For many years the U.S. Foreign Corrupt Practices Act has been the dominant anti-bribery regulation affecting multinational companies. More recently, the U.K. Bribery Act of 2010 has been in the spotlight, with a broader jurisdictional reach and subject-matter scope. Complying with these and other anti-bribery laws often requires companies with global operations to transfer data across borders.
Meanwhile, data privacy regulations have been enacted in many jurisdictions, particularly countries in the European Union. The privacy laws continue to evolve, and proposed new EU data protection regulations are currently under review. Complying with both anti-bribery laws and data protection regulations can be challenging, as they at times appear to be in conflict with each other. Failure to comply with current EU requirements could result in significant monetary fines, criminal penalties and an outright ban against the transfer of personal data outside of the EU, making it even more critical that companies correctly navigate the requirements of both sets of laws.
FCPA AND U.K. BRIBERY ACT REQUIREMENTS
In order to comply with the U.S. government’s expectations under the FCPA, companies are increasingly being required to conduct due diligence on third parties around the world, including agents, sales representatives, consultants, joint venture partners and acquisition targets. There is no definitive checklist for conducting third-party due diligence. However, the government has provided some guidance.
For example, in 2011, the U.S. Securities and Exchange Commission resolved FCPA claims against Tenaris S.A. with a deferred prosecution agreement that recognized that the company had strengthened its policies, including enhanced due diligence procedures related to third-party agents. Also, guidance set forth by the U.S. attorney general encourages U.S. companies to “exercise due diligence and to take all necessary precautions to ensure that they have formed a business relationship with reputable and qualified partners and representatives,” which may include “investigating potential foreign representatives and joint venture partners.”
In addition, the 2011 Federal Sentencing Guidelines Manual provides credit to an organization that violates the FCPA, if the organization maintains an effective compliance program, including “exercis[ing] diligence to prevent and detect criminal conduct.”
Third-party due diligence is also important under the U.K. Bribery Act. Section 7 imposes criminal liability on an organization that fails to prevent a person associated with the organization from paying a bribe on behalf of the organization. An organization has a defense if it can show that it established “adequate procedures” to prevent or detect bribery. Guidance provided by the U.K. Ministry of Justice explains that due diligence procedures should take “a proportionate and risk-based approach, in respect of persons who perform or will perform services for or on behalf of the organization, in order to mitigate identified bribery risks,” which in certain situations, may include “indirect investigations, or general research on proposed associated persons.”
The parameters of each due diligence investigation should be determined based upon a comprehensive risk assessment of the proposed transaction. A company conducting a due diligence review may wish to gather information that could be considered “personal,” and potentially transfer the data across borders for review and analysis.
Similarly, when a company conducts an internal bribery investigation or is the subject of a government investigation, relevant documents may exist in one country that the company may wish to transfer to another country for review and production. Governmental agencies urge companies under investigation to voluntarily provide information, including documents, even if they are located in a foreign jurisdiction. Such cooperation may benefit the company and be a factor in the government’s decision to discount a fine below the U.S. Sentencing Guidelines.
For example, on March 14, the U.S. Department of Justice announced the resolution of an FCPA enforcement action against Bizjet International Sales and Support Inc. The monetary penalty agreed to by Bizjet reflected an approximately 30 percent reduction off the bottom of the fine range under the U.S. Sentencing Guidelines. The DOJ attributed the reduction to several factors, including Bizjet’s extraordinary cooperation, such as providing employees (both U.S.-based and foreign) for interviews, and gathering and organizing information and evidence for the DOJ.
DATA PRIVACY LAWS
Unfortunately, these due diligence and document production requirements can seem inconsistent with data privacy laws in the jurisdictions where the information is located, which restrict the transfer of certain types of data across international borders.
Member countries of the EU and European Economic Area (EEA) are governed by a comprehensive Data Protection Directive issued in 1995. Earlier this year, the EU announced substantial proposed changes to the directive that many view as imposing even greater restrictions on the flow of personal data. Under both current and proposed regimes, personal data may be transferred to a country outside the EU only if that country provides an adequate level of protection for the data, or if an exception applies.
U.S. privacy laws do not meet the EU adequacy standard. Consequently, unless the data transfer is subject to an exception, a company conducting an anti-bribery investigation or due diligence review may not legally transfer the personal data of anyone, including the company’s own employees, from any of the 27 EU member states or the EEA to a location inside the United States.
Unambiguous consent from the individual is one of the limited exceptions for data transfer afforded under the directive. However, some member states require that the consent be revocable, that it relate to the relevant country, and that the purpose and use of the data being transferred be identified. Also, some countries believe that consent cannot freely be given in employment situations and are considering eliminating the exception in that context.
Other exceptions to transfer restrictions include the U.S./EU Safe Harbor program, model contract clauses and binding corporate rules (BCRs). The Safe Harbor program requires eligible U.S. organizations to adhere to guiding privacy principles and file annual certification letters with the U.S. Department of Commerce. Model clauses are data transfer provisions approved by the European Commission, with specific language that must be incorporated into third-party contracts. BCRs, which require approval from each member state where transfer occurs, may be adopted by a company to specify procedures for international transfers of personal data within the company.
The General Data Protection Regulation proposed by the European Commission represents a comprehensive reform of the 1995 directive. Key changes in the proposed regulation include a revised definition of consent, which must be a freely given, informed and explicit indication of the data subject’s wishes. The regulation eliminates the exemption for consent in most employee/employer relationships.
The draft regulation streamlines the approval process for BCRs and provides some needed flexibility regarding model contract clauses with third parties. Notwithstanding the improvements, however, neither model contractual clauses nor BCRs may be of value to multinational corporations that need to transfer data in response to a time-sensitive FCPA investigation or due diligence review, unless the clauses or BCRs are already in place.
The new regulation also proposes to increase the penalties for violations. Specifically, transferring personal data to a third country that does not meet adequacy requirements, without appropriate safeguards having been taken to protect the data, could result in penalties of up to 1 million euros, or 2 percent of the company’s annual turnover (gross income).
Given the number and complexity of European laws that apply to the international transfer of personal data, multinational companies should carefully consider their data collection and review options in connection with a due diligence review or bribery investigation involving persons who reside outside of the United States. Penalties for failing to abide by data transfer restrictions present significant exposure for companies doing business abroad and are only expected to increase under the proposed new regulation.
This article first appeared in Corporate Counsel, a Legal affiliate based in New York.
Erika Brown Lee is senior counsel in Fulbright & Jaworski’s Washington, D.C., office. She is a credentialed certified information privacy professional, and a member of the firm’s privacy, competition and data protection group, as well as the antitrust and trade regulation group.
Elaine Lawson is senior counsel in the firm’s Houston office, and a member of the firm’s government investigations and enforcement and white-collar criminal defense practice groups.