Post on 23-Jun-2020
© 2013 Morrison & Foerster LLP | All Rights Reserved | mofo.com

Data Protection as Related to Anti-corruption Compliance Investigations
Certificate in European Healthcare Compliance, Ethics & Regulation, Prague, June 3, 2014
Presented by Alja Poler De Zwart
Morrison & Foerster LLP
This is MoFo. 2
Overview
• Anti-Corruption Laws
• Key Data Protection Challenges
• Implementing Compliance Programs
  o Third-party intermediaries due diligence
  o Whistleblowing hotlines
• Dealing with Investigations
  o Multi-jurisdictional internal investigations
  o Responding to information requests from regulators and courts

Anti-Corruption Laws
• Companies are required to implement measures to deter, investigate, identify, and address corruption
  o There is no formal requirement under the FCPA to implement internal controls to deter, investigate, identify, or address corruption
  o The DOJ and SEC will consider a company’s compliance program when deciding whether or not to bring charges
  o It is an offense to fail to prevent bribery under the UK Anti-Bribery Act
• Compliance with anti-corruption laws must overcome hurdles of the EEA data protection laws

Data Protection Laws in Europe
• 31 EEA Member States
• Albania, Andorra, Armenia, Belarus, Bosnia & Herzegovina, Faroe Islands, Georgia, Gibraltar, Greenland, Guernsey, Isle of Man, Jersey, Kosovo, Macedonia, Monaco, Moldova, Montenegro, Russia, San Marino, Serbia, Switzerland, Ukraine

… and Elsewhere
• North America: Canada, Mexico, United States
• Central & South America: Argentina, Bahamas, BES Islands, Chile, Colombia, Costa Rica, Curacao, Dominican Republic, Nicaragua, Peru, Saint Lucia, St. Maarten, Trinidad & Tobago, Uruguay
• Africa: Angola, Benin, Burkina Faso, Côte d’Ivoire, Gabon, Ghana, Mali, Mauritius, Morocco, Senegal, Seychelles, South Africa, Tunisia
• Asia-Pacific: Australia, Hong Kong, India, Japan, Macau, Malaysia, New Zealand, Philippines, Singapore, South Korea, Taiwan, Thailand, Vietnam
• Middle East: Azerbaijan, Israel, Kyrgyzstan and Kazakhstan, Qatar (QFC) and UAE (DIFC)

European Data Protection Framework
• 1995 Data Protection Directive
  o Covers organizations established in the EEA and non-EEA organizations if they use equipment/means located in the EEA for the collection of personal information
• Proposal for a General Data Protection Regulation, March 2014
  o Intended to replace the Data Protection Directive and harmonize laws across the EEA
  o New obligations for organizations and tighter enforcement; higher monetary penalties
  o Covers organizations and service providers established in the EEA as well as non-EEA organizations if they offer products or services to or monitor individuals in the EU/EEA
  o Pending adoption
• ePrivacy Directive
  o Notice and consent required for use of cookies and similar tracking technologies
  o Limited exemptions
  o Implementation varies per country

Key Terms
• Personal data
  o Any information relating to an identified or identifiable individual
• Sensitive information
  o Health information, sex life, racial or ethnic origin, political opinions, religious or philosophical beliefs and trade union membership
  o Also in many jurisdictions: (potential) criminal conduct and records, Social Security number, other government-issued identification numbers, financial information (e.g., credit card data) and information about children
  o Processing is usually prohibited, unless:
    - Opt-in consent from the individuals is acquired, where legally possible
    - Narrow exceptions apply
• Processing
  o Any operation involving personal data such as collection, use, modification, storage, access, disclosure, transfer, deletion, etc.

Key Terms (2)
• Data controller
  o A person or entity that (either alone or jointly with others) decides how and why personal information is processed
  o Primarily responsible for compliance with data protection laws, e.g.:
    - Notice and consent (where applicable)
    - Handling access and correction requests
    - Implementing mechanisms for cross-border transfers
    - Imposing contractual obligations on data processors
    - Registration/authorization with data protection authorities (DPAs)
• Data processor
  o A person or entity that processes personal information on behalf of a controller (e.g., third party service providers)
  o Governed by contractual obligations imposed by the data controller

Legal Bases
• Legal necessity is only sufficient for compliance with local laws
  o Obligations imposed under foreign statutes are not sufficient to collect personal data
• Consent is “neither sufficient nor recommended”
  o Must be freely given, specific and informed and may be withdrawn at any time
  o Not always feasible to procure (e.g., from clients, suppliers, agents, etc.)
  o Employee consent is typically challenged as it is usually not freely given
• Legitimate interest / balance of interests
  o There is legitimate interest in complying with foreign anti-corruption laws
  o Not sufficient for sensitive data

Cross-border Transfers
• Broad concept: access (sometimes even potential access) to a database located in another country
• Sharing information with organizations in countries that are not deemed adequate is subject to special restrictions
  o Consent
  o EU Model Contracts
  o Binding Corporate Rules
  o Safe Harbor Framework
• “Single” transfers outside the EEA are permitted unless a “significant” amount of information is involved
• “Mass” transfers should be avoided; keyword searches to limit collection and transfer are preferred to wholesale transfers

Information for Individuals and Regulators
• Individuals must be notified about
  o Types of data collected
  o Purposes for the collection
  o Any disclosures or recipients
  o Access and correction rights
  o Other relevant circumstances
• Access and correction rights protect the individual
• Registrations with data protection authorities should be filed and necessary authorizations obtained

Security
• Appropriate technical and organizational security standards must be in place
• Data retention and disposal policies should be activated
  o Personal data should not be retained (stored) for longer than necessary
  o Many jurisdictions have specific legal data retention periods
  o Personal data may not be retained indefinitely for possible future foreign litigation
  o Policies may conflict with U.S. laws that require retention of evidence
• Appropriate contracts with service providers should be agreed upon
  o Forensic firms, translation firms, IT providers, security companies, vetting companies, copying services, etc.

Proposal for Data Protection Regulation
• Broader, more detailed definition of personal information and broader territorial scope
• Non-EU processors also covered
• Consent must be explicit and obtained by clear affirmative action; mere use of a service does not constitute consent
• Legitimate interest possible where collection is necessary for internal fraud, investigation, etc., but only for occasional transfers
• Processing of business contact details, direct marketing, and sharing of employee information with EU affiliates covered
• Profiling possible with consent
• Less prescriptive administrative obligations for controllers (one-stop shopping mechanism)
• Impact assessment and DPA/DPO consultation necessary
• Detailed processing contract and liability for processors
• Limitations on cross-border transfers
• Review of current adequacy mechanisms (Safe Harbor) at the latest within 5 years
• Regulatory disclosure (anti-FISA clause) must be approved by DPAs
• Tougher sanctions: up to 5% of annual global turnover

Compliance Programs
• Companies under the FCPA (only issuers) and Anti-Bribery Act are required to implement compliance programs
• Senior officers may be liable for failure to do so
• Compliance programs do not exempt companies from liability
  o Limit the risk of foreign affiliates engaging in prohibited activities
  o May influence the amount of any fines
  o Under the Anti-Bribery Act having adequate procedures is an affirmative defense
• Programs should be tailored and include
  o A code of conduct
  o Procedures for third party due diligence
  o Procedures for detecting and investigating violations (whistleblowing hotlines, employee monitoring, etc.)

Due Diligence on Third Party Intermediaries
• Companies can be held liable for the acts of intermediary third parties
• Conducting third-party due diligence to ensure that no illicit payments are made to foreign governments or public officials may limit the risks
• Due diligence often requires collection of personal data from principals and other key personnel
  o Individuals’ financial accounts, history of bribery or related activities, debarments, inclusion on a public watch list and business or personal relationships with government officials, etc.
  o Sensitive data, including political affiliation, criminal and judicial data
• Many countries with data protection laws exclude or seriously limit the collection of sensitive data

Due Diligence: Ensuring Privacy Compliance
• Limit data collection to individuals in relevant positions
• Provide notice about data collection
• Have a strategy for dealing with consent
• Formulate due diligence questions to comply with local limitations on sensitive data collection
  o Aim to solicit answers that are proportional to the purpose of the due diligence
  o Carefully phrase questions asking whether key personnel are government officials or have some association with government officials
  o Avoid, where feasible, obtaining criminal and judicial data; use of criminal records checks must be limited
• Limit access to due diligence results on a need-to-know basis and avoid further disclosure of personal data

Whistleblowing Hotlines
• Sarbanes-Oxley Act (SOX)
  o Requires companies listed on the NY Stock Exchange or NASDAQ to establish anonymous reporting procedures for employee complaints regarding fraud in accounting, auditing and financial reporting
  o Provides that U.S. parent can be held liable for foreign affiliates’ violations
• Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank)
  o Creates incentives and financial rewards for employees who report concerns about violations of securities laws to the Securities and Exchange Commission (SEC)
  o Strengthens internal controls and implements internal reporting channels to help minimize risk of employees reporting potential violations to the SEC
• Policies should be in place for whistleblowing under both SOX and Dodd-Frank

EEA Framework for Whistleblowing Hotlines
• WP29 Opinion 1/2006 on internal whistleblowing systems
  o Hotlines are permitted if they are established to comply with (local) legal requirements or where required under “foreign” legal obligations that fulfill a “legitimate purpose”
  o Member State guidance (e.g., Austria, Denmark, Finland, France, Germany, Greece, Norway, Portugal, Sweden and Spain) and specific laws (Hungary and the United Kingdom) are included

Hotline: Ensuring Privacy Compliance
• Limit scope
• Provide hotline as a voluntary alternative to other reporting mechanisms
• Allow but do not advertise anonymous reporting
• Be transparent
  o Provide up-front notice
  o Send notice prior to report (landing page, telephone script)
  o Give notice after the report
• Provide access rights
  o Delays are permitted if necessary for investigation

Hotline: Ensuring Privacy Compliance (cont’d)
• Establish and train dedicated team
• Conclude data processing agreements with vendor
• Address cross-border transfer restrictions
• Consult works council where required
• Implement data retention and disposal policies
• Ensure appropriate security standards
• File local registrations and obtain necessary authorizations

Investigations
• Companies should have strategies to deal with violations of anti-corruption laws once they are detected internally or are subject to regulatory proceedings
  o Conducting internal multi-jurisdictional investigations
  o Responding to discovery requests from regulators and defending enforcement actions
    - U.S. discovery rules impose broad and substantial obligations to retain, search for, and produce documents requested by the other party or a regulator
    - A U.S. entity that has control over a foreign affiliate’s documents cannot ignore discovery requests

Internal Investigations
• Monitoring of employees’ electronic communications may help detect corruption or fraudulent behavior
• Approaches to employee monitoring vary across the EEA
  o Employees’ right to privacy at work must be balanced with other legitimate rights and interests of the employer

Internal Investigations (cont’d)
• Approaches vary across the EEA
• WP29 Working Document 55/2002 on the surveillance of electronic communications in the workplace permits monitoring, provided that
  o It is necessary and proportionate for the intended purposes
  o The least intrusive methods are used
  o All online communications in the workplace are subject to confidentiality protections
  o Sensitive data are not collected
  o Prior notice is provided (no further guidance is required to be delivered)

Internal Investigations: Ensuring Privacy Compliance
• Implement a comprehensive employee monitoring program
  o Consider local laws that may limit or regulate employee monitoring
  o Inform employees not to expect (full) privacy, even if accounts are password protected
  o Identify what types of conduct are prohibited
  o Inform employees that the network is provided for work purposes and that monitoring will occur
• Conduct regular training and refresher courses on appropriate email and Internet usage in the workplace
• Obtain acknowledgment that an employee has received, understands, and will follow the requirements
• Consult with and get necessary approval from employee representatives

Disclosure Requirements
• Conflicting demands exist between information requests and EEA data protection requirements
  o U.S. courts may overrule or disregard EEA data protection laws or mechanisms designed to limit cross-border discovery
  o U.S. courts and regulators can impose sanctions for failure to comply with information requests
  o EEA provides sanctions for violation of data protection laws
• No harmonized rules in the EEA
  o Draft General Data Protection Regulation
  o Blocking statutes (in France and Switzerland)

WP29 Guidance 1/2009 on Discovery in Civil Matters
• Does not cover document production in criminal and regulatory investigations
• Consent is “neither sufficient nor recommended”
• Recognizes legitimate interest in complying with U.S. litigation requirements
  o Data must be “proportionate” (i.e., only for specific and imminent proceedings and not at random for an unlimited time in anticipation of litigation)
  o Balance test to bridge EEA privacy regime and U.S. discovery rules
• “Single” transfers outside the EEA permitted for establishment, exercise and defense of legal claims unless a “significant” amount of data is involved
• Alternatives: Safe Harbor, Model Clauses, BCRs

Disclosure Requests: Ensuring Privacy Compliance
• Raise issues in advance and communicate with the other party, court, or regulator as soon as practicable
• Educate U.S. judges and regulators on EEA data protection laws and blocking statutes
• Negotiate terms on who may access data, purposes for which data may be used and security standards
• Work through issues creatively and show a willingness to cooperate
  o Consider redacting or anonymizing data
  o Consider screening data within the EEA
  o Use protective orders
  o Cooperate with EEA authorities
  o Apply appropriate security standards

Disclosure Requests: Ensuring Privacy Compliance (cont’d)
• Ensure compliance with general data protection requirements
  o Transfer mechanism
  o Notice
    - Balancing transparency and non-disclosure obligations or detection of criminal activities
  o Access and correction rights
  o Security
  o Processing agreement
  o Registration/Authorization

Reading Materials
• EU Data Protection Directive 1995/46/EC: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:1995:281:0031:0050:EN:PDF
• Draft General Data Protection Regulation: http://www.janalbrecht.eu/fileadmin/material/Dokumente/DPR-Regulation-inofficial-consolidated-LIBE.pdf
• Article 29 Working Party Opinion 1/2006 on the application of EU data protection rules to internal whistleblowing schemes in the fields of accounting, internal accounting controls, auditing matters, fight against bribery, banking and financial crime: http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2006/wp117_en.pdf
• Article 29 Working Party Working Document 1/2009 on pre-trial discovery for cross-border civil litigation: http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2009/wp158_en.pdf

Reading Materials (cont’d)
• Article 29 Working Party Working Document 55/2002 on the surveillance of electronic communications in the workplace: http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2002/wp55_en.pdf
• Karin Retzer and Michael Miller – Mind the Gap: US Discovery Demands versus EU Data Protection: http://www.mofo.com/files/Uploads/Images/110601-US-Discovery-Demands-versus-EU-Data-Protection.pdf
• Karin Retzer and Joanna Lopatowska – How to Monitor Workplace E-Mail and Internet in Europe: The Polish Perspective: http://www.mofo.com/files/Uploads/Images/110718-Privacy-and-Security-Law-Report.pdf
• Karin Retzer, Daniel Westman and Miriam Wugmeister – Between a Rock and a Hard Place: Whistleblowing Procedures under Sarbanes-Oxley and European Union Data Protection Laws: http://www.mofo.com/Between-a-Rock-and-a-Hard-Place-Whistleblowing-Procedures-under-Sarbanes-Oxley-and-European-Union-Data-Protection-Laws-04-05-2006/

Thank you!
Alja Poler De Zwart
Morrison & Foerster LLP, Brussels
+32 2 340 7360
apolerdezwart@mofo.com