By Alexandra Wrage & Illya Antonenko – Alexandra is the President and Founder and Illya is Privacy Counsel at TRACE International
‘Corruption is at the heart of so many of the world’s problems. It erodes public trust in government, undermines the rule of law and may give rise to political and economic grievances that may, in conjunction with other factors, fuel violent extremism. Tackling corruption is vital for sustaining economic stability and growth, maintaining security of societies, protecting human rights, reducing poverty, protecting the environment for future generations and addressing serious and organised crime.’
Communiqué. Anti-Corruption Summit, London, 2016
‘Everyone has the right to the protection of personal data concerning him or her. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her and the right to have it rectified.’
Article 8 of the EU Charter of Fundamental Rights
Scientists warn us that the Milky Way galaxy, which we call home, is on a collision course with the neighbouring Andromeda galaxy. The two galaxies will collide in about… four billion years.
Just like the two galaxies, two worthy causes – combatting transnational bribery and protecting personal data – have been on a collision course for some time. However, unlike the predicted Milky Way-Andromeda encounter, we do not have to wait long to witness the clash between the requirements of international anti-bribery laws and those of personal data protection laws. The first effects of this may be seen in May 2018, when enforcement of the European Union’s General Data Protection Regulation (GDPR) begins. There is even a convenient countdown clock at eugdpr.org for those of us who are fascinated with recurring doomsday predictions.
One of the most spectacular effects to watch for is the GDPR Article 10’s prohibition on reviewing criminal background information of individuals, which is squarely opposed to the need to review criminal background information on individuals as part of anti-bribery due diligence. There is still time to resolve this potential conflict. TRACE International and McCann FitzGerald have prepared a position paper on the GDPR Article 10’s potential obstacles to anti-bribery due diligence, advocating for a coordinated implementation by EU member states of laws authorising companies to continue with robust anti-bribery due diligence reviews of third parties. Only a prompt coordinated legislative effort across the European Union may prevent the most spectacular aspect of the clash between the GDPR and international anti-bribery laws.
Everyone reading this magazine is familiar with the international anti-bribery regime, which has coalesced around the US Foreign Corrupt Practices Act of 1977 (FCPA). Although the post-Watergate FCPA was all but dormant for more than two decades after its inception, with only occasional prosecutions of egregious cases, it was revived in the early 2000s. Since then, each successive FCPA enforcer has kept up the momentum. FCPA penalties against companies (often those based in the EU) have reached hundreds of millions of dollars. The combined penalties of the top 10 FCPA enforcement actions exceed $6 billion, and six involve companies headquartered in the EU. Despite President Trump’s criticism of the law, Attorney General Jefferson Sessions has offered assurances that FCPA enforcement will continue apace. Indeed, the latest mega-FCPA enforcement action came down in September 2017 against Telia Company of Sweden, whose combined penalties and disgorgement were just shy of $1 billion. Smaller FCPA enforcement actions against companies and individuals are announced most months.
The FCPA is not alone. The UK has its Bribery Act of 2010, which in some aspects is even stricter than the FCPA. In fact, all EU member countries have adopted analogous transnational anti-bribery legislation to implement the international treaties they signed: the Organisation for Economic Co-operation and Development Convention of Combating Bribery of Foreign Public Officials in International Business Transactions, the European Union Convention Against Corruption Involving Officials and the Council of Europe Criminal Law Convention on Corruption.
All these laws prohibit bribery of foreign public officials to obtain or retain business, including through the use of third parties. The prohibition against indirect bribery of foreign officials is broad. Even if a company contractually forbids its sales representatives, distributors, intermediaries, consultants, customs brokers, freight forwarders or similar service providers to pay bribes on its behalf and further avoids giving them any explicit authorisations or directives concerning bribes, actions of such third parties in foreign countries may still lead to criminal or civil liability for the company. This may occur if the company is found to have ignored or failed to exercise reasonable efforts to discover indications that the third party would or was likely to engage in bribery. The UK Bribery Act is even more explicit in making it an offence for a company to fail to prevent bribery on its behalf.
Anti-bribery due diligence is the only effective countermeasure that companies can deploy against potentially crippling enforcement actions for misconduct of their service providers abroad. Over time, statutory provisions, prosecutions, enforcement actions, official guidance documents and less official pronouncements from law enforcement agencies and relevant intergovernmental organisations have combined to ensure that anti-bribery due diligence is a very invasive inquiry into the reputation, qualifications and background of third parties, their owners, managers, key employees and relatives. Nothing of any importance or relevance is left unturned in the search for a potential clue that the third party or associated individuals may engage in bribery. Are they qualified to provide the services in question? Where did they work in the past and what else are they doing now? Are they related or otherwise connected to government officials? Does anyone involved have official authority or influence over government decision-making? And, most importantly, is there anything in the background of the third parties or associated individuals that may indicate proclivity to engage in corrupt behaviour? In other words, anti-bribery due diligence processes corporate and personal data – lots of data.
EU data protection requirements
For all the talk about the GDPR, the EU data protection regime is not new. While the Americans have their ‘inalienable rights’ such as life, liberty and the pursuit of happiness, the Europeans have ‘fundamental rights’, among which is ‘the right to the protection of personal data’. The GDPR is the result of the progression from the European Convention on Human Rights of 1950 (which guaranteed the right to privacy), to the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data of 1980, to the EU Data Privacy Directive of 1995 and the EU Charter of Fundamental Rights of 2000.
For the most part, the EU Data Privacy Directive of 1995, as implemented by member states, has not been unduly burdensome for companies and any violations have not been punished too severely. The approaching GDPR exhibits all the signs of a major change. The GDPR may even one day rival the FCPA in the onerousness and the complexity of its many compliance requirements, the worldwide reach and the size of potential penalties.
First, unlike the EU Data Privacy Directive, the GDPR’s provisions will have immediate binding legal force in every EU country. Second, the 99 articles on 88 pages of the GDPR will impose numerous complex rules and require evidence-based demonstrable compliance. Third, data protection authorities will wield significant ‘corrective powers’, including:
- Administrative fines of up to €20 million or four per cent of the total worldwide annual revenue, whichever is higher
- The power to restrict or ban processing of personal data
- The power to suspend personal data flows outside the EU or to an international organisation
Like the EU Data Privacy Directive, the GDPR will require EU-based companies to apply GDPR protections to personal data of all individuals whose data they process, regardless of whether those individuals live in the EU. However, the GDPR will cover not only EU-based companies; it will also apply to non-EU companies that sell their products or services to EU residents and non-EU companies that ‘monitor [EU residents’] behaviour as far as their behaviour takes place within the Union’. This means that conducting anti-bribery due diligence on a third party that may be associated in some way with EU residents may fall within the GDPR’s purview, regardless of where the principal or third-party companies are located, because such due diligence would involve monitoring behaviour of EU residents as it relates to corruption.
Although these features of the new EU data protection regime are untested and the degree of enforcement vigour remains to be seen, there is little likelihood that the EU data protection authorities will choose to exercise significant restraint in using all of the tools now available to them, especially given the proliferation of private data breaches in recent years and the calls for governments to do something. To prove this point, Helen Dixon, Irish Data Protection Commissioner, has stated that she is ready to impose fines to the GDPR’s limit in appropriate cases and that there will be no ‘amnesty or first or second chances’ for GDPR violators. Moreover, large potential fines destined for national coffers may prompt governments to allocate more resources to GDPR enforcement efforts.
The coming collision
Now that we have established that the two legal regimes – combatting transnational bribery and personal data privacy – are of comparable size in terms of their potential business impact and thus should both attract attention from corporate management and boards, this article’s title no longer appears so far-fetched – any conflict between anti-bribery laws and the GDPR should raise alarm.
Even apart from the specific language of the laws, the two regimes have conflicting goals. One seeks to bring transparency to international transactions, uncover shady deals, expose corrupt actors, reveal bribes camouflaged as commissions or service fees. To do so, it needs to bring out into the open what some wish to hide. The other regime is all about regulating, restricting, minimising and at times prohibiting the processing of personal data and making sure that the companies, still willing to process personal data after all that, treat personal data as a valuable asset belonging to individuals and account for the use of this asset to these individuals and supervising authorities. In the opinion of EU data protection authorities, ‘even individuals engaged in illegal activities should not be subject to disproportionate interference with their [privacy] rights and interests’.
Companies will have to find ways to reconcile the opposite goals of the two regimes. At the very least, the GDPR will require companies conducting anti-bribery due diligence to articulate the legal basis for processing personal data, justify the scope of personal data collected, be transparent about such processing, be prepared to facilitate data subjects’ exercise of their data protection rights listed in the GDPR, ensure that IT systems used for data processing are secure and implement a myriad of other safeguards, technical and organisational measures, controls and compliance mechanisms.
However, the most troubling part of the GDPR for anti-bribery due diligence is its Article 10, which provides that the processing of personal data relating to criminal convictions and offences ‘shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects’.
To the authors’ knowledge, there is currently no such law in the European Union that specifically authorises the processing of personal criminal background information for purposes of anti-bribery due diligence and includes appropriate safeguards. A prohibition on inquiring into individuals’ criminal backgrounds will effectively eviscerate the anti-bribery vetting process. If this legislative gap is left unresolved by May 2018, companies may face a dilemma between complying with their international anti-bribery due diligence obligations or with the GDPR, with each option presenting a risk of an enforcement action and significant fines.
Please contact the authors if you are interested in finding out more about the GDPR Article 10’s potential obstacles to anti-bribery due diligence or to join TRACE’s working group exploring solutions to these obstacles.
About the Authors:
Alexandra Wrage is the president and founder of TRACE, an international anti-bribery business organization. She has written and edited several books on bribery and innovative compliance solutions and she hosts the popular financial crime podcast, Bribe, Swindle or Steal. Ms. Wrage, a Canadian, read law at King’s College, Cambridge.
Mr Illya Antonenko is Privacy Counsel at TRACE International, Inc. His fifteen years in legal practice have been focused on helping companies keep their cross-border business operations compliant with various applicable laws such as anti-corruption and data protection.
1. The current EU and EEA data protection regime features a patchwork of approaches, where some countries have come up with a case-by-case authorisation or licensing mechanism for processing of personal criminal data, while others have no basis for such processing in the context of anti-bribery due diligence, and yet another group of countries treat criminal data as other ‘sensitive data’. While this issue may have existed all along, the arrival of the GDPR with its sizable penalties has brought it into the open.