©2013 Morrison & Foerster LLP | All Rights Reserved | mofo.com
Data Protection as Related to Anti-corruption Compliance
European Certificate in Healthcare Compliance, Ethics & Regulation
November 19, 2013
Presented by Alja Poler De Zwart
Morrison & Foerster LLP
This is MoFo. 2
Overview
• Anti-Corruption Laws
• Key Data Protection Challenges
• Implementing Compliance Programs
  – Third-party intermediaries due diligence
  – Whistleblowing hotlines
• Dealing with Investigations
  – Multi-jurisdictional internal investigations
  – Responding to information requests from regulators and courts
Anti-Corruption Laws
• Companies are required to implement measures to deter, investigate, identify, and address corruption
  – There is no formal requirement under the FCPA to implement internal controls to deter, investigate, identify, or address corruption
  – The DOJ and SEC will consider a company’s compliance program when deciding whether or not to bring charges
  – It is an offense to fail to prevent bribery under the UK Anti-Bribery Act
• Compliance with anti-corruption laws must overcome hurdles of the EEA data protection laws
Data Protection Laws in Europe
• 30 Member States of the European Economic Area
• Albania, Andorra, Armenia, Belarus, Bosnia & Herzegovina, Croatia, Faroe Islands, Georgia, Gibraltar, Guernsey, Isle of Man, Jersey, Macedonia, Moldova, Monaco, Montenegro, Russia, Serbia, Switzerland, San Marino, Turkey (Pending), Ukraine
… and elsewhere
• North America: Canada, Mexico, United States
• Central & South America: Argentina, Brazil (Pending), Bahamas, Chile, Colombia, Costa Rica, Ecuador (Pending), Peru, Uruguay
• Middle East: Azerbaijan, Israel, Kyrgyzstan, Qatar (QFC), UAE (DIFC)
• Africa: Angola, Benin, Burkina Faso, Cape Verde, Gabon, Mauritius, Morocco, Senegal, Seychelles, South Africa (Pending), Tunisia
• Asia-Pacific: Australia, Hong Kong, India, Japan, Macau, Malaysia, New Zealand, Philippines, Singapore, South Korea, Taiwan, Thailand (Pending), Vietnam
European Data Protection Framework
• 1995 Data Protection Directive provides general rules for processing personal data
  – Implementation slightly different in the 30 EEA member states
  – Covers organizations established in the EEA and non-EEA organizations if they use equipment in the EEA for the collection of personal data
• Proposal for a General Data Protection Regulation, October 2013
  – Meant to replace the Directive and harmonize laws across the EEA
  – Organizations will face new obligations and tighter enforcement
Key terms
• Personal data
  – Any information relating to an identified or identifiable individual
• Sensitive data
  – Health information, sex life, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership
  – Also criminal conduct and records in many jurisdictions
  – Processing usually prohibited unless opt-in consent from the individuals or narrow exceptions apply
• Processing
  – Any operation involving personal data such as collection, use, modification, storage, access, disclosure, transfer, deletion, etc.
Key Terms (2)
• Data controller
  – A person or entity that (either alone or jointly with others) decides how and why personal information is processed
  – Primarily responsible for compliance with data protection laws, e.g.:
    – Notice and consent (where applicable)
    – Handling access and correction requests
    – Implementing mechanisms for cross-border transfers
    – Imposing contractual obligations on data processors
• Data processor
  – A person or entity that processes personal information on behalf of a controller (e.g., third party service providers)
  – Governed by contractual obligations imposed by the data controller
Legal Basis for Data Processing
• Legal necessity is only sufficient for compliance with local laws
  – Obligations imposed under foreign statutes are not sufficient to collect personal data
• Consent is “neither sufficient nor recommended”
  – Must be freely given, specific and informed and may be withdrawn at any time
  – Not always feasible to procure (e.g., from clients, suppliers, agents, etc.)
  – Employee consent is typically challenged as it is usually not freely given
• Legitimate interest / balance of interests
  – There is legitimate interest in complying with foreign anti-corruption laws
  – Not sufficient for sensitive data
Transfer Restrictions
• Broad concept – (sometimes even potential) access to a database located in another country
• Sharing data with organizations in countries that are not deemed adequate is subject to special restrictions
  – Consent
  – EU Model Contracts
  – Binding Corporate Rules
  – Safe Harbor Framework
• “Single” transfers outside the EEA are permitted unless a “significant” amount of data is involved
• “Mass” transfers should be avoided – keyword searches to limit data collection and transfer are preferred to wholesale data transfers
Information for Individuals and Regulators
• Individuals must be notified about
  – Types of data collected
  – Purposes for the collection
  – Any disclosures or recipients
  – Access and correction rights
  – Other relevant circumstances
• Access and correction rights protect the individual
• Registrations with data protection authorities should be filed and necessary authorizations obtained
Security
• Appropriate technical and organizational security standards must be in place
• Data retention and disposal policies should be activated
  – Personal data should not be retained (stored) for longer than necessary
  – Personal data may not be retained indefinitely for possible future foreign litigation
  – Policies may conflict with U.S. laws that require retention of evidence
• Appropriate contracts with service providers should be agreed upon
  – Forensic firms, translation firms, vetting companies, copying services, etc.
Draft General Data Protection Regulation
• Broader definition of personal data and broader territorial scope
• Non-EU processors also covered
• Consent must be explicit
• Legitimate interest possible where data collection is necessary for internal fraud, investigation etc.
• Processing of business contact details, direct marketing, and sharing employee data with EU affiliates covered
• Profiling possible with consent
• Less prescriptive administrative obligations for controllers
• Impact assessment and DPA/DPO consultation necessary
• Detailed processing contract and liability for processors
• Limitations on data transfers
• Review of current adequacy mechanisms (Safe Harbor) at the latest in 5 years
• Regulatory disclosure (anti-FISA clause) must be approved by DPAs
• Tougher sanctions
  – Up to 5% of annual global turnover
Compliance Programs
• Companies under the FCPA (only issuers) and Anti-Bribery Act are required to implement compliance programs
• Senior officers may be liable for failure to do so
• Compliance programs do not exempt companies from liability
  – Limit the risk of foreign affiliates engaging in prohibited activities
  – May influence the amount of any fines
  – Under the Anti-Bribery Act having adequate procedures is an affirmative defense
• Programs should be tailored and include
  – A code of conduct
  – Procedures for third party due diligence
  – Procedures for detecting and investigating violations (whistleblowing hotlines, employee monitoring, etc.)
Due Diligence on Third Party Intermediaries
• Companies can be held liable for the acts of intermediary third parties
• Conducting third-party due diligence to ensure that no illicit payments are made to foreign governments or public officials may limit the risks
• Due diligence often requires collection of personal data from principals and other key personnel
  – Individuals’ financial accounts, history of bribery or related activities, debarments, inclusion on a public watch list and business or personal relationships with government officials, etc.
  – Sensitive data, including political affiliation, criminal and judicial data
• Many countries with data protection laws exclude or seriously limit the collection of sensitive data
Due Diligence: Ensuring Privacy Compliance
• Limit data collection to individuals in relevant positions
• Provide notice about data collection
• Have a strategy for dealing with consent
• Formulate due diligence questions to comply with local limitations on sensitive data collection
  – Aim to solicit answers that are proportional to the purpose of the due diligence
  – Carefully phrase questions asking whether key personnel are government officials or have some association with government officials
  – Avoid, where feasible, obtaining criminal and judicial data; use of criminal records checks must be limited
• Limit access to due diligence results on a need-to-know basis and avoid further disclosure of personal data
Whistleblowing Hotlines
• Sarbanes-Oxley Act (SOX)
  – Requires companies listed on the NY Stock Exchange or NASDAQ to establish anonymous reporting procedures for employee complaints regarding fraud in accounting, auditing and financial reporting
  – Provides that U.S. parent can be held liable for foreign affiliates’ violations
• Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank)
  – Creates incentives and financial rewards for employees who report concerns about violations of securities laws to the Securities and Exchange Commission (SEC)
  – Strengthens internal controls and implements internal reporting channels to help minimize risk of employees reporting potential violations to the SEC
• Policies should be in place for whistleblowing under both SOX and Dodd-Frank
EEA Framework for Whistleblowing Hotlines
• WP29 Opinion 1/2006 on internal whistleblowing systems
  – Hotlines are permitted if they are established to comply with (local) legal requirements or where required under “foreign” legal obligations that fulfill a “legitimate purpose”
  – Member State guidance (e.g., Austria, Denmark, Finland, France, Germany, Greece, Norway, Portugal, Sweden and Spain) and specific laws (Hungary and the United Kingdom) are included
Hotline: Ensuring Privacy Compliance
• Limit scope
• Provide hotline as a voluntary alternative to other reporting mechanisms
• Allow but do not advertise anonymous reporting
• Be transparent
  – Provide up-front notice
  – Send notice prior to report (landing page, telephone script)
  – Give notice after the report
• Provide access rights
  – Delays are permitted if necessary for investigation
Hotline: Ensuring Privacy Compliance (cont’d)
• Establish and train dedicated team
• Conclude data processing agreements with vendor
• Address border transfer restrictions
• Consult works council where required
• Implement data retention and disposal policies
• Ensure appropriate security standards
• File local registrations and obtain necessary authorizations
Investigations
• Companies should have strategies to deal with violations of anti-corruption laws once they are detected internally or are subject to regulatory proceedings
  – Conducting internal multi-jurisdictional investigations
  – Responding to discovery requests from regulators and defending enforcement actions
    – U.S. discovery rules require broad and substantial obligations to retain, search for, and produce documents requested by the other party or a regulator
    – A U.S. entity that has control over a foreign affiliate’s documents cannot ignore discovery requests
Internal Investigations
• Monitoring of employees’ electronic communications may help detect corruption or fraudulent behavior
• Approaches to employee monitoring vary across the EEA
  – Employees’ right to privacy at work must be balanced with other legitimate rights and interests of the employer
Internal Investigations (cont’d)
• Approaches vary across the EEA
• WP29 Working Document 55/2002 on the surveillance of electronic communications in the workplace permits monitoring, provided that
  – It is necessary and proportionate for the intended purposes
  – The least intrusive methods are used
  – All online communications in the workplace are subject to confidentiality protections
  – Sensitive data are not collected
  – Prior notice is provided (no further guidance is required to be delivered)
Internal Investigations: Ensuring Privacy Compliance
• Implement a comprehensive employee monitoring program
  – Consider local laws that may limit or regulate employee monitoring
  – Inform employees not to expect (full) privacy, even if accounts are password protected
  – Identify what types of conduct are prohibited
  – Inform employees that the network is provided for work purposes and that monitoring will occur
• Conduct regular training and refresher courses on appropriate email and Internet usage in the workplace
• Obtain acknowledgment that an employee has received, understands, and will follow the requirements
• Consult with and get necessary approval from employee representatives
Disclosure Requirements
• Conflicting demands exist between information requests and EEA data protection requirements
  – U.S. courts may overrule or disregard EEA data protection laws or mechanisms designed to limit cross-border discovery
  – U.S. courts and regulators can impose sanctions for failure to comply with information requests
  – EEA provides sanctions for violation of data protection laws
• No harmonized rules in the EEA
  – Draft General Data Protection Regulation
  – Blocking statutes (in France and Switzerland)
WP29 Guidance 1/2009 on Discovery in Civil Matters
• Does not cover document production in criminal and regulatory investigations
• Consent is “neither sufficient nor recommended”
• Recognizes legitimate interest in complying with U.S. litigation requirements
  – Data must be “proportionate” (i.e., only for specific and imminent proceedings and not at random for an unlimited time in anticipation of litigation)
  – Balance test to bridge EEA privacy regime and U.S. discovery rules
• “Single” transfers outside the EEA permitted for establishment, exercise and defense of legal claim unless a “significant” amount of data is involved
• Alternatives: Safe Harbor, Model Clauses, BCRs
Disclosure Requests: Ensuring Privacy Compliance
• Raise issues in advance and communicate with the other party, court, or regulator as soon as practicable
• Educate U.S. judges and regulators on EEA data protection laws and blocking statutes
• Negotiate terms on who may access data, purposes for which data may be used and security standards
• Work through issues creatively and show a willingness to cooperate
  – Consider redacting or anonymizing data
  – Consider screening data within the EEA
  – Use protective orders
  – Cooperate with EEA authorities
  – Apply appropriate security standards
Disclosure Requests: Ensuring Privacy Compliance (cont’d)
• Ensure compliance with general data protection requirements
  – Transfer mechanism
  – Notice
  – Balancing transparency and non-disclosure obligations or detection of criminal activities
  – Access and correction rights
  – Security
  – Processing agreement
  – Registration/Authorization
Reading Materials
• EU Data Protection Directive 1995/46/EC
  http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:1995:281:0031:0050:EN:PDF
• Draft General Data Protection Regulation
  http://www.janalbrecht.eu/fileadmin/material/Dokumente/DPR-Regulation-inofficial-consolidated-LIBE.pdf
• Article 29 Working Party Opinion 1/2006 on the application of EU data protection rules to internal whistleblowing schemes in the fields of accounting, internal accounting controls, auditing matters, fight against bribery, banking and financial crime
  http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2006/wp117_en.pdf
• Article 29 Working Party Working Document 1/2009 on pre-trial discovery for cross-border civil litigation
  http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2009/wp158_en.pdf
Reading Materials (cont’d)
• Article 29 Working Party Working Document 55/2002 on the surveillance of electronic communications in the workplace
  http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2002/wp55_en.pdf
• Karin Retzer and Michael Miller – Mind the Gap: US Discovery Demands versus EU Data Protection
  http://www.mofo.com/files/Uploads/Images/110601-US-Discovery-Demands-versus-EU-Data-Protection.pdf
• Karin Retzer and Joanna Lopatowska – How to Monitor Workplace E-Mail and Internet in Europe: The Polish Perspective
  http://www.mofo.com/files/Uploads/Images/110718-Privacy-and-Security-Law-Report.pdf
• Karin Retzer, Daniel Westman and Miriam Wugmeister – Between a Rock and a Hard Place: Whistleblowing Procedures under Sarbanes-Oxley and European Union Data Protection Laws
  http://www.mofo.com/Between-a-Rock-and-a-Hard-Place-Whistleblowing-Procedures-under-Sarbanes-Oxley-and-European-Union-Data-Protection-Laws-04-05-2006/
Thank you!
Alja Poler De Zwart
Morrison & Foerster LLP
Brussels
+32 2 340 [email protected]