Whistleblowing and self-reporting
Are whistleblowers protected in your jurisdiction?
At present, Russian law contains only one specific provision on the protection of whistleblowers. Article 9(4) of the Anti-corruption Law states that civil servants or state officials who report on corruption violations will enjoy state protection. However, this protection is afforded only in accordance with the general Russian legal provisions granting protection to participants in criminal cases (in particular, the Criminal Procedure Code, Federal Law 119-FZ on State Protection of Victims, Witnesses and Other Participants in Criminal Proceedings (August 20 2004) and Federal Law 46-FZ on State Protection of Judges, Public Officials of Law Enforcement and Controlling Bodies (April 20 1995)).
In February 2017 the Federal Ministry of Labour proposed a draft law amending the Anti-corruption Law to extend the whistleblower protection in the public and private sectors. For this purpose, protection by the state will be granted to whistleblowers who report corruption offences to their employer, the Public Prosecutor's Office or the police, or those who have otherwise contributed to the counteraction of corruption. The draft law was submitted to the State Duma on October 16 2017.
Is it common for leniency to be shown to organisations that self-report and/or cooperate with authorities? If so, what process must be followed?
Under Article 4.2(3) of the Administrative Offences Code, the voluntary disclosure of an offence to the competent law enforcement authority qualifies as an extenuating circumstance. This means that the amount of the fine imposed on an organisation for violation of Article 19.28 of the Administrative Offences Code (unlawful remuneration on behalf of a legal entity) will be reduced. However, the court has sole discretion as to the scope of reduction of the fine.
According to Articles 204 (bribery in a commercial organisation), 204.1 (mediation in bribery in a commercial organisation), 291 (bribe taking by a civil servant) or 291.1 (mediation in bribery of a civil servant) of the Criminal Code, the bribe giver is released from criminal liability if he or she:
- actively enabled the discovery or investigation of the crime;
- was subject to blackmailing by the bribe taker; or
- following commission of the crime, voluntarily informed the competent law enforcement authority of the bribe taking.
Following the adoption of the proposed legislative changes according to which criminal liability is extended to legal entities, organisations that self-report may also benefit from these leniency provisions.
Reporting to non-Russian law enforcement authorities regularly requires the transfer of protected data from Russia to foreign jurisdictions. The collection and cross-border transfer of such data are subject to extensive Russian regulation.
In particular, emails, WhatsApp messages, SMS and other correspondence by Russian employees are protected by the ‘privacy of communication’ principle. Unless the Russian company has adopted internal rules on the use of office communication means for business purposes only, the collection and transfer of such data require prior written consent from the relevant employees.
Further, confidential materials may be protected by the so-called ‘commercial secret regime’ (ie, statutory rules according to which the owner of confidential information can take certain specifically listed measures to achieve protection of the materials as a commercial secret) or otherwise be subject to confidentiality obligations of the transferor. In this case, sufficient confidentiality obligations must be imposed on the third-party recipient to maintain the protection of the materials as confidential following a cross-border data transfer.
The transfer of personal data of Russian employees also requires the relevant employee's written consent to the transfer (which may, by way of precaution, also be reflected in the employment agreement). In case of a cross-border transfer, such a transfer must be specifically allowed by the consent. Since the employee's consent can be difficult to obtain in practice, the relevant data may have to be depersonalised before the transfer. Further, a data transfer agreement must be signed between the employing Russian company and the foreign recipient. In addition, due to Russian data localisation requirements, the primary database for personal data transferred abroad must be set up in Russia and, before the transfer of any new data, be updated accordingly.
On the other hand, Russian law has no general attorney-client privilege. A concept similar to this privilege exists only as ‘advocate secrecy’ in relationships between clients and advocates (ie, lawyers who passed a bar exam to represent clients in criminal and certain civil law court proceedings). Therefore, the protection of the attorney-client privilege does not usually restrict the (cross-border) transfer of data.