Multinational businesses are subject to a patchwork of laws of the various jurisdictions in which they operate. Complying with the myriad rules and regulations can be challenging. Compliance obligations vary from one country to another, even where countries within a market (such as the European Union) have a deliberately harmonized approach. To add to the complexity, requirements under one jurisdiction’s laws sometimes create tension with another’s. For example, more and more companies are implementing due diligence processes for engaging third parties in order to reduce the risks of violating anticorruption laws, such as the U.S. Foreign Corrupt Practices Act (FCPA) and the U.K. Bribery Act 2010 (‘‘U.K. Bribery Act’’). However, their due diligence programs may unwittingly expose them to risks under privacy and data protection laws around the world.

More than 70 countries currently have a privacy or data protection law. These laws regulate the collection and use of personal information, which generally means any information pertaining to identified or identifiable individuals. Because anti-corruption compliance programs often involve collecting and using information about individuals to perform background checks, scrutinize red flags, or conduct internal investigations, these programs fall within the scope of the privacy and data protection laws. In order to carry out such activities lawfully, a company conducting due diligence on third parties may be required to notify concerned individuals about the company’s privacy practices, obtain their consent to the collection and use of the personal information, establish agreements or other controls to share the personal information with affiliates and service providers, or obtain approvals from privacy regulators. Thus, performing adequate anti-corruption due diligence while respecting privacy obligations can be challenging, but can be accomplished.

Originally published in Privacy & Security Law Report on 04/08/2013.