We at TRACE have written extensively about our concern that Article 10 of the new EU General Data Protection Regulation (GDPR) presents an obstacle to anti-bribery due diligence of third parties, which is a necessary component of any corporate compliance program under the FCPA and other transnational anti-corruption laws (here, here, here, and here).
We have vigorously advocated for an EU-wide, or at least a national-level, solution to that obstacle, proposing legislative language to EU data protection authorities, and briefing ministry of justice officials and legislators. We have also reached out to relevant departments of the U.S. Government to advise them about the adverse effects of the GDPR’s Article 10 on FCPA compliance efforts and the potential obstacles it poses to U.S.-EU trade.
This is the first time that we can report good news about our efforts.
As background, Article 10 of the GDPR prohibits the processing of personal criminal background information, among other things, unless such processing is either:
(i) carried out under the control of a European official authority; or
(ii) specifically authorized by law at the EU level or at the EU member state level.
In other words, unless one of the two conditions listed above is met, running criminal background checks, asking questions, or even researching publicly available information about a history of criminal convictions or offenses for individuals associated with a third-party entity (such as owners, officers or key employees) as part of anti-bribery due diligence or similar vetting efforts could be a violation of the GDPR punishable by a fine of up to €20 million or 4 percent of the total worldwide turnover, whichever is higher.
Unlike some other provisions in the GDPR, not even the express consent of each individual vetted would be sufficient to overcome the Article 10 prohibition if one of the two conditions in that article is not met.
When we first identified the Article 10 predicament for anti-bribery due diligence, we knew of no EU laws authorizing the processing of Article 10 data for purposes of anti-bribery due diligence, or other mechanisms that would allow such processing under the control of a European official authority.
And yet, identifying and addressing past criminal conduct by individuals associated with third-party entities, which could subject U.S. companies to FCPA violations, are at the core of robust due diligence processes for companies doing business overseas. Companies that fail to make such inquiries may risk running afoul of the anti-bribery provisions of the FCPA if third parties engage in corrupt acts on their behalf or, for public companies, the FCPA’s accounting provisions that require public companies to implement a system of robust internal accounting controls.
Our understanding of how Article 10 may impact anti-bribery due diligence has been confirmed repeatedly. Moreover, several data protection and justice officials in Europe, whom our legal counsel contacted, unofficially agreed with our concerns and indicated that this was one of the “unintended consequences” of the GDPR.
While an EU-wide solution to this “unintended consequence” is not currently under consideration, we now see significant signs of progress. As a direct result of our efforts, and approving TRACE’s proposed language, the recently adopted Irish Data Protection Bill of 2018 contains a specific authorization of the “necessary and proportionate” processing of Article 10 data “to assess the risk of bribery or corruption, or both, or to prevent bribery or corruption, or both” pursuant to regulations to be promulgated by the Irish Minister for Justice and Equality.
We hope that such regulations will be issued by the Minister without delay. This would not only allow the processing of criminal background information of Irish data subjects as part of anti-bribery due diligence, but would also arguably permit the processing of such information for individuals residing in other EU member states by controllers whose “main establishments” are located in Ireland. In addition, we know of at least two other EU countries (the UK and the Netherlands) whose newly adopted national data protection laws will provide a complete or partial solution to the Article 10 issue for anti-bribery due diligence.
Even though this is indeed good news to celebrate, the goals of the GDPR “to remove the obstacles to flows of personal data within the Union” and to prevent “fragmentation in the implementation of data protection across the Union” have so far not been met with respect to such an important public policy objective as facilitating corporate efforts to fight corruption in compliance with international anti-corruption laws.
Those EU countries that have not adopted new national data protection laws in response to the GDPR, or whose newly adopted laws do not address the Article 10 obstacle to anti-bribery due diligence, leave the prohibition in place. Companies doing business in the EU will find it difficult to navigate the patchwork of national laws in the attempt to meet their anti-bribery due diligence obligations without violating the GDPR.
We remain committed to seeking an EU-wide solution to reconcile the important but competing goals of personal privacy and business transparency.
Illya Antonenko is Privacy Counsel and Legal Research for TRACE International. He has advised clients regarding cross-border transactions, general corporate issues and FCPA compliance matters and investigations for fifteen years. He has leveraged his experience in international matters by developing expertise in the European data protection legislation, in particular the General Data Protection Regulation.
This is indeed good news and TRACE is to be commended for identifying this point and pursuing remedies. I offer a couple comments on this.
First, you correctly reference concerns about compliance with the FCPA, and there are of course other laws like the UK Bribery Act. But this is not simply about staying out of legal trouble. Bribery is a curse, an immoral act that causes great harm globally. This is not simply about meeting some legal details. This is a fight against evil. To the extent the GDPR interferes with this fight the EU is committing a true wrong.
Second, you are right to be concerned about bribery, but bribery is not the only harm that can be caused by companies. Companies can and do engage in a broad range of misconduct. Why, for example, should only anti-corruption efforts be carved out of GDPR? What about the fight against cartels? What about terrorism? What about human trafficking? What about preventing other forms of illegal conduct by companies? Do the privacy authorities alone get to determine which forms of crime and misconduct are worthy and which ones are not?
Why also is it necessary to scrounge for legal crumbs in our efforts to promote company compliance and ethics efforts? Why do we need to look at each individual country for what should have been common sense? Why does it not occur to the EU that company compliance and ethics efforts are in the public interest and need to be promoted, not chained to the desks of bureaucrats?
Bravo for TRACE for at least doing something on this. But shame on any system that makes doing the right thing a legal risk. Cheers, Joe
Your article is very interesting, not only from an American point of view.
Do you have the possibility to send the project of Ireland Law?
The Irish Law was passed on May 24th, 2018.
A pdf copy of this Act will be available on the Oireachtas website at the following link https://www.oireachtas.ie/en/bills/bill/2018/10/ towards the end of this week.
According to the French Sapin II Law (Article 17, II, 4°), one of the mandatory components of a compliance program is third party due diligence. The law specifies that the French Anticorruption Agency has to issue guidelines detailing the content of that obligation. A quick look at those guidelines makes clear that criminal background checks are covered (https://www.economie.gouv.fr/files/files/directions_services/afa/French_Anticorruption_Agency_Guidelines.pdf; p. 22).
Thus, companies that must implement anticorruption compliance programs have a legal authorization to do so pursuant to article 10.
A similar legal authorization is contained in the French financial & monetary code (article L. 561-1 et seq.) for AML/TF due diligence.