While most commentators have focused on the Schrems decision around the lack of U.S. data privacy protection from government or company intrusion, for the compliance function, the decision raises serious issues on two significant areas of any best practices compliance program—hotlines and internal investigations.
Anonymous hotlines have long been problematic in the European Union, because of privacy concerns and concerns around anonymous claims of illegal conduct. Such concerns were generally satisfied via a certification that the U.S. company had met the requirements of the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework, as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from EU member countries and Switzerland. This Safe Harbor provision, however, is no longer legal, and information developed through a hotline can no longer be brought to the United States from a country that is an EU member.
Equally important will be internal investigations conducted in Europe. In an interview with U.K. solicitor and data privacy expert Jonathan Armstrong, he noted that the decision puts real roadblocks in the path of a U.S. company that could be investigating potential bribery and corruption allegations in an EU member country. The biggest issue would be around personal privacy and information. Unlike in the United States, work e-mails in the EU are covered by the privacy rights afforded to individuals and are not the property of the company. The same is true of other personal information. Under the Schrems decision, the ability of a U.S. corporation to access that information and then take it back to the United States under the Safe Harbor provision is no longer available. The only way to legally obtain, secure, and transmit such information would be through the fully informed consent of the person being investigated. Good luck with that.
With these two key components of any best practices compliance program, hotlines and internal investigations, seemingly now unavailable to CCOs or compliance practitioners for EU-sourced information, I believe there will be additional pressure put on the compliance function. Obviously any U.S. company with EU-based operations will have to take steps immediately to ring-fence such data originating in Europe. It may also mean that any inquiries will need to be headed by locally based compliance practitioners.