With Baker & McKenzie Paris’ assistance and for the first time in France, the French subsidiary of a leading oil group obtains an authorization from the data protection authority ("CNIL") to implement a screening processing of its commercial partners to prevent and detect risks of corruption and money laundering.
With the strengthening of European and international legislation, the fight against corruption and money laundering is a major, sensitive issue for international groups. Although this is a burning subject, the implementation of the systems required by the specific regulations of each country (e.g., the “FCPA” in the United States, the “LCAPE” in Canada, the “UKBA" and “POCA” in the United Kingdom, the United Nations Convention Against Corruption and the European Commission’s Fourth Directive, etc.) comes up against the requirements of local regulations, notably in terms of personal data protection. Indeed, for a long time, these regulations have created difficulties and slowed down the deployment of such systems at the European subsidiary level in a number of countries, including in France where CNIL’s prior authorization is required.
It is in this context that, with Deliberation no. 2014-172 of May 6, 2014 (the “Authorization”), the CNIL for the first time authorizes a company, a French subsidiary of a leading oil group (the “Company”), to implement a personal data processing whose purpose is to screen commercial partners in order to prevent and detect not only risks of corruption but also of money laundering. Indeed, until this decision, only companies in the banking and financial sector benefited from such an authorization covering both fields.
For the record, the only authorization granted up to now for commercial companies was a 2012 authorization for the French subsidiaries of the 3M group, and it was limited to corruption alone (“3M Decision”) — see our alert on this subject.
This CNIL Authorization is, therefore, of particular interest and replete with lessons for multinational groups, mainly as regards the following aspects:
1. Evolution of CNIL's doctrine on grounds used to justify the legitimacy of processing
Consideration of the Company’s business field
CNIL expressly points out that the Company’s business field is characterized by the need to use a large number of intermediaries, thus creating very significant financial flows, so that it “involves the purchase and sale of products and services involving many third parties (clients, service providers, agents), both in France and abroad, and notably in countries that are particularly exposed to the risk of corruption and money laundering.” In so doing, CNIL justifies the Authorization based on the particularly sensitive nature of the Company’s business sector. This reasoning could very well apply to other business fields with similar characteristics.
Consideration of the extraterritorial effect of foreign regulations
As the Company’s parent company is registered in England, the Authorization is based on two British laws, the UK Bribery Act, the “UKBA”, of April 8, 2010, and the Proceeds of Crime Act, the “POCA”, of 2002, therefore marking a continuation in CNIL’s trend to open up to taking foreign regulations into consideration to justify personal data processing carried out in France.
Recognition of the Company’s legitimate interest in the processing of personal data, thus excluding the need for data subjects' prior consent
CNIL justifies the personal data processing on the basis of the data controller’s legitimate interest, provided that this interest does not infringe on the data subjects’ interests or fundamental rights and freedoms. In so doing, CNIL confirms that obtaining the data subjects’ prior consent is not necessary and that merely informing them is adequate to roll out such processing.
2. An approach to the integrity verification ("screening") process that complies with the principle of proportionality
The screening carried out by the Company must be implemented in stages: a first level of screening consisting in evaluating the risk in light of the various pieces of information collected (e.g., size, volume, frequency, nature of the transaction, etc.), and a second level involving the use of a tool provided by a third-party service provider and based on official national and international sources, on information from the press, and on decisions of courts and public authorities.
Very strict limitation as to the sources that may be used to carry out the screening
The tool must be configured in a way that allows the Company to access only the information specifically related to fighting corruption and money laundering. In addition, CNIL considers that only those lists applied in France and in the parent company’s country of establishment, which are issued by a public authority and which the Company is required to apply, may be used as part of the screening processing.
Limitation as to the data processed and the data subjects and absence of automated decision
The Authorization provides an exhaustive list of all the data that may be processed in each screening stage. It also states that the screening must involve only commercial partners’ executives and direct or indirect shareholders. The Authorization points out that no decision to refuse to enter into a relationship may be taken based only on the information obtained with the tool used. If applicable, an individual assessment must be made and additional information must be gathered before a decision is made.
Regarding the other conditions (prior information of the data subjects, limited retention terms, data security, transfers outside the EU and recipients), CNIL adopted a position in line with its customary doctrine: (i) commercial partners may be informed on the Internet as well as in contracts and in the Company’s general terms and conditions; (ii) data retention is limited, in an active database, to 90 days as of the end of the verification, regardless of the level of risk identified, and 10 years thereafter; (iii) access to the IT system must be secured and traced; (iv) recipients are limited to the Company’s legal, financial and ethics and compliance departments and to its shared service center, and transfers outside the European Union to the third-party service provider that provides the screening tool must be secured by a data transfer agreement based on the European Commission’s standard contractual clauses.
3. Towards a European framework?
The Authorization was signed by CNIL's President, Isabelle Falque-Pierrotin, who has also been Chair of the WP29 (which brings together the Presidents of all the European data protection authorities) since February 2014.
Following the example of CNIL’s influence, which led to a WP29 opinion on the recommended legal framework for implementing whistleblowing schemes based on CNIL’s deliberation on single authorization AU004, it would be appropriate for the WP29 to define a common legal framework, based on this Authorization, allowing multinational groups to roll out their anti-corruption and anti-money laundering screening systems in all their European subsidiaries in accordance with EU regulations on the processing of personal data.
To conclude, this Authorization creates a precedent establishing the safeguards CNIL requires for this type of processing, which should enable CNIL to process future authorization requests with greater speed for international groups confronted with this type of problem.