Robert Clark: Will the EU data protection rule block due diligence?

Companies minimize the risk of corruption by adequately vetting their prospective representatives — typically by reviewing information about the financial interests and relevant connections of the intermediaries’ owners and key personnel, and screening those individuals for reputational and criminal-history issues.

These routine inquiries will soon become considerably more difficult.

On 25 May 2018, the European Union’s General Data Protection Regulation (GDPR) will become applicable, requiring affected companies to implement heightened safeguards in their collection, use, disclosure, and retention of information about identifiable individuals.

The Regulation has a broad territorial reach (Article 3). It applies not only to companies established in the EU, but also to any company that offers goods or services to individuals in the EU, or that processes their personal data in connection with “the monitoring of [their] behavior as far as their behavior takes place within the Union.”

There is a troubling ambiguity in that phrase. The purpose of due diligence is to anticipate potential illicit acts an intermediary may be in a position to commit. Identifying such risks requires accurate information about individuals’ connections and interests. It is unclear whether such prior-history information is within the GDPR’s scope — whether “the monitoring of behavior” includes inquiries into a person’s past activities and associations.

If so, due diligence becomes much harder.

If a “data subject” resides in the EU or has engaged in potentially relevant behavior there, the GDPR requires any “data controller” (here, the entity performing due diligence) to inform the subject of the categories of information being collected, the purpose and legal basis of the processing, and the subject’s rights, including the right to object (Articles 13 and 14). Where the information is obtained from third-party sources rather than from the subject, as it typically is in due diligence, Article 14 requires that notice within a reasonable period after the data is obtained, and at the latest within one month. Notifying the very individuals being vetted, before or shortly after the inquiry, cuts against the purpose of a confidential background check.

Even more troubling, under Article 10 information concerning a subject’s criminal convictions and offences can be processed “only under the control of official authority or when the processing is authorized by Union or Member State law.” Data controllers established in the EU must comply with these requirements and restrictions even where the data subjects reside and act elsewhere (Article 3(1)).

This data-protection regime is in tension with European anti-corruption law. In 2009, the Organisation for Economic Co-operation and Development squarely promoted the principle of third-party liability, calling on signatories to the OECD Anti-Bribery Convention (including 23 EU member states) to ensure that companies are liable for bribery undertaken for their benefit by agents and intermediaries.

If the GDPR inhibits or prevents companies from performing even baseline due diligence (such as criminal background checks), it will seriously weaken their ability to monitor agents’ behavior, interfering with the policy aims not only of the OECD, but of any authority committed to fighting transnational bribery.

In principle, these restrictions can be addressed by individual EU member states authorizing the processing of criminal-history information and identifying anti-corruption due diligence as a “public interest” activity justifying the use of personal information. But there is no guarantee of Union-wide consistency on these points, and businesses could find themselves forced to navigate a state-by-state patchwork of information-processing restrictions, with harsh penalties (up to €20 million or 4 percent of annual worldwide turnover, whichever is higher) for non-compliance.

This uncertainty isn’t good for business, or for anti-corruption. We need greater clarity regarding the constraints the new regulation will place on businesses’ due diligence efforts, and greater assurance of uniformity across the EU member states. If the EU wishes to remain seriously engaged in fighting corruption — both within and outside of its borders — it must take steps to ensure that the GDPR will not unduly interfere with companies’ efforts to responsibly research the backgrounds of their intermediaries and representatives.

TRACE has been actively working, in cooperation with our European counsel McCann FitzGerald, to bring our processes into full GDPR-compliance. At the same time, we are deeply concerned about the GDPR’s potential interference with anti-bribery compliance efforts worldwide, and we are committed to addressing these challenges together with other interested parties, both public and private.

(If you are interested in learning more about TRACE’s efforts or joining our working group, please contact us here.)

We are hopeful that the appropriate regulatory body (currently the Article 29 Working Party, soon to become the European Data Protection Board) can be prevailed upon to clarify the relation between the new data-protection regime and the due diligence research that businesses are required to perform. By doing so, it can help preserve Europe’s role as a leader in the global anti-corruption movement.


Robert Clark, pictured above, is the Manager of Legal Research at TRACE, where he oversees a team of lawyers responsible for the production of analytical content. He is the co-editor of What You Should Know About Anti-Bribery Compliance (2017) available from Amazon here.


  1. Hi, Robert – Thank you for raising an issue that people have simply ignored. We tend to give much deference to the EU’s privacy initiatives without examining the enormous potential for mischief when bureaucrats are given such broad power.

    In the EU privacy has already been misused in an ill-advised attack on one of the most important compliance & ethics tools, helplines. (Note that while the French privacy authority initiated this attack, the French legislature has now taken steps to require reporting systems.) Privacy and other laws have similarly been used to undermine other compliance & ethics efforts. While the fight against corruption is one casualty, these policies undercut all efforts within organizations to fight business crime and misconduct.

    What we need is not merely a limited carve-out from privacy law to protect anti-corruption efforts, but establishment in the legal system of a firm policy promoting and protecting compliance and ethics efforts. Privacy is important, but it is just one of many important policies.

    Companies and other organizations serve the public when they undertake effective compliance & ethics programs. They should not be sacrificed merely to advance one policy agenda. In an article I wrote for the Rutgers University Law Review I reviewed various ways the legal system undercuts compliance & ethics programs, and offered a broad policy to support these organizational compliance & ethics. See Joseph E. Murphy, Policies in conflict: Undermining corporate self-policing, 69 Rutgers U.L. Rev. 421 (Winter 2017).

    Cheers, Joe

  2. I don't see what the issue is here. Article 6(1)(c) of the GDPR states clearly that, "Processing shall be lawful only if and to the extent that at least one of the following applies:(…) processing is necessary for compliance with a legal obligation to which the controller is subject."

    The various AML laws (whether the EU Directive or national implementing legislation) are quite explicit about the obligations regarding customer due diligence. Therefore, screening clients against publicly available sanctions lists created for the purpose of ensuring compliance with AML/CTF laws would seem to be sufficient already without any further clarification needed from the WP29 or Member State law.

  3. GDPR may in fact make due diligence programmes easier for Data Controllers, for the following reasons:

    • It is true there are heightened safeguards in the obtaining of consent. There has not yet been guidance on “appropriate technical and administrative security measures” that differ from those specified in the Annex to the Model Clause data transfer agreements
    • The regulation does have a broad territorial reach, but no longer will companies have to obtain approval for their programmes from individual data protection authorities (like CNIL) except in rare cases
    • Most multinational companies will already be processing the Personal Data of EU residents and they have already become accustomed to the protection and transfer of that data via Privacy Shield or data transfer agreement. Companies that did not have a presence in the EU will be subject to GDPR if they offer goods or services to EU citizens and “monitor” EU residents’ behavior. It is doubtful that one-off due diligence of past behavior or connections constitutes “monitoring” in the sense that Amazon monitors everything its customers do, but it makes no difference to a due diligence firm that is already subject to GDPR because it is processing personal data of data subjects residing in the EU.
    • Obtaining information on criminal convictions and criminal activity is prohibited in EU countries already by local laws. GDPR just codifies it for the entire EU in a regulation.

  4. In response to NJS's comment: Article 6(1)(c) only provides a lawful basis for processing; if you don't have a "lawful basis", you can't process personally identifiable information at all. The problem here is that the GDPR imposes additional restrictions on that lawful processing. In particular, Article 10 forbids the processing of personal criminal-history data (outside the control of official authority) unless such processing is authorized by the relevant member state. The prohibition specifically applies to data processing carried out under Article 6(1), and therefore applies to processing carried out for compliance purposes or in furtherance of a legal obligation under 6(1)(c). As for the authorization provided by AML/CTF laws, they may be adequate for AML/CTF purposes, but due-diligence inquiries related to anti-bribery compliance go much further, and are not limited to reviewing PEP, government denied parties and sanctions lists.