I continue my exploration of why I believe that compliance is at the Tipping Point, with today’s entry of data point four, which is last week’s decision by the European Court of Justice (ECJ) in the Schrems case. While most commentators have focused on the Schrems decision around the lack of US data privacy protection from government or company intrusion, for the Foreign Corrupt Practices Act (FCPA) practitioner, Chief Compliance Officer (CCO) and compliance function, the decision will also be a tipping point. This tipping point is around the loss of the ‘Safe Harbor’ provision that allowed US companies to bring data developed in Europe back to the US for evaluation and use. While Facebook and Google immediately spring to mind as having been prime beneficiaries of this Safe Harbor provision, the Safe Harbor provision was equally critical in US compliance functions through two key areas of any best practices compliance program, hotlines and investigations.
Anonymous hotlines have long been problematic because of European Union (EU) privacy concerns and concerns around anonymous claims of illegal conduct but companies which took a rigorous approach to the implementation and subsequent management of whistleblowing hotlines, including putting in adequate safeguards to ensure security, confidentiality and transparency in its operation were generally considered to acceptable. Companies were required to create specific internal procedures to ensure the data, when transferred, is guaranteed a sufficient level of protection. This would have included a certification that the US company had met the requirements of the US-EU Safe Harbor Framework and the US-Swiss Safe Harbor Framework, as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from EU member countries and Switzerland. However this Safe Harbor provision is no longer legal and information developed through a hotline can no longer be brought to the US from a country that is a EU member.
Equally important will be investigations conducted in Europe. Stephen Dockery, writing in the Wall Street Journal (WSJ) online publication Risk & Compliance Journal, quoted Joe Pirrotta, the Director of Legal Services at document-handling company Integreon, for the following, “Previously, law firms could rely on Safe Harbor to use well-resourced U.S. hubs to analyze data from investigations conducted in Europe, but that will likely need to change.” Pirrotta went on to say, “Internal investigations are often the most sensitive of matters for clients, and corporations will likely look to law firms with in-country operations and a robust privacy framework as a means of mitigating risk.”
I interviewed UK solicitor and data privacy expert Jonathan Armstrong about the decision and some of its implications for the CCO, compliance practitioner and compliance function going forward for my podcast, the FCPA Compliance and Ethics Report. Armstrong noted that the decision puts real roadblocks in the path of a US company that could be investigating potential FCPA allegations in a EU member country. The biggest issue would be around personal privacy and information. Unlike the US, work emails are covered by the privacy rights afforded to individuals and are not the property of the company. The same is true of other information. Under the Schrems decision, the ability of a US corporation to access that information and then take it back to the US under the safe harbor provision is no longer available.
I asked Armstrong how a company might be able to move forward and internally investigate potential FCPA violations. Armstrong suggested that that the only way at this point was to obtain the consent of the person being investigated. However the obtaining of such consent raises a host of other problems. He said, “Can I really get consent in an internal investigation? Can I go along, speak to my Austrian agent and say, “Peter, I just need you to sign this form to transfer your data to the US”? Now, for consent to be valid the European legislation it has to be fully explained, it has to be honest, it can’t be deceptive. I’ve got to say to him, “I want you to sign this form because I want to investigate you. I want to run a full FCPA investigation; you’re the prime suspect. I want to take a look at your emails and I have to inform you that by the way, you have the right not to consent and if you don’t consent there’s no way I can investigate you. Could you sign the form, please?”” As Armstrong went on to note, “What answer is he likely to give in an internal investigation and how would the US authorities feel if I go and tip off the main suspect that he’s under investigation?”
With these two key components of any best practices compliance program, hotlines and internal investigations, seemingly now unavailable to CCOs or compliance practitioners for EU sourced information; I believe there will be additional pressure put on the compliance function. Obviously any US company with EU based operations will have to take steps immediately to ring fence such data originating in Europe. It may also mean that any inquiries will need to be headed by locally based compliance practitioners.
Moreover, if you couple this ruling in the Schrems decision with the Yates Memo, you immediately see the issue involved for any company which is seeking cooperation credit because such company is required to turn over any and all information to the Department of Justice (DOJ) as soon as possible. But now, even if companies can still develop facts and data through internal investigations, in the manner suggested by Pirrotta in using local law firms, you might not be able to get the information back to the US to use.
Worse yet, is the option laid out by Armstrong to obtain consent from an investigation target? Not only do I find it very improbable that anyone, European or otherwise, would give such a consent but in the unlikely event such consent is given, you have told the target, they are the target and other data sources might well begin to disappear. Armstrong put it starkly when he said, “you’re going to get no sympathy from the bribery prosecutors, bribery regulators if you mess this up. The SFO [Serious Fraud Office] have already lost the case, allegedly, on the way in which the US firm involved conducted the investigation. They will have, rightly I think, no sympathy at all for people whose investigations are themselves conducted unlawfully. It’s going to need a lot of careful thought to structure data transfers, even to structure interviews. How do you move those interview notes about, how do you look at emails, all of this stuff is going to be absolutely critical not only so that you don’t break data privacy data protection laws, but also tipping off witness, you know, interfering with the scene of an investigation, et cetera, et cetera. All of these things are critical.”
How does the Schrems decision contribute to compliance at the tipping point? If you cannot use two of the key components in a best practices compliance program; based upon the DOJ/Securities and Exchange Commission (SEC) Ten Hallmarks of an Effective Compliance Program or another standard; it will put significant pressure on other parts of the program. A compliance program will have to be structured more rigorously to prevent FCPA violations through the use of internal controls and transaction monitoring tools. CCOs and compliance practitioners will also have to be more involved and have more visibility into the entire lifecycle of transactions so they can determine how to begin to move from even prevention to proscription of any FCPA violations.
Just as the compliance world changed with the announcement of the Yates Memo, the DOJ Compliance Counsel and the VW emissions-testing scandal; the Schrems decision will change the need for a more robust compliance program going forward to help protect a company.
Tomorrow I will tie it all together.
[View source.]
