Lawyers and businesses today are concerned with data privacy issues like never before—not only because of the mounting number of data privacy scandals, but also because of new regulations, most importantly the EU’s General Data Protection Regulation (GDPR). The GDPR, which was adopted in 2016 and became applicable in May 2018, reformed the entire personal data protection system in the EU by setting new rules of data protection and privacy. Moreover, the GDPR applies not only to entities that operate within the EU, but also to all entities established in the EU when operating outside the EU, as well as to entities established outside the EU when they are offering their goods and services inside the EU or monitoring individuals from the EU. The GDPR thus has global reach, as well as stringent penalties for violations.
The GDPR has implications for many different fields, and anticorruption is no exception. This is especially true for corporations conducting internal investigations of possible bribery by firm employees or agents, and when conducting due diligence on potential partners. Much of the data collected in these corporate investigations will include “personal data” as defined and regulated by the GDPR. For this reason, some commentators have warned that the effect of the GDPR on traditional corporate anticorruption investigations will amount to “a collision of galactic proportions.”
That may be hyperbole, but it is certainly the case that the GDPR will impose important new obligations that influence how companies handle anti-bribery compliance issues, both in the context of internal investigations and in the context of due diligence.
When a company conducts an internal investigation into a potential case of corruption or fraud, the company, or the outside counsel it retains to conduct the investigation, collects a substantial amount of personal data. For example, Siemens’ 2006 internal investigation into allegations of overseas bribery involved over 1,750 interviews and over 800 informational meetings, as well as the collection and preservation of over 100 million documents. During such investigations, emails, contracts, and other documents with employees’ personal data are almost always reviewed. In addition, the personal data of third parties, such as clients and external vendors, may also be collected and analyzed in the course of an internal investigation. For example, clients’ names and addresses may appear on clients’ emails, and external vendors’ names are on contracts and other company documents. More generally, if a company is in a business that requires collecting and storing data, much of that data may appear in the documents gathered and analyzed as part of an internal investigation into corruption or fraud allegations.
The GDPR may have an impact on how these investigations are conducted, because under the GDPR, the processing of personal data is lawful only if one of two strict standards is met. First, the processing can be lawful if the person whose data is being collected provides consent. Second, the processing can be lawful if there is “some other legitimate basis” for collecting and analyzing the data, laid down either by the national laws of the Member States or in the GDPR itself. Fortunately, from the perspective of internal investigators, the GDPR further clarifies that “processing of personal data strictly necessary for the purposes of preventing fraud” counts as a legitimate basis. It’s not entirely clear how broadly “fraud” will be interpreted, in particular whether it would include, say, investigations into whether company employees paid bribes to government officials. But the national laws of the Member States may help clarify the matter. Moreover, in addition to the specific language about preventing fraud, the GDPR allows data processing for the “legitimate interests of the controller or a third party.” These provisions likely mean that data processing that is part of a legitimate investigation into potential criminal conduct (including, presumably, bribery) would not be prohibited by the GDPR. Nonetheless, investigators will still need to exercise care so as not to run afoul of the GDPR, in several respects:
- First, even though the GDPR allows the processing of personal data when doing so is strictly necessary to prevent fraud, it still imposes a balancing test which the investigators will need to show they passed. That means that investigators will need to document how they balanced the interests of the people whose personal data was collected against the company’s interest in preventing fraud, and this will likely entail an explanation as to why collecting that specific personal data was necessary, and why no other, less intrusive methods would work. For this reason, the organization within which the investigation is conducted (or the investigation team) should also document the facts that form a reasonable suspicion for fraud.
- Second, investigators will have to ensure (and document) that they do not collect data in certain special categories (including data revealing ethnic origin, political opinions, trade union membership, etc.), as the processing of such data is prohibited by the GDPR, subject only to specific exceptions, none of which is relevant to internal investigations.
- Third, if the company retains an outside firm to conduct the investigation, then the company will have to make sure the contract with the outside investigators includes clauses regarding the transference and use of personal data, and will also need to ensure that the external investigation team does not take the data to a third country that does not guarantee “adequate data protection.”
- Finally, the GDPR requires that individuals be notified whenever their personal data is processed. Companies will most likely have to inform their employees during trainings and other events that in specific cases, their personal data may be collected and processed in the context of an internal investigation into fraud, corruption, or other misconduct. Meeting the notice requirement is more complex with regard to outside parties (like clients and vendors). The text of the GDPR seems to require that they be notified in case their personal data is required for an internal investigation. But doing so might thwart the purpose of investigation in some cases. It’s not yet clear how this potential conflict will be handled, and we will have to wait and see how the practice develops on this issue.
Another field where the GDPR may create difficulties for companies trying to comply with anticorruption laws concerns the due diligence that is often conducted on potential partners (vendors, joint venture partners, consultants, etc.). Such due diligence is often essential to avoid violating laws like the US Foreign Corrupt Practices Act, the UK Bribery Act, France’s Loi Sapin II, and others. Such due diligence inevitably entails collecting a lot of personal data about the potential partner (if it’s a natural person) or its employees (if it’s a legal entity). Such information may include not only names and addresses, but criminal history, political affiliations, and other personal details. And gathering that information is not merely incidental to the due diligence investigation—whether a potential partner has a history of fraud, or whether he has close family ties with influential government decision-makers, or whether his education and experience indicate that a requested “consulting fee” is defensible on legitimate economic grounds, are precisely the sorts of things companies are supposed to find out when assessing the risk that a potential partner might engage in corrupt conduct that would get the company in legal trouble.
The GDPR makes this more complicated. The process will now have to be documented properly, following a similar framework as in internal investigations (the purpose and means, balancing test, scope, etc.). The company will also have to figure out the legal basis for collecting personal data in such a case. The easiest way to ensure an adequate legal basis would be to get the consent of the people the company needs to check. However, obtaining consent from all the people about whom personal information is collected will often be infeasible. Doing so might be too time consuming and complex if many people are involved, and in some cases the information collected in due diligence investigations ends up including personal data on third parties, such as a potential business partner’s spouse and family members, who would technically need to give their consent too. Moreover, the GDPR requires that consent be “freely given,” a requirement that legal commentators interpret as excluding contexts in which the provision of consent is a prerequisite for receiving a contract.
If the company that wants to conduct due diligence can’t get legally adequate consent, what then? Unfortunately, there is no specific clause in the GDPR that allows for personal data collection for purposes of conducting due diligence, an omission that has sparked widespread concern among commentators. That said, the GDPR, as noted above, does allow the collection and processing of data for the “legitimate interests of the controller or a third party,” and it seems straightforward that complying with anti-bribery legislation is a legitimate interest. Of course, several of the issues raised in the context of internal investigations are relevant here too: the company conducting the due diligence will have to carefully document the entire process, and the notification issue remains unsettled and awaits further clarification.
There’s one more specific problem related to due diligence in particular. As mentioned above, although the GDPR usually employs a balancing test to determine whether personal data can be processed, the GDPR specifically prohibits the processing of certain types of data under any circumstances, such as data on ethnic origin or trade union membership. Most pertinent and problematic for due diligence, GDPR Article 10 provides that “processing of personal data relating to criminal convictions and offences” can only be carried out under the control of government authorities or when authorized by an EU or EU Member State law that provides “appropriate safeguards for the rights and freedoms of data subjects.” A handful of EU Member States (including Ireland, Austria, Denmark, France and a few others) recently adopted regulations that allow personal data to be collected and processed during a due diligence investigation, but most countries do not have such laws yet. This raises an obvious problem for anti-bribery compliance teams, since the necessary due diligence will usually entail searching for personal data related to criminal convictions and offences. Some organizations and countries have already started raising this problem and searching for solutions in national laws. But until this issue is resolved, either by an official interpretation of the GDPR from the EU or by new national laws that satisfy the existing language of Article 10, compliance professionals are left to operate in a limbo where, if they want to comply with anticorruption requirements, they may be forced to risk breaching the GDPR.