According to a recent informal poll by Deloitte, 11.7 percent of respondents are taking a “wait and see” approach to compliance with the GDPR as a whole, not just Article 10. Assuming compliance risk is a valid position, as long as the risk is well understood.
Even the mighty FCPA needed over twenty years to become mainstream and to command respect in the C-Suite. Despite potentially significant penalties and business disruption, some companies may indeed choose to wait until the GDPR has proven its mettle. However, these companies should realize that the mettle may be proven using them as an example.
Aren’t we protected by GDPR’s Article 6(1)? Article 6(1) sets forth six specific conditions under which personal data may be processed under the GDPR. Article 10 refers back to Article 6(1) in identifying the scope of its own restriction. Some have taken this to mean that Article 10 does not apply to them if their processing of criminal-history data fits within one of the conditions of Article 6(1).
However, relying on Article 6’s lawful bases alone to process Article 10 data rests on a misunderstanding of the GDPR’s multilayered data protection scheme. Article 6 is the initial threshold for processing any type of personal data under the GDPR. Even after the Article 6 threshold has been overcome, the GDPR sets additional, higher thresholds for processing certain types of particularly sensitive personal data, including criminal-history information under Article 10. The reference to Article 6(1) in Article 10 restates the need for the processing to meet the lawfulness test in Article 6(1) before the restrictions in Article 10 are applied on top of it.
No worries — we just won’t ask about criminal history in low-risk countries. We have encountered the view that inquiring into individuals’ criminal histories is unnecessary when conducting due diligence on third parties in countries with low levels of perceived corruption. This approach seeks to bypass the Article 10 issue altogether by not asking for Article 10 data at all for most countries in the European Economic Area.
U.S. law enforcement authorities have indeed endorsed a risk-based approach to due diligence. However, we suspect enforcement agencies would not agree that, regardless of other risk factors, anti-bribery due diligence on entities from countries with a relatively low level of perceived corruption need not include any criminal background vetting of the individuals who control or act on behalf of such entities.
The goal of due diligence under the FCPA is to determine whether there are indications that a particular third party may engage in corrupt conduct, and to document a defensible position that the principal company is not aware of a high probability that the third party would engage in corrupt conduct on its behalf. Just because a country appears relatively clean doesn’t mean everyone who lives there is a saint. Not inquiring into the criminal background of the individuals who control or act on behalf of the third party is the only way to avoid processing Article 10 data. A due diligence process that avoids that inquiry for the sole reason that the third party’s country is perceived to be less corrupt than others may be viewed as ineffective, because prior criminal conduct of the relevant individuals is indicative of a propensity to engage in improper conduct in the future. It is also worth noting that FCPA enforcement actions have routinely targeted companies from EU countries that are not “perceived” as highly corrupt.
In fact, six of the top ten FCPA enforcement actions involved companies from such countries. A low degree of perceived corruption in the country is not a defense in FCPA cases. In any event, the GDPR has a wider territorial scope than this view implies. Companies based in the EU have to apply the GDPR’s requirements to the processing of all personal data regardless of where the data subjects are located. Strictly applied, Article 10 would therefore preclude inquiry into anyone’s criminal history, no matter how corrupt their country’s reputation.
Illya Antonenko, pictured above, is Data Protection Officer and Counsel for TRACE International. He has advised clients on cross-border transactions, general corporate issues and FCPA compliance matters and investigations for fifteen years. He has leveraged his experience in international matters by developing expertise in European data protection legislation, in particular the General Data Protection Regulation.