05
Wed, Aug
52 New Articles

Russian Data Localisation and Whistleblowing Systems – the Most Important Q&A

Russian Data Localisation and Whistleblowing Systems – the Most Important Q&A

Russia
Tools
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Even though data localisation requirements were already introduced in Russia back in 2015, their effects on cross-border reporting channels in the whistleblowing systems of multinational companies have so far received relatively little attention. Due to the recent increase in the fines for violations, we have compiled the most important questions and answers below:

Why are cross-border reporting channels in Russia critical?

Cross-border reporting channels for Russia may violate the Russian data localisation requirements. In particular, this is the case where the personal data of Russian citizens is collected and saved for the first time outside of Russia upon the receipt of reports. Reporting channels with foreign telephone numbers as well as e-mail addresses or websites with data storage on servers abroad are therefore not permitted. That means that group-wide whistleblowing systems cannot be extended to Russia without problems.

What happens if data localisation requirements are violated?

In the event of violations of the data localisation requirements, the Russian supervisory authority Roskomnadzor may block websites and impose fines. These fines were increased significantly at the end of last year from previously insignificant amounts to approximately EUR 80,000 for initial and EUR 240,000 for repeated violations. Roskomnadzor closely monitors compliance with the localisation requirements and performs hundreds of compliance audits each year. During a compliance audit, Roskomnadzor checks all information systems used by the company, including any whistleblowing systems. Using non-localised reporting channels therefore entails a high risk of being penalised at any time.

What exactly are the Russian data localisation requirements?

To comply with the Russian data localisation requirements, whistleblower reports from Russia must be stored initially in Russia, as they may contain the personal data of Russian citizens. This is the only option to ensure compliance with the main requirement of the Russian data localisation rules, which is to place the primary database with the personal data of Russian citizens on a server in Russia. Any database abroad can only be a copy of the Russian database; the Russian database must always be updated before an update is made to the foreign database.

Should companies do without reporting channels for Russia?

Multinational companies operating in Russia face the difficult choice to either set up reporting channels on the ground or to leave Russia out of the group-wide whistleblowing system. However, for most companies it will hardly be acceptable to operate in a country with a high risk of bribery and corruption such as Russia without being able to receive whistleblower reports. In that case, they would be exposed to significantly increased liability risks under Russian and, in particular, foreign law (such as the US FCPA and UK Bribery Act, or the upcoming German Act on Corporate Sanctioning).

Can reporting channels at the Russian subsidiary be an alternative?

Companies with offices on the ground would usually consider setting up internal reporting channels to Russian personnel (e.g. to the local general director or compliance function). Such internal reporting channels, however, will likely suffice only in exceptional cases. Since a legislative initiative aimed at the protection of whistleblowers ultimately failed in June 2019, whistleblowers enjoy almost no protection under Russian law. Fear of retaliation and concerns regarding the objectivity of case management would limit whistleblower activity in many local offices right from the outset.

What can multinational companies do?

In most cases, companies will be able to set up a functioning local whistleblowing system in Russia only at external ombudspersons. These ombudspersons can receive reports on the ground and feed them into the group-wide whistleblowing system, in compliance with the data localisation requirements. The relevant criteria for selecting the ombudspersons will be the availability of the technical infrastructure, the ability to handle case management as well as their integrity. In particular, the last criterion will likely cause the most difficulties when selecting ombudspersons in Russia.

By Hannes Lubitzsch, Associated Partner, and Vyacheslav Khayryuzov, Counsel, Noerr

Russian Knowledge Partner

Founded in 1993, Egorov Puginsky Afanasiev & Partners is the leading full-service law firm in the CIS with offices in Russia, Ukraine and Belarus and associated offices in the UK, the USA and Cyprus.

We advise its clients in many areas of law, including: dispute resolution in Russia and abroad, corporate law, M&A, antitrust issues, project finance and PPP, restructurings and insolvencies, energy and natural resources, property management and privatization, environment, technical regulation and industrial safety, banking and finance, intellectual property, criminal law, real estate and construction, taxation, family and labour disputes, marine and transport law, and international trade and customs.

We combine high academic qualifications, internationally acknowledged moral and ethical values, senior partners' professional experience and practical abilities with the vigour and knowledge of younger attorneys that enables thus providing clients with reliable, first-class service according to both Russian and western standards through a flexible structure.

All News about, and Legal Analysis by, Egorov Puginsky Afanasiev & Partners can be found here.

Firm's website: www.epam.ru

 

Our Latest Issue