1. Introduction
The current stage of societal development is characterized by a transition to a digital model of interaction, in which the majority of social, economic, and state processes are carried out using information technologies. Digitalization significantly simplifies access to services, accelerates information exchange, and increases management efficiency. For instance, in the Russian Federation, according to data presented by the President, there are over 130 million Internet users, and the share of households with broadband Internet access is expected to reach 97% by 2030 [4]. However, technological progress creates new threats to the right to privacy. The collection and processing of personal data are often carried out without fully informing data subjects, which gives rise to ethical problems regarding respect for the right to personal secrecy and the fairness of information processing.
One of the key phenomena of the modern information society is the formation of the so-called human digital footprint [9]. A digital footprint is understood as the aggregate of information that remains as a result of a user’s activity on the Internet and when using various digital services. This footprint is formed both through the user’s conscious actions (registering on websites, publishing information, online purchases) and automatically — through the collection of technical data about behavior, geolocation, and activity time. The digital footprint has a dual nature: on the one hand, it allows for increased service efficiency and personalized services; on the other hand, it creates a threat to privacy. On its basis, a digital personality profile is formed, which may contain information about habits, interests, income level, and health status. The use of such data by third parties without the subject’s consent poses a particular danger. Moreover, a digital footprint is almost impossible to completely delete, as data is stored on the servers of various organizations and can be copied an unlimited number of times.
The relevance of this topic is driven by the alarming statistics of incidents related to personal data breaches. According to analytical reports, 103 data breaches involving 50 million records were recorded in 2025. In 2024, there were 135 breaches with over 710 million records of personal data [15]. These figures confirm the scale of the problem and its impact on the security of citizens.
The aim of the study is to analyze the effectiveness of existing legal mechanisms for protecting citizens’ right to confidentiality of personal data in the context of digitalization, as well as to identify the main threats and risks associated with the use of digital technologies.
The objectives of the study include:
- To examine the legal nature of personal data and the content of constitutional guarantees of privacy.
- To analyze the main types of violations and judicial practice in this area.
- To evaluate recent changes to Russian legislation (Federal Laws No. 420-FZ and No. 421-FZ) regarding administrative and criminal liability.
- To formulate proposals for improving the legal regulation of personal data protection.
2. Material and methods
The empirical basis of the study consisted of statistical data on personal data breaches for 2024–2025, published in analytical reports [15], as well as court decisions in cases of violations in the field of personal data protection.
The regulatory framework for the study is determined by:
— The Constitution of the Russian Federation (Article 24, guaranteeing the right to privacy) [1];
— Federal Law No. 152-FZ of July 27, 2006 «On Personal Data» (as amended) [3];
— Federal Law No. 421-FZ of November 30, 2024, which supplemented the Criminal Code of the Russian Federation with Article 272.1 [14];
— Federal Law No. 420-FZ of November 30, 2024, which increased administrative liability under Article 13.11 of the Code of Administrative Offenses of the Russian Federation [13];
— Decree of the President of the Russian Federation No. 474 of July 21, 2020 «On the National Development Goals of the Russian Federation through 2030» (regarding digitalization and internet access) [4];
— Resolution of the Government of the Russian Federation of June 30, 2018 No. 772 (on determining the list of biometric personal data) [5].
The theoretical basis was formed by the scientific works of I.L. Bachilo [6], G.E. Volkova [7], K.A. Ivanova [8], A.N. Mochalov [9], A.P. Sergeev and T.A. Polyakova [10], devoted to issues of personal data protection, digital footprint and privacy.
The following methods were used in the study:
— formal legal analysis — to analyze legal provisions on financial data;
— comparative legal analysis — to examine various approaches to legal regulation;
— analysis of judicial practices — to identify typical phenomena;
— statistical analysis — to process data on breaches;
— systemic and structural analysis — to classify medical data and identify key issues.
3. Results and discussion
3.1. Concept and Classification of Personal Data
The study found that personal data means any information relating directly or indirectly to an individual who is identified or identifiable [3]. This definition is broad in nature, which allows it to cover a significant amount of information, but at the same time creates certain difficulties in the precise identification of such data and in law enforcement.
For a deeper understanding of the category of personal data, it is necessary to examine their classification [6].
By degree of access:
- Confidential data – information whose access is restricted by law and internal policies of organizations;
- Publicly available data – information voluntarily disclosed by the data subject to an unlimited circle of persons.
By category:
- Ordinary data – information that allows identifying a person;
- Special data – categories of personal data that include information about racial or ethnic origin, political opinions, religious or philosophical beliefs, health status, intimate life, etc. [3].
In accordance with current legislation and established law enforcement practice, the following information about an individual falls under the category of protected personal data: last name, first name, patronymic, date and place of birth, gender, residential address, data from an identity document, taxpayer identification number (if any); telephone numbers, passport details, INN, SNILS, salary level, marital status; passport number and series; insurance number of an individual personal account; biometric data; bank account, bank card number [3][8].
3.2. Biometric Personal Data
A special place in this system is occupied by biometric personal data [5][3]. As the study has shown, this refers to information characterizing the physiological and biological features of a person, allowing for their identification. Such data include facial image, voice, fingerprints, and iris of the eye.
The uniqueness of biometric data lies in its immutability: unlike a password or a phone number, such data cannot be replaced if compromised. In this regard, the processing of biometric data requires a special legal framework and enhanced protection measures. Their unlawful use can lead to serious consequences, including violation of the right to privacy and threats to personal security.
Thus, biometric data represents the most sensitive category of personal information, requiring strict regulation.
3.3. Legal Regulation of Personal Data Protection
Turning to the analysis of the regulatory framework, it should be noted that the fundamental source is Article 24 of the Constitution of the Russian Federation [1], which establishes a prohibition on the collection, storage, and dissemination of information about an individual’s private life without their consent. A key role is played by Federal Law No. 152-FZ of July 27, 2006, «On Personal Data» [3], which regulates the entire data lifecycle: from collection to destruction. A separate permissive procedure is established for biometric data (Part 2 of Article 11 of Law No. 152-FZ) [3] due to their immutability.
At the end of 2024, amendments came into force that increased liability: the Criminal Code was supplemented with Article 272.1 [2] (imprisonment of up to 10 years for illegal trafficking of personal data), and Article 13.11 of the Code of Administrative Offenses of the Russian Federation was made stricter [13].
In practice, Article 9 of Law No. 152-FZ [3] enshrines the data subject’s right to withdraw consent, but there is no mechanism for the actual deletion of the «digital footprint.» Data once transferred to an operator may be retained in backup copies, transferred to third parties on the basis of contracts, and is not subject to destruction unless «otherwise provided by law.» This creates a significant gap between the right and its implementation.
Furthermore, there is a conflict between Article 24 of the Constitution of the Russian Federation [1] and the requirements of Federal Law No. 115-FZ «On Counteracting the Legalization of Income» [11], which obliges banks and telecommunications operators to retain customer data for up to 5 years without the possibility of early deletion at the request of a citizen. The public interest (combating money laundering) effectively blocks the implementation of the constitutional right to privacy.
3.4. Key Problems of Personal Data Protection and Ways to Solve Them
One of the most acute problems is mass data breaches and insufficient security of information systems. The number of incidents is measured in the hundreds per year, and the volume of compromised records is in the hundreds of millions [15]. Leaks of biometric data are particularly dangerous because such data cannot be replaced [5][3].
To solve this problem, it is first necessary to strengthen information security requirements for organizations, including the mandatory implementation of modern security measures, regular system audits, and employee training. Furthermore, it is advisable to introduce a mechanism of turnover-based fines, in which the amount of sanctions depends on the company’s financial indicators, thereby increasing business interest in data protection.
In practice, the most common violation is the formal obtaining of consent to the processing of personal data [7][8]. Users, as a rule, are not aware of exactly what information they are providing and for what purposes it will be used. This is due to the complexity of user agreements and the lack of a real possibility of refusing data transfer when using digital services. As a result, the collection often exceeds the stated purposes, and data is transferred to third parties without explicit consent.
A solution to this problem is possible through stricter requirements for informing users. It is necessary to ensure transparency of data processing, including simplifying consent forms, mandatory disclosure of the purposes of information use, and providing a real possibility of refusal. Control over compliance with the principle of data minimization should also be strengthened, whereby the collection of information is limited to only the necessary volume [16].
A significant portion of violations in the field of personal data protection is due to the human factor [9][10]. Employee errors, the use of weak passwords, non-compliance with basic security rules, and insufficient awareness among citizens about the risks of the digital environment significantly increase the likelihood of leaks and other incidents.
Moreover, many users lack sufficient knowledge about their rights and do not take the necessary measures to protect their personal information [17].
In this regard, the development of digital literacy programs becomes particularly important [10]. It is necessary to implement educational initiatives aimed at developing safe behavior skills in the digital environment, both among citizens and among specialists working with personal data.
4. Conclusion
The conducted study allows us to conclude that digitalization has created new threats to the privacy of citizens. Russian legislation is increasing liability for data breaches, but this alone does not solve the problem [18]. The main weaknesses lie not in the absence of penalties, but in the fact that protection mechanisms do not work well.
The measures proposed in the article — turnover-based fines, simplified consent forms, digital literacy programs — could improve the situation, but require serious refinement and political will.
References
1. Konstitutsiya Rossiyskoy Federatsii (prinyata vsenarodnym golosovaniem 12.12.1993 s izmeneniyami, odobrennymi v khode obshcherossiyskogo golosovaniya 01.07.2020) [The Constitution of the Russian Federation]. Ofitsial'nyy internet-portal pravovoy informatsii. URL: http://www.pravo.gov.ru/constitution/ (accessed: 17.04.2026).
2. Ugolovnyy kodeks Rossiyskoy Federatsii ot 13.06.1996 № 63-FZ (red. ot 11.12.2024) [Criminal Code of the Russian Federation]. Sobranie zakonodatel'stva RF. 1996. № 25. St. 2954.
3. Federal'nyy zakon ot 27.07.2006 № 152-FZ «O personal'nykh dannykh» (red. ot 30.11.2024) [Federal Law on Personal Data]. Sobranie zakonodatel'stva RF. 2006. № 31 (ch. 1). St. 3451.
4. Ukaz Prezidenta RF ot 21.07.2020 № 474 «O natsional'nykh tselyakh razvitiya Rossiyskoy Federatsii na period do 2030 goda» [Decree of the President on National Development Goals]. Sobranie zakonodatel'stva RF. 2020. № 30. St. 4884.
5. Postanovlenie Pravitel'stva RF ot 30.06.2018 № 772 «Ob opredelenii perechnya biometricheskikh personal'nykh dannykh...» [Government Resolution on Biometric Data]. Sobranie zakonodatel'stva RF. 2018. № 28. St. 4234.
6. Bachilo I.L. Informatsionnoe pravo: uchebnik dlya vuzov [Information Law: Textbook for Universities]. 5th ed. Moscow: Yurayt Publ., 2023. 419 p.
7. Volkova, G.E. Pravovoe regulirovanie obrabotki geolokatsionnykh dannykh: problemy i perspektivy [Legal Regulation of Geolocation Data Processing: Problems and Prospects]. Informatsionnoe pravo. 2022. № 4. P. 15-19.
8. Ivanova, K.A. Zashchita personal'nykh dannykh v epokhu Big Data [Personal Data Protection in the Big Data Era]. Vestnik Moskovskogo universiteta. Seriya 11: Pravo. 2023. № 2. P. 88-102.
9. Mochalov, A.N. Tsifrovoy sled cheloveka: ponyatie, pravovaya priroda, problemy zashchity [Digital Footprint: Concept, Legal Nature, Protection Problems]. Rossiyskiy yuridicheskiy zhurnal. 2021. № 5. P. 172-181.
10. Sergeev, A.P., Polyakova, T.A. Pravo na neprikosnovennost' chastnoy zhizni v tsifrovuyu epokhu [Right to Privacy in the Digital Age]. Zhurnal rossiyskogo prava. 2023. № 1. P. 45-58.
11. Federal'nyy zakon ot 07.08.2001 № 115-FZ «O protivodeystvii legalizatsii (otmyvaniyu) dokhodov, poluchennykh prestupnym putem, i finansirovaniyu terrorizma» (red. ot 30.12.2025) [Federal Law on Counteracting Legalization of Illegally Obtained Incomes]. Sobranie zakonodatel'stva RF. 2001. № 33 (ch. 1). St. 3418.
12. Federal'nyy zakon ot 27.07.2006 № 149-FZ «Ob informatsii, informatsionnykh tekhnologiyakh i o zashchite informatsii» (red. ot 08.08.2024) [Federal Law on Information, Information Technologies and Protection of Information]. Sobranie zakonodatel'stva RF. 2006. № 31 (ch. 1). St. 3448.
13. Federal'nyy zakon ot 30.11.2024 № 420-FZ «O vnesenii izmeneniy v Kodeks Rossiyskoy Federatsii ob administrativnykh pravonarusheniyakh» [Federal Law No. 420-FZ amending the Code of Administrative Offenses]. Sobranie zakonodatel'stva RF. 2024. № 49. St. 7321.
14. Federal'nyy zakon ot 30.11.2024 № 421-FZ «O vnesenii izmeneniy v Ugolovnyy kodeks Rossiyskoy Federatsii» [Federal Law No. 421-FZ amending the Criminal Code]. Sobranie zakonodatel'stva RF. 2024. № 49. St. 7322.
15. Analiticheskiy otchet o utechkakh personal'nykh dannykh v Rossii v 2024-2025 godakh [Analytical report on personal data breaches in Russia in 2024-2025] // InfoWatch. 2026. URL: https://www.infowatch.ru/resources/analytics (accessed: 17.04.2026).
16. Bondarev, V.G., Bashmakova, N.I., Sinina, A.I. (2020). Judicial discourse: genesis and definition of the concept // Conflictology. Vol. 15. № 1. pp. 52-65.
17. Bashmakova, N.I., Ryzhova, N.I., Kuznetsova, O.A. (2025). Historical Retrospective of Mediation as an Integrative Concept: Paradigms of Study and Interdisciplinarity. Administrative Consulting, (1-1), 65-80.
18. Privalov, N. I. (2012). The Third Way of Russia: A New Hope in the XXI Century. Ekaterinburg: Ural Publishing, 434 p.
