As companies strengthen their anti-corruption compliance programs in response to the domestic enforcement climate, they face an increasing risk of violating data privacy laws across the globe. With law enforcement and regulators demanding information, companies find themselves trying to please two masters. Understanding foreign data privacy laws, which often conflict with American notions of privacy, and anticipating problems before they materialize, are key to minimizing conflicts. France in particular has a strict data privacy regime, and its laws are actively enforced. This article, the second in a three-part series, discusses how France applies the relevant E.U. Directive; best practices for due diligence in France; and six specific steps a company should take before a need to investigate arises in France as well as other E.U. member states and other jurisdictions with similar data privacy regimes. The third article in this series will tackle: internal investigation considerations; best practices for reviewing documents and conducting interviews; strategies for transferring data outside the E.U.; data privacy concerns when performing due diligence in the E.U.; and effective techniques for running an anti-corruption hotline in the E.U. The first article in this series discussed data privacy laws generally and specifically as they relate to FCPA compliance, and provided information about the specifics of the E.U. data privacy regime, including: data processing principles; restrictions on data transfer; data transfer mechanisms, including the meaning of “safe harbor status,” binding corporate rules and European model clause agreements; as well as how potential new regulation can affect data collection. See “Conflicting Compliance Obligations: How to Navigate Data Privacy Laws While Performing Internal Investigations and Promoting FCPA Compliance in the E.U. (Part One of Three),” The FCPA Report, Vol. 2, No. 1 (Jan. 9, 2013).