©2013 Morrison & Foerster LLP | All Rights Reserved | mofo.com
This is MoFo.

Data Protection as Related to Anti-corruption Compliance Investigations

Certificate in European Healthcare Compliance, Ethics & Regulation, Prague, June 3, 2014

Presented by Alja Poler De Zwart, Morrison & Foerster LLP




Overview

• Anti-Corruption Laws
• Key Data Protection Challenges
• Implementing Compliance Programs
  o Third-party intermediaries due diligence
  o Whistleblowing hotlines
• Dealing with Investigations
  o Multi-jurisdictional internal investigations
  o Responding to information requests from regulators and courts


Anti-Corruption Laws

• Companies are required to implement measures to deter, investigate, identify, and address corruption
  o There is no formal requirement under the FCPA to implement internal controls to deter, investigate, identify, or address corruption
  o The DOJ and SEC will consider a company’s compliance program when deciding whether or not to bring charges
  o It is an offense to fail to prevent bribery under the UK Anti-Bribery Act
• Compliance with anti-corruption laws must overcome hurdles of the EEA data protection laws


Data Protection Laws in Europe

• 31 EEA Member States
• Albania, Andorra, Armenia, Belarus, Bosnia & Herzegovina, Faroe Islands, Georgia, Gibraltar, Greenland, Guernsey, Isle of Man, Jersey, Kosovo, Macedonia, Monaco, Moldova, Montenegro, Russia, San Marino, Serbia, Switzerland, Ukraine


… and Elsewhere

• North America: Canada, Mexico, United States
• Central & South America: Argentina, Bahamas, BES Islands, Chile, Colombia, Costa Rica, Curacao, Dominican Republic, Nicaragua, Peru, Saint Lucia, St. Maarten, Trinidad & Tobago, Uruguay
• Africa: Angola, Benin, Burkina Faso, Côte d’Ivoire, Gabon, Ghana, Mali, Mauritius, Morocco, Senegal, Seychelles, South Africa, Tunisia
• Asia-Pacific: Australia, Hong Kong, India, Japan, Macau, Malaysia, New Zealand, Philippines, Singapore, South Korea, Taiwan, Thailand, Vietnam
• Middle East: Azerbaijan, Israel, Kyrgyzstan and Kazakhstan, Qatar (QFC) and UAE (DIFC)


European Data Protection Framework

• 1995 Data Protection Directive
  o Covers organizations established in the EEA and non-EEA organizations if they use equipment/means located in the EEA for the collection of personal information
• Proposal for a General Data Protection Regulation, March 2014
  o Intended to replace the Data Protection Directive and harmonize laws across the EEA
  o New obligations for organizations and tighter enforcement; higher monetary penalties
  o Covers organizations and service providers established in the EEA as well as non-EEA organizations if they offer products or services to or monitor individuals in the EU/EEA
  o Pending adoption
• ePrivacy Directive
  o Notice and consent required for use of cookies and similar tracking technologies
  o Limited exemptions
  o Implementation varies per country


Key Terms

• Personal data
  o Any information relating to an identified or identifiable individual
• Sensitive information
  o Health information, sex life, racial or ethnic origin, political opinions, religious or philosophical beliefs and trade union membership
  o Also in many jurisdictions: (potential) criminal conduct and records, Social Security number, other government-issued identification numbers, financial information (e.g., credit card data) and information about children
  o Processing is usually prohibited, unless:
    - Opt-in consent from the individuals is acquired, where legally possible
    - Narrow exceptions apply
• Processing
  o Any operation involving personal data such as collection, use, modification, storage, access, disclosure, transfer, deletion, etc.


Key Terms (2)

• Data controller
  o A person or entity that (either alone or jointly with others) decides how and why personal information is processed
  o Primarily responsible for compliance with data protection laws, e.g.:
    - Notice and consent (where applicable)
    - Handling access and correction requests
    - Implementing mechanisms for cross-border transfers
    - Imposing contractual obligations on data processors
    - Registration/authorization – data protection authorities (DPAs)
• Data processor
  o A person or entity that processes personal information on behalf of a controller (e.g., third party service providers)
  o Governed by contractual obligations imposed by the data controller


Legal Bases

• Legal necessity is only sufficient for compliance with local laws
  o Obligations imposed under foreign statutes are not sufficient to collect personal data
• Consent is “neither sufficient nor recommended”
  o Must be freely given, specific and informed and may be withdrawn at any time
  o Not always feasible to procure (e.g., from clients, suppliers, agents, etc.)
  o Employee consent is typically challenged as it is usually not freely given
• Legitimate interest / balance of interests
  o There is legitimate interest in complying with foreign anti-corruption laws
  o Not sufficient for sensitive data


Cross-border Transfers

• Broad concept – access (sometimes even potential access) to a database located in another country
• Sharing information with organizations in countries that are not deemed adequate is subject to special restrictions
  o Consent
  o EU Model Contracts
  o Binding Corporate Rules
  o Safe Harbor Framework
• “Single” transfers outside the EEA are permitted unless a “significant” amount of information is involved
• “Mass” transfers should be avoided – keyword searches to limit collection and transfer are preferred to wholesale transfers


Information for Individuals and Regulators

• Individuals must be notified about
  o Types of data collected
  o Purposes for the collection
  o Any disclosures or recipients
  o Access and correction rights
  o Other relevant circumstances
• Access and correction rights protect the individual
• Registrations with data protection authorities should be filed and necessary authorizations obtained


Security

• Appropriate technical and organizational security standards must be in place
• Data retention and disposal policies should be activated
  o Personal data should not be retained (stored) for longer than necessary
  o Many jurisdictions have specific legal data retention periods
  o Personal data may not be retained indefinitely for possible future foreign litigation
  o Policies may conflict with U.S. laws that require retention of evidence
• Appropriate contracts with service providers should be agreed upon
  o Forensic firms, translation firms, IT providers, security companies, vetting companies, copying services, etc.


Proposal for Data Protection Regulation

• Broader, more detailed definition of personal information and broader territorial scope
• Non-EU processors also covered
• Consent must be explicit and obtained by clear affirmative action; mere use of a service does not constitute consent
• Legitimate interest possible where collection is necessary for internal fraud, investigation, etc., but only for occasional transfers
• Processing of business contact details, direct marketing, and sharing of employee information with EU affiliates covered
• Profiling possible with consent
• Less prescriptive administrative obligations for controllers (one-stop shopping mechanism)
• Impact assessment and DPA/DPO consultation necessary
• Detailed processing contract and liability for processors
• Limitations on cross-border transfers
• Review of current adequacy mechanisms (Safe Harbor) at the latest during the 5 years
• Regulatory disclosure (anti-FISA clause) must be approved by DPAs
• Tougher sanctions – up to 5% of annual global turnover


Compliance Programs

• Companies under the FCPA (only issuers) and Anti-Bribery Act are required to implement compliance programs
• Senior officers may be liable for failure to do so
• Compliance programs do not exempt companies from liability
  o Limit the risk of foreign affiliates engaging in prohibited activities
  o May influence the amount of any fines
  o Under the Anti-Bribery Act having adequate procedures is an affirmative defense
• Programs should be tailored and include
  o A code of conduct
  o Procedures for third party due diligence
  o Procedures for detecting and investigating violations (whistleblowing hotlines, employee monitoring, etc.)


Due Diligence on Third Party Intermediaries

• Companies can be held liable for the acts of intermediary third parties
• Conducting third-party due diligence to ensure that no illicit payments are made to foreign governments or public officials may limit the risks
• Due diligence often requires collection of personal data from principals and other key personnel
  o Individuals’ financial accounts, history of bribery or related activities, debarments, inclusion on a public watch list and business or personal relationships with government officials, etc.
  o Sensitive data, including political affiliation, criminal and judicial data
• Many countries with data protection laws exclude or seriously limit the collection of sensitive data


Due Diligence: Ensuring Privacy Compliance

• Limit data collection to individuals in relevant positions
• Provide notice about data collection
• Have a strategy for dealing with consent
• Formulate due diligence questions to comply with local limitations on sensitive data collection
  o Aim to solicit answers that are proportional to the purpose of the due diligence
  o Carefully phrase questions asking whether key personnel are government officials or have some association with government officials
  o Avoid, where feasible, obtaining criminal and judicial data; use of criminal records checks must be limited
• Limit access to due diligence results on a need-to-know basis and avoid further disclosure of personal data


Whistleblowing Hotlines

• Sarbanes-Oxley Act (SOX)
  o Requires companies listed on the NY Stock Exchange or NASDAQ to establish anonymous reporting procedures for employee complaints regarding fraud in accounting, auditing and financial reporting
  o Provides that U.S. parent can be held liable for foreign affiliates’ violations
• Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank)
  o Creates incentives and financial rewards for employees who report concerns about violations of securities laws to the Securities and Exchange Commission (SEC)
  o Strengthens internal controls and implements internal reporting channels to help minimize risk of employees reporting potential violations to the SEC
• Policies should be in place for whistleblowing under both SOX and Dodd-Frank


EEA Framework for Whistleblowing Hotlines

• WP29 Opinion 1/2006 on internal whistleblowing systems
  o Hotlines are permitted if they are established to comply with (local) legal requirements or where required under “foreign” legal obligations that fulfill a “legitimate purpose”
• Member State guidance (e.g., Austria, Denmark, Finland, France, Germany, Greece, Norway, Portugal, Sweden and Spain) and specific laws (Hungary and the United Kingdom) are included


Hotline: Ensuring Privacy Compliance

• Limit scope
• Provide hotline as a voluntary alternative to other reporting mechanisms
• Allow but do not advertise anonymous reporting
• Be transparent
  o Provide up-front notice
  o Send notice prior to report (landing page, telephone script)
  o Give notice after the report
• Provide access rights
  o Delays are permitted if necessary for investigation


Hotline: Ensuring Privacy Compliance (cont’d)

• Establish and train dedicated team
• Conclude data processing agreements with vendor
• Address cross-border transfer restrictions
• Consult works council where required
• Implement data retention and disposal policies
• Ensure appropriate security standards
• File local registrations and obtain necessary authorizations


Investigations

• Companies should have strategies to deal with violations of anti-corruption laws once they are detected internally or are subject to regulatory proceedings
  o Conducting internal multi-jurisdictional investigations
  o Responding to discovery requests from regulators and defending enforcement actions
    - U.S. discovery rules impose broad and substantial obligations to retain, search for, and produce documents requested by the other party or a regulator
    - A U.S. entity that has control over a foreign affiliate’s documents cannot ignore discovery requests


Internal Investigations

• Monitoring of employees’ electronic communications may help detect corruption or fraudulent behavior
• Approaches to employee monitoring vary across the EEA
  o Employees’ right to privacy at work must be balanced with other legitimate rights and interests of the employer


Internal Investigations (cont’d)

• Approaches vary across the EEA
• WP29 Working Document 55/2002 on the surveillance of electronic communications in the workplace permits monitoring, provided that
  o It is necessary and proportionate for the intended purposes
  o The least intrusive methods are used
  o All online communications in the workplace are subject to confidentiality protections
  o Sensitive data are not collected
  o Prior notice is provided (no further guidance is required to be delivered)


Internal Investigations: Ensuring Privacy Compliance

• Implement a comprehensive employee monitoring program
  o Consider local laws that may limit or regulate employee monitoring
  o Inform employees not to expect (full) privacy, even if accounts are password protected
  o Identify what types of conduct are prohibited
  o Inform employees that the network is provided for work purposes and that monitoring will occur
• Conduct regular training and refresher courses on appropriate email and Internet usage in the workplace
• Obtain acknowledgment that an employee has received, understands, and will follow the requirements
• Consult with and get necessary approval from employee representatives


Disclosure Requirements

• Conflicting demands exist between information requests and EEA data protection requirements
  o U.S. courts may overrule or disregard EEA data protection laws or mechanisms designed to limit cross-border discovery
  o U.S. courts and regulators can impose sanctions for failure to comply with information requests
  o EEA provides sanctions for violation of data protection laws
• No harmonized rules in the EEA
  o Draft General Data Protection Regulation
  o Blocking statutes (in France and Switzerland)


WP29 Guidance 1/2009 on Discovery in Civil Matters

• Does not cover document production in criminal and regulatory investigations
• Consent is “neither sufficient nor recommended”
• Recognizes legitimate interest in complying with U.S. litigation requirements
  o Data must be “proportionate” (i.e., only for specific and imminent proceedings and not at random for an unlimited time in anticipation of litigation)
  o Balance test to bridge EEA privacy regime and U.S. discovery rules
• “Single” transfers outside the EEA permitted for establishment, exercise and defense of legal claim unless a “significant” amount of data is involved
• Alternatives: Safe Harbor, Model Clauses, BCRs


Disclosure Requests: Ensuring Privacy Compliance

• Raise issues in advance and communicate with the other party, court, or regulator as soon as practicable
• Educate U.S. judges and regulators on EEA data protection laws and blocking statutes
• Negotiate terms on who may access data, purposes for which data may be used and security standards
• Work through issues creatively and show a willingness to cooperate
  o Consider redacting or anonymizing data
  o Consider screening data within the EEA
  o Use protective orders
  o Cooperate with EEA authorities
  o Apply appropriate security standards


Disclosure Requests: Ensuring Privacy Compliance (cont’d)

• Ensure compliance with general data protection requirements
  o Transfer mechanism
  o Notice
    - Balancing transparency and non-disclosure obligations or detection of criminal activities
  o Access and correction rights
  o Security
  o Processing agreement
  o Registration/Authorization


Reading Materials

• EU Data Protection Directive 1995/46/EC
  http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:1995:281:0031:0050:EN:PDF
• Draft General Data Protection Regulation
  http://www.janalbrecht.eu/fileadmin/material/Dokumente/DPR-Regulation-inofficial-consolidated-LIBE.pdf
• Article 29 Working Party Opinion 1/2006 on the application of EU data protection rules to internal whistleblowing schemes in the fields of accounting, internal accounting controls, auditing matters, fight against bribery, banking and financial crime
  http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2006/wp117_en.pdf
• Article 29 Working Party Working Document 1/2009 on pre-trial discovery for cross-border civil litigation
  http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2009/wp158_en.pdf


Reading Materials (cont’d)

• Article 29 Working Party Working Document 55/2002 on the surveillance of electronic communications in the workplace
  http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2002/wp55_en.pdf
• Karin Retzer and Michael Miller – Mind the Gap: US Discovery Demands versus EU Data Protection
  http://www.mofo.com/files/Uploads/Images/110601-US-Discovery-Demands-versus-EU-Data-Protection.pdf
• Karin Retzer and Joanna Lopatowska – How to Monitor Workplace E-Mail and Internet in Europe: The Polish Perspective
  http://www.mofo.com/files/Uploads/Images/110718-Privacy-and-Security-Law-Report.pdf
• Karin Retzer, Daniel Westman and Miriam Wugmeister – Between a Rock and a Hard Place: Whistleblowing Procedures under Sarbanes-Oxley and European Union Data Protection Laws
  http://www.mofo.com/Between-a-Rock-and-a-Hard-Place-Whistleblowing-Procedures-under-Sarbanes-Oxley-and-European-Union-Data-Protection-Laws-04-05-2006/


Thank you!

Alja Poler De Zwart
Morrison & Foerster LLP, Brussels
+32 2 340 7360
[email protected]