We’re based in the United States, so how does the GDPR concern us?
GDPR’s Article 3(1) ties the GDPR’s territorial scope to being established in the EU, while Article 3(2)(a) extends the GDPR’s reach to those non-EU companies that offer products or services to individuals in the EU. Some U.S. companies that don’t have a presence in the EU and don’t offer products or services to EU consumers may therefore conclude that the GDPR doesn’t apply to them.
However, we also need to consider Article 3(2)(b), which covers “the monitoring [by non-EU companies] of … behavior [of data subjects who are in the European Union] as far as their behavior takes place within the [European] Union.” If a third party has owners, directors, managers or key employees who reside in the EU, any due diligence into that third party will necessarily involve inquiry into their past and ongoing conduct, which — to the extent that it takes place or has taken place in the EU — will therefore trigger Article 3(2)(b), bringing the full range of the GDPR’s requirements, obligations and restrictions into play.
We have been advised by our EU data protection counsel that, despite appearing to do so, Recital 24 does not limit the “behavior-monitoring” basis only to instances where “natural persons are tracked on the internet.” This is so because recitals themselves do not have the force of law but can only be used by the courts to help interpret ambiguous provisions. On its face, Article 3(2)(b) is not ambiguous in this respect. Therefore, the EU courts are unlikely to narrow EU data subjects’ protections under the GDPR based solely on the language of the recital, especially given the privacy-invasive nature of anti-bribery due diligence.
This view was confirmed by the Article 29 Data Protection Working Party, which stated in its Guidelines on Data Protection Officers with respect to this recital that “the notion of monitoring is not restricted to the online environment and online tracking should only be considered as one example of monitoring the behavior of data subjects.” These Guidelines have since been endorsed by the European Data Protection Board.
What now? We remain convinced that Article 10 of the GDPR continues to present a significant obstacle to the performance of robust and responsible anti-bribery due diligence even after our optimistic report in May. As we reported then, some EU countries have introduced legislation authorizing the processing of Article 10 data for purposes of anti-bribery due diligence in their national laws (e.g., Ireland, the United Kingdom, and the Netherlands). However, other EU countries don’t have such an authorization (e.g., Germany). The Irish statutory authorization has yet to be implemented by the Department of Justice and Equality (DOJE) through regulation.
We have continued our efforts to see this through and have advocated before the DOJE for the regulation to be issued as quickly as possible. Once the Irish regulations are adopted, the Article 10 issue will be fully resolved for TRACE’s operations that involve personal data processing. However, the solutions in Ireland, the UK, and the Netherlands may not be available for all controllers.
For example, companies established in France may be facing conflicting legal requirements. On the one hand, the guidelines under the French Sapin II law require that anti-bribery due diligence determine whether third parties’ “managers, main shareholders and beneficial owners have been the subject of adverse information, allegations, prosecution or convictions for any offenses and, more particularly, corruption offenses.” On the other hand, the French Law No. 2018-493 of June 20, 2018 implementing the GDPR does not list anti-bribery due diligence among the grounds for processing individuals’ criminal background information. In contrast, the Law does include, among other things, an authorization for IP protection groups to process individuals’ criminal background information for purposes of defending IP rights.
We remain concerned that companies doing business in the EU face the challenge of navigating a patchwork of national laws in the attempt to meet their anti-bribery due diligence obligations without violating the GDPR. In the words of Alja Poler De Zwart, a Morrison & Foerster lawyer based in Brussels who was quoted in a March 2018 Anti-Corruption Report article (paywall), “Do you continue to comply with the FCPA and risk violating the GDPR, or do you scale your FCPA vetting back in fear of the GDPR fines and instead risk the wrath of the U.S. Department of Justice?”
For our part, we will continue to advocate for an EU-wide solution to reconcile the important but competing goals of personal privacy and business transparency.
Illya Antonenko, pictured above, is Data Protection Officer and Counsel for TRACE International. He has advised clients regarding cross-border transactions, general corporate issues and FCPA compliance matters and investigations for fifteen years. He has leveraged his experience in international matters by developing expertise in the European data protection legislation, in particular the General Data Protection Regulation.