A bill has been submitted to Russia’s State Duma that would impose multi-million-ruble fines on Internet companies that refuse to store Russian users’ personal data on servers located in Russia, and on tech companies that repeatedly fail to surrender encryption keys to Russia’s Federal Security Service (FSB).

Under the draft legislation, legal entities that fail to comply with Russia’s data-localization requirements would risk fines between 2 and 6 million rubles ($30,980 and $92,930) for first offenses, and fines as high as 18 million rubles ($278,820) for repeat violations. Repeat refusals to surrender user-correspondence encryption keys to the FSB would result in fines between 2 and 6 million rubles.

“This legislation is a signal not only to Twitter and Facebook, but also to other companies that still haven’t complied with the requirements of Russia's laws,” says Alexander Zharov, the head of Roskomnadzor, Russia’s federal censor.

Currently, Internet companies that refuse to store users’ personal data in Russia are liable under administrative codes on the failure to provide information to the state. The maximum fine under existing laws is 5,000 rubles ($77).

This spring, Twitter and Facebook were each fined 3,000 rubles ($46) for refusing to store user data in Russia. Both companies have challenged the penalties in court.

After imposing fines, if noncompliance continues, Roskomnadzor has the power to force Internet service providers to block violators in Russia.