In response to the OECD Working Group on Bribery’s public consultation on its Review of the 2009 OECD Anti-Bribery Recommendation, on 30 April 2019 TRACE issued a paper in which it provides comments on the challenges posed by the GDPR to anti-bribery compliance programmes. The full text of the paper can be found here.
In its paper, TRACE argues that “many GDPR provisions do not facilitate – and are even in direct conflict with – the essential elements of anti-bribery compliance programs such as due diligence of third parties and compliance procedures for monitoring, internal investigations and reporting” and that some of the tensions between the anti-bribery compliance regime and the data protection regime are due to the “contradictory goals” each regime seeks to accomplish. TRACE appears to urge the European Union, and other countries with data protection legislation similar to the GDPR, to provide clear ways for companies to reconcile the two regimes; otherwise, according to TRACE, “both may suffer”.
TRACE highlights a number of challenges the GDPR presents to anti-bribery compliance programmes, in particular anti-bribery due diligence reviews of third parties, including:
Significantly increased cost and burden of compliance – TRACE notes that in order to comply with the best practices of anti-bribery compliance programmes (which would include, for example, conducting due diligence on third-party partners in the European Union and thus the processing of personal data), companies will need to comply with “complex EU legislation” (i.e. the GDPR and implementing laws in individual Member States) and risk facing large financial penalties, compensation claims and, in some cases, a prison term for failure to comply.
The strict requirements surrounding the processing of personal data relating to criminal convictions and offences – TRACE notes that, under Article 10 of the GDPR, data relating to criminal convictions and offences can only be processed “under the control of official authority” or where the processing is authorised by EU or Member State law that provides for appropriate safeguards. TRACE states that determining whether principals of third parties have a criminal background is an essential component of a company’s anti-bribery due diligence, but that the processing of such data by a private company is unlikely to be lawful under the GDPR in the absence of such an authorising law.
The requirement to rely on a legal basis for the processing of personal data – TRACE argues that there is currently no clear, reliable legal basis under the GDPR on which companies can rely for the processing of personal data as part of anti-bribery due diligence. TRACE notes that the most appropriate legal basis for such processing is the “legitimate interests” of the company carrying out the due diligence. However, such legitimate interests must not be overridden by the interests, rights and freedoms of the data subjects, and reliance on this basis is open to challenge by individual data subjects. TRACE also questions whether compliance with anti-corruption and anti-bribery laws would fall within the “compliance with a legal obligation” legal basis; under Article 6(3) of the GDPR that basis must be laid down in EU or Member State law, which a non-EU statute such as the US FCPA is not.
The processing of “special categories” of personal data – TRACE notes that due diligence procedures typically include politically exposed person screening, which in turn requires the disclosure of political party affiliations and positions. Such information is likely to be categorised as a “special category” of personal data (essentially more sensitive data) under the GDPR, the processing of which is more strictly regulated.
Interaction with US Department of Justice (DOJ) Requirements
The publication of the TRACE submission coincided with the release of new guidance by the DOJ on the “Evaluation of Corporate Compliance Programs”. Our recent client alert reviewing this guidance can be found here. The guidance emphasises the need to conduct effective due diligence on third parties if a compliance programme is to be effective, and to be considered effective by the DOJ.
The wide reach of the FCPA, coupled with the application of the GDPR to certain entities located outside of the European Union, demonstrates that the potential for conflict between an effective anti-bribery programme and compliance with the GDPR – as highlighted by TRACE – is not just a hypothetical legal problem but a real issue facing companies on a regular basis.
Beyond Due Diligence
It is not just anti-bribery due diligence that is impacted by the GDPR. Many aspects of good corporate governance are affected.
This is particularly so in the context of internal investigations into the conduct of employees and agents suspected of engaging in criminal behaviour such as bribery, corruption or fraud. Such investigations necessarily entail the processing of large volumes of personal data (some of which may be sensitive) and often the covert monitoring of the employees’ or agents’ electronic communications; doing so has arguably become more difficult and burdensome under the GDPR.
Similar issues have also arisen in relation to the provision of information to governmental authorities outside of the European Union, especially the US authorities. Under Article 48 of the GDPR, an order or request from a US court or authority is not in itself a lawful basis for an EU-based entity to transfer personal data to the US government unless it is based on an international agreement, such as a mutual legal assistance treaty, under which the US authorities have sought assistance from the relevant Member State. In response to this difficulty, the United States passed the CLOUD Act, which came into force in the United States last year (as to which see the firm’s previous alert here). Under the CLOUD Act, American law enforcement authorities are explicitly authorised to issue warrants compelling electronic communication service providers to produce data in their possession, custody or control regardless of whether it is stored outside the United States. Complying with such an order could, however, put companies in breach of the cross-border data transfer provisions of the GDPR, until the UK and EU legislatures pass corresponding statutes or regulations, or conclude the executive agreements for which the CLOUD Act provides, to allow such compliance.
Unless and until further guidance is issued by the various European data protection authorities and courts on the way in which companies can implement and execute best practice anti-bribery compliance programmes in compliance with the GDPR, many of the uncertainties and challenges outlined above will remain.