Anti-corruption quarterly newsletter

a “total” analysis of the statUte of limitations anD its effect on JUrisDiction

On May 29th, the SEC and DOJ announced a combined $398 million settlement with Total S.A. (“Total”), the fourth-largest FCPA case of all time. The settlement is not just noteworthy for its size. It is also an example of the government’s aggressive position on the interstate commerce jurisdictional requirement and the SEC’s ability to reach a settlement with Total despite uncertainty surround- ing the statute of limitations and its possible effect on the SEC’s jurisdiction over Total.
Total is a French oil and gas company with American Depositary Shares that trade on the New York Stock Exchange. According to the SEC and DOJ, Total paid approximately $60 million in bribes over nine years in order to win lucra- tive contracts with the state-owned National Iranian Oil Company to develop oil and gas fields in Iran. Under the FCPA, jurisdiction over a foreign issuer like

Continued on Page 3

global WaTch

china cracks Down on corrUPtion with PharmaceUtical inDUstry sweeP

In recent years, the SEC and DOJ have conducted industry sweeps as a way  of cracking down simultaneously on public companies within the same sector that may have paid bribes abroad. In general, the industries targeted have been those with significant levels of government interaction. For example, in fall 2010, the SEC and DOJ embarked on an industry sweep of the oil services industry during which charges were brought against at least six companies.  In spring 2011, the SEC delivered at least 10 letters of inquiry to hedge funds, banks, and private equity firms, signaling the start of the financial services industry sweep. Currently, the SEC and DOJ appear to be wrapping up an
industry sweep of the pharmaceutical industry, which started in summer 2010.

Continued on Page 5

vIsIT WWW.sIdley.com For more InFormaTIon on sIdley’s FcPa/anTI-corruPTIon PracTIce

This Sidley update has been prepared by Sidley Austin LLP for informational purposes only and does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking advice from profes- sional advisers.
Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One
South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000. Sidley Austin refers to Sidley Austin LLP and affiliated partnerships as explained at www.sidley.com/disclaimer.
Prior results described herein do not guarantee a similar out- come.

Possible eU Data Protection changes on the horizon

Counsel face numerous obstacles in collecting data located outside the U.S. for internal investigations. Among these, the EU Data Protection Directive (the “Directive”), which requires that counsel collecting data from European subsid- iaries comply with applicable local law, has been among the most challenging.
While many companies have developed protocols over time for obtaining  data from European countries in compliance with EU member state laws, they may be required to develop new protocols as the European Parliament now considers the adoption of a pan-European Data Protection Regulation (the “Regulation”) that would supersede the Data Protection Directive and impose
new and more substantial impediments to obtaining data in Europe, while also dramatically increasing the penalties for non-compliance. These new impedi- ments include a limitation on the legal effect of third country legal processes

Continued on Page 7

In The InTerIm

June 27, 2013: Medtronic Wins Double Declination– On June 27, 2013,
Minnesota-based Medtronic, Inc., obtained declinations from both the DOJ and the SEC. Medtronic had been investigated by both agencies for potential FCPA regarding around sales of its medical devices abroad.
June 28, 2013: UK Serious Fraud Office Releases Draft Code of Practice
For DPAs– On June 28, 2013, the UK Serious Fraud Office released its draft Code of Practice for Deferred Prosecution Agreements (“DPAs”). The draft explained that DPAs may be used for corporations, not individuals, accused of fraud, bribery and other economic crimes. The draft makes clear that when making the decision to enter into a DPA, the office is to ask whether the public interest would be

best-served by mounting a prosecution against the accused corporation.
July 1, 2013: Judge Gleeson (E.D.N.Y.) Approves DPA In HSBC Enforcement Action– While not an FCPA case, the order entered by Judge Gleeson of the Eastern District of New York in
the HSBC Bank Secrecy Act enforcement action is noteworthy because Judge Gleeson rejected both the government’s and HSBC’s claim that the Court lacked authority to approve the DPA. Both parties took the position that the law does not require them to seek the Court’s approval of
the DPA; however, Judge Gleeson made clear that “[b]y placing a criminal matter on the docket of a federal court, the parties have subjected their DPA to the legitimate exercise of the court’s authority.”

Clearly, this Order could have implications in the FCPA context where DPAs are an increasingly common occurrence between the government and alleged violators of the Act.
July 2, 2013:
Subramanian Krishnan, Former CFO of Digi International, Inc., Settles SEC Civil Action– The civil complaint filed by the SEC in September of 2012 in the
District of Minnesota alleged that Krishnan had engaged in conduct that resulted in the company filing inaccurate quarterly reports and corporate funds being used to pay for unauthorized travel and entertainment expenses. The settlement agreement resulted in
the entry of a judgment prohibiting him from “acting as an officer or director
of a public company for a period of five years following the date of the filing of the

Commission’s complaint and imposing a $60,000 civil penalty.”
July 26, 2013: Judge Leon Approves IBM settlement– In a 2011 civil complaint,  the SEC alleged that IBM had violated the FCPA’s books and records provisions by making cash payments to South Korean and Chinese government officials. The terms of the settlement agreement were first announced in March 2011;
however, Judge Leon refused to approve the settlement agreement until IBM agreed to immediately report
future potential violations of the FCPA to the Court and regulators. Accordingly, the terms of the $10 million
dollar settlement agreement, which was finally approved after 28 months of review
by Judge Leon, require IBM to file annual reports to the SEC and the court detailing its compliance program used to prevent bribery and to report “reasonably likely” violations of the anti-bribery

FCPA-Related Cases*

Corporate FCPA-Related Penalties*

or books and records
provisions of the FCPA

 

DOJ SEC

 

28
19 20
14 15
8    9

 

49

26 22  25

 

 

 

11  12

 

 

16  16

109

87

(in U.S. millions)

 

803

 

155.1
87.2

 

 

644.6

1885.12

 

 

502.7

 

 

260.3

 

 

421

 

 

292

within 60 days of gaining knowledge of such potential violations.
July 29, 2013: Alstom Executive Pleads Guilty– Frederic Pierucci, an executive at Alstom, a French company that provides equipment and services for high-speed rail transport

* New criminal or civil cases (settled or contested) instituted by year
**  Based upon public disclosures of investigations

* Includes disgorgement; does not include non-U.S. fines
**   Includes publicly disclosed reserves for future FCPA settlements

and power generation, pled

Continued on Page 3

 

2

a “total” analysis of the statUte of limitations anD its effect on JUrisDiction

Cont. FRoM CoVeR Page

Total must be predicated on a connection between the corrupt activity and use of an instrumentality of U.S. interstate commerce. In this case, the SEC and DOJ appear to have based FCPA jurisdiction over Total on only one instance in which Total’s conduct arguably implicated U.S. interstate commerce—a $500,000 pay- ment made from a U.S. bank account to a Swiss bank account as a part of Total’s efforts to improperly secure business in Iran. The allegations do not describe any other jurisdictional nexus. The Total case is thus another instance of the SEC’s and DOJ’s expansive interpretation of the FCPA’s interstate commerce jurisdictional requirement, in which a single act touching on interstate com- merce suffices to confer jurisdiction. Indeed, the SEC and DOJ explicitly cited this conduct as an example of a sufficient jurisdictional nexus in their joint FCPA Resource Guide.
While it is not surprising that the government considered the bank transfer sufficient to satisfy the interstate commerce test, what is surprising is that the single alleged “use” of an “instrumentality of interstate commerce” in Total occurred years ago. According to the SEC and DOJ, Total made the first payment in the bribery scheme in 1995 and the last in 2004. The SEC and DOJ began investigating Total’s Iranian business in 2003, but the parties did not reach the settlements until 2013—nine years after Total stopped paying bribes. Moreover, the $500,000 payment from a U.S. bank account that appears to have created jurisdiction was made in 1995—eighteen years before the settlement. Although the FCPA does not contain its own statute of limitations, the general statutes
of limitations for criminal prosecutions and the enforcement of civil penalties apply to the FCPA and prohibit enforcement after five years. The question is: how could the government bring charges nine years after the end of the bribery scheme and eighteen years after Total’s use of interstate commerce?
The answer likely turns on whether the government had commenced its investi- gation in time to secure a valid tolling agreement from Total, a common practice in FCPA-related investigations because of companies’ desire to forestall litiga- tion. Such an agreement, which was likely reached in the Total case, would have allowed the government to take its time investigating the matter and not settle the charges until nine years after the last payment. There are several issues that may have affected whether the government began its investigation in time (i.e., within the applicable statute of limitations) to secure a valid tolling agreement.
As it did here, the DOJ can extend the statute of limitations by bringing a conspiracy charge, which delays the beginning of the five-year statute of limitations until the last overt act included in the conspiracy. Thus, when the DOJ began investigating Total in 2003, the statute of limitations had not even begun to run (since the DOJ Information alleged that the conspiracy continued through 2004). As a result, if the DOJ secured a tolling agreement, it would have protected its rights indefinitely to commence an action for this conduct.
Things are murkier in the civil context because the SEC cannot bring a con- spiracy charge. Section 2462 of Title 28 imposes a five-year statute of limitations on enforcement actions that seek civil penalties, but courts are divided over whether § 2462 applies to equitable remedies, such as disgorgement of profits and injunctive relief, which are the only remedies the SEC sought and obtained here. In its latest discussion of § 2462, Gabelli v. SEC, the Supreme Court

In The InTerIm
Continued FRoM Page 2

guilty to conspiracy and substantive FCPA offenses for bribing members of the Indonesian Parliament and officials at the state-owned electric company in order to win an $118 million contract. Pierucci was the vice-president for global sales for
a Connecticut-based subsidiary of Alstom.
July 30, 2013: Ukraine Enacts New Anti-Corruption Legislation– Beginning in September of 2014, Ukrainian law will impose corporate criminal liability on companies whose employees bribe, indirectly  or directly, public officials or other individuals, “on behalf of ” and “in the interest of ” the corporation.
August 8, 2013: Allied Defense Group Wins DOJ Declination– Allied Defense Group (“Allied”), a munitions maker implicated in the DOJ’s “Shot Show” sting operation, was notified by the DOJ on August 8, 2013 that it had been granted a declination. One of the twenty-two Shot Show defendants was an Allied employee. The SEC had previously declined to bring charges in November of 2012.
August 20, 2013: New SFO Head Of Bribery Named– Ben Morgan, a former associate at Norton
Rose Fulbright, was named the Director of the UK Serious Frauds Office’s Department of Bribery and Corruption. The office is responsible for bringing complex fraud and corruption cases.

Continued on Page 4
3

a “total” analysis of the statUte of limitations anD its effect on JUrisDiction

Cont. FRoM Page 3

suggested that § 2462 may not apply to equitable remedies, although the opinion explicitly did not address the issue. Gabelli justified its ruling regarding penalties in part by distinguishing the punitive nature of civil fines from that of other remedies designed to “restore the status quo.” Thus, there is a strong argument that the SEC was not subject to any statute of limitations here because it sought only disgorgement of profits and an injunction.
Even if § 2462 does apply to equitable remedies, it is not clear whether the statute of limitations would bar the SEC from bringing a claim regarding the
$500,000 payment made through U.S. interstate commerce and thus deprive the Commission of jurisdiction. On the one hand, each payment could be considered an individual, separate offense such that the jurisdictional element must be satisfied separately for each payment. Under this interpretation, the
only payment over which the SEC had jurisdiction was Total’s $500,000 payment from a U.S. bank account in 1995, and the statute of limitations for this payment would have expired in 2000 (absent some exception). On the other hand, all
the payments in the bribery scheme could be considered part of a continuing offense, in which case the statute of limitations would not begin to run until the scheme concluded. Under this scenario, the statute of limitations would not have begun to run until 2004—the year of the last payment—and the SEC would have begun its investigation in time to secure a tolling agreement. Ultimately, the answer may lie between these two interpretations: each instance of bribery could be considered an individual, separate offense, but Total’s use of interstate commerce still could be viewed as furthering the overall bribery scheme and thus provide a basis for the SEC’s jurisdiction over all the payments. In either case, if the SEC secured a tolling agreement, it would have protected its rights to commence an action for this conduct.
In addition to the § 2462 arguments, the SEC may have been able to argue fraudulent concealment, an equitable doctrine not addressed in Gabelli that can toll the statute of limitations if the defendant has taken additional steps beyond the challenged action itself to conceal its conduct. In that event, the statute of limitations does not begin to run until the government discovers the violation. The SEC’s cease-and-desist order contains language that suggests that the
SEC may have relied on such a theory in charging Total. The order includes a paragraph describing Total’s efforts to conceal its payments by mischaracterizing them as “business development expenses.” The SEC’s reliance on this theory may have provided it with an additional argument that the statute of limitations had not expired by the time it commenced its investigation, and, therefore, if it secured a tolling agreement, it would have protected its rights to commence an action for the conduct.
In any event, there may have been enough uncertainty over whether the statute of limitations even applied and when it began to run in the civil enforcement context that Total was willing to toll the statute of limitations in order to be viewed as cooperative with the government investigation.
The uncertainty over the statute of limitations also may have contributed to the SEC’s decision to seek an administrative cease-and-desist order rather than
a settled federal court action that would have required approval by a district judge. In light of the increasing scrutiny of SEC settlements in the federal courts

comPlIance corner:
Financial services Firms should adjust Their compliance Programs as regulators re-purpose old Tools

Instead of following a traditional one-size-fits-all approach to FCPA investigations, the DOJ and SEC have signaled recently that they are looking for new and creative ways to collaborate in uncovering possible violations. The recent enforcement action against Direct Access Partners LLC (“DAP”),
the first of its kind, illustrates this approach and highlights the
importance of companies remaining vigilant about compliance. In this action, the SEC uncovered an alleged kick-back scheme during a routine, statutorily-authorized, periodic examination and turned it into
an FCPA investigation. Given the DOJ’s and SEC’s expansive view of enforcement set forth in their recent Resource Guide, it should come as
no surprise that the SEC is taking a novel approach toward utilizing its existing regulatory mechanisms to uncover and investigate corruption. Companies—particularly those in the financial services industry—should consider adjusting their compliance programs in light of this new development.
Under the Securities Exchange Act of 1934, the SEC is authorized to examine periodically any registered firm—including broker- dealers, transfer agents, clearing agencies, investment advisers, and investment companies.
These periodic examinations are designed to ensure that the firms are complying with federal securities laws and regulations, adhering to the disclosures they make to investors, and implementing adequate supervisory systems and compliance policies and procedures.

Continued on Page 5

Continued on Page 5

4

a “total” analysis of the statUte of limitations anD its effect on JUrisDiction

Cont. FRoM Page 4

(as discussed in our 1st Quarter 2013 Anti-Corruption Quarterly), the SEC may have been unwilling to test these largely uncharted waters. The SEC may have viewed an administrative proceeding as a safer forum, and Total may have viewed the possibility of an administrative cease-and-desist—instead of an
action in federal court—as further incentive to cooperate with the SEC despite a potential statute of limitations defense.   

 

global WaTch

china cracks Down on corrUPtion with PharmaceUtical inDUstry sweeP

Cont. FRoM CoVeR Page

One of the often-cited advantages of an industry sweep is the ability to leverage the SEC and DOJ’s enforcement powers across multiple industry players at the same time. Industry sweeps often cause other smaller or less influential players to voluntarily investigate and self-report corruption and to enhance their
anti-corruption programs and controls, thereby broadening the sweep’s effect beyond the key players that were specifically targeted and allowing regulators to get more bang for their enforcement buck.
Recently, the enforcement authorities in other countries have begun emulating this practice. In June 2010, almost simultaneously with the SEC/DOJ announce- ment of the start of its pharmaceutical industry sweep, the Chinese Ministry of Health began its own investigation of corruption in the pharmaceutical industry. That sweep focused on small, domestic pharmaceutical companies. In mid- to late-2013, the Chinese enforcement authorities initiated another sweep of the pharmaceutical industry, which focused on larger, multinational pharmaceutical companies doing business in China. This sweep is expected to last through 2013 and beyond.
This broader, more aggressive Chinese sweep is more akin to those conducted by the SEC and DOJ. To date, publicly available information indicates that Chinese officials have contacted at least six multinational corporations, as part of their investigation. For example, in the first case, a U.K.-based drug manufac- turer stands accused of using travel agencies and industry associations to offer bribes to doctors to prescribe the company’s drugs. In the second case, officials visited the Shanghai offices of a U.K.-based drug manufacturer to ask about its pricing practices. In the third case, officials from the State Administration for Industry and Commerce (“SAIC”) visited a Belgian-based drug manufacturer
to gather information on compliance. In the fourth case, SAIC officials visited  the offices of a French-based drug manufacturer and seized documents. SAIC investigations are known to overlap with the National Development and Reform Commission, which has just launched a pricing investigation into several foreign drug manufacturers. In the fifth case, a U.S. drug manufacturer is alleged to have paid hospital doctors to prescribe its products. In the sixth case, a Swiss pharma- ceutical company is also accused of allowing its staff to bribe Chinese doctors at

comPlIance corner
Continued FRoM Page 4

During a periodic examination of registered broker-dealer DAP, the SEC discovered a kickback scheme that was, in the agency’s words, “staggering in audacity and scope.” Both the DOJ and SEC filed charges against four individual traders for violations of the FCPA. The criminal complaint alleged that DAP paid between $3.6 million and $9.1 million in bribes to an official at a state-owned bank in Venezuela. This case appears to be the first time
that criminal FCPA charges were brought as a result of conduct that was discovered during one of the SEC’s periodic examinations. Indeed, this may indicate that, going forward, the SEC will more closely scrutinize irregularities for corruption-related issues while undertaking such routine examinations. The SEC
has wide latitude in conducting an examination, which it may or may not disclose to the firm being examined. As a result, the SEC may decide to utilize periodic
examinations more frequently in its efforts to enforce the FCPA among registered firms.
To prevent a DAP-like scenario, firms should make sure their compliance policies and procedures addressing FCPA risk in the following areas are up-to-date.
gifts, hospitality, and travel

A firm could be liable under the FCPA for providing excessive gifts, hospitality, and travel to employees of sovereign funds and other foreign state-controlled clients and investors or their family members. Red
flags could include, among others, disproportional entertainment, spouses accompanying guests, and stopovers with no business purpose.

Continued on Page 6

Continued on Page 6

5

global WaTch

china cracks Down on corrUPtion with PharmaceUtical inDUstry sweeP

Cont. FRoM Page 5

hospitals to prescribe its drugs. Finally, Chinese officials have hinted that other foreign companies may receive similar visits in the near future, as the govern- ment tries to stem what it views as rampant illegal activity in the pharmaceutical sector.
Although there is no clear answer as to what prompted this crackdown, there are several potential explanations. First, corruption and graft are widespread in the Chinese health-care system. The root of the problem stems from the fact
that new doctors in China are paid approximately the same amount as taxi driv- ers, and—although they have some upward salary mobility—their salaries often remain insufficient to support a family.
Second, there has also been some speculation that the investigations are designed to target foreign manufacturers as a means of bolstering demand, and consequently production, for domestic manufacturers. The fact that these
vigorous enforcement actions coincide with China’s recent economic slowdown lends some support to this view.
Third, there has also been speculation that the recent series of high profile settlements between U.S. regulators and multinational pharmaceutical companies, which have often prominently featured allegations of corruption in China, may have piqued the interest of Chinese regulators. The investiga- tions potentially signal the intent on the part of Chinese regulators to enforce their anti-corruption laws more aggressively than they have done in the past.
Furthermore, commentators have noted that these investigations have been conducted in an unusually public manner, as if they were intentionally designed to send a message to the pharmaceutical industry.
Regardless of the reason for these increased enforcement measures, companies currently operating in China—and particularly those in the healthcare sector— should consider several steps to address the increased risk of investigation
by Chinese anti-corruption regulators. First, companies should review their existing compliance policies and procedures to ensure that they incorporate recent updates to Chinese anti-corruption law and current international best practices. Second, companies should supplement their compliance training programs to ensure that relevant employees are briefed on and understand the current enforcement landscape and any updates or enhancements to the com- pany’s compliance policies. From a training perspective, the potential upside of the recent crackdown is that it may help to drive home the importance of
anti-corruption compliance to employees who might otherwise have questioned the relevance to their day-to-day work of anti-corruption norms based primarily on U.S. and UK law and international treaties. Third, the high degree of publicity that has accompanied the Chinese regulators’ campaign increases the likelihood of follow-on investigations related to the same conduct by law enforcement authorities in other countries. A proactive, timely, and independent investiga- tion into the conduct alleged may put the company in a better position to respond to any such follow-up inquiries. Further, companies contacted by Chinese regulators may want to consider whether it would be advantageous to make voluntary disclosures in other jurisdictions that are more likely to conduct follow-on investigations, such as the UK and the U.S.   

comPlIance corner
Continued FRoM Page 5

Use of Placement agents, finders, and other third Parties

A firm’s use of placement agents, finders, and other agents to solicit investments on its behalf from sovereign funds and other state- controlled clients and investors entails FCPA risk. Red flags could include, among others, agents recommended by government customers, agents who lack sufficient or qualified staff to perform the stated services, and requests for payments to unrelated companies.
Provision of special rights and  terms

A firm should be cognizant of potential FCPA risk associated with granting sovereign funds and other foreign state-controlled clients and investors special rights and terms, e.g., granting discounts or waiving management fees. Red flags could include, unexplained deviations from standard rights and terms and providing rights and terms not
provided to similarly-situated private clients and investors.
investment of managed capital

A firm should be aware of the potential liability under the FCPA related to the investment of managed capital. If the firm acquires a portfolio company, it
may inherit liability for past FCPA violations or assume liability for ongoing FCPA violations. Red flags could include, among others, the portfolio company’s existing
compliance program or lack thereof and a business model that includes high-risk areas, such as work or investments involving foreign government agencies or officials.

6

Possible eU Data Protection changes on the horizon

Cont. FRoM CoVeR Page

within the EU and a re-thinking of the principle of data subject consent. European parliamentarians have indicated a strong desire to vote the Regulation into effect prior to the end of the current session in 2014.
article 42

One of the most controversial elements of the Regula- tion—and one which may pose significant impediments to a non-European company seeking personal data from
Europe—is the potential inclusion of a measure that would limit the effect of foreign legal processes (e.g., U.S. subpoenas and court orders) with respect to European personal data. Members of the European Parliament (“MEPs”) in June 2013 reintroduced a controversial amendment to the proposed Regulation that would prohibit entities in third countries (such as the United States and other non-EU Member States) from accessing personal data in the EU where required by
a non-EU court or administrative authority without prior authorization by an EU Data Protection Authority (“DPA”), unless the data request is permitted to be transferred under a mutual legal assistance treaty (an “MLAT”), such as the Hague Convention. This provision, known as “Article 42”  or informally in the U.S. as an “anti-net tapping clause” or “anti-FISA clause,” may significantly frustrate compliance programs for global businesses by imposing additional requirements on organizations’ efforts to obtain data from
European subsidiaries or affiliates in order to respond to law enforcement requests.
The proposal to reinsert Article 42 follows the much-publi- cized claims that the U.S. government engaged technology firms to monitor data transmissions of non-U.S. users under a surveillance program known as PRISM. It is not clear, how- ever, how Article 42 would affect PRISM or other government surveillance efforts purportedly involving data collected in the United States, as Article 2 of the proposed Regulation states that “[the] Regulation does not apply to the processing of personal data: (a) in the course of an activity which falls outside the scope of Union law, in particular concerning national security . . . (e) by competent authorities for the pur- poses of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.” Thus, any purported U.S. surveillance programs would likely fall outside of the scope of the Regulation. Instead, it is more likely that Article 42, if enacted in its present form, would affect global organizations that need to send personal data outside of EU member states for legal compliance in connec- tion with government investigations. Specifically, Article 42 would presumptively invalidate law enforcement requests, court orders, or other legal documents if they “require a

controller or processor to disclose personal data” unless the requirement came through an MLAT, or was approved by a European DPA.
Beyond this, Article 42 would require notification of an EU DPA and data subjects, which may contradict secrecy or non- disclosure requests associated with the DOJ, SEC, or other law enforcement demands for information in the United States or in other countries outside the EU. As a result, these proposed requirements may cause conflicting obligations
for multinational businesses. In large part, this is due to the extremely broad language of Article 42, which purports to invalidate any “judgment of a court or tribunal [or] decision of an administrative authority of a third country requiring  a controller or processor to disclose personal data,” which in the U.S. would include not only FISA court orders and
National Security Letters, but also any legal demands created in a government investigation or civil litigation.
The prospects for passage of Article 42 seemed slim before the recent publicity about NSA surveillance, and the recent re-introduction of Article 42 does not mean that it will be adopted or that it will be adopted in its current form. Viviane Reding, the European Commissioner for Justice, Fundamen- tal Rights and Citizenship, however, had previously stated she would look favorably upon the proposed re-introduction of Article 42, and consistently has pressed for the European Parliament’s swift approval of the Regulation. Article 42 was included in the Regulation as it was originally proposed by the European Commission, but efforts by the Obama Admin- istration and U.S. industry coalitions had been successful in making clear the potential damage to EU-U.S. cooperation
in law enforcement and trade, and a sizeable majority of the European Commissioners withdrew support from Article 42 in January 2012. However, the recent Snowden affair, which has created great distrust of American law enforcement authorities and the American technology industry, has had an effect on the political environment in Europe and may result in greater support for the measure.
consents no longer Valid?

Beyond Article 42’s potential limiting effect on government investigations, new limitations on the concept of data subject consent is another development in the proposed Regulation that may require foreign organizations to change their Euro- pean data collection protocols. Certain European DPAs have expressed reservations about whether meaningful consent can be obtained by an employer requesting consent from
its employee. Those DPAs surmise that, in an employment context, the consent is not authentic because an employee is

Continued on Page 8

Possible eU Data Protection changes on the horizon

Cont. FRoM Page 7

under pressure to provide the consent or potentially suffer negative employment repercussions. Under the proposed Regulation, however, organizations will bear the burden
of showing that an employee has given authentic consent and that the organization has provided the employee with a means of withdrawing consent at any time. Specifically, the Regulation restricts the use of “consent” as a means of data transfer “where there is a significant imbalance between the position of the data subject (i.e., the employee) and the data controller (i.e., the employer),” which is almost always the case. Under the proposed Regulation, non-European organizations thus may need to develop new mechanisms for extracting data from Europe in connection with anti- corruption investigations.
increased costs of non-compliance.

Finally, the potential changes described above must be viewed in light of the significant increases in penalties contemplated under the Regulation. Unlike violations of member state implementations of the Data Protection Directive, which only exceeded $1,000,000 in rare instances, the Regulation, in its current form, proposes fines of up to 2% of an organization’s annual worldwide turnover. Thus, an organization with global turnover of $10 billion would face a fine of up to $200 million for an intentional violation of the Regulation. At present, it is unclear whether the fine percent- age rate will change: the 2% rate is a decrease from the 5% initially proposed.

Beyond the drastic increases in fines, supervisory authorities enforcing the Regulation also will have new injunctive penal- ties and inspection rights at their disposal. At present, the proposed Regulation will permit DPAs to impose temporary or permanent bans on the processing of European personal data, to enter data processor or controller premises, and to suspend data flows from a European entity to third countries, including the United States. For multinational organiza- tions, these potential penalties rightly appear drastic, and many companies would understandably be uncomfortable with DPAs having the power to bar an American company’s subsidiary from processing its employee data or from sending relevant data to the United States parent. Therefore, contrasted with the existing structure, the Regulation’s penalty provisions are quite robust and provide teeth to the Regulation’s limiting provisions, which will likely result in significantly hampering a company’s ability to transfer data outside of the EU.   

the fcPa/anti-corrUPtion Practice of siDley aUstin llP

Our FCPA/Anti-Corruption practice, which involves over 90 of our lawyers, includes creating and implementing compliance programs for clients, counseling clients on compliance issues that arise from international sales and marketing activities, con- ducting internal investigations in more than 90 countries and defending clients in the course of SEC and DOJ proceedings. Our clients in this area include Fortune 100 and 500 companies in the pharmaceutical, healthcare, defense, aerospace, energy, transportation, advertising, telecommunications, insurance, food products and manufacturing industries, leading investment banks and other financial institutions.