Concise and to the point with ALRUD: HR & DIGITAL (№15)
19 December 2024
Key trends in personal data (PD) processing that have affected employers in 2024
ALRUD’s Labour & Employment Practice team wishes you Happy Holidays!
In this year's last newsletter on IT and PD protection, we would like to go over what happened over the last year and remind you of the key legislative changes that employers need to consider when processing PD.
1. The gradual lifting of the moratorium on inspections
If the moratorium is lifted, it will likely be replaced by a risk-oriented approach: employers will undergo inspections if they exhibit risk indicators. If none are identified, inspectors will still conduct preventive visits.
Although Russian Government Resolution No. 372 of March 10, 2023 has yet to be changed and still suggests an extension of the moratorium until 2030, the risk that the moratorium will suddenly be lifted cannot be completely ruled out.
2. Constant expansion of the list of risk indicators
Given the moratorium on inspections, the number of risk indicators used as grounds for unscheduled inspections is constantly growing. The list of risk indicators includes the detection of three or more discrepancies between the information published on the company's website and that in the notification of intent to process PD and/or transfer it across borders sent to Roskomnadzor; as well as the detection of two or more violations of Federal Law No. 149-FZ dated July 27, 2006 regarding Article 10.2-2 (peculiarities of providing information using recommendation technologies) within one year.
It is worth remembering that in processing employees' PD, employers can use recommendation technologies in internal (corporate) portals, websites, corporate messengers, on training platforms, and so on. For HR profiling, we recommend ensuring compliance with the applicable requirements, particularly those on transparency.
3. Toughening of liability for PD violations
The increase in fines for offenses and the introduction of new administrative offenses and even crimes evince the legislator's increased interest in data privacy and its aim to minimize the often-excessive processing of PD by data controllers.
Fines of up to RUB 700,000 (and up to RUB 1.5 million for repeated violations) have been established for the processing of PD without the written consent of the subject where such consent is required by law.
A law has also come into effect toughening the liability of officials and companies in the event of:
leak of PD (a fine of up to RUB 15 million for the first violation, and up to 3% of revenue for the corresponding year for repeated violations);
failure to notify Roskomnadzor of a leak of PD (up to RUB 3 million) or of the intention to process PD (up to RUB 300,000).
Criminal liability has been introduced for the illegal storage, collection or transmission of illegally obtained PD, and for the creation or operation of Internet resources intended to illegally store or transmit illegally obtained PD (Article 272.1 of the Criminal Code of the Russian Federation).
4. Audit of consent for processing PD
The legislator plans to oblige data controllers (including employers) to obtain consent to process PD separately from other documents signed by the subject and/or provided to him/her for familiarization.
Simply requesting consent within other documents may nullify it, as such consent may be deemed not freely given, i.e., provided against the express will of the subject. This risk is particularly high in labour relations, as the employee is traditionally viewed as the weaker party. We recommend that employers double-check the form and purpose of the consents they obtain for processing employees' PD.
We also recommend auditing consent and the existing processes for processing PD in labour relations in order to filter out the processes that do not require consent and eliminate unnecessary requests for it.
5. Foreign sanctions and the transition to Russian software
The EU and the US have imposed a ban on the direct and indirect provision of company management software to Russia, including that for HR.
We understand that the use of foreign information systems is deeply embedded in the HR systems of many employers. Therefore, we recommend considering options such as changing software vendors and localizing the relevant HR processes.
We would also like to remind you that from January 01, 2025, state corporations, systemically important organizations, and critical information infrastructure (CII) entities are prohibited from using information protection means or cybersecurity services (work or services) from companies from “unfriendly” states.
What to expect and prepare for in 2025?
Looking ahead to 2025, we are confident that PD will require special attention. The legislator aims to expand the requirements for data controllers, their obligations to ensure the legality of PD processing, and the confidentiality and security of PD. Employees, as subjects of PD, are becoming increasingly aware of their privacy rights, as evinced in the increasing number of labour disputes involving PD.
We expect a gradual change in the regulator's approach to the legal basis for processing PD, including a reduction in the role of consent.
The regulation of platform employment will continue to develop, requiring the elaboration of labour, tax, and PD risks, consumer protection, dispute resolution, and antitrust regulation.
We are witnessing an overhaul of the traditional approaches to HR management. The main emphasis is shifting from human interaction to the synergy of human and machine, and the active use of AI in HR processes. We recall the prohibition on making decisions affecting the rights and legitimate interests of an employee based solely on the automated processing of PD. Companies should develop rules by which AI can access and monitor data along with local policies regulating data protection and the cybersecurity issues involved in using AI.
Our longstanding recommendation has been to conduct audits of PD processes and training for employees. Employees are not only the driving force but also the most vulnerable part of the company. Seventy percent of incidents involving PD, including leaks, are caused by employees. Conducting audits and staff training will allow employers to reduce privacy risks, use privacy compliance as a competitive business advantage, and increase staff loyalty, bringing a positive impact on the employer brand.
We look forward to providing you with comprehensive legal support in what remains of this year or as the new year begins! Happy 2025!
We hope that the information provided herein will be useful for you.