Whistleblowing and self-reporting
Are whistleblowers protected in your jurisdiction?
Protection of civil servants and state officials
At present, Russian law contains only one specific provision on the protection of whistleblowers. Article 9(4) of the Anti-corruption Law states that civil servants or state officials who report on corruption violations will enjoy state protection. This protection is afforded in accordance with the general Russian legal provisions granting protection to participants in criminal cases, in particular:
- the Criminal Procedure Code;
- Federal Law 119-FZ on the State Protection of Victims, Witnesses and Other Participants in Criminal Proceedings 2004; and
- Federal Law 46-FZ on the State Protection of Judges, Public Officials of Law Enforcement and Controlling Bodies 1995.
Extended whistleblower protection
On 13 December 2017 the State Duma adopted in its first reading amendments to the Anti-corruption Law, which will introduce measures in Russia aimed at protecting whistleblowers who report on corruption offences.
This legislative process follows the recommendations under the Organisation for Economic Cooperation and Development (OECD) Convention on Combating Bribery of Foreign Public Officials in International Business Transactions to establish effective mechanisms for the protection of individuals reporting on the bribery of foreign public officials.
Exceeding these recommendations, the draft law extends to reporting on any bribery offence in the public or private sector in Russia. According to the draft law, individuals who report such an offence to their employer's representative, the Public Prosecutor's Office or the police will be protected by the state. The protective measures include:
- confidentiality obligations regarding the whistleblower’s identity and the content of their report;
- protection against any discrimination in regard to the whistleblower’s employment situation for two years following the reporting; and
- the granting of free legal aid to the whistleblower.
If adopted, the draft law is likely to require organisations operating in Russia to:
- adjust their procedures for handling whistleblower reports from Russia;
- establish mechanisms to obtain a whistleblower's consent for the use of personal data; and
- adopt in Russia an internal document regulating the handling of whistleblower reports.
Is it common for leniency to be shown to organisations that self-report and/or cooperate with authorities? If so, what process must be followed?
Self-reporting
Since 14 August 2018, companies operating in Russia have been able to exclude themselves from liability for bribery by way of self-reporting to the Russian law enforcement agencies. Based on changes to the Administrative Offences Code, legal entities will not be held liable if they enabled:
- the uncovering of the relevant violation (by the company);
- the conduct of an administrative investigation (against the company); or
- the uncovering, disclosure and investigation of the related criminal offence (committed by individuals acting in the interest of the company).
The self-reporting will release the company from penalty payments under Article 19.28 of the Administrative Offences Code (unlawful remuneration on behalf of a legal entity). In contrast to other jurisdictions, this release includes 100% of the penalties and is mandatory; it is not subject to the discretion of the law enforcement agencies or courts.
The new self-reporting rules apply to all types of bribery, except for the bribery of foreign public officials. The Russian legislature has chosen to exclude such bribery from the self-reporting rules in order not to deviate from the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions, to which Russia has acceded and which does not provide for comparable rules.
The benefits of self-reporting will be limited to the reporting company itself. Individuals who made bribery payments in the interest of the company – typically employees and agents – will continue to face prosecution under the Criminal Code. However, individuals may separately self-report under the leniency provisions of Articles 204 (bribery in a commercial organisation), 204.1 (mediation in bribery in a commercial organisation), 291 (bribe giving to a civil servant) and 291.1 (mediation in bribery of a civil servant) of the Criminal Code.
Cross-border reporting
Reporting to non-Russian law enforcement authorities regularly requires the transfer of protected data from Russia to foreign jurisdictions. The collection and cross-border transfer of such data is subject to extensive Russian regulation.
In particular, emails, WhatsApp messages, SMS messages and other correspondence by Russian employees are protected by the privacy of communication principle. Unless the Russian company has adopted internal rules on the use of office communication means for business purposes only, the collection and transfer of such data requires prior written consent by the relevant employees.
The transfer of Russian employees’ personal data also requires the relevant employees' written consent to the transfer (which may, by way of precaution, also be reflected in the employment agreement). In case of a cross-border transfer, such a transfer must be specifically consented to. Since employee consent can be difficult to obtain in practice, the relevant data may have to be depersonalised before the transfer. Further, a data transfer agreement must be signed between the Russian employer and the foreign recipient. In addition, due to Russian data localisation requirements, the primary database for personal data transferred abroad must be set up in Russia and – before the transfer of any new data – must be updated accordingly.
On the other hand, Russian law has no general attorney-client privilege. A concept similar to this privilege exists only in the form of advocate secrecy in relationships between clients and advocates (ie, lawyers who passed a bar exam to represent clients in criminal and certain civil law court proceedings). Therefore, the protection of the attorney-client privilege does not usually restrict the (cross-border) transfer of data.