by Joe Looby
Complicated, yes, but impossible? No, according to a report just out from RAND Europe.
With the widely reported increase in FCPA enforcement by the U.S. DOJ and SEC, and a new U.K. Bribery Act taking effect in April of 2011, corporations are increasingly required to conduct anti-bribery due diligence and investigations across the globe. In many instances, this may require the collection of email and documents from one country and the review and production of such documents in another country.
However, EU data privacy laws often seem to be in direct conflict with U.S. regulatory requirements to produce documents for FCPA investigations. To comply with a DOJ request for documents from certain countries—say, Germany or Italy—a company cannot simply rely on “U.S. notions” of employee consent and then gather those documents and bring them to the U.S. for review and production to the DOJ.
For example, if an EU employee were to consent upon hiring to the employer’s unrestricted use of his or her email (a common practice in the U.S.), a later transfer to the U.S. on this basis alone would violate EU data privacy laws. To further complicate matters, each EU country, and certain local jurisdictions within those countries, can implement their own data privacy rules differently.
The RAND Europe report, sponsored by FTI Technology, outlines options that companies and counsel can consider. It incorporates guidance from the European Directive’s Article 29 Working Party, the Sedona Conference, and national data privacy regulators and experts from five European countries (France, Germany, Spain, Switzerland and the United Kingdom).
Some of these recommendations include processing and redacting documents in country, use of a privacy log, or assigning a third party to adhere to the European legal framework. In addition, the report includes country-specific requirements for the five countries mentioned above.
The full report is available for download here.