On July 19th, 2012, the French data protection authority ("CNIL") allowed for the first time, under strictly identical conditions, 13 French companies to implement procedures for the conduct of background screening of personal data in order to identify potential partners who may be involved in corrupt practices. These 13 companies, which are affiliates of the 3M Group, do not belong to the banking and financial sectors.
Practical Consequences For Companies:
Prior to the issuance of these 13 deliberations (the "Deliberations"), CNIL only allowed companies falling within the banking and finance sectors to implement background screening data processing, on the basis that these companies were obligated to do so under French law.
In practice, this prevented international groups of companies subject to foreign anti-corruption obligations, such as the US Foreign Corrupt Practices Act of 1977 ("FCPA") and the UK Bribery Act of 2010 ("UKBA"), from conducting background screening data processing within their French affiliates.
As evidenced by the Deliberations, CNIL's doctrine has evolved and leaves the way open for companies acting outside the banking and finance sectors to implement background screening data processing for the detection and prevention of corruption, so long as the processing is grounded on some legal basis, be it a foreign or domestic act.
What are the lessons drawn from CNIL's Deliberations?
The authorization may be grounded on requirements set forth by FCPA and UKBA.
The Deliberations issued by CNIL on July 19th, 2012 authorized 13 companies of the 3M Group to implement processing of personal data for the detection and prevention of corrupt practices, as mandated by the FCPA and UKBA. It is worth noting that, for the very first time, CNIL has made reference to provisions of foreign acts, whereas in the past CNIL had always refused to authorize any processing of data with no justification under French law.
Indeed, although French law penalizes corrupt practices, no provision expressly requires the implementation of internal control mechanisms such as those mandated by the FCPA or UKBA.
In the present instance, CNIL considers that the legitimate interest of the data controller is thus satisfied by its obligation to implement such data processing, pursuant to FCPA and UKBA requirements. Furthermore, CNIL has authorized the implementation of data processing in light of a number of safeguards that the French affiliates of the 3M Group represented they would implement.
The inquiry must follow a step-by-step, gradual process to identify the level of exposure.
The processing will be conducted through a progressive integrity questionnaire system which aims to assess the level of exposure to corrupt practices. Depending on the risk level identified through the first questionnaire, a second questionnaire may be used in order to collect additional information. An extensive screening of potential partners through a third-party aggregator of public databases (Securimate, in this instance) will be performed only if the initial questionnaires reveal a high level of risk exposure.
The categories of data processed must be limited to relevant data, and must not be excessive.
Authorized companies will only be allowed to collect the following information through questionnaires: identification data; birth date; nationality; professional status; relations with a government, public organisations, civil servants or the beneficiary of "operations"; economic data, insolvency, embargo.
Should an assessment of the questionnaires identify a high level of risk, authorized companies may collect the following additional data through the third party: identity of the members of the executive board, key-employees, professional contacts; reputation of the potential partner (corruption-related litigation, if any); history of commercial relations with the authorized companies' group, and relations of the potential partner with government officials.
The report resulting from the screening process must only include reference to objective sources, and must exclude any information on penalties or convictions.
The questionnaire used to assess the level of risk corresponding to each potential partner must not lead to the processing of information pertaining to penalties or convictions. In addition, the report on the potential partner must only include information already disclosed to the public or available through press releases.
Duration of data retention must be limited and access to the data must be restricted.
Data collected by means of the different questionnaires and reports will be stored in an active database for no longer than 90 days following the end of the evaluation process. Data will then be archived for no longer than 10 years. It will only be made available to the US "Compliance Group" and the "compliance services" of other affiliates having the same partners. Access by such compliance services will be limited solely to the integrity assessment data resulting from the questionnaires.
Access to the data will be highly restricted, and operations performed on the data will be tracked by the system.
Transfer of Data
The transfer of data to the US Compliance Group and compliance services located in countries that do not provide adequate protection will be appropriately secured by EU model clauses.
Information of the data subjects targeted by the screening process
All potential partners subject to the background screening process will be informed of its existence through a data privacy clause included in the questionnaires. 3M's website will also publish a specific policy. In addition, commercial agreements will include a provision on the company's anti-corruption policy.
Employees must receive regular anti-corruption training so that they can detect improper practices and conduct the screening process when necessary.
May the Deliberations Serve as Guidelines for Other Authorizations?
Any company wishing to benefit from a similar authorization in France must ensure that the background screening it contemplates complies with the French Data Privacy Act of January 6, 1978, as construed by CNIL. In this regard, the Deliberations may serve as guidelines for companies wishing to implement data processing for the detection and prevention of corruption.
Once the contemplated processing is properly reviewed and, as the case may be, adjusted to comply with the French Data Privacy Act, an application for authorization may be filed online on CNIL's website.
Such online application must be accompanied by a detailed file sent by mail to CNIL explaining and describing, for each requirement, how the applicant intends to comply with it (What is the progressive method used? How are the security measures implemented? What is the data storage term? How is the transfer of data, if any, secured? How is the partner subject to the screening process informed?).
Due to the sensitive nature of this kind of request, CNIL generally invites the applicant to discuss the application and answer CNIL's questions. Some adjustments may be requested by CNIL to make the processing compliant with the French Data Privacy Act.
It is worth noting that CNIL's Deliberations of July 19th, 2012 are strictly limited to anti-corruption data processing, to the exclusion of any processing related to anti-money laundering, which is allowed for banks and insurance companies only.