Data Protection as Related to Anti-corruption Compliance

European Certificate in Healthcare Compliance, Ethics & Regulation
November 19, 2013

Presented by Alja Poler De Zwart, Morrison & Foerster LLP

©2013 Morrison & Foerster LLP | All Rights Reserved | mofo.com


Page 1: Data Protection as Related to Anti-corruption Compliancemedia.mofo.com/files/uploads/Images/131019-Data-Protection-as-Re… · European Certificate in Healthcare Compliance, Ethics



This is MoFo. 2

Overview

• Anti-Corruption Laws
• Key Data Protection Challenges
• Implementing Compliance Programs
  - Third-party intermediaries due diligence
  - Whistleblowing hotlines
• Dealing with Investigations
  - Multi-jurisdictional internal investigations
  - Responding to information requests from regulators and courts

Anti-Corruption Laws

• Companies are required to implement measures to deter, investigate, identify, and address corruption
  - There is no formal requirement under the FCPA to implement internal controls to deter, investigate, identify, or address corruption
  - The DOJ and SEC will consider a company’s compliance program when deciding whether or not to bring charges
  - It is an offense to fail to prevent bribery under the UK Anti-Bribery Act
• Compliance with anti-corruption laws must overcome hurdles of the EEA data protection laws

Data Protection Laws in Europe

• 30 Member States of the European Economic Area
• Other European jurisdictions: Albania, Andorra, Armenia, Belarus, Bosnia & Herzegovina, Croatia, Faroe Islands, Georgia, Gibraltar, Guernsey, Isle of Man, Jersey, Macedonia, Moldova, Monaco, Montenegro, Russia, Serbia, Switzerland, San Marino, Turkey (Pending), Ukraine

… and elsewhere

• North America: Canada, Mexico, United States
• Central & South America: Argentina, Brazil (Pending), Bahamas, Chile, Colombia, Costa Rica, Ecuador (Pending), Peru, Uruguay
• Middle East: Azerbaijan, Israel, Kyrgyzstan, Qatar (QFC), UAE (DIFC)
• Africa: Angola, Benin, Burkina Faso, Cape Verde, Gabon, Mauritius, Morocco, Senegal, Seychelles, South Africa (Pending), Tunisia
• Asia-Pacific: Australia, Hong Kong, India, Japan, Macau, Malaysia, New Zealand, Philippines, Singapore, South Korea, Taiwan, Thailand (Pending), Vietnam

European Data Protection Framework

• 1995 Data Protection Directive provides general rules for processing personal data
  - Implementation slightly different in the 30 EEA member states
  - Covers organizations established in the EEA and non-EEA organizations if they use equipment in the EEA for the collection of personal data
• Proposal for a General Data Protection Regulation, October 2013
  - Meant to replace the Directive and harmonize laws across the EEA
  - Organizations will face new obligations and tighter enforcement

Key Terms

• Personal data
  - Any information relating to an identified or identifiable individual
• Sensitive data
  - Health information, sex life, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership
  - Also criminal conduct and records in many jurisdictions
  - Processing usually prohibited unless opt-in consent from the individuals or narrow exceptions apply
• Processing
  - Any operation involving personal data such as collection, use, modification, storage, access, disclosure, transfer, deletion, etc.

Key Terms (2)

• Data controller
  - A person or entity that (either alone or jointly with others) decides how and why personal information is processed
  - Primarily responsible for compliance with data protection laws, e.g.:
    - Notice and consent (where applicable)
    - Handling access and correction requests
    - Implementing mechanisms for cross-border transfers
    - Imposing contractual obligations on data processors
• Data processor
  - A person or entity that processes personal information on behalf of a controller (e.g., third party service providers)
  - Governed by contractual obligations imposed by the data controller

Legal Basis for Data Processing

• Legal necessity is only sufficient for compliance with local laws
  - Obligations imposed under foreign statutes are not sufficient to collect personal data
• Consent is “neither sufficient nor recommended”
  - Must be freely given, specific and informed and may be withdrawn at any time
  - Not always feasible to procure (e.g., from clients, suppliers, agents, etc.)
  - Employee consent is typically challenged as it is usually not freely given
• Legitimate interest / balance of interests
  - There is legitimate interest in complying with foreign anti-corruption laws
  - Not sufficient for sensitive data

Transfer Restrictions

• Broad concept – (sometimes even potential) access to a database located in another country
• Sharing data with organizations in countries that are not deemed adequate is subject to special restrictions
  - Consent
  - EU Model Contracts
  - Binding Corporate Rules
  - Safe Harbor Framework
• “Single” transfers outside the EEA are permitted unless a “significant” amount of data is involved
• “Mass” transfers should be avoided – keyword searches to limit data collection and transfer are preferred to wholesale data transfers

Information for Individuals and Regulators

• Individuals must be notified about
  - Types of data collected
  - Purposes for the collection
  - Any disclosures or recipients
  - Access and correction rights
  - Other relevant circumstances
• Access and correction rights protect the individual
• Registrations with data protection authorities should be filed and necessary authorizations obtained

Security

• Appropriate technical and organizational security standards must be in place
• Data retention and disposal policies should be activated
  - Personal data should not be retained (stored) for longer than necessary
  - Personal data may not be retained indefinitely for possible future foreign litigation
  - Policies may conflict with U.S. laws that require retention of evidence
• Appropriate contracts with service providers should be agreed upon
  - Forensic firms, translation firms, vetting companies, copying services, etc.

Draft General Data Protection Regulation

• Broader definition of personal data and broader territorial scope
• Non-EU processors also covered
• Consent must be explicit
• Legitimate interest possible where data collection is necessary for internal fraud, investigation etc.
• Processing of business contact details, direct marketing, and sharing employee data with EU affiliates covered
• Profiling possible with consent
• Less prescriptive administrative obligations for controllers
• Impact assessment and DPA/DPO consultation necessary
• Detailed processing contract and liability for processors
• Limitations on data transfers
• Review of current adequacy mechanisms (Safe Harbor) at the latest in 5 years
• Regulatory disclosure (anti-FISA clause) must be approved by DPAs
• Tougher sanctions
  - Up to 5% of annual global turnover

Compliance Programs

• Companies under the FCPA (only issuers) and Anti-Bribery Act are required to implement compliance programs
• Senior officers may be liable for failure to do so
• Compliance programs do not exempt companies from liability
  - Limit the risk of foreign affiliates engaging in prohibited activities
  - May influence the amount of any fines
  - Under the Anti-Bribery Act having adequate procedures is an affirmative defense
• Programs should be tailored and include
  - A code of conduct
  - Procedures for third party due diligence
  - Procedures for detecting and investigating violations (whistleblowing hotlines, employee monitoring, etc.)

Due Diligence on Third Party Intermediaries

• Companies can be held liable for the acts of intermediary third parties
• Conducting third-party due diligence to ensure that no illicit payments are made to foreign governments or public officials may limit the risks
• Due diligence often requires collection of personal data from principals and other key personnel
  - Individuals’ financial accounts, history of bribery or related activities, debarments, inclusion on a public watch list and business or personal relationships with government officials, etc.
  - Sensitive data, including political affiliation, criminal and judicial data
• Many countries with data protection laws exclude or seriously limit the collection of sensitive data

Due Diligence: Ensuring Privacy Compliance

• Limit data collection to individuals in relevant positions
• Provide notice about data collection
• Have a strategy for dealing with consent
• Formulate due diligence questions to comply with local limitations on sensitive data collection
  - Aim to solicit answers that are proportional to the purpose of the due diligence
  - Carefully phrase questions asking whether key personnel are government officials or have some association with government officials
  - Avoid, where feasible, obtaining criminal and judicial data; use of criminal records checks must be limited
• Limit access to due diligence results on a need to know basis and avoid further disclosure of personal data

Whistleblowing Hotlines

• Sarbanes-Oxley Act (SOX)
  - Requires companies listed on the NY Stock Exchange or NASDAQ to establish anonymous reporting procedures for employee complaints regarding fraud in accounting, auditing and financial reporting
  - Provides that U.S. parent can be held liable for foreign affiliates’ violations
• Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank)
  - Creates incentives and financial rewards for employees who report concerns about violations of securities laws to the Securities and Exchange Commission (SEC)
  - Strengthens internal controls and implements internal reporting channels to help minimize risk of employees reporting potential violations to the SEC
• Policies should be in place for whistleblowing under both SOX and Dodd-Frank

EEA Framework for Whistleblowing Hotlines

• WP29 Opinion 1/2006 on internal whistleblowing systems
  - Hotlines are permitted if they are established to comply with (local) legal requirements or where required under “foreign” legal obligations that fulfill a “legitimate purpose”
  - Member State guidance (e.g., Austria, Denmark, Finland, France, Germany, Greece, Norway, Portugal, Sweden and Spain) and specific laws (Hungary and the United Kingdom) are included

Hotline: Ensuring Privacy Compliance

• Limit scope
• Provide hotline as a voluntary alternative to other reporting mechanisms
• Allow but do not advertise anonymous reporting
• Be transparent
  - Provide up-front notice
  - Send notice prior to report (landing page, telephone script)
  - Give notice after the report
• Provide access rights
  - Delays are permitted if necessary for investigation

Hotline: Ensuring Privacy Compliance (cont’d)

• Establish and train dedicated team
• Conclude data processing agreements with vendor
• Address border transfer restrictions
• Consult works council where required
• Implement data retention and disposal policies
• Ensure appropriate security standards
• File local registrations and obtain necessary authorizations

Investigations

• Companies should have strategies to deal with violations of anti-corruption laws once they are detected internally or are subject to regulatory proceedings
  - Conducting internal multi-jurisdictional investigations
  - Responding to discovery requests from regulators and defending enforcement actions
    - U.S. discovery rules impose broad and substantial obligations to retain, search for, and produce documents requested by the other party or a regulator
    - A U.S. entity that has control over a foreign affiliate’s documents cannot ignore discovery requests

Internal Investigations

• Monitoring of employees’ electronic communications may help detect corruption or fraudulent behavior
• Approaches to employee monitoring vary across the EEA
  - Employees’ right to privacy at work must be balanced with other legitimate rights and interests of the employer

Internal Investigations (cont’d)

• Approaches vary across the EEA
• WP29 Working Document 55/2002 on the surveillance of electronic communications in the workplace permits monitoring, provided that
  - It is necessary and proportionate for the intended purposes
  - The least intrusive methods are used
  - All online communications in the workplace are subject to confidentiality protections
  - Sensitive data are not collected
  - Prior notice is provided (no further guidance is required to be delivered)

Internal Investigations: Ensuring Privacy Compliance

• Implement a comprehensive employee monitoring program
  - Consider local laws that may limit or regulate employee monitoring
  - Inform employees not to expect (full) privacy, even if accounts are password protected
  - Identify what types of conduct are prohibited
  - Inform employees that the network is provided for work purposes and that monitoring will occur
• Conduct regular training and refresher courses on appropriate email and Internet usage in the workplace
• Obtain acknowledgment that an employee has received, understands, and will follow the requirements
• Consult with and get necessary approval from employee representatives

Disclosure Requirements

• Conflicting demands exist between information requests and EEA data protection requirements
  - U.S. courts may overrule or disregard EEA data protection laws or mechanisms designed to limit cross-border discovery
  - U.S. courts and regulators can impose sanctions for failure to comply with information requests
  - EEA provides sanctions for violation of data protection laws
• No harmonized rules in the EEA
  - Draft General Data Protection Regulation
  - Blocking statutes (in France and Switzerland)

WP29 Guidance 1/2009 on Discovery in Civil Matters

• Does not cover document production in criminal and regulatory investigations
• Consent is “neither sufficient nor recommended”
• Recognizes legitimate interest in complying with U.S. litigation requirements
  - Data must be “proportionate” (i.e., only for specific and imminent proceedings and not at random for an unlimited time in anticipation of litigation)
  - Balance test to bridge EEA privacy regime and U.S. discovery rules
• “Single” transfers outside the EEA permitted for establishment, exercise and defense of legal claim unless a “significant” amount of data is involved
• Alternatives: Safe Harbor, Model Clauses, BCRs

Disclosure Requests: Ensuring Privacy Compliance

• Raise issues in advance and communicate with the other party, court, or regulator as soon as practicable
• Educate U.S. judges and regulators on EEA data protection laws and blocking statutes
• Negotiate terms on who may access data, purposes for which data may be used and security standards
• Work through issues creatively and show a willingness to cooperate
  - Consider redacting or anonymizing data
  - Consider screening data within the EEA
  - Use protective orders
  - Cooperate with EEA authorities
  - Apply appropriate security standards

Disclosure Requests: Ensuring Privacy Compliance (cont’d)

• Ensure compliance with general data protection requirements
  - Transfer mechanism
  - Notice
    - Balancing transparency and non-disclosure obligations or detection of criminal activities
  - Access and correction rights
  - Security
  - Processing agreement
  - Registration/Authorization

Reading Materials

• EU Data Protection Directive 1995/46/EC
  http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:1995:281:0031:0050:EN:PDF
• Draft General Data Protection Regulation
  http://www.janalbrecht.eu/fileadmin/material/Dokumente/DPR-Regulation-inofficial-consolidated-LIBE.pdf
• Article 29 Working Party Opinion 1/2006 on the application of EU data protection rules to internal whistleblowing schemes in the fields of accounting, internal accounting controls, auditing matters, fight against bribery, banking and financial crime
  http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2006/wp117_en.pdf
• Article 29 Working Party Working Document 1/2009 on pre-trial discovery for cross-border civil litigation
  http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2009/wp158_en.pdf

Reading Materials (cont’d)

• Article 29 Working Party Working Document 55/2002 on the surveillance of electronic communications in the workplace
  http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2002/wp55_en.pdf
• Karin Retzer and Michael Miller – Mind the Gap: US Discovery Demands versus EU Data Protection
  http://www.mofo.com/files/Uploads/Images/110601-US-Discovery-Demands-versus-EU-Data-Protection.pdf
• Karin Retzer and Joanna Lopatowska – How to Monitor Workplace E-Mail and Internet in Europe: The Polish Perspective
  http://www.mofo.com/files/Uploads/Images/110718-Privacy-and-Security-Law-Report.pdf
• Karin Retzer, Daniel Westman and Miriam Wugmeister – Between a Rock and a Hard Place: Whistleblowing Procedures under Sarbanes-Oxley and European Union Data Protection Laws
  http://www.mofo.com/Between-a-Rock-and-a-Hard-Place-Whistleblowing-Procedures-under-Sarbanes-Oxley-and-European-Union-Data-Protection-Laws-04-05-2006/

Thank you!

Alja Poler De Zwart
Morrison & Foerster LLP
Brussels
+32 2 340 [email protected]