Conflicts between GDPR and corporate anti-bribery compliance: OECD Working Group invites comments

In response to the OECD Working Group on Bribery’s (WGB) call for comments from stakeholders as part of its upcoming review of the 2009 OECD Anti-Bribery Recommendation, TRACE has submitted its overview of the significant challenges the new EU data protection legislation poses to corporate anti-bribery compliance programs. 

Specifically, our submission describes in detail how the GDPR and similar personal data protection laws create significant new liability risks for companies and add costly, time-consuming obligations when companies carry out best-practice anti-bribery compliance processes.

Given that the GDPR is being considered by many countries as a model for implementing similar data protection laws in their jurisdictions, our submission calls on OECD members — most of which are member states of the EU and European Economic Area — to provide companies with detailed guidance on how the challenges posed by the GDPR to anti-bribery compliance programs may be resolved in practice. 

We also suggest that the OECD should make a recommendation for member countries to subject their existing and pending personal data protection legislation to review and consultation by relevant government departments and other stakeholders regarding the impact of such legislation on anti-bribery compliance, incentivizing good corporate behavior, and on the countries’ international anti-bribery commitments. 

Finally, countries should seek ways to harmonize their approaches to the equally important goals of fighting corruption and protecting the personal data rights of individuals.

The full text of TRACE’s submission to the WGB is here.

The WGB has extended the deadline for submissions until May 6, so you still have time to submit your comments as well.

_____

Illya Antonenko is Data Protection Officer and Counsel for TRACE. He has advised clients as outside counsel, in-house and now at TRACE regarding cross-border transactions, general corporate issues and FCPA compliance matters and investigations for 17 years. He has leveraged his experience in international matters by developing expertise in the General Data Protection Regulation and other data protection laws.

2 Comments

  1. TRACE has hit on an important issue that most people in the compliance and ethics space have not addressed. GDPR is a threat to effective compliance and ethics programs. SCCE, in its filing with the OECD Working Group on Bribery (WGB), has made this same point, along with other comments related to the Good Practice Guidance. TRACE’s filing has addressed this important issue with excellent detail and analysis.

    But this issue is broader than even TRACE recognizes. Fighting bribery is, of course, an important issue. But GDPR undercuts all compliance efforts. What about fighting environmental crimes? Workplace safety violations? Consumer fraud? Price fixing? Government contract fraud? Securities fraud? Consumer product safety? All of these and many more are being threatened by the failure of the privacy authorities in Europe to recognize the importance of organizational self-policing.

    This phenomenon is not limited to GDPR, however. There is an unfortunate history of government agencies, regulators and enforcement bodies seriously undercutting compliance programs. See Joseph E. Murphy, Policies in conflict: Undermining corporate self-policing, 69 Rutgers U.L. Rev. 421 (2017), http://www.rutgerslawreview.com/wp-content/uploads/2017/07/Joseph-Murphy-Policies-in-Conflict-69-Rutgers-U.-L.-Rev.-421-2017.pdf .

    What is the solution? I don’t think it rests with the WGB to revise the well-written Good Practice Guidance to try to address this assault on anti-bribery efforts. Rather, OECD should examine whether these laws, as currently constituted, represent non-compliance with the Anti-Bribery Convention. It should at least open an inquiry in this direction. Nothing the WGB could draft would deal with the outsized threat posed by the ambiguity of the GDPR, the extraordinary penalties and costs that threaten companies, and the enormous power this law gives to privacy bureaucracies.

    Ultimately the solution rests with the EU and other governments. Sure, they should regulate and protect privacy. But first they need to adopt as a bedrock general principle that organizational self-policing represents an important social value, and that those pursuing this purpose are not to be subject to fines, lawsuits, and possible criminal charges. Privacy is an important value, but it is not the only one and privacy regulators should not become super-regulators making these important policy decisions that affect so many lives. Kudos to TRACE for stepping up to this challenge. Cheers, Joe

  2. Uncontrolled collection of data passed on or sold without informing consumers what their data will be used for and for how long it will be kept. Single cases of security breaches exposing personal data in the magnitude of hundreds of millions, and data handlers not willing to safeguard the details they have been entrusted with, are the reason legislation like GDPR is needed to rebalance the right of consumers to control their data.

    If companies had been more responsible, then maybe draconian laws to rebalance responsibility may never have been needed. In view of ever faster changing technology, previous legislation never stood a chance to bring irresponsible data handlers to account or make a significant impact on the organizations that caused misery to consumers. GDPR is not the issue, but companies that neither acted ethically nor were compliant with previous laws.

    https://haveibeenpwned.com/ — 7,858,185,878 pwned accounts
    https://www.zdnet.com/article/facebook-we-stored-hundreds-of-millions-of-passwords-in-plain-text/

