Companies are improperly using the European Union’s fairly new privacy standards as the scapegoat for why they can’t disclose documents to the U.S. government during foreign bribery investigations, according to U.S. enforcers.
Businesses that collect and use consumer data within the EU are now held to stricter guidelines surrounding the collection and processing of personal information of individuals. In an investigation of illegal bribery, both the U.S. Justice Department and the Securities and Exchange Commission routinely ask for troves of documentation that help determine if a bribery violation took place.
Companies found in violation of the EU’s General Data Protection Regulation, which took effect May 25, can be fined up to 20 million euros, or 4 percent of annual global turnover.
But firms are still expected to hand over necessary documentation when facing a Foreign Corrupt Practices Act probe, Ephraim Wernick, assistant chief of the DOJ’s FCPA unit, said July 25 at the American Conference Institute’s global anticorruption forum in Washington.
“It’s still too early to see the impact of GDPR, but many companies have raised it as an obstacle, but it’s not an obstacle that can’t be circumvented,” Wernick said.
Sense of Ambiguity
Companies are understandably worried about violating GDPR. “When faced with an ambiguity over whether or not to share private data with U.S. authorities in an FCPA investigation, I am sure many companies would be more comfortable under-sharing than over-sharing, particularly since large fines can attach to GDPR breaches,” said Tamlin Bason, a technology litigation and policy analyst at Bloomberg Intelligence in an email.
GDPR regulations are vast and vague, Bason told Bloomberg Law, “I think many companies are still feeling their way through GDPR compliance.”
The GDPR’s language is explicit to the fact that companies are able to share private data if it’s necessary to comply with a legal obligation, he added.
The U.S. government isn’t going to buy the argument that certain documents can’t shared because of GDPR, Robert Dodge, assistant director of the SEC’s FCPA unit, said at the anticorruption event.
“We make out our own judgment,” Dodge said. “Is the company using this as a shield to keep us at arms length?”
Dodge said the SEC is still working to assess the effect GDPR is actually having on document turnover. Agency officials are “unsure” the new privacy rules are a bona fide impediment, he said.
The DOJ is similarly studying the issue, Wernick said. “We have to work through it and see if a company is using this primarily to block us off.”
The U.S. attorneys manual, which guides how the government conducts an FCPA investigation, says companies are expected to work “diligently” to identify all documentation and hand it off to officials.
“The fact is that foreign laws that are restrictive does not stand in the way of us doing our job,” Wernick said.
Companies embroiled in an FCPA investigation are typically assessed for leniency based on how cooperative they are with officials. The DOJ’s fairly new FCPA corporate leniency policy provides companies significant perks, such as discounted fines and the ability to forgo prosecution, if they actively cooperate with the government in turning over all documents, witnesses, and other necessary details.
Companies in the midst of a government request for documentation that is covered by GDPR standards should assess how formal the ask really is, Bason suggested. Handing over documents “may turn on whether U.S. authorities are merely making an informal request for the data or are making a formal request that would trigger the company’s legal obligation to turn over the documents.”