Even though data localisation requirements were already introduced in Russia back in 2015, their effects on cross-border reporting channels in the whistleblowing systems of multinational companies have so far received relatively little attention. Due to the recent increase in the fines for violations, we have compiled the most important questions and answers below:
Why are cross-border reporting channels in Russia critical?
Cross-border reporting channels for Russia may violate the Russian data localisation requirements. In particular, this is the case where the personal data of Russian citizens is collected and saved for the first time outside of Russia upon the receipt of reports. Reporting channels with foreign telephone numbers as well as e-mail addresses or websites with data storage on servers abroad are therefore not permitted. That means that group-wide whistleblowing systems cannot be extended to Russia without problems.
What happens if data localisation requirements are violated?
In the event of violations of the data localisation requirements, the Russian supervisory authority Roskomnadzor may block websites and impose fines. These fines were increased significantly at the end of last year from previously insignificant amounts to approximately EUR 80,000 for initial and EUR 240,000 for repeated violations. Roskomnadzor closely monitors compliance with the localisation requirements and performs hundreds of compliance audits each year. During a compliance audit, Roskomnadzor checks all information systems used by the company, including any whistleblowing systems. Using non-localised reporting channels therefore entails a high risk of being penalised at any time.
What exactly are the Russian data localisation requirements?
To comply with the Russian data localisation requirements, whistleblower reports from Russia must be stored initially in Russia, as they may contain the personal data of Russian citizens. This is the only option to ensure compliance with the main requirement of the Russian data localisation rules, which is to place the primary database with the personal data of Russian citizens on a server in Russia. Any database abroad can only be a copy of the Russian database; the Russian database must always be updated before an update is made to the foreign database.
Should companies do without reporting channels for Russia?
Multinational companies operating in Russia face the difficult choice to either set up reporting channels on the ground or to leave Russia out of the group-wide whistleblowing system. However, for most companies it will hardly be acceptable to operate in a country with a high risk of bribery and corruption such as Russia without being able to receive whistleblower reports. In that case, they would be exposed to significantly increased liability risks under Russian and, in particular, foreign law (such as the US FCPA and UK Bribery Act, or the upcoming German Act on Corporate Sanctioning).
Can reporting channels at the Russian subsidiary be an alternative?
Companies with offices on the ground would usually consider setting up internal reporting channels to Russian personnel (e.g. to the local general director or compliance function). Such internal reporting channels, however, will likely suffice only in exceptional cases. Since a legislative initiative aimed at the protection of whistleblowers ultimately failed in June 2019, whistleblowers enjoy almost no protection under Russian law. Fear of retaliation and concerns regarding the objectivity of case management would limit whistleblower activity in many local offices right from the outset.
What can multinational companies do?
In most cases, companies will be able to set up a functioning local whistleblowing system in Russia only at external ombudspersons. These ombudspersons can receive reports on the ground and feed them into the group-wide whistleblowing system, in compliance with the data localisation requirements. The relevant criteria for selecting the ombudspersons will be the availability of the technical infrastructure, the ability to handle case management as well as their integrity. In particular, the last criterion will likely cause the most difficulties when selecting ombudspersons in Russia.
By Hannes Lubitzsch, Associated Partner, and Vyacheslav Khayryuzov, Counsel, Noerr