Software developers from Russia, Belarus, and Ukraine have become well known outside their countries for delivering high-quality IT products and services. The strong education system, wide pool of tech graduates, and moderate pay rates in these countries produced attractive destinations for the technology industry.
Despite the proximity to Western Europe, the business and legal environment in Russia, Belarus, and Ukraine is very different from the one established in the EU and is often perceived by foreign partners as a “Pandora’s box” of diverse rules. Nevertheless, U.S. multinationals open subsidiaries and acquire local engineering teams in the region facing numerous challenges of complying with national laws. Local data protection requirements in relation to employee data are becoming part of their compliance efforts. With privacy developments in other regions, including the EU General Data Protection Regulation that comes into force in May 2018, corporate legal and HR professionals may find themselves overwhelmed.
As a potential solution, U.S. multinational companies are looking to find a unified approach to address employee privacy across all of their locations. In this regard, the GDPR setting a high bar for compliance might be viewed as a standard for corporate privacy programs. To assist companies in developing a global compliance strategy, this two-series article points out a number of unique employee privacy considerations of the region (e.g., Russian data localization rules) and provides a comparison between relevant provisions of the GDPR and employment/data protection laws in Russia, Belarus, and Ukraine.
Local laws and the GDPR
The approach to data protection laws in these three countries is not uniform, despite historical and cultural similarities in the region. Russia adopted its first data protection law in 2006 and amended it significantly in 2015. The notable highlight of these amendments is the requirement to store personal data of Russian citizens in databases physically located in Russia, combined with the increased power of the Federal Service for Supervision of Communication, Information Technology and Mass Media (Roskomnadzor), and its recent focus on enforcement activities.
Belarus has not yet implemented a specific data protection law; its adoption is included in the legislative plan for 2019. Certain privacy provisions can be found in the Law on Information, Informatization and Protection of Information, and the Law on Population Register; both were adopted in 2008 and hardly enforced. The government has recently taken progressive steps to attract investors in the technology sector promoting the Belarus Hi-Tech Park, but what approach it will take toward privacy and data protection remains to be seen.
Ukraine is a prospective member of the EU. The Ukrainian data protection law, adopted in 2010 with major changes as of 2014, essentially complies with EU Data Protection Directive 95/46/EC. Based on the EU-Ukraine Association Agreement, Ukraine has an obligation to align its legislation with the EU's highest standards. Consequently, Ukraine’s data protection law will likely be adjusted to comply with the GDPR.
Local employment laws, which are typically characterized as favorable to employees, may also include employee privacy provisions (e.g. Chapter 14 of the Russian Labor Code). Note that local laws come into play when companies hire individuals to perform a job or services in these countries. Multinationals prefer to incorporate a legal entity (e.g. a local subsidiary) that acts as a local employer and will handle the relevant labor, tax, immigration and other obligations.
The GDPR will apply to EU employers (controllers). Its scope may expand to non-EU entities that process personal data on the EU employer’s behalf creating a double challenge of complying with the GDPR and local laws. For example, a Ukrainian subsidiary collects job applicant information on the instructions of a Polish (EU) subsidiary, which is responsible for hiring engineers in Eastern Europe for a multinational group of companies. In such scenarios, careful analysis of the GDPR controller-processor relationships within the group should be taken, and appropriate documentation should be put in place.
The broad territorial scope of the GDPR may count in favor of using it as a standard for corporate privacy programs. But, even in the EU, the GDPR will not provide a single set of rules in the employment context. The EU member states may enact national laws specific to the processing of employee data based on Article 88 of the GDPR. In this regard, the GDPR, while establishing general rules for personal data processing, will hardly represent a unified approach for the processing of employee data. Multinationals should thoroughly examine local employment and data protection laws in and outside the EU.
Data protection officers
A foreign company opening its subsidiaries abroad most likely needs local expertise to navigate national law intricacies. The common approach is to involve external consultants, particularly when local offices do not have their own HR department or in-house legal support. However, multinationals might want to first identify if they have an obligation to appoint a data protection officer in these jurisdictions. If such appointment is mandatory or the company chooses to appoint a DPO, even in the absence of statutory requirements, this person may become an important ally to the global privacy team “on the ground."
In Russia, companies are required to designate a “person responsible for the processing of personal data." Similar to the DPO’s duties under the GDPR, this person oversees the company’s compliance with data protection laws, informs employees about legal requirements and internal policies in regard to data protection, and communicates with data subjects. The Belarusian laws do not require companies to have a DPO. At the same time, a person responsible for information security may need to be appointed.
Ukranian companies have an obligation to appoint a DPO in case they process “data constituting a high risk to individuals’ rights and freedoms." The 2014 amendments introduced this term, which is close to “special categories of data” under the GDPR; however, it additionally covers data related to individuals’ criminal convictions and offenses, their location and routes, and whether they suffered violence or abuse. The Ukrainian Parliament Commissioner for Human Rights (ombudsman) must be notified about their processing as well as the DPO appointment, except where such data is processed for compliance with the company’s employment obligation.
To compare, the GDPR provides that companies must designate a DPO if their core activities consist of regular and systematic monitoring of data subjects on a large scale or processing of special categories of data on a large scale. EU member states may go beyond that when introducing their GDPR implementation laws and oblige local companies to appoint a DPO in some other cases.
Even if it is not required on the EU or member states' levels, companies may opt to appoint DPOs. Such appointment can be beneficial for multinationals as it allows bringing an experienced data protection professional on board and suggests both internally and externally that the company is serious about privacy. Moreover, the GDPR makes a step toward companies with numerous locations and allows them to appoint a single DPO, provided that this person is easily accessible from each establishment. The Article 29 Working Party’s "Guidelines on DPOs" further suggest that such a DPO is located in the EU.
Assuming that multinationals need local DPOs for their Ukrainian and Russian subsidiaries, the question arises as to whether a GDPR-mandated DPO can perform such function for locations outside the EU. Russia, Belarus, and Ukraine share common borders with the EU, and having one person responsible for the whole region would be convenient from the organizational standpoint. The answer to this question depends on certain legal and business considerations.
Both the Ukrainian and Russian laws refer to the appointment of a DPO, traditionally viewed as an internal appointment. In contrast, the GDPR directly provides that a DPO may be a staff member or fulfill the tasks based on a service contract. While no restriction exists for foreign nationals to be hired for such a position (either full-time or part-time), immigration laws would require a work permit and/or work visa to be obtained before hiring a foreign individual in Russia and Ukraine. Also, as the DPO duties include direct communication with the DPA and data subjects, a local employee may be a better fit.
When hiring a local DPO, it also makes sense to avoid using the title of “data protection officer” at non-EU locations and leave it for the GDPR-mandated appointment. Actually, neither Russian nor Ukrainian laws use it, rather, they refer to a “person responsible for the processing of personal data” that could be translated as a “data protection specialist” in HR terminology.
As a result, multinationals may end up with a single EU-DPO and a number of data protection specialists at their non-EU offices. In case of a U.S.-headquartered multinational company, chief privacy officer can be on the top of this structure and serve as a head of the global privacy office which consists of a network of privacy professionals across the company’s locations.
Internal corporate policies
Companies in Russia, Belarus, and Ukraine must issue internal policies and procedures as provided by Labor Codes or other laws. From a privacy perspective, internal corporate policies may serve as a notice to employees about the company’s data processing practices and demonstrate that a company has taken certain data protection measures as local laws or regulations require. In practice, multinationals might want to adopt uniform policies applicable to all of their group companies. However, they need to be cautious while following this approach. National laws may vary and dictate different requirements to the scope, content, and even title of such policies.
The Russian data protection law obliges companies to adopt a “personal data processing policy." It may cover employees, former employees, job applicants, and their dependents. Roskomnadzor provided recommendations for its content and suggested to include detailed procedures for accommodating data subjects’ rights. Russian companies must also take numerous organizational and technical safeguards in the area of data security. Particular measures are defined in details based on the threat level matrix. They include restricting access to personal data, physical security requirements and many others.
While companies in Belarus are required to put in place internal security documentation, local laws have so far been silent on the mandatory issuance of internal data processing policies. Nevertheless, it is a good practice for a local company to adopt a policy that outlines its data handling practices. The specific focus may need to be made on establishing a framework for exercising employees’ data subject rights. Being part of a multinational company, local employees may conclude that they enjoy the same amount of rights as available to their EU colleagues under the GDPR, which may not be the case.
In Ukraine, companies must notify their employees (typically in the form of notices or internal policies) that their data is being processed and inform of their rights at the time of data collection, or within 30 days if their personal data is collected from third parties. A broad set of data protection and security measures should be adopted. Pursuant to the ombudsman’s order, companies must create a register of data processing operations; prepare an incident response plan; draft access policies, along with signing confidentiality agreements with employees who handle personal data; and organize a regular training for such employees.
Lastly, certain formalities must be followed in order for internal policies to be binding on employees. Companies can post such policies on the internal corporate portal or make their paper versions available through HR. In any case, companies should be able to demonstrate that employees have been informed of these policies. Employee signatures in the register traditionally serve as a proof. Employment-related documents must also be issued in local languages (as both Russian and Belarusian are official languages in Belarus, documents in either of them will suffice).
To compare, the GDPR covers many of the data protection measures mentioned above. However, it goes further and embraces a risk-based approach to data protection. Currently, there is no analog to the Data Protection Impact Assessment or privacy by design/default concepts in the data protection laws of Russia, Belarus, and Ukraine.
Photo credit: Chris Feichtner National Library | Minsk, Belarus via photopin (license)