It has been over three months since the EU General Data Protection Regulation (GDPR) went into effect. The sky hasn’t fallen, and we are still here. We at TRACE now wear a t-shirt saying “I survived the GDPR” and see the humor in GDPR jokes and online memes.
Three months is a good time to revisit our earlier prediction of a “collision of galactic proportions” between the GDPR and the FCPA. Our most dire warning concerned the new risks arising from conducting robust anti-bribery due diligence in view of Article 10 of the GDPR, which prohibits the processing of personal criminal background information unless such processing is either: (1) carried out under the control of a European official authority or (2) specifically authorized by EU or EU member state law.
In other words, unless one of these two conditions is met, inquiring into a history of criminal convictions or offenses for individuals associated with a third-party entity as part of anti-bribery due diligence may run afoul of the GDPR and may lead to significant fines and, in some EU countries, even to prison sentences. As we reported on May 24, a number of EU countries offered partial solutions to this problem through national legislation, and we played an active role in one of these developments. However, we are still in need of an EU-wide fix.
Since sounding our first alarm, we have heard and read an array of reactions to our warnings; some suggest that the problem isn’t as serious as we have made it out to be. In this three-part series, we will address some of these interpretations.
That can’t be right — the outcome would be absurd! Some believe that even in the absence of a specific authorization by EU national laws (e.g., in Germany), Article 10 data could still be processed for purposes of anti-bribery due diligence, because EU legislators could not possibly have intended to thwart companies’ anti-bribery efforts and undermine anticorruption laws and conventions.
According to this view, it is “absurd” that self-policing in compliance with anti-bribery laws should expose companies to GDPR liability. Whatever the GDPR actually says, surely supervising authorities wouldn’t go after companies for such behavior. And even if the supervising authorities initiate an enforcement action, wouldn’t courts be more sympathetic and business-friendly than GDPR “privacy activists”?
Relying on prosecutorial discretion and courts’ leniency probably isn’t a good strategy. Consider:
- There are numerous supervising authorities in the European Economic Area, each with its own enforcement pipeline, priorities, and ambitions, and each capable of initiating an enforcement action.
- Under Article 82, aggrieved individual data subjects also have a right of action for material and non-material damages.
- There is a quasi-class action mechanism under Article 80 allowing organizations like the activist-led and crowd-funded noyb — “none of your business” — to bring privacy cases “in a much more effective way than before.”
- We have found that some Europeans find robust anti-bribery due diligence not only intrusive and burdensome, but also somehow “American.” They oppose “outsourced law enforcement” by private entities, and would gladly see it restricted.
In our view, the time spent waiting for an enforcement action or a day in court would be better spent calling for a legislative solution to these “absurd” outcomes in countries that do not currently provide one. At a recent conference, a senior data protection official from the European Commission acknowledged that Article 10 may present an obstacle to processing personal criminal background information in the context of anti-bribery due diligence, and suggested that Article 10 already provides a roadmap for resolving the issue legislatively.
In short, what appears to us as an “absurd” outcome may not seem that way to those who have the power to act.
Illya Antonenko, pictured above, is Data Protection Officer and Counsel for TRACE International. He has advised clients regarding cross-border transactions, general corporate issues and FCPA compliance matters and investigations for fifteen years. He has leveraged his experience in international matters by developing expertise in the European data protection legislation, in particular the General Data Protection Regulation.