We at TRACE have written extensively about our concern that Article 10 of the new EU General Data Protection Regulation (GDPR) presents an obstacle to anti-bribery due diligence of third parties, which is a necessary component of any corporate compliance program under the FCPA and other transnational anti-corruption laws.
We have vigorously advocated for an EU-wide, or at least a national-level, solution to that obstacle, proposing legislative language to EU data protection authorities, and briefing ministry of justice officials and legislators. We have also reached out to relevant departments of the U.S. Government to advise them about the adverse effects of the GDPR’s Article 10 on FCPA compliance efforts and its potential obstacles to U.S.-EU trade.
This is the first time that we can report good news about our efforts.
As background, Article 10 of the GDPR prohibits the processing of personal criminal background information, among other things, unless such processing is either:
(i) carried out under the control of a European official authority; or
(ii) specifically authorized by law at the EU level or at the EU member state level.
In other words, unless one of the two conditions listed above is met, running criminal background checks, asking questions, or even researching publicly available information about a history of criminal convictions or offenses for individuals associated with a third-party entity (such as owners, officers or key employees) as part of anti-bribery due diligence or similar vetting efforts could be a violation of the GDPR punishable by a fine of up to €20 million or 4 percent of the total worldwide turnover, whichever is higher.
Unlike some other provisions in the GDPR, not even the express consent of each individual vetted would be sufficient to overcome the Article 10 prohibition if one of the two conditions in that article is not met.
When we first identified the Article 10 predicament for anti-bribery due diligence, we knew of no EU laws authorizing the processing of Article 10 data for purposes of anti-bribery due diligence, or other mechanisms that would allow such processing under the control of a European official authority.
And yet, identifying and addressing past criminal conduct by individuals associated with third-party entities, which could subject U.S. companies to FCPA violations, are at the core of robust due diligence processes for companies doing business overseas. Companies that fail to make such inquiries may risk running afoul of the anti-bribery provisions of the FCPA if third parties engage in corrupt acts on their behalf or, for public companies, the FCPA’s accounting provisions that require public companies to implement a system of robust internal accounting controls.
Our understanding of how Article 10 may impact anti-bribery due diligence has been confirmed repeatedly. Moreover, several data protection and justice officials in Europe, whom our legal counsel contacted, unofficially agreed with our concerns and indicated that this was one of the “unintended consequences” of the GDPR.
While an EU-wide solution to this “unintended consequence” is not currently under consideration, we now see significant signs of progress. As a direct result of our efforts, and with TRACE’s proposed language approved, the recently adopted Irish Data Protection Bill of 2018 contains a specific authorization of the “necessary and proportionate” processing of Article 10 data “to assess the risk of bribery or corruption, or both, or to prevent bribery or corruption, or both” pursuant to regulations to be promulgated by the Irish Minister for Justice and Equality.
We hope that such regulations will be issued by the Minister without delay. This would not only allow the processing of criminal background information of Irish data subjects as part of anti-bribery due diligence, but would also arguably permit the processing of such information for individuals residing in other EU member states by controllers whose “main establishments” are located in Ireland. In addition, we know of at least two other EU countries (the UK and the Netherlands) whose newly adopted national data protection laws will provide a complete or partial solution to the Article 10 issue for anti-bribery due diligence.
Even though this is indeed good news to celebrate, the goals of the GDPR “to remove the obstacles to flows of personal data within the Union” and to prevent “fragmentation in the implementation of data protection across the Union” have so far not been met with respect to such an important public policy objective as facilitating corporate efforts to fight corruption in compliance with international anti-corruption laws.
Those EU countries that have not adopted new national data protection laws in response to the GDPR, or whose newly adopted laws do not address the Article 10 obstacle to anti-bribery due diligence, leave the prohibition in place. Companies doing business in the EU will find it difficult to navigate the patchwork of national laws in an attempt to meet their anti-bribery due diligence obligations without violating the GDPR.
We remain committed to seeking an EU-wide solution to reconcile the important but competing goals of personal privacy and business transparency.
Illya Antonenko is Privacy Counsel and Legal Research for TRACE International. He has advised clients regarding cross-border transactions, general corporate issues and FCPA compliance matters and investigations for fifteen years. He has leveraged his experience in international matters by developing expertise in the European data protection legislation, in particular the General Data Protection Regulation.