Cross-Border Internal Investigations: Data Protection and Employee Issues. June 11, 2014

Presenters
- Anita Esslinger, Bryan Cave LLP
- Christopher Dueringer, Bryan Cave LLP
- Sarah Delon-Bouquet, Bryan Cave LLP
- Jana Fuchs, Bryan Cave LLP
- Skip Westfall, Grant Thornton LLP

Setting the scene: Agenda
- EU in general: data protection and employment issues
- France
- Germany
- China: State Secrets
- Forensic investigation considerations

Setting the Scene
- US parent company with affiliates in France, Germany and China
- Suggestion of possible improper payments by employees in these countries to obtain business with government-owned entities in China
- Potential liability under the FCPA and local anticorruption laws in each country

Setting the Scene
- US parent decides to do an internal investigation
- Hires a forensic investigation firm to assist
- Analysis of emails of employees and employee interviews
- Analysis by US counsel reporting to the US Board
- No current official proceedings
- Possibility of voluntary disclosure to relevant authorities

EU General
- Data Protection Directive 95/46/EC: implemented and interpreted differently in the member states
- Basic Principles/Issues
  - Fair and lawful processing
  - Legitimate purpose
  - Legitimate interest: whose?
  - Compliance with a legal obligation: which law?
  - Right of access vs confidentiality of investigation
  - Transfer outside the EU (especially to the US)
  - Public interest?
  - Defense of legal claim
  - Protection mechanisms

EU General
- Other potentially applicable local laws
  - Employment laws
  - Works Council rules
  - Telecoms laws
  - Protection of correspondence and communications
  - Blocking statutes
- May not always be a clear way forward: need to balance and mitigate risks

FRANCE

Internal Investigations in France: Preliminary Comments
- Carrying out internal investigations not truly embedded in French culture
- Criminal investigations more commonly carried out by investigating magistrates, police officers or state authorities
- French lawyers may not act as police officers or public prosecutors [cf. French Blocking Statute and Bar ethics rules]: only assist client in preparing file to defend its interests

Internal Investigations in France: Preliminary Comments
- Possible pre-investigation if a company is trying to detect serious misconduct at an early stage
  - E.g., workplace monitoring, hotlines, whistleblowing procedures (provided company has declared compliance with the CNIL's blanket authorization), due diligence, disciplinary sanctions envisaged
- More thorough investigations if company has well-founded beliefs of wrongdoing
  - E.g., bribery, sexual harassment, theft of corporate assets

Internal Investigations in France
- Companies may be tempted to bypass customary application of key data privacy rules which would interfere with the investigation and prevent identification of employees involved in criminal offences, but:
  - Role of investigating magistrate if a complaint has been filed with the public prosecutor
  - French privacy law on collection and processing of personal data would apply
  - Need to take into account French Blocking Statute
  - Any document/evidence obtained unlawfully risks being rejected in future French court proceedings

French Data Privacy Principles and FCPA Investigation
- FCPA investigation: suspicion of improper payments
- Collection and review of emails and documents of selected employees raise data protection and employment law issues
- Principles to keep in mind

French Data Privacy Principles and FCPA Investigation
Processing of personal data allowed providing:
- consent of the data subject granted; or
- if such processing complies with one of the following conditions:
  1) Compliance with a data controller's legal obligation;
  2) Safeguard of the life of the individual concerned;
  3) Public service mission of the data controller;
  4) Performance of a contract to which the relevant individual is party or compliance with pre-contractual measures as required by the relevant individual;
  5) Achievement of legitimate interest pursued by data controller or individual concerned without infringing data subject's rights

French Data Privacy Principles and FCPA Investigation
Can FCPA investigations comply with such data privacy principles?
- The CNIL does not allow investigations outside of judicial/administrative context: what about pre-investigation?
- Obtain employee consent? Not recommended in employee/employer context due to relationship of subordination
- Exemption 1: Compliance with data controller's legal obligation?
  - RISK: Although French companies may fall within the scope of the FCPA legislation from a US point of view, a foreign law would not be considered as a binding valid legal obligation under French law

French Data Privacy Principles and FCPA Investigation
Can FCPA investigations comply with such data privacy principles?
- Condition 5: Achievement of a legitimate interest?
- Link with whistleblowing measures: legitimate interest when report (and data processing needed) on serious risks in the areas of accounting, financial audit, fight against corruption, antitrust and competition law infringements, fight against discrimination and harassment at work, health, workplace hygiene & safety, environmental protection

French Data Privacy Principles and FCPA Investigation
Data subject must be informed by data controller of:
- Data controller's (or its representative's) identity;
- Purpose of data processing;
- Mandatory or optional responses;
- Potential consequences vis-à-vis data subject resulting from a lack of response;
- Recipients of the data;
- Data subject's rights;
- Transfer of data outside the EU, if applicable

French Data Privacy Principles and FCPA Investigation
5 Key Principles
- Purpose: personal data to be collected and processed for a specific purpose;
- Proportionality: only necessary and relevant information treated and processed;
- Appropriate duration of retention of personal data;
- Safety and confidentiality of the data;
- Respect for the individuals' rights: prior information to the data subjects regarding purpose of the data processing, rights of access and rectification of the personal data

Email Control and Screening
- Compatibility with employees' right of privacy, including compliance with the principle of the secrecy of correspondence
- Tolerance for employees to use their professional inbox for personal purposes
- Need to expressly identify what is «personal»
- Truly personal emails may not be used to discipline employees
- Useful to have an internal policy/IT charter whereby company may monitor the use of professional emails
- Prior works council consultation, CNIL declaration and employee information
- Company may monitor a «personal» file in the presence of the concerned employee or in the case of a strong suspicion of wrongdoing

French Blocking Statute
- Strong Blocking Statute in place: French Law n° 68-678 of July 26, 1968
- Philosophy: to restrict extraterritorial application of foreign (particularly US) laws
- Subject to international treaties and conventions, regulations and laws in force, it is prohibited for any person to require, seek or communicate in writing, orally or in any other form economic, commercial, industrial, financial or technical documents or information in order to use them as evidence in future foreign judicial or administrative proceedings or in the context of such proceedings if already ongoing (Article 1 bis)

French Blocking Statute
- Strong Blocking Statute in place: French Law n° 68-678 of July 26, 1968
- Violation punishable by 6 months' imprisonment and/or €18,000 fine (approximately 22,000 USD)
- Permission to take evidence sought pursuant to the Hague Convention on the Taking of Evidence Abroad in Civil and Commercial Matters dated March 18, 1970
  - Letters of request or via diplomatic officers, consular agents and commissioners

French Blocking Statute
- French Supreme Court case (December 12, 2007) confirmed the decision of the Paris Court of Appeals upholding the conviction of a Franco-American lawyer on charges of violating the blocking statute
- Transmission of evidence from France to abroad also restricted in the event of foreign administrative and other proceedings or investigations of a penal nature
- Possible solution to avoid Blocking Statute issues in the context of US (potentially penal) FCPA investigations: Franco-US mutual assistance and cooperation treaty (criminal proceedings) dated December 10, 1998
- "French parties" indirect participation in criminal proceedings conducted abroad via the filter of the French Ministry of Justice to enable compliance with French Blocking Statute

Tips/Solutions for Investigations
- Ensuring a legitimate basis exists
- Key consideration: location of the data processing and the hosting facilities (within or outside the EU)
- If outside the EU, need to put into place protective measures (e.g., DTA, safe harbor)
- Guiding principle: proportionality, avoid fishing expeditions and unjustified impact on data subjects
- Handle data in a collected, controlled, processed and filtered manner to limit risks

GERMANY

General Remarks: Corporate Liability
- The concept of corporate criminal liability generally does not exist in Germany
- No hands, no crime
- Criminal proceedings will therefore always be initiated against individual employees or members of company management
- Direct offence or indirect offence, e.g. violation of supervisory / management duty
- If personal liability is proven, sanctions may under certain circumstances be imposed also on the company

German Privacy Concept
German Data Protection Law prohibits any processing of personal data, unless the data subject has unambiguously given consent or a statutory provision permits such data processing without explicit consent (permission statute).

Employee Consent
- Generally not accepted by authorities
- Debatable validity
- Revocable at any time
- Often unnecessary or not useful

Statutory Permission
- Permission statute must be constituted under German Privacy Law
- Permission cannot be based on foreign law statutes (e.g. FCPA, UK Bribery Act)
- Permission cannot be based on Codes of Conduct or other internal policies
- Any permission under German Data Protection Law requires extensive and diligent balancing of interest
- Foreign law statutes and internal policies may be considered in the balancing of interests

Investigations in Germany - General
- German privacy law applies, regardless of a violation of foreign statutes
- Breaches can cause investigations by German prosecutors and result in administrative or even criminal fines
- Evidence that was obtained unlawfully may be excluded from court proceedings

Blocking Statute
- No explicit blocking statute
- Strict employee data protection rules have a comparable effect
- Works council co-determination rights have a comparable effect
- Employees often show high sensitivity

Permission Statute
I. An employee's personal data may be collected, processed or used for employment-related purposes where necessary for hiring decisions or, after hiring, for carrying out or terminating the employment contract.
II. Employees' personal data may be collected, processed or used to investigate crimes only if there is a documented reason to believe the data subject has committed a crime while employed, the collection, processing or use of such data is necessary to investigate the crime, and the employee does not have an overriding legitimate interest in ruling out the possibility of collection, processing or use, and in particular the type and extent are not disproportionate to the reason.

Solution Path: Principle of Proportionality
- Data Processing must be suitable for the purpose of the investigation
- Data Processing has to be the least invasive measure to meet the purpose
- Data Processing has to be appropriate to the purpose

Solution Path
- Anonymization (!)
- Thorough fact finding in other jurisdictions prior to any investigation initiatives?
- Strict adherence to purpose limitation
- Reduction and limitation of data collection
- Purpose documentation
- Limitation of data transfers

Email Screening
- Mass screening is prohibited
- Individual selection and application in compliance with the permission statute
- Documentation of grounds of initial suspicion
- Highly critical if professional e-mail may also be used for private purposes
- Unlawful email monitoring may be considered a crime

Employee Interviews
- Employees have to participate and provide insofar as the questions are strictly work related
- Any data collected through interviews has to meet the requirements of the permission statute
- Any sharing or transfer of interview results has to comply with the permission statute

CHINA
NAVIGATING CHINA'S LAW ON PROTECTING STATE SECRETS (State Secrets Law (as revised in 2010))

Defined (Article 9)
Where the divulgence of any of the following issues which are relevant to national security and interests may cause any harm to national security and interests with respect to politics, the economy, national defense, foreign affairs and so forth, such issues shall be recognized as State secrets:
1) Confidential issues involved in significant decisions on State affairs;
2) Confidential issues involved in national defense development and in the activities of the armed forces;
3) Confidential issues involved in diplomatic activities and in activities related to foreign countries, and the secrets of which the State shall fulfill obligations of confidentiality to foreign countries;
4) Confidential issues involved in national economic and social development;
5) Confidential issues involved in science and technology;
6) Confidential issues involved in activities in protecting the security of the State and in the investigation of crimes; and
7) Other confidential issues which are recognized by the State secret-protection administration.
Confidential issues of political parties which fall into any of the aforementioned types shall be recognized as State secrets.

Classifications (Article 10)
- Top secret (disclosure would cause extremely serious harm)
- Highly secret (disclosure would cause serious harm)
- Secret (disclosure would cause harm)

Who May Possess or View a State Secret (Article 16)
Personnel who know State secrets shall be limited to the minimum scope on the basis of actual need. The scope of personnel who know the State secrets shall be limited to specific personnel if it is possible; where it is not possible to limit the scope of personnel who know the State secrets to specific personnel, such scope shall be limited to the organs and units, which shall further specify the relevant personnel.
Where it is necessary for personnel who are not within the scope of personnel who know the State secrets to know the State secrets on the basis of actual need, he/she shall obtain approval made by the principals of the organs or units.

Disclosing, Leaking or Divulging State Secrets Is Prohibited
The organs and units shall tighten control over the carriers of State secrets. Any organization or individual must not commit any of the following acts:
1) Illegally acquire or hold carriers of State secrets;
2) Purchase, sell, present or destroy without any permission carriers of State secrets;
3) Transmit carriers of State secrets via the channels without any confidentiality measures, including via post, express and etc.;
4) Mail by post or consign carriers of State secrets to other countries or regions; and
5) Carry or transmit carriers of State secrets to other countries or regions without the permission of the relevant competent authorities. (Article 25)
It is prohibited to illegally copy, record or save State secrets. It is prohibited to transmit State secrets via the internet or other public information networks or via wired or wireless communications which are free of any confidentiality measures. It is prohibited to involve any State secrets in private communications. (Article 26)
* NOTE: Hong Kong, Macao and Taiwan are considered outside China's territory.

Potential Criminal Penalties
Article 111 of the Criminal Law provides for penalties ranging from public surveillance and deprivation of political rights to life imprisonment, depending on the severity of the act, for whoever steals, spies into, buys, or unlawfully supplies state secrets or intelligence for an organ, organization or individual outside China's territory.
Article 111 also provides that for an especially severe act that endangers national security, individuals may receive the death penalty.

What To Do When a Need Arises To View Alleged State Secret Information
- No transport out of China (physically or electronically)
- No copying (photocopy, photo, electronic, notes)
- Submit to neutral third party?
  - Risk of violating State Secrets Law
  - More likely investigation will remain confidential
  - More transparency
- Submit to organ or unit?
  - The State Administration for the Protection of State Secrets
  - Safe but impact confidentiality and not transparent
  - Written opinion on whether information is a State Secret
  - Written permission to view, etc.

FORENSIC INVESTIGATION CONSIDERATIONS

Common Problems
- Jurisdictional Understanding
- Lack of Understanding of Data Map
- No Protocols for Data Transfer
- One Shot To Get Data
- Cultural Differences

Data Transfer
- Safe Harbour Certification
- EU Model Clauses
- Binding Corporate Rules

Document Processing & Review
- Running Keyword Searches
- On Site review by Counsel
- Protocols for Remote Review
- Protocols for Production
- Technology Solutions

QUESTIONS?

Contact Information
- Anita Esslinger, Partner, Bryan Cave LLP, Washington, DC and London, anita.esslinger@bryancave.com, T: 202-508-6333 or 44-20-3207-1224
- Christopher Dueringer, Partner, Bryan Cave LLP, Los Angeles, cdueringer@bryancave.com, T: 310-576-2183
- Sarah Delon-Bouquet, Counsel, Bryan Cave LLP, Paris, sarah.delonbouquet@bryancave.com, T: 33 1 44 17 77 25
- Jana Fuchs, Associate, Bryan Cave LLP, Hamburg, jana.fuchs@bryancave.com, T: 49 40 30 33 16 136
- Skip Westfall, Managing Director, Forensic, Investigative & Disputes, Grant Thornton LLP, Houston, skip.westfall@us.gt.com, T: 832-476-5000