In December 2024, a new article – 272.1 – was introduced into the Criminal Code of the Russian Federation by Federal Law No. 421-FZ of 30.11.2024. It established criminal liability for the illegal use, transfer, collection, or storage of computer information containing personal data.
Within the professional community of private detectives, this law caused a lot of discussion even during its draft stage. Today, many detectives are uncertain about how to work under these conditions — for example, simply trying to find a colleague’s phone number can now result in a 4-year prison sentence. Some are leaving the profession, while others continue business as usual.
Today, we’ll explain what we plan to do in this situation.
Let’s start with a short overview of the new law. In addition to introducing a new criminal offense, amendments were made to the Code of Administrative Offenses – turnover-based fines have been introduced for companies responsible for data leaks. Starting from 30.05.2025, such fines can reach up to 500 million rubles.
Overall, the message and purpose of the law are quite relevant, aiming primarily to protect citizens from the consequences of constant data breaches, which have sadly become commonplace. For example, in 2022, “Yandex” was fined 60,000 rubles for a leak of data from its Yandex.Eats service — as a result, the actual addresses of virtually every customer were exposed, along with phone numbers and other sensitive information (such as intercom codes). Clearly, the penalty did not match the damage caused.
As for the new article of the Criminal Code, it outlines the following offenses.
| Provision of Article 272.1 of the Criminal Code | Prison Term |
|---|---|
| Illegal use and/or transfer (distribution, provision, access), collection and/or storage of computer information containing personal data obtained through unauthorized access to the means of processing or storing such data, or through interference with their functioning, or by other unlawful means | 4 years |
| The same acts committed in relation to computer information containing personal data of minors, special categories of personal data, and/or biometric personal data | 5 years |
| Acts committed: a) for financial gain; b) causing significant damage; c) by a group with prior conspiracy; d) using official position |
6 years |
| Acts involving transborder transfer of computer information containing personal data and/or transborder movement of information carriers containing personal data | 8 years |
| Acts covered by this article that result in serious consequences or are committed by an organized group | 10 years |
| Creation and/or operation of an information resource (a website or a webpage on the Internet, information system, or software application) knowingly intended for the illegal storage or transfer (distribution, provision, access) of computer information containing personal data obtained unlawfully | 5 years |
As you can see, the penalties are quite serious.
It’s worth highlighting Part 6 of the article, which addresses responsibility for creating and maintaining information resources. This includes any bots or services that aggregate personal data.
Now let’s talk about how we plan to proceed given these changes.
After the law was passed, our team and partners (currently including several other detective agencies) held a brainstorming session and outlined directions we can safely develop and offer to our clients within the new legal framework. Here’s what we came up with.
We see these directions as the most promising and will focus our efforts on further developing our expertise in them.
Moreover, we are launching a referral program for our clients — if a new client comes through your recommendation, we’ll thank you with 10% of the contract value. So feel free to recommend us!
Sincerely, Head of the Agency, Alexey Sedykh
