Last week the European Court of Justice issued the Schrems decision, which invalidated the Safe Harbor provision for transfer of personal, private data from Europe to the United States. While this decision is certainly going to affect U.S. companies such as Google and Facebook, I believe it will affect all U.S. companies in their anti-corruption compliance programs going forward, in ways both known and unknown at this point.

The first way it will affect U.S. companies at this time is through hotline reporting. All U.S. companies use Safe Harbor provision to bring any information developed in through calls to whistleblower hotlines back to the United States. Such a mechanism is no longer possible as the Schrems decision had immediate effect. Such information will, for the foreseeable future, have to remain in Europe or perhaps the country where it was developed.

Yet I suspect there will be a much larger consequence from the Schrems decision going forward for Foreign Corrupt Practices Act compliance, particularly in light of the Yates Memo and the new direction of the Justice Department to require companies to investigate and turn over information on individuals for prosecution. I recently had the opportunity to interview Cordery Compliance partner Jonathan Armstrong, an expert in U.K. and European privacy issues (plus a compliance practitioner) about some of the fallout from the Schrems decision.

Armstrong said that about your only realistic short-term option for getting private information, including emails and other data, will be through the consent of the investigation target. For this consent to be valid, however, you must fully disclose that you are investigating the individual for a FCPA issue.

As Armstrong sees it, you are required to say something like, “I want you to sign this form because I want to investigate you. I want to run a full FCPA investigation, and you’re the prime suspect. I want to take a look at your emails and I have to inform you that by the way, you have the right not to consent—and if you don’t consent there’s no way I can investigate you. Could you sign the form, please?”

Obviously you are communicating to a suspect he is under investigation. What do you think the level of cooperation will be going forward? What do you think the Justice Department might say about the efficacy of your investigation at this junction? These are open questions at this point, along with a host of others raised by the Schrems decision. 

Topics