for subsequent processing while providing them services in Russia, initial recording and accumulation must occur in databases located in Russia (exact wording and carve‑outs are in the current text of the law and implementing regulations).
The law has been amended several times; before launching a product or changing how you process data, check the current edition and regulator guidance.
Federal Law No. 149‑FZ “On Information, IT, and Information Protection”
Covers a wider set of topics: information, online dissemination, information systems, interaction with registries of prohibited information, duties of organizers of information dissemination, and more. For companies and users, it is often the frame in which access to information meets content restrictions and intermediary obligations.
Criminal liability: unlawful access and malware (Criminal Code)
Criminal law complements civil and administrative tools:
- Article 272 — unlawful access to computer information.
- Article 273 — creation, distribution, or use of malicious programs.
Related offenses (trafficking credentials, misuse of storage rules, etc.) may also apply. Prosecutors and courts determine the exact charge.
Administrative liability (Code of Administrative Offenses)
Legal entities and officials can face administrative fines for violations of personal‑data rules (for example, missing required safeguards or processing without a proper legal basis where the law demands one). Fine amounts and grounds are updated over time — always use the current code.
Sector‑specific laws
Depending on the domain, other acts matter:
- Telecommunications rules and operator duties tied to investigations.
- Banking secrecy and medical confidentiality with their own regimes.
- Requirements for government and municipal information systems.
There is no single “one law for everything” in regulated industries — expect sector‑by‑sector analysis.
International context
GDPR and other EU regimes do not replace Russian law for processing that falls squarely under Russian rules, but they matter if you handle EU residents’ data or run cross‑border flows with the EU: you may need to reconcile multiple jurisdictions.
What end users should notice
- Privacy policies and consents should reflect real purposes and legal bases, in line with 152‑FZ‑style transparency.
- Access and objection rights should be reachable through real channels, not buried boilerplate.
- After a breach or abuse, document the facts, contact the operator, and, where the case warrants it, involve Roskomnadzor or law enforcement.
Summary
In 2026, Russia’s framework still centers on Federal Law 152‑FZ on personal data, together with 149‑FZ on information, constitutional privacy protections, and criminal and administrative liability for unlawful access or mishandling. How it applies depends on your industry, role (operator, processor, cross‑border transfer), and the current text of the law — verify that before any legally significant decision.