GDPR: Compliance Issues in Russia¹ 128 (2018)
On 25 May 2018, the EU General Data Protection Regulation (GDPR) entered into force. International companies doing business in Russia must now comply both with the GDPR and the Russian laws though they may contradict each other. The question arises how to find the right way in a pickle of the new data privacy rules?
GDPR VS. RUSSIAN PERSONAL DATA LAW
At a first glance, the EU and Russian regulations have many things in common. They are based on similar data processing principles first established by the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS 108). Both legal acts apply to the wholly or partly automated processing of personal data and the non-automated processing of structured sets of data. Similar to the EU data controllers, Russian entities must demonstrate compliance with the PDL at the request of the Data Protection Authority (Roscomnadzor) and in some other cases by adopting internal policies and implementing legal, technical and organisational measures.
However, most of GDPR business documents and practices cannot be implemented in a Russian office of a multinational company as they are. First, there are important differences in terminology. According to the GDPR, the controller determines the processing purposes and means when the processor conducts the processing on behalf of the controller. Under the Russian Personal Data Law No. 152-FZ dated 27 July 2006 (PDL), the controller’s and processor’s roles are embraced by so-called data operator. In simple terms, the data operator is an entity or a person dealing with personal data and, therefore, fully responsible for the data protection and security.
As explained by Roscomnadzor, subsidiaries, representative offices and branches of non-Russian companies (jointly, the Russian Offices), are the data operators if they process personal data within the Russian borders. Article 6(3) of the PDL states that the data operator may assign the processing to ‘a third party’ (the term processor is not in official use). The ‘third party’ (processor) must process the data according to the assignment, but it does not act on behalf of the data operator.
Second, the PDL does not set forth any concept similar to the GDPR’s group of undertakings. As a result, the affiliated entities cannot perform intragroup data transfers based on the controller’s legitimate interests by analogy with Recital 48 of the GDPR. Roscomnadzor does not review or approve binding corporate rules at the request of the data operators.
Third, the Russian laws require that the data subject’s consent be documented as a written declaration in certain cases (e.g. disclosure of Russian employees’ data to a third party by their employer). The PDL provides for a number of mandatory clauses to be specified in this declaration and, therefore, the form prepared under the GDPR may not work in Russia. In addition, there are differences in requirements on informing data subjects and giving access to personal data.
Fourth, all Russian Offices must necessarily appoint a data protection officer. Article 37 of the GDPR prescribes to do so only in a limited number of cases.
The GDPR provides considerable fines for non-compliance with its requirements, which, however, are incomparably higher than those applied in Russia. Since the Russian laws are unclear on how to treat longstanding illegal practices (e.g. the use of an incorrect consent declaration multiple times), there is a risk of imposing separate administrative fines in each case where similar offences take place. Data breaches may also result in on-site inspections of the Russian Offices by Roscomnadzor. Hence, international companies should take legal risks arising from the PDL into account while planning Russia-related business endeavors.
How Does GDPR Apply in Russia?
The collisions between the GDPR and the PDL often come into play at least in the following situations:
1. Business Unit in Russia. The GDPR applies to data processing in the context of the activities of an EU establishment, regardless of whether the processing itself takes place within the EU (Recital 22). Simply stated, a Russian Office may be required to process data in line with the GDPR while working with the EU-based head office on a joint project. This is often the case for IT, R&D, marketing, pharma and many other businesses. In addition, the GDPR applies to the Russian Offices if their actions fall under the territorial scope clause (Art. 3), including offering goods or services and monitoring behaviour of data subjects in the EU. The solution is to approve GDPR-compliant corporate policies binding on all offices worldwide, including Russia. Many companies implement the policies simply by emailing them to the Russian staff. According to the Russian Labour Code and case law, a policy can be enforced against employees only if it is: (i) translated into Russian or bilingual; (ii) officially approved by the Russian Office’s authorized body (usually, the CEO of a subsidiary or the Head of a branch / representative office); and (iii) made familiar to the employees and this is confirmed with their signatures. In most cases, the GDPR corporate policies cannot be used for demonstrating compliance with the PDL by default. In order to prevent possible collisions, they should be supplemented with local policies drafted under the PDL and applicable only in Russia.
The local policies should cover issues not regulated by the GDPR or contradicting to Russian law, such as paperwork and security measures relating to the manual data processing.
2. Cross-border Transfers. Companies often transfer data from the EU to the Russian Offices and business partners. Since Russia has not been short-listed as a country offering an adequate level of data protection, such cross-border transfers are usually documented with the following agreements:
- Personal data processing agreement (Art.28(3) of the GDPR) under which a Russian Office acts as a data processor; and
- EU Commission standard contractual clauses for the transfer of personal data to processors established in third countries.
These agreements should be revised from the Russian law perspective as they may contradict the PDL in terms of the processing purposes description, data security requirements and some other provisions.
The PDL stipulates a list of mandatory clauses for the data processing agreements. The most practical solution is to sign two interrelated sets of contractual documents according to the European and Russian rules, simultaneously.
What to do?
The Russian Office of an EU or multinational company should: (i) localize Russian versions of the global policies with consideration of the PDL requirements; (ii) check that the global policies are binding on employees under Russian law; and (iii) ensure that the global policies are supplemented with local Russian documents where prescribed by the PDL. In case of a cross-border transfer, be ready to negotiate the contractual terms and sign a Russian agreement in addition to the GDPR agreements. These measures should help to mitigate legal risks arising from the PDL and keep the data processing in Russia under control, on the one side, and stay complaint with the GDPR, on the other side.