On May 25, 2018, the European Union’s new expansive data privacy regime, the General Data Protection Regulation (GDPR), went into effect. The new law is more restrictive than previous data privacy regulations and will likely have a significant impact on the way both cross-border internal investigations and multi-jurisdictional agency enforcement actions are conducted.
One of the most significant facets of the GDPR is its reach. Firstly, it seeks to protect the “personal data” of individuals who are physically in the EU, and therefore applies to more than just EU citizens and residents by reaching out to give rights to anyone who is in the EU, even temporarily, and who has personal data in the EU (EU data subjects) that an entity wants to access, use, or even store. Second, the types of data protected are defined broadly to include any information related to a natural person that can be used to either directly or indirectly identify him or her. This includes standard identifying information such as name, national identifiers (social security number equivalents), address, medical/biometric information, birthday, etc., but also includes photos, social media posts, email addresses, computer IP information, and portable device location data. In addition, disparate pieces of information that when viewed in the aggregate are sufficient to identify an individual also constitute personal data. This goes beyond what information had been protected by prior data privacy laws.
Another important aspect of the GDPR is its territorial scope. The GDPR seeks to control the activities of companies or other entities, not only operating just in the EU, but also the activities of any company that wants to access, use, store, or otherwise “process” the personal data of individuals who are in the EU—no matter where the company is operating or where the processing would take place. Further, the GDPR continues to restrict the ability of companies or other entities to transfer such data outside of the EU. As a result, the GDPR essentially affects any company anywhere in the world that wants to access or process the personal data of EU data subjects.
Companies affected by the GDPR are divided into two groups, by the functions they will perform. “Controllers” determine why and how personal data is processed (i.e. the purposes and the means) and may process the data themselves. Generally, companies and their lawyers are controllers. On the other hand, “processors” only conduct the processing of the data on behalf of, and at the direction of, a controller. This category would include e-discovery vendors, forensic data firms, etc. Data processing can involve either automated and manual data manipulation—or both—including the collection, organization, storage, alteration, destruction, or dissemination of personal data. The GDPR requires processors to keep detailed records of what personal data they possess and how it is processed. Most importantly, companies will need to carefully document their GDPR relationships and agreements with their lawyers and with entities that process their data.
Processing of personal data may only occur under a strict set of circumstances and only for a clearly articulated and legal purpose, and must be limited to only what is necessary to fulfill the legal basis for the processing. The purposes most applicable in internal and cross-border investigations will include processing that is necessary for a contract with the data subject, necessary for the controller to comply with EU law, or for the controller’s “legitimate interest.” “Consent” by the data subject is available, as it was in the past, but the GDPR requires that consent be explicit and affirmative, in a clear and intelligible form, using plain language, and gained after an explanation of all privacy rights. Consent can also be withdrawn – at which point the processing would have to cease. Thus, it is now dangerous for companies to rely on consent of the data subjects in an investigation as the basis for processing their data. Moreover, most FCPA and other anti-corruption investigations involve vast amounts of data, so it may not be feasible to obtain consent for every individual.
The most likely legal basis available to most companies conducting investigations is that each company—and its lawyers—have a “legitimate interest.” Companies may argue that they have a legitimate interest in investigating, stopping, or preventing possible corruption or addressing internal compliance issues. Law firms may argue that they have a legitimate interest in providing legal advice to their clients. Such investigations and legal advice may result in a company decision to cooperate with a DOJ enforcement action to minimize or possibly eliminate criminal liability and any commensurate financial penalty, which can create tensions with the company’s obligations to comply with the GDPR. A further complication with using the “legitimate interest” basis for processing data is that, at some point in the investigative process, companies and their lawyers will need to inform data subjects about what data they have collected and are processing.
Establishing a legal basis for processing personal data does not cover international transfers of the data. Controllers must establish separate justifications, and satisfy separate requirements, to share personal data with third parties located outside of the EU. Indeed, the GDPR generally prohibits a company from sharing personal data with any entity that is not a controller or a processor—which includes non-EU law enforcement agencies. Mutual legal assistance treaties (MLATs) are still available for intergovernmental transfer, but the GDPR does not provide a smooth path for private companies, or their lawyers, to share the personal data of EU data subjects with U.S. regulatory and law enforcement personnel.
The GDPR’s expansive data privacy regime can present significant obstacles to organizations that are conducting internal investigations, responding to enforcement actions, or attempting to comply with the DOJ’s FCPA Corporate Enforcement Policy. As discussed in our Winter 2018 FCPA Review, this Policy establishes a presumption that a company will receive a declination if it voluntarily discloses an FCPA violation, cooperates with the DOJ’s investigation, and properly remediates all unlawful conduct. Under the Policy, self-disclosure and full cooperation require production to the DOJ of all facts relevant to the wrongdoing at issue, which includes the provision of documents, information relating to the involvement and potential culpability of the company’s officers, employees, or agents, and making available for interview those company officers and employees who may possess relevant information. The requirement that a company produce all relevant documents, including overseas documents, creates a clear conflict with the GDPR’s restrictions on the processing and disclosure of EU data subjects’ personal data. And the penalties for violations of or non-compliance with the GDPR are severe—up to four percent of a company’s global annual revenue or €20 million, whichever is greater.
A company deciding whether to provide documents and personal data to the U.S. government therefore faces a dilemma. Those wishing to receive lenient treatment for FCPA violations must balance the benefits of a potential declination or a reduced financial penalty with the risk of significant fines under the GDPR. The DOJ Policy places the burden on the company to justify its argument that it cannot disclose documents, and must show specific efforts to identify all available legal avenues to locate and produce relevant material. This tension between the DOJ FCPA Corporate Enforcement Policy and the GDPR will require companies and their external counsel to think creatively about how to collect and produce information sufficient to obtain cooperation credit from the DOJ, while minimizing the risks of liability under the GDPR.
Companies will need to comply with the GDPR to the maximum extent possible, including documenting their legal basis for processing, the specific processing steps undertaken, compliance with the rules related to the international transfer of data to third parties (such as the companies’ US law firm and/or litigation support providers) and the efforts they have taken to protect the rights of EU data subjects. Of course, a company’s collection, processing, and ultimate production of documents should be as narrowly tailored as possible, while still endeavoring to provide all necessary information about the wrongdoing at issue in order to receive full cooperation credit.
It is expected that more guidance from EU regulatory authorities will be issued in the coming months and years, but the current state is rife with unresolved questions about how the GDPR will work in practice, particularly for companies not based in the EU and for the conduct of internal and external investigations. As cross-border investigations become increasingly complex, the tensions between the FCPA Corporate Enforcement Policy and the GDPR will likely become a cornerstone consideration for every investigation. Companies and external counsel will need to create sophisticated strategies for complying with both enforcement and data privacy regimes to balance the risk and rewards of each.
Amelia Hairston-Porter is Counsel at Miller & Chevalier in Washington. Her practice focuses on internal and government investigations, international corporate compliance, and white collar defense, primarily involving the Foreign Practices Act. Hairston-Porter frequently advises companies and individuals with respect to complex U.S. and foreign enforcement actions in connection with transnational criminal investigations. She can be reached at email@example.com.