On May 24, I wrote a post for the FCPA Blog about TRACE’s concerns that Article 10 of the new EU General Data Protection Regulation (GDPR) presents an obstacle to anti-bribery due diligence of third parties, and how we have advocated for an EU-wide, or at least a national-level, solution.
As background, Article 10 of the GDPR prohibits the processing of personal data relating to criminal convictions and offences (and related security measures) unless such processing is either:
(i) carried out under the control of a European official authority; or
(ii) specifically authorized by law at the EU level or at the EU member state level.
In response to my post, Antoine Delacarte commented that according to the French Sapin II Law (Article 17, II, 4°), a mandatory component of compliance programs is third party due diligence, including criminal background checks.
“Thus, companies that must implement anticorruption compliance programs have a legal authorization to do so” pursuant to GDPR Article 10, Mr. Delacarte said.
He also cited a similar legal authorization in the French financial and monetary code (article L. 561-1 et seq.) for AML/TF due diligence.
I am grateful to Antoine Delacarte for his excellent contribution.
Indeed, Sapin II’s Guidelines issued by the French Anti-corruption Agency (Agence Française Anticorruption) indicate that “Organizations should ascertain whether third parties, their managers, main shareholders and beneficial owners have been the subject of adverse information, allegations, prosecution or convictions for any offences and, more particularly, corruption offenses.” See the English translation of the Guidelines.
I am not a French or EU lawyer but there appear to be some issues with such a promising possibility of resolving the tension between GDPR’s Article 10 and anti-bribery due diligence:
1. Although AFA’s guidelines/recommendations are required by Sapin II, the guidelines themselves do not appear to have the force of law or regulation. So, they arguably do not meet GDPR Article 10’s requirement for the “processing [to be] authorized by … Member State law.”
2. GDPR Article 10 requires that any authorization by Union or Member State law to process Article 10 data should “provid[e] for appropriate safeguards for the rights and freedoms of data subjects.” Neither Sapin II nor AFA’s guidelines provide for any safeguards for the rights and freedoms of data subjects when processing Article 10 data.
3. Any potential solution presented by AFA’s guidelines under Sapin II would probably be unavailable to entities that are not subject to French jurisdiction, i.e. whose anti-bribery due diligence is not governed by Sapin II.
We have not addressed the anti-money laundering/combating the financing of terrorism due diligence because the AML/CFT due diligence would require a different analysis under the GDPR for several reasons:
1. a somewhat different nature, scope and purpose of due diligence in each instance;
2. the Fourth Anti-Money Laundering Directive, which has specific data protection language;
3. detailed Member State legislation under the Fourth Anti-Money Laundering Directive, such as the French law Mr. Delacarte cites; and
4. the strong support from the FATF and financial institutions for AML/CFT at the EU level (including before the old Article 29 Working Party).
Again, I thank Antoine Delacarte for his input. And I welcome further discussion about this important topic.
Illya Antonenko is Privacy Counsel and Legal Research for TRACE International. He has advised clients regarding cross-border transactions, general corporate issues and FCPA compliance matters and investigations for fifteen years. He has leveraged his experience in international matters by developing expertise in the European data protection legislation, in particular the General Data Protection Regulation.