X

Thank you for sharing!

Your article was successfully shared with the contacts you provided.

As companies in the U.S. work to comply with laws such as the Foreign Corrupt Practices Act (FCPA), they often conduct internal investigations that rely, in part, on collecting information from employees, such as documents and emails. It’s all perfectly legal in the U.S., but it can quickly lead to potential conflict when in-house lawyers also have to navigate European Union regulations on data protection—laws that guard employee privacy, even for information stored on company computers and servers. Now imagine a scenario in which that information is even harder to obtain. Such appears to be the case under the E.U.’s new data-protection proposal. “Currently, one of the ways that in-house counsel manage this potential conflict of laws is obtaining genuinely voluntary employee consent,” says Jim Halpert, a partner in DLA Piper’s communications, e-commerce, and privacy practice in Washington, D.C. “The proposed [E.U.] regulation would declare employee consent—even if freely given—to be per se invalid.” What that means, Halpert adds, is that the proposal “eliminates the most convenient way of gathering evidence for U.S. legal compliance purposes.” At the same time, the proposal does not include an exception for the collection of data in order to comply with a non-E.U. member requirement. Essentially, says Halpert, companies would have to seek special permission from a member state, and there is no guarantee such a request would be approved. The E.U. proposal is still years away from becoming law, and could still be clarified along the legislative approval path, says Halpert. But the way the proposal is currently written does raise the specter of “uncertainty in a critical situation,” he says. Potential conflicts between compliance with U.S. law and with the E.U. data protection directive exist in the context of just about any investigation that requires the collection of data, says Sharie Brown, also a partner at DLA Piper, and co-chair of the firm’s FCPA, anti-corruption, and corporate compliance practice group. Those investigations are often related to potential violations of the FCPA, as well as possible financial fraud, procurement fraud, money laundering, and export control violations. In the U.S., companies have much more latitude to investigate employee computers and documents. By contrast, in the E.U., “their laws are more restrictive, and they value the privacy of their employees”—even when employee information is stored on a company’s own network or devices. Those restrictions can prove “very frustrating” for a company that is trying to conduct a comprehensive internal investigation—one that fulfills its fiduciary duty and meets the demands of U.S. regulators and law enforcement authorities, says Brown. Americans and Europeans simply don’t see eye to eye in a few different ways. For one thing, says Steptoe & Johnson partner Stewart Baker, “there is a constant inclination on the part of [European] data protection authorities to believe that the U.S. government is a source of bad things in the world—particularly on privacy.” “They’re always willing to believe the worst,” he adds. Second, a number of European countries view internal investigations differently from the U.S. They don’t all necessarily believe in “leaving no stone unturned in the search for evidence,” says Baker, former assistant secretary for policy at the U.S. Department of Homeland Security. But across the pond, the U.S. government expects companies to investigate themselves extensively and “to be tough on employees,” says Baker. In turn, U.S. general counsel “have a pretty strong view of what it takes to do a thorough investigation,” he says. “You need to be able to persuade the U.S. government that you did everything necessary to get to the bottom of a problem.” At present, conducting a thorough investigation that also complies with E.U. law can be more challenging—but it is doable, says Brown. Consulting with local counsel who are experts in a given country’s privacy laws is key, she says. Doing so allows companies both to avoid violating local laws, and to get through the technical hoops required in order to access employee information. That process may take longer than it would in the U.S., says Brown, but “as a practical matter, I have not had a situation where an employee simply refused to make their laptop available, or participate in interviews” related to a company investigation. While the future of the E.U.’s data-privacy rules is unclear, one thing is in sharp focus: counsel at multinational companies already have to clear compliance hurdles—sometimes conflicting ones—and there may be more on the horizon.

ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2017 ALM Media Properties, LLC. All Rights Reserved.