In response to the OECD Working Group on Bribery’s call for comments as part of its upcoming review of the 2009 OECD Anti-Bribery Recommendation, anti-bribery business association TRACE has submitted its overview of new issues that have emerged in the fight against foreign bribery due to implementation of the EU’s General Data Protection Regulation.
TRACE’s concerns, as laid out in its comment letter, are discussed in further detail below:
Significantly increased cost of compliance. “The GDPR leads to a significantly increased cost of compliance for international business transactions, which becomes a particularly heavy burden for SMEs,” TRACE said.
It cited as a hypothetical scenario a non-EU SME entering the EU market with non-consumer products or services that establishes relationships with local distribution partners or intermediaries as a cost-effective route to market. “This would lead to the need to conduct anti-bribery due diligence on the potential partners in the EU,” TRACE said.
TRACE noted, however, that conducting a detailed review of the background and conduct of individuals and their periodic reputational screening poses a risk of triggering the GDPR under its extra-territorial scope principle of “monitoring [EU data subjects’] behavior” set forth in Article 3(2)(b). Thus, merely following anti-bribery compliance program best practices exposes non-EU SMEs and their EU-based partners to potentially large penalties, TRACE said.
GDPR’s prohibition on Processing Personal Criminal Background Information. Article 10 of the GDPR prohibits the processing of personal data relating to criminal convictions and offenses, unless “carried out only under the control of official authority or when the processing is authorized by [European] Union or [EU] Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.”
Prudent compliance and risk professionals know that determining whether third-party principals have a criminal background—related to bribery or economic crimes, for example—is an essential part of anti-bribery due diligence. “Such inquiries are carried out by companies or their compliance service providers without supervision, direction, or control of any official authority,” TRACE said. “This creates a conflict between the GDPR’s language quoted above and anti-bribery due diligence requirements.”
Uncertain legal basis for processing any personal data as part of due diligence. “There is currently no clear reliable legal basis under the GDPR that could unquestionably legitimize the processing of any—even of non-criminal nature—personal data as part of anti-bribery due diligence,” TRACE said. Its comment letter goes into significant detail as to why this is the case.
GDPR’s prohibition on processing special categories of personal data. Article 9 of the GDPR prohibits, among other things, the processing of “personal data revealing … political opinions” of data subjects. “According to our EU data protection counsel, the mere fact that a person is a member or an official of a particular political party is sufficiently ‘revealing political opinions’ of that individual to trigger the Article 9 prohibition,” TRACE said.
In contrast, anti-bribery laws like the U.S. Foreign Corrupt Practices Act prohibit corrupt contributions to political parties and candidates for political office and, thus, require companies to use due diligence processes to ensure that any payments made to third parties are not disguised as improper political contributions. “Consequently, due diligence processes typically incorporate a so-called politically exposed person (PEP) screening, which discloses, among other things, political party affiliations and political party positions of the screened subjects,” TRACE noted. “As a result, unless companies can find and document an applicable exception from Article 9, they risk violating the GDPR’s Article 9 prohibition by conducting best-practices anti-bribery due diligence.”
Other GDPR obligations requiring changes to due diligence processes. The GDPR contains numerous other requirements that have not been part of best practices for anti-bribery due diligence processes, including, among others:
- Data minimization and purpose limitation principles, which would require companies to justify the scope of personal data collected as part of anti-bribery due diligence and narrow this scope to what is necessary and proportionate to the clearly articulated anti-bribery due diligence purpose;
- A time limitation principle that would require implementation of strict retention schedules so that the personal data—including personal data contained in due diligence reports or legal opinions—is not kept for longer than is necessary for that purpose;
- Data processing notifications to each data subject whose data is processed as part of anti-bribery due diligence;
- Maintenance of personal data processing activity records;
- Implementation of processes to facilitate data subjects’ exercise of their data protection rights listed in the GDPR;
- A requirement to ensure that the IT systems and communication channels used for data processing are secure, by implementing appropriate technical and organizational measures, access controls, and other safeguards;
- Data breach notification requirements;
- The need to vet and put in place GDPR Article 28 controller-processor contracts with any outside service providers that process or have access to the data (e.g., cloud hosting providers, outside IT support, etc.); and
- Third-country (i.e., outside the European Union) data transfer requirements.
“All these obligations would require significant changes to the anti-bribery compliance programs and best practices guidance documents,” TRACE said.