Earlier this week another huge shift happened, which may portend a very different world for compliance going forward. As with the most recent titanic shift (from the Volkswagen emissions-testing scandal), this event did not arrive from anti-corruption compliance. The event was the ruling by the European Court of Justice, in a decision known as the Schrems case, that the previously presumed European Union Safe Harbor regime is invalid. That means EU member state data protection regulators do have power to investigate complaints about the adequacy of the level of protection of data transfers to the United States, and to suspend data transfers if they conclude that the U.S. does not provide an adequate level of protection.
This decision leaves many U.S. companies scrambling to ascertain the scope of the ruling and what it might mean for data collection in a wide range of areas going forward. Yet even the normally pro-business Financial Times said, “The U.S. authorities and American technology companies bear some blame for the ECJ’s ruling” largely because the companies have targeted what people normally consider to be private information in a “way that places commercial interests before those of customer protection.” Further, the National Security Agency has made no bones about the access it wants from those companies’ servers.
For the anti-corruption compliance practitioner, this decision is really double-trouble when you consider it in light of the recent Yates Memo. This change in Justice Department policy to focus on prosecuting individuals also extended to what the department wants from companies internally investigating matters such as potential Foreign Corrupt Practices Act violations. The Yates Memo and commentary from Justice Department representatives have made clear that if companies want any cooperation credit, they must now immediately investigate individuals and turn over any evidence to the government as soon as possible.
Under the ECJ ruling in Schrems, however, U.S. companies may not be able even to investigate the private data of European employees, let alone transmit that evidence back to the United States. This could mean no email review, no review of non-company social media sites, and a host of other headaches. The decision takes effect immediately, so if you are out there looking at emails or other personal data for European employees, you need to stop now and assess your legal options.