Here is a name compliance officers might come to loathe in 2015: Mario Costeja González. It was on his behalf that the European Court of Justice ruled last May that Google and other Internet search engines had to remove links to derogatory historical information about people if they request it—so long as the damage to the individual outweighs any public interest in linking to the information.

Already the ruling in this case appears to be having unexpected reach. European data protection authorities released guidelines in December that make the Costeja ruling a global issue, says Chris Babel, CEO of TRUSTe, a software firm that helps companies manage online privacy. Google has been removing references to specific people only on its country-specific URLs, like those ending in “.de” for Germany or “.es” for Spain. The new guidelines, however, say the right to be forgotten should apply across all domains, including “.com,” he says.

The Costeja case will cause headaches for companies trying to run background checks on staff, suppliers, or anyone else they want to know more about. “Companies will likely need to consider deeper and more sophisticated due diligence checks, to ensure that crucial information is not forgotten," says Seth Berman, executive managing director of Stroz Friedberg, an investigations and risk consultancy.

While corporate legal departments grapple with the Costeja decision, European Union lawmakers will be grappling with a related challenge: adopting—maybe, perhaps, at long last—a new general data protection regulation. EU officials have promised a sweeping new data protection rule for several years now; a broader reshuffling of European Commission officials in 2014 did not help to accelerate the process. Multiple issues still need to be resolved, such as the details on one-stop-shop regulation, but Babel warns companies not to wait for all the details to be decided.

Wording here matters: The new measures are in the form of a regulation rather than a directive, so once they are agreed they will apply directly and universally across all EU member states, without any further delay of national legislation.

“Companies will likely need to consider deeper and more sophisticated due diligence checks, to ensure that crucial information is not forgotten.”
Seth Berman, Executive Managing Director, Stroz Friedberg

“Given the complexity of introducing new global compliance initiatives, now is the time to assess the potential impact of the proposed regulation on your business and ensure you have the budget, tools, and plan in place to respond,” Babel says.

The proposed data protection regulation would introduce mandatory reporting on data breaches. That will likely happen at a time when hacking of corporate networks is only likely to increase. The result: Compliance officers face a double-whammy, Berman says.

“These trends are set to combine in a way that will have a very significant impact on corporations throughout Europe,” he argues, probably with a spike in the number of hacking incidents that go public.

“It will make hacking incidents even more stressful for company management,” Berman says.  “In addition to having to deal with the event itself, companies will also have to deal with a PR nightmare and, often, an irate regulator."

Keeping Up With Sanctions

Conflicts in the physical world will be just as pressing for business in 2015 as conflicts in cyberspace. Ongoing unrest in Ukraine “will continue to focus many firms on the difficulties of complying with the evolving and complex sanctions regimes targeting the region and, in particular, Russia,” Berman says.

He warns that given today’s inter-connected global economy, monitoring corporate business for transactions with forbidden parties will be far more complicated since sanctions will apply to specific people as well as countries; sanctions against Russian president Vladimir Putin’s inner circle, but not against Russia itself, are case in point. “The subtlety of the new sanctions rules means that it’s necessary to have a clear understanding of who exercises control over a counterparty,” Berman says.

In Russia, and across the old Soviet Bloc, that can be like finding an arctic fox in a blizzard. Compliance professionals will have to find better ways to penetrate opaque corporate structures to help their firms avoid fines and reputation damage.

Global Tax Gets Tougher

Global tax compliance will also spend much more time in the spotlight in 2015. In October, members of both the Organization for Economic Cooperation and Development and the G-20 signed a deal in Berlin to exchange tax information automatically. The idea is to crack down on illegal tax evasion. But the move chimes with a wider European drive to reduce tax avoidance, too— especially by U.S. technology companies that do business in Europe but pay little tax there.


Below, CW’s Neil Baker looks at the Bribery Act’s possible use in 2015.
Will 2015 see Britain’s Serious Fraud Office finally use the mighty Bribery Act of 2010 to bring a high-profile corporate prosecution? Asking that question has become an annual tradition for people who study the SFO.
That said, a headline-grabbing prosecution won’t be necessary for the Bribery Act to be taken more seriously in the coming year. A series of reforms introduced in 2014 will make corporate criminal liability “an increasingly real, and increasingly serious risk, for companies doing business in the U.K.,” says Alan Ward, partner at law firm Stephenson Harwood.
Top among those reforms was the introduction of deferred-prosecution agreements (DPAs) last February and new sentencing guidelines in October. The latter allow judges to punish corporate crime by inflicting substantial fines of up to four times a firm’s global revenue. Senior politicians have also given their backing to a new corporate criminal offense, of failure to prevent economic crimes by employees or agents.
“It’s likely that in 2015 the effects of these reforms will begin to be seen in earnest,” Ward believes. “The SFO is investigating a number of multinational corporate entities and it’s likely that one of these high-profile investigations will result in the first U.K. DPA next year—and possibly the first fine calculated under the new guidelines.”
To add a further layer of tension, the SFO might sue a company next year to test how legal privilege protects people in internal investigations, Ward says. “The director of the SFO has made clear that he has little time for broad-based assertions of privilege by companies' lawyers; he may already have his battlefield to test the law on privilege in mind.”
—Neil Baker.

Britain, for example, introduced a measure in November quickly dubbed “the Google tax,” to thwart companies shifting taxable profits offshore. (Google was one of the clear targets of the proposed tax, as are several other Silicon Valley giants in the Internet sector.)

The OECD/G-20 deal creates a framework for the exchange of “non-resident financial accounting information with the tax authorities in the account holders’ country of residence, on an annual basis,” explains Emmanuelle Ries, managing partner at law firm EBL Miller Rosenfalck. “If proven to be effective in fighting tax evasion, the OECD scheme will probably be extended to further countries in the not-too-distant future,” she adds.

Hiding State Hand-outs

One year ago, few people would have predicted that illegal state aid would be a compliance issue for 2014. But it was and will likely remain on the agenda through 2015.

In June, the European Commission opened three investigations into tax rulings issued by the Netherlands, Ireland, and Luxembourg in relation to Starbucks, Apple, and Fiat, respectively. In October the Commission then announced plans to investigate whether Luxembourg has been breaking EU state aid rules to curry favor with Amazon.

“This is all part of a campaign by the European Union to ensure a ‘fair share of taxes’ is maintained between EU members in an era when many are entering into so-called ‘sweetheart’ tax deals with big multinationals,” Ries says. “I expect this issue to fizz along in 2015, with the press, EU commission, and national politicians across the spectrum all vying for our attention—and no doubt plenty of companies keeping as low a profile as possible.”