Conflicting Compliance Obligations: How to Navigate Data Privacy Laws While Performing Internal Investigations and Promoting FCPA Compliance in the E.U. (Part One of Three)

Vigorous anti-corruption compliance – as undertaken by many companies in the wake of the recent uptick in FCPA prosecutions – may endear a company to the DOJ and SEC, but could also put it at risk of violating data privacy laws across the globe.  In Europe, where privacy is considered a fundamental right, this is a particularly thorny problem.  It is difficult for companies operating in both the U.S. and E.U., if not impossible, to comply with both U.S. law and E.U. data privacy legislation.  To minimize conflicts, companies must educate themselves about data privacy, plan ahead and act strategically.  This article series helps companies do just that, delving into the details of E.U. privacy regulations and the challenges they pose during all the stages of an anti-corruption internal investigation, as well as during due diligence on third parties and for mergers and acquisitions and when creating and maintaining an anti-corruption hotline.  Through discussions with numerous data privacy and FCPA experts as well as secondary research, this article series provides a valuable framework for understanding data privacy laws in the E.U. and applying them to anti-corruption compliance.  This first part of the article series discusses data privacy laws generally and specifically as they relate to FCPA compliance and provides information about the specifics of the E.U. data privacy regime, including: data processing principles; restrictions on data transfer; data transfer mechanisms, including the meaning of “safe harbor status,” binding corporate rules and European model clause agreements; as well as how potential new regulation can affect data collection.  The second part of this article series will discuss how France specifically applies the relevant E.U. Directive; best practices for due diligence in France; and specific steps a company should take before a need to investigate arises in the E.U. and other jurisdictions with similar data privacy regimes.  The third part will tackle internal investigation considerations; best practices for reviewing documents and conducting interviews; strategies for transferring data outside the E.U.; data privacy concerns when performing due diligence in the E.U.; and effective techniques for running an anti-corruption hotline in the E.U.  See also “Strategies for Preserving Data Before and During an FCPA Investigation” (Nov. 14, 2012).

To read the full article

Continue reading your article with an ACR subscription.