While the Schrems decision from the European Court of Justice was recognizable to most U.S. compliance and legal practitioners as (1) an extension of the EU’s greater desire for privacy than is generally allowed in the United States, and (2) continued retribution by the European Union for the Snowden revelations about NSA spying; there was an announcement recently that had the Man From FCPA scratching his head around EU data and privacy.
As reported in the New York Times, the EU’s top anti-trust enforcer, Margrethe Vestager warned that “collection of large amounts of data by a small number of tech companies like Google and Facebook could be in violation of the region’s tough competition rules.” Yes, you read that right, not privacy violations but violations of anti-trust regulations. Her theory goes something like this: “If few companies control the data you need to cut costs, then you give them the power to driver others out of the market.” Now with the continued fallout from the Schrems decision for U.S. companies, they may have to worry about having too much data?
These remarks come as EU and U.S. negotiators are trying to work out a new safe harbor agreement by the end of January. Without a new agreement in place, many U.S. companies are still having trouble determining what information they can bring back to the United States from Europe. Interestingly, the French company Alstom has reportedly told the Justice Department it has provided all the information it can under French privacy laws for the upcoming criminal trial of former Alstom executives accused of violating the FCPA. The German company Volkswagen is also balking at providing key information to U.S. regulators in its ongoing emissions-testing scandal, claiming German privacy laws prohibit it from divulging information which is routinely provided by U.S. companies in an investigation.
The implications for the compliance practitioner for this position are quite challenging. First and foremost, data is the one thing that could cut across the spectrum for usable information in any best practices compliance program. Companies should be monitoring their own data to not only detect possible FCPA violations but to move toward using this data in a prevent and even proscriptive prong. It is not too far an intellectual leap to see where Ms. Vestager could next take her anti-competitive reach: to a company’s own data.