Anastasia Petrova

Ban on foreign information security services from “unfriendly” jurisdictions Decree No. 250 of the Russian President dated 1 May 2022 “On Additional Measures to Ensure the Information Security of the Russian Federation” previously imposed restrictions on the ****use of foreign information security means****. In particular, government authorities, state corporations, systemically important organizations, and subjects of critical information infrastructure (“CII subjects”) are prohibited from using ****information security means**** as of 1 January 2025: ****Originating**** from “unfriendly” states; Or from ****manufacturers**** that are organizations under the jurisdiction of “unfriendly” states, directly or indirectly controlled by them or ****affiliated**** with them. Decree No. 500 of the Russian President dated 13 June 2024 extended the scope of the ban: as of 1 January 2025, government authorities, state corporations, systemically important organizations and CII subjects are also prohibited from ****using cybersecurity services**** (work or services) from companies from “unfriendly” states. If your company belongs to government authorities, state corporations, systemically important organizations or CII subjects, we recommend that together with IT you conduct an ****audit of software**** and ****IT services used for HR****, ****accounting**** and ****personnel management**** purposes in order to ensure timely compliance with the requirements of the above-mentioned presidential decrees. A 14th package of sanctions, including IT restrictions, has been imposed against Russia The USA has significantly expanded sanctions against Russia, with new restrictions affecting financial infrastructure, ****cloud**** services and information technology. The USA will ban a number of software and IT services as of ****12 September 2024****. The US Department of the Treasury, together with the State Department, issued a special decree with the following restrictions: It is prohibited to provide any person in Russia with ****design services**** and ****IT consulting services****; It is prohibited to supply ****cloud technology**** and ****IT support services**** for business management, as well as design and manufacturing software. Russian companies using such software for ****HR purposes**** may consider the following courses of action: Change the ****vendor****, which will allow them to continue using the software in Russia; ****Localize**** relevant HR processes. Exemption from liability for personal data leaks due to the insignificance of the offence During the ‘I Give My Heart to Children’ Russian Professional Skills Competition for Continuing Education Employees, there was a technical failure that led to the brief publication (****three minutes****) of information about a personal data subject on the competition website. The subject’s ****passport details****, ****registration address****, ****telephone number**** and ****email address**** were published, all of which constitutes personal data. In court, the data controller pointed out that the incident was caused by a technical malfunction in the service, third parties did not gain access to the personal data since the violation was ****eliminated**** as soon as possible, and ****no damage**** was caused to the subject of the personal data. The Russian Federal Service for Supervision of Communications, Information Technology and Mass Media, (Roskomnadzor) reported that it ****did not receive any complaints**** about the data controller as a result of the incident. In accordance with the law, the data controller sent a ****notification about the leak**** of personal data. A justice of the peace of the Danilovsky District of Moscow (Case No. 05-1415/456/2023) ruled that the data controller had failed to ensure the ****confidentiality of personal data**** and had not prevented ****unauthorized access**** to it by third parties, and qualified the offence under Part 1 of Article 13.11 of the Code of Administrative Offences of the Russian Federation. However, since the court had no evidence that information about the personal data subject had been ****copied****, ****obtained**** or ****used**** by ****third parties**** to violate its legally protected rights, including through the competition website, the court relieved the data controller of administrative liability due to the ****insignificance of the offence**** and limited itself to a ****verbal reprimand****.

The State Duma will consider a draft law on the possibility for the plaintiff to receive personal data (“PD”) of the defendant Amendments are planned to be made to the ****Civil Procedure Code**** of the Russian Federation. It is proposed to grant the plaintiff the right to file a ****motion**** to the court for assistance in ****establishing information about the defendant****, which is necessary to file a claim in court, but the plaintiff does not have. In addition, if the law is adopted, the court will be able to independently determine the ****ist of data**** about the defendant necessary to accept the claim. More than half of the surveyed small and medium-sized businesses are not ready for tougher sanctions for PD leaks Less than half of Russian companies (44%) from the ****SMB segment**** have managed to ****review their PD protection measures**** against the background of possible tightening of sanctions for their leaks. 50% of companies have not even studied the amendments in detail, and some do not plan to strengthen protection at all yet. Some of the respondents (45%) expect to strengthen protective processes ****“within a year”****, another 8% - ****“in the next six months”****. There are also those (4%) who do not plan to review the protection at all yet. At least 32% of SMB respondents are concerned about ****reputational risks**** from sanctions. 68% of respondents are concerned about ****financial losses****, including from the imposition of fines. It is noteworthy that only 43% of respondents have conducted an audit of PD processing processes over the past 3 years, 11% conducted an audit more than 3 years ago. Almost a quarter (21%) have never conducted an audit at all. 25% of the respondents could not give an answer to this question. We remind you that the draft laws on ****administrative and criminal liability for PD leaks**** are planned to be finally considered this ****spring session of the State Duma****. Regardless of the adoption of these bills in this session, we recommend that data controllers be prepared to tighten liability for PD leaks. To this end, companies should conduct an ****audit of PD processing processes and an IT security audit****. A draft law on the right of the Federal Tax Service to transfer information that constitutes a tax secret to interdepartmental commissions has been adopted in the first reading According to the new law on employment, ****interdepartmental commissions**** on combating ****illegal employment**** will be created in the regions of the Russian Federation. They have the right to receive from various authorities, including the ****tax service****, PD and information constituting a ****tax secret****. They want to extend the effect of the tax secrecy regime to cases where the tax authorities transfer relevant information and information to interdepartmental commissions of the subjects of the Russian Federation and territorial bodies of the ****Federal Service for Labour and Employment (Rostrud)****. Following the results of the prosecutor's office's inspection, the DPO of the company was brought to administrative liability The ****Prosecutor's office**** of the Kirovsky district of Saratov conducted an inspection of compliance with legislation in the field of PD protection in a medical company. During the supervisory activities, together with a specialist of the ****Roskomnadzor Department**** for the Saratov region, a fact of ****illegal dissemination of a database containing PD of clients****, in particular ****phone numbers**** and ****full names****, was revealed. According to this fact, the district prosecutor's office initiated an administrative offense case under Part 1 of Article 13.11 of the Administrative Code of the Russian Federation ****against a responsible official of a medical company****. According to the results of the consideration of the case, the DPO was sentenced to an ****administrative fine in the amount of RUB 10,000 (approx. USD 112, EUR 103)****. Question Can an employer track the ****location**** of employees through their personal smartphones?Can an employer track the location of employees through their ****personal smartphones****? Answer from Rostrud The employer has the right to monitor the employee through an ****application in a mobile phone****, if this is related to the ****performance of job duties****. We additionally note the need to obtain the ****consent of employees to track and process PD****.

The Federation Council clarified how the Russian Digital Code will look like Work on the ****Digital Code****, which will become the basis for legal regulation of relations in the field of ****information**** and ****digital technologies****, will take at least another ****year****, and a significant part of the future document is planned to be devoted to the protection of ****personal**** and ****biometric data****. The structure of the Code reflects two parts – ****general**** and ****special****: the general part will list the basic concepts, terms, principles, subjects and objects of law, that is, all that is called the ****conceptual apparatus****; in a special part – specific types of state and social institutions, types of legal relations and ways of their regulation. Separately, the Federation Council noted that the special part involves three large sections: issues of ****communication****, ****information**** and ****personal data protection****. We recommend that employers monitor the development and adoption of the code, as it can have a direct impact on digitized HR processes in companies. Participants of JSC and LLC at online meetings will be identified by electronic signatures or biometric personal data Draft amendments to the ****laws on JSC and LLC**** have been prepared for the second reading in the ****government bill**** (No. 103501-8). Initially this document was devoted to another issue: it provided for the possibility of the JSC to suspend the sending of ****correspondence**** and payment of ****dividends**** to ****shareholders**** who have not ****contacted the company for more than two years**** (the so-called ****lost shareholders****). It is proposed to use a choice of five options when identifying a participant in online meeting: enhanced qualified electronic signature, enhanced unqualified electronic signature, personal data from the ****Unified Identification and Authentication System**** (ESIA), as well as information from the ****Unified Biometric System**** (EBS). At the same time, ****non-public JSC**** will be able to deviate from the rules set out: specify in the charters other ways to ****reliably identify persons**** taking online participation in the meeting and ways to sign ballots. The bill also regulates the general rules for online meetings. For example, such a format should provide for ****broadcasting****, and the company is obliged to ****keep a record**** of it. If there are significant ****technical problems**** that make it impossible to hold a meeting, the vote is declared ****invalid****. Question Should the Data Protection Officer (DPO) be directly subordinate to the General director?Should the Data Protection Officer (DPO) be directly subordinate to the General director? Answer from Roskomnadzor The DPO receives instructions directly from the ****executive body**** of the organization that is the data controller and is accountable to it.The DPO receives instructions directly from the executive body of the organization that is the data controller and is ****accountable to it****.

The Russian government has approved draft amendments to the Russian Criminal Code that increase the severity of punishment for leaks of personal data (“PD”) The amendments have changed slightly compared with the version adopted in the first reading. The Ministry of Internal Affairs (MVD) proposed mitigating liability for leaks and editing the wording so that penalties are imposed only in the event of the leakage of (1) data of 50 or more PD subjects, or (2) information about people’s private life, personal or family secrets, special categories of PD, or biometric PD. The Ministry of Justice opposed such amendments, arguing that restricting the number to 50 PD subjects would result in attackers intentionally splitting up databases with leaked PD, while those who leak the PD of fewer people would be able to avoid criminal punishment. Under the draft law, if a violation results in severe consequences, the guilty parties may be punished with a fine of up to 3 million RUB (approximately 32,730 USD or 30,476 EUR) and maximum prison sentence of up to 10 years, as well as forced labour and deprivation of the right to hold certain positions or engage in certain activities. We are closely monitoring the consideration of this draft law and will keep you posted about the latest news. Russia may soon have a mechanism to compensate for damages caused by the leakage of PD The Federation Council has drafted a bill on mandatory insurance for PD leaks. The law would clearly specify not only the insurance amount, limits and list of risks, but also a list of exceptions that should not be set by the actual insurance companies. We understand that the legislators’ main goal is to encourage companies to pay closer attention to their IT infrastructure, in part to ensure the best possible protection of stored PD or to refuse to process it if it is not required for business. Growing number of PD-related legal disputes The number of disputes over the illegal use of PD is on the rise in Russia: since the start of 2024, their number has already increased by 17% compared with the beginning of 2023. There were a total of 17,400 cases across the country in 2023, an increase of 23% from 2022. Last year, the greatest dynamics in this regard were seen in administrative and criminal cases. The disputes under the Russian Criminal Code concern the illegal receipt of PD about a particular person, which is due to increased attention to the problem of growing terrorist threats. Businesses, in turn, face claims from employees about the reliable storage of their information and the legality of processing their PD. On the one hand, this poses reputational risks, while, on the other hand, it attracts the attention of the Russian PD authority (Roskomnadzor). We recommend that data controllers regularly conduct an audit of the processes of PD processing to bring them into compliance with the requirements of law and minimize financial, operational and reputational risks.

Webinar "Artificial intelligence technologies in HR processes: lawyers' opinion" was held on the 2nd of May. It was devoted to the latest trends, practical considerations, and complicated situations arising due to use of artificial intelligence (AI) in Russia. Irina Anyukhina, Partner of ALRUD Labour and Employment Practice, Anastasia Petrova, ALRUD Of Counsel, and Margarita Egiazarova, ALRUD Senior Associate, shared their views on topical issues and provided valuable insights on the use of AI in Russia. In the course of the webinar, the experts addressed legal aspects of use of AI in HR, offered suggestions on implementation of AI in HR, shared solutions to the problems connected with data privacy violation, and measures to mitigate the risks, and also gave the examples of implementation of AI in HR. This topic was of great interest to the audience, webinar attendees actively asked questions and got involved into discussion.

The Presidential Administration has not approved amendments to the second reading of the draft law on turnover fines for personal data (“PD”) leaks Despite the positive review of the draft law from the Government Commission, the State Legal Department of the President has prepared a ****negative review**** of the draft law on ****turnover fines**** for businesses for ****PD leaks****. The Presidential Administration did not support the proposal of the Ministry of Digital Development, Communications and Mass Media of the Russian Federation to introduce ****mitigating circumstances for companies****, noting also that the definition of an identifier that will determine the size of the leak should be contained in the ****law on PD****, and not in the Code of Administrative Offences, as is currently proposed, and compensation ****should be appointed by the court****. In addition, the review says that the composition of the offense should be clearly defined, now it is described as “an act or omission of a person that led to the unlawful transfer of information”. We are closely monitoring the consideration of this draft law and will keep you up with the latest news. A draft law has been submitted to the State Duma on revoking consent to the processing of PD given by the subject through the website The draft law proposes to provide for the mandatory possibility of ****revoking consent**** to the processing of PD ****in electronic form****, that is, through sites where the subject previously consented to access such information. It is proposed to amend Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data”, fixing the need to provide a way to revoke the user's consent to the processing of their PD ****in the same form in which it was received****. The draft law provides for the need to fix in the content of the consent to the processing of PD an indication of the ****method of its withdrawal****. According to the authors of the draft law, this will allow citizens to significantly simplify the possibility of exercising their right to revoke consent to the processing of PD in a form convenient for them. For data controllers, the conversion of this draft law into law will entail the need to post additional information on Internet resources (websites) and their technical adjustment. Attempts to recover damages from a former employee for reputational damage ended in the Supreme Court of the Russian Federation, which ruled that media reports about the leakage of PD do not indicate harm to business reputation The Supreme Court of the Russian Federation considered the dispute between PJSC Sberbank of Russia and a former employee of LLC National Recovery Service. In 2019, an employee copied ****clients data**** from their corporate laptop, which was a ****bank secret****, and tried to sell them for a ****monetary reward**** on an Internet forum “Dublik.at”. These illegal actions were discovered by specialists of the recovery service, who, on the instructions of the bank, monitored and identified such cases. As a result, the former employee was found guilty of ****illegally disclosing information constituting a banking secret****, without the consent of their owner, by a person to whom it was entrusted for work, out of self-interest (Part 3 of Article 183 of the Criminal Code of the Russian Federation). The incident became known to the ****media****. The bank considered that it had suffered ****reputational damage**** in this way and demanded that the culprit pay more than RUB 3.5 million. The courts of three instances supported this position and recovered ****RUB 1.5 million**** from the former employee. However, the Supreme Court of the Russian Federation clarified that ****media reports**** about the leakage of PD of clients of a credit institution ****do not**** in themselves ****indicate harm to business reputation****. When applying to the court, the bank must provide evidence of a ****causality**** between the employee's illegal act, media reports and the occurrence of adverse consequences in the form of loss or decrease in credibility in the bank's business reputation. The Supreme Court of the Russian Federation also indicated that a legal entity or a citizen compensates for damage caused by its employee in the performance of job duties (in accordance with Article 1068 of the Civil Code of the Russian Federation). Therefore, since the disclosure was made using official position, the court should have discussed the ****possibility of replacing the defendant with their employer****.

On 24 April 2024 the American Chamber of Commerce in Russia (“AmCham Russia”) held its annual HR-Conference ”Adapting HR to a Changing World”. Anastasia Petrova, Of Counsel in ALRUD Labour and Employment Practice, spoke on the topic: ”Artificial Intelligence: Legal Aspects in Labour Relations”. In her speech the expert addressed the following issues: Concept of AI in the legislation; Initiatives relating to AI in Russia and abroad; Risk of discrimination when using AI; Targeted job advertisements; Risks of recognizing AI use as inadmissible; Admissible spheres of AI application in HR; Court practice: application of AI in HR; Case on deepfake, works made for hire and AI. Anastasia also reviewed the basic principles of personal data processing, identified roles and challenges related to use of AI, and told about the legal risks and protection of personal data when implementing AI. During the conference experts discussed legal and administrative aspects of HR management, covered the issues of innovations, HR-strategy, and corporate branding. The American Chamber of Commerce in Russia (AmCham) is the leading international business association in Russia. Founded in 1994, AmCham advocates for the interests of the largest American corporations, Russian companies, as well as companies from Europe and Asia. The mission of AmCham is to promote the development of a sustainable market environment conductive to business operations in Russia.

Government Commission approves positive review of draft law on turnover fines for leaks of personal data (“PD”) We previously informed you about the draft law that would impose ****turnover fines for PD leaks****, as well as fines for the failure to ****notify the Russian Federal Service for Supervision of Communications, Information Technology and Mass Media (“Roskomnadzor”) about the intention to process PD**** and the illegal transfer (****leak****) of PD. The bill has already been adopted by the State Duma in the first reading. On 1 April 2024, the ****Government Commission**** approved a ****positive review**** of the draft law and: Supported the initiative of the Ministry of Digital Development, Communications and Mass Media of the Russian Federation to take into account ****mitigating circumstances**** (the payment of ****monetary compensation**** to victims of PD leaks and the data controller’s annual and significant ****investments**** in measures to ensure the ****information security of PD**** during the last three years) and ****aggravating circumstances**** (the use of communication means or non-certified means of encoding (encryption) when committing a violation); Recommended clarifying the amount of fines for PD leaks for the ****proportionality**** and ****feasibility of the execution**** of such a punishment; Proposed including provisions in the law about ****accidental PD leaks****; Strongly called for ****increasing penalties for leaks of biometric PD****. We recommend not only implementing mechanisms to ****prevent PD leaks****, but also conducting an ****audit of PD information security****, checking whether the company has submitted a ****notification**** about its intention to process PD. Reminder In accordance with clause 4 of Article 1370 of the Civil Code of the Russian Federation, if an employer does not apply for a ****patent to the Federal Service for Intellectual Property (“Rospatent”)**** within ****six months**** from the date of ****notification from an employee**** about the creation of an ****invention****, ****utility model**** or ****industrial design****, then the ****right to obtain a patent**** for the corresponding result of intellectual activity ****may be returned to the employee****. This was noted by the Intellectual Property Rights Court in its ****decision dated 7 March 2024 in Case No. SIP-793/2023****. Facts of the case In 2013, an employee of a joint-stock company, as part of his job duties, created a ****utility model**** (wiper drive). In 2015, he was transferred from the joint-stock company to a limited liability company, and three years later the joint-stock company was declared ****insolvent****. In 2017, a ****patent for a utility model was obtained**** with the limited liability company listed as the patent holder. Three years later, the limited liability company discovered that its patent was being used, and first filed an application against the offending party with the ****Federal Antimonopoly Service (“FAS”)****, and then in ****court****. The offending party’s actions were deemed to be an act of ****unfair competition****. The latter, in turn, filed a demand in court to ****invalidate the patent****. The patent was invalidated by a court decision. ****The right to obtain the patent remained with the employee****, because the employer did not perform the necessary actions envisaged by clause 4 of Article 1370 of the Civil Code of the Russian Federation within the prescribed period. Below are a few interesting points that were reflected in the court decision: The limited liability company was created in violation of the provisions of Article 115 of Federal Law No. 127-FZ “On Insolvency (Bankruptcy)” dated 26 October 2002 in order to ****withdraw the joint-stock company’s liquid assets****; The general director of the joint-stock company was prosecuted under ****Article 196 of the Criminal Code of the Russian Federation**** (intentional insolvency) and sentenced to 4.5 years ****in prison**** with a ****fine**** of 150,000 RUB (approximately 1,615 USD or 1,484 EUR); The technical solution created by the employee during his work at the joint-stock company corresponds to the technical solution for the disputed patent; The employee did not object to filing a patent application, because, as he noted, during the period when the disputed patent was obtained, ****he did not have special knowledge concerning intellectual property****, and therefore could not assess the actions of the limited liability company. Question What legal grounds are applicable to ****transfer employees’ PD**** to a third party for the purpose of ****conducting a special assessment of working conditions****? Answer Conducting a special assessment of working conditions is a ****mandatory obligation**** of the ****employer**** according to Article 214 of the Russian Labour Code, for which the company must transfer the ****insurance number of the individual personal account**** of employees to the organization conducting the special assessment. ****The consent of the employees is not required****.

Ministry of Labour: Employers may discipline employees for disclosing a colleague’s salary Earlier, we informed about the position of the GIT of the Nizhny Novgorod Region that if the employer’s ****local policy**** prohibits the ****disclosure**** of the ****salary**** of other employees, then employees who view another employee’s pay slip and disclose his/her salary may be ****disciplined****. The ****Ministry of Labour**** reminded: the employer shall adopt local policies aimed at ****protecting the personal data**** (“PD”) of employees, with which the latter must be ****familiarized**** under signature. Only in this case, when an employee discloses the salary of other employees, the perpetrator may be disciplined by making a ****warning****, ****reprimand****, and even ****dismissed**** (Letter of the Ministry of Labour No. 14-6/OOG-1418 dated 11 March 2024). We recommend that companies monitor the availability and correct content of local policies in relation to the processing of personal data of employees, since local policies may be pivotal and crucial in the case of decisions on bringing employees to disciplinary liability. Microsoft may delay blocking of cloud services in Russia As we reported, the ****12th sanctions package**** of the European Union, introduced on 19 December 2023, included ****restrictions**** on the ****supply of various software**** to Russia. Until 20 March 2024, a ****transitional period**** was established to stop the existing export of such goods. The media reported on the ****possible postponement**** of the suspension of access to**** Microsoft cloud services**** in Russia. At the same time, subscriptions to products such as Teams, OneDrive, Azure, Office 365, and all web services (including free ones) will definitely be blocked. Keys on MS Visio and Office will also be blocked, and Security Updates (WSUS) will not be delivered. We remind you that the potential postponement ****does not cancel the restrictions imposed****, but will provide the necessary time to create data backups and configure an ****alternative IT infrastructure****. The Council of Federation proposed to oblige companies to have a reserve to pay compensation for PD leaks The main idea of the initiative is for companies that process PD to have ****financial security**** to compensate for harm to PD subjects. This may be a ****policy**** from an insurance company, a ****bank guarantee****, or a document confirming the availability of a ****reserve fund**** within the company. There is no final decision yet on whether the measure will be implemented in the legislation and apply to all PD controllers or only to those who have more than a ****certain number of PD records**** in the information system. Besides, there is no consensus in the Council of Federation on what will be an ****insured event**** and what will be the ****limits of the insurance amount**** for payments to affected citizens; it is assumed that the amount of payment will depend on the ****level of PD**** – the more ****sensitive**** the leaked information, the greater the insurance amount. Question Is the employee’s identification number his PD? Answer of the Ministry of Digital Development, Communications and Mass Media Given that the identification number cannot be assigned to another employee, it allows to identify a specific employee, and, therefore, is a PD. Answer of Roskomnadzor The employee’s identification number compiles his PD only in combination with other information (for example, with the employee’s full name).

We are glad to announce that Anastasia Petrova, Of Counsel in ALRUD Labour and Employment Practice, has been elected a Co-Chair of AmCham Compliance Committee! In her new capacity, Anastasia addressed the meeting of the American Chamber of Commerce Compliance Committee held on 13 March 2024. The event was held in a hybrid format: participants could attend both online and in-person. The following topics were covered at the meeting: Sanctions compliance development in 2023 and key issues to focus on for the moment; Impact of the 12 EU sanctions package on the compliance in the sphere of IT and personal data processing. We congratulate Anastasia and wish her success in professional advancement! The American Chamber of Commerce in Russia (AmCham) as founded in 1994. AmCham advocates for the interests of the largest American corporations, Russian companies, and also companies from Europe and Asia. AmCham’s mission is to promote the development of a sustainable market environment conductive to business operations in Russia.