Concise and to the point with ALRUD: HR & DIGITAL (№15)

Key trends in personal data (PD) processing that have affected employers in 2024

ALRUD’s Labour & Employment Practice team wishes you Happy Holidays!

In this year's last newsletter on IT and PD protection, we would like to go over what happened over the last year and remind you of the key legislative changes that employers need to consider when processing PD.

1. The gradual lifting of the moratorium on inspections

If the moratorium is lifted, it will likely be replaced by a ****risk-oriented approach****: employers will undergo ****inspections**** if they exhibit ****risk indicators****. If none are identified, inspectors will still conduct preventive visits.

Although Russian Government Resolution No. 372 of March 10, 2023 has yet to be changed and still suggests an extension of the moratorium until ****2030****, the ****risk**** that the moratorium will ****suddenly be lifted**** cannot be completely ruled out.

2. Constant expansion of the list of risk indicators

Given the moratorium on inspections, the number of ****risk indicators**** used as grounds for ****unscheduled inspections**** is constantly ****growing****. The list of risk indicators includes the detection of ****three or more discrepancies**** between the information published on the company's ****website**** and that in the ****notification**** of intent to ****process**** PD and/or ****transfer**** it across borders sent to ****Roskomnadzor****; as well as the detection of ****two or more violations**** of Federal Law No. 149-FZ dated July 27, 2006 regarding Article 10.2-2 (peculiarities of providing information using ****recommendation technologies****) within ****one year****.

It is worth remembering that in processing ****employees' PD****, employers can use ****recommendation technologies**** in ****internal (corporate) portals****, ****websites****, corporate ****messengers****, on training ****platforms****, and so on. For ****HR profiling****, we recommend ensuring ****compliance**** with the applicable requirements, particularly those on ****transparency****.

3. Toughening of liability for PD violations

The increase in ****fines**** for offenses and the introduction of new ****administrative offenses**** and even ****crimes**** evince the legislator's increased interest in data privacy and its aim to minimize the ****often-excessive processing**** of PD by data controllers.

Fines have been established for the processing of PD ****without the written consent**** of the subject, if required by law, up to ****RUB 700,000**** (and up to ****RUB 1.5 million**** for repeated violations).

A law has also come into effect toughening the liability of officials and companies in the event of:

• ****leak of PD**** (a fine of up to ****RUB 15 million**** for the first violation, and up to ****3% of revenue**** for the corresponding year for repeated violations);

• ****failure to notify Roskomnadzor of a leak of PD**** (up to ****RUB 3 million****) or of the intention to ****process PD**** (up to ****RUB 300,000****).

****Criminal liability**** was introduced for the illegal storage/collection/transmission of illegally obtained PD, the creation/operation of Internet resources with the intent to illegally store/transmit illegally obtained PD (****Article 272.1 of the Criminal Code of the Russian Federation****).

4. Audit of consent for processing PD

The legislator plans to ****oblige data controllers**** (including employers) to gain ****consent to process PD separately**** from other documents signed by the subject and/or provided to him/her for ****familiarization****.

Simply requesting consent in other documents may nullify the receipt thereof, as such consent may be considered to be ****non-free****, i.e., provided ****against the express will of the subject****. Such a risk is particularly ****high**** in ****labour relations****, as the employee is traditionally viewed as the ****weaker party****. We recommend employers ****double-check**** the ****form**** and ****aim**** of consents on processing PD of the employees.

We also recommend ****auditing consent**** and the ****existing processes for processing PD**** in labour relations in order to filter out the processes that ****do not require consent**** and eliminate ****unnecessary requests for it****.

5. Foreign sanctions and the transition to Russian software

The EU and the US have imposed a ****ban**** on the ****direct**** and ****indirect provision**** of ****company management software**** to Russia, including that for ****HR****.

We understand that the use of foreign information systems is deeply embedded in the ****HR systems**** of many employers. Therefore, we recommend considering options such as ****changing software vendors**** and ****localizing the relevant HR processes****.

We would also like to remind you that from January 01, 2025, ****state corporations****, ****systemically important organizations****, and ****critical information infrastructure (CII) entities**** are prohibited from using information protection ****means or cybersecurity services**** (work or services) from companies from ****“unfriendly” states****.

What to expect and prepare for in 2025?

Looking ahead to 2025, we are confident that ****PD**** will require ****special attention****. The legislator aims to ****expand the requirements**** for data controllers, their ****obligations**** to ensure the legality of ****PD processing****, and the ****confidentiality**** and ****security**** of PD. ****Employees****, as subjects of PD, are becoming increasingly ****aware of their privacy rights****, as evinced in the increasing number of ****labour disputes involving PD****.

We expect a gradual change in the regulator's approach to the ****legal basis for processing PD****, including a reduction in the role of ****consent****.

The regulation of ****platform employment**** will continue to develop, requiring the elaboration of ****labour****, ****tax****, and ****PD risks****, ****consumer**** protection, ****dispute resolution****, and ****antitrust**** regulation.

We are witnessing an overhaul of the traditional approaches to ****HR management****. The main emphasis is shifting from human interaction to the ****synergy of human and machine****, and the active use of ****AI in HR processes****. We recall the ****prohibition**** on making decisions ****affecting**** the ****rights**** and ****legitimate interests**** of an ****employee**** based solely on the ****automated processing**** of PD. Companies should develop rules by which ****AI can access**** and ****monitor data**** along with ****local policies**** regulating ****data protection**** and the ****cybersecurity**** issues involved in using ****AI****.

Our longstanding recommendation was to ****conduct audits of PD processes**** and training for employees. ****Employees**** are not only the ****driving force**** but also the most ****vulnerable part**** of the company. ****Seventy percent**** of incidents ****involving PD****, including ****leaks****, are ****caused by employees****. Conducting ****audits**** and ****staff training**** will allow employers to reduce ****privacy risks****, use ****privacy compliance**** as a competitive ****business advantage****, and increase staff ****loyalty****, bringing a ****positive impact**** on the ****employer brand****.

We look forward to providing you with comprehensive legal support in what remains of this year or as the new year begins! Happy 2025!