Cross-Border Internal Investigations: Data Protection and Employee Issues June 11, 2014
Presenters Anita Esslinger Bryan Cave LLP Christopher Dueringer Bryan Cave LLP Sarah Delon- Bouquet Bryan Cave LLP Jana Fuchs Bryan Cave LLP Skip Westfall Grant Thornton LLP 2
Setting the scene Agenda EU in general data protection and employment issues France Germany China State Secrets Forensic investigation considerations 3
Setting the Scene US parent company with affiliates in France, Germany and China suggestion of possible improper payments by employees in these countries to obtain business with government-owned entities in China Potential liability under the FCPA and local anticorruption laws in each country 4
Setting the Scene US parent decides to do an internal investigation Hires a forensic investigation firm to assist Analysis of emails of employees and employee interviews Analysis by US counsel reporting to the US Board No current official proceedings Possibility of voluntary disclosure to relevant authorities 5
EU General Data Protection Directive 95/46/EC implemented and interpreted differently in the member states Basic Principles/Issues Fair and lawful processing Legitimate purpose Legitimate interest whose? Compliance with a legal obligation which law? Right of access vs confidentiality of investigation Transfer outside the EU (especially to the US) Public interest? Defense of legal claim Protection mechanisms 6
EU General Other potentially applicable local laws Employment laws Works Council rules Telecoms laws Protection of correspondence and communications Blocking statutes May not always be a clear way forward need to balance and mitigate risks 7
FRANCE 8
Internal Investigations in France: Preliminary Comments Carrying out internal investigations not truly embedded in French culture Criminal investigations more commonly carried out by investigating magistrates, police officers or state authorities French lawyers may not act as police officers or public prosecutors [cf. French Blocking Statute and Bar ethic rules]: only assist client in preparing file to defend its interests 9
Internal Investigations in France: Preliminary Comments Possible pre-investigation if a company is trying to detect serious misconduct at an early stage E.g., workplace monitoring, hotlines, whistleblowing procedures (provided company has declared compliance with the CNIL s blanket authorization) due diligence, disciplinary sanctions envisaged More thorough investigations if company has wellfounded beliefs of wrongdoing E.g., bribery, sexual harassment, theft of corporate assets 10
Internal Investigations in France Companies may be tempted to bypass customary application of key data privacy rules which would interfere with the investigation and prevent identification of employees involved in criminal offences but Role of investigating magistrate if a complaint has been filed with the public prosecutor French privacy law on collection and processing of personal data would apply Need to take into account French Blocking Statute Any document/evidence obtained unlawfully risk being rejected in future French court proceedings 11
French Data Privacy Principles and FCPA Investigation FCPA investigation: suspicion of improper payments Collection and review of emails and documents of selected employees raise data protection and employment law issue Principles to keep in mind 12
French Data Privacy Principles and FCPA Investigation Processing of personal data allowed providing: consent of the data subject granted; or if such processing complies with one of the following conditions: 1) Compliance with a data controller s legal obligation; 2) Safeguard of the life of the individual concerned; 3) Public service mission of the data controller; 4) Performance of a contract to which the relevant individual is party or compliance with pre-contractual measures as required by the relevant individual; 5) Achievement of legitimate interest pursued by data controller or individual concerned without infringing data subject s rights 13
French Data Privacy Principles and FCPA Investigation Can FCPA investigations comply with such data privacy principles? The CNIL does not allow investigations outside of judicial/administrative context: quid regarding pre-investigation? Obtain employee consent? Not recommended in employee/employer context due to relationship of subordination Exemption 1: Compliance with data controller s legal obligation? RISK Although French companies may fall within the scope of the FCPA legislation from a US point of view, a foreign law would not be considered as a binding valid legal obligation under French law 14
French Data Privacy Principles and FCPA Investigation Can FCPA investigations comply with such data privacy principles? Condition 5: Achievement of a legitimate interest? Link with whistleblowing measures: legitimate interest when report (and data processing needed) on serious risks in the areas of accounting, financial audit, fight against corruption, antitrust and competition law infringements, fight against discrimination and harassment at work, health, workplace hygiene & safety, environmental protection 15
French Data Privacy Principles and FCPA Investigation Data subject must be informed by data controller of: Data controller s (or its representative s) identity; Purpose of data processing; Mandatory or optional responses; Potential consequences vis-à-vis data subject resulting from a lack of response; Recipients of the data; Data subjects rights; Transfer of data outside the EU, if applicable 16
French Data Privacy Principles and FCPA Investigation 5 Key Principles Purpose: personal data to be collected and processed for a specific purpose; Proportionality: only necessary and relevant information treated and processed; Appropriate duration of retention of personal data; Safety and confidentiality of the data; Respect for the individuals rights: prior information to the data subjects regarding purpose of the data processing, rights of access and rectification of the personal data 17
Email Control and Screening Compatibility with employees right of privacy, including compliance with the principle of the secrecy of correspondence Tolerance for employees to use their professional inbox for personal purposes Need to expressly identify what is «personal» Truly personal emails may not be used to discipline employees Useful to have an internal policy/it charter whereby company may monitor the use of professional emails Prior works council consultation, CNIL declaration and employee information Company may monitor a «personal» file in the presence of the concerned employee or in the case of a strong suspicion of wrongdoing 18
French Blocking Statute Strong Blocking Statute in place: French Law n 68-678 of July 26,1968 Philosophy: to restrict extraterritorial application of foreign particularly US laws Subject to international treaties and conventions, regulations and laws in force, it is prohibited for any person to require, seek or communicate in writing, orally or in any other form economic, commercial, industrial, financial or technical documents or information in order to use them as evidence in future foreign judicial or administrative proceedings or in the context of such proceedings if already ongoing (Article 1 bis) 19
French Blocking Statute Strong Blocking Statute in place: French Law n 68-678 of July 26,1968 Violation punishable by 6 months imprisonment and/ or 18,000 fine (approximately 22,000 USD) Permission to take evidence sought pursuant to the Hague Convention on the Taking of Evidence Abroad in Civil and Commercial Matters dated March 18, 1970 Letters of request or via diplomatic officers, consular agents and commissioners 20
French Blocking Statute French Supreme Court case (December 12, 2007) confirmed the decision of the Paris Court of Appeals upholding the conviction of a Franco-American lawyer on charges of violating the blocking statute Transmission of evidence from France to abroad also restricted in the event of foreign administrative and other proceedings or investigations of a penal nature Possible solution to avoid Blocking Statute issues in the context of US (potentially penal) FCPA investigations: Franco-US mutual assistance and cooperation treaty (criminal proceedings) dated December 10, 1998 "French parties" indirect participation in criminal proceedings conducted abroad via the filter of the French Ministry of Justice to enable compliance with French Blocking Statute 21
Tips/Solutions for Investigations Ensuring a legitimate basis exists Key consideration: location of the data processing and the hosting facilities (within or outside the EU) If outside the EU, need to put into place protective measures (e.g., DTA, safeharbor) Guiding principle: proportionality, avoid fishing expeditions and unjustified impact on data subjects Handle data in a collected, controlled, processed and filtered manner to limit risks 22
GERMANY 23
General Remarks Corporate Liability The concept of corporate criminal liability generally does not exist in Germany No hands, no crime Criminal proceedings will therefore always be initiated against individual employees or members of company management Direct offence or indirect offence, e.g. violation of supervisory / management duty If personal liability is proven, sanctions may under certain circumstances be imposed also on the company 24
German Privacy Concept German Data Protection Law prohibits any processing of personal data, unless the data subject has unambiguously given consent or a statutory provision permits such data processing without explicit consent (permission statute). 25
Employee Consent Generally not accepted by authorities Debatable validity Revocable at any time Often unnecessary or not useful 26
Statutory Permission Permission statute must be constituted under German Privacy Law Permission cannot be based on foreign law statutes (e.g. FCPA, UK Bribery Act) Permission cannot be based on Codes of Conduct or other internal policies Any permission under German Data Protection Law requires extensive and diligent balancing of interest Foreign law statutes and internal policies may be considered in the balancing of interests 27
Investigations in Germany - General German privacy law applies, regardless of a violation of foreign statutes Breaches can cause investigations by German prosecutors and result in administrative or even criminal fines Evidence that was obtained unlawfully may be excluded from court proceeding 28
Blocking Statute No explicit blocking statute Strict employee data protections rules have a comparable effect Works council co-determination right have a comparable effect Employees often show high sensitivity 29
Permission Statute I. An employee s personal data may be collected, processed or used for Employment related purposes where necessary for hiring decisions or, after hiring, for carrying out or terminating the employment contract. II. Employees personal data may be collected, processed or used to investigate crimes only if there is a documented reason to believe the data subject has committed a crime while employed, the collection, processing or use of such data is necessary to investigate the crime, and the employee does not have an overriding legitimate interest in ruling out the possibility of collection, processing or use, and in particular the type and extent are not disproportionate to the reason. 30
Solution Path Principle of Proportionality Data Processing must be suitable for the purpose of the investigation Data Processing has to be the least invasive measure to meet the purpose Data Processing has to be appropriate to the purpose 31
Solution Path Anonymization (!) Thorough fact finding in other jurisdictions prior to any investigation initiatives? Strict adherence of purpose limitation Reduction and limitation of data collection Purpose documentation Limitation of data transfers 32
Email Screening Mass screening is prohibited Individual selection and application in compliance with the permission statute Documentation of grounds of initial suspicion Highly critical if professional e-mail may also be used for private purposes Unlawful email monitoring may be considered a crime 33
Employee Interviews Employees have to participate and provide insofar as the questions are strictly work related Any data collected through interviews has to meet the requirements of the permission statute Any sharing or transfer of interview results has to comply with the permission statute 34
CHINA NAVIGATING CHINA S LAW ON PROTECTING STATE SECRETS ( State Secrets Law (as revised in 2010)) 35
Defined (Article 9) Where the divulgence of any of the following issues which are relevant to national security and interests may cause any harm to national security and interests with respect to politics, the economy, national defense, foreign affairs and so forth, such issues shall be recognized as State secrets: 1) Confidential issues involved in significant decisions on State affairs; 2) Confidential issues involved in national defense development and in the activities of the armed forces; 3) Confidential issues involved in diplomatic activities and in activities related to foreign countries, and the secrets of which the State shall fulfill obligations of confidentiality to foreign countries; 4) Confidential issues involved in national economic and social development; 5) Confidential issues involved in science and technology; 6) Confidential issues involved in activities in protecting the security of the State and in the investigation of crimes; and 7) Other confidential issues which are recognized by the State secret-protection administration. Confidential issues of political parties which fall into any of the aforementioned types shall be recognized as State secrets. 36
Classifications (Article 10) Top secret (disclosure would cause extremely serious harm) Highly secret (disclosure would cause serious harm) Secret (disclosure would cause harm) 37
Who May Possess or View a State Secret (Article 16) Personnel who know State secrets shall be limited to the minimum scope on the basis of actual need. The scope of personnel who know the State secrets shall be limited to specific personnel if it is possible; where it is not possible to limit the scope of personnel who know the State secrets to specific personnel, such scope shall be limited to the organs and units, which shall further specify the relevant personnel. Where it is necessary for personnel who are not within the scope of personnel who know the State secrets to know the State secrets on the basis of actual need, he/she shall obtain approval made by the principals of the organs or units. 38
Disclosing, Leaking or Divulging State Secrets Is Prohibited The organs and units shall tighten control over the carriers of State secrets. Any organization or individual must not commit any of the following acts: 1) Illegally acquire or hold carriers of State secrets; 2) Purchase, sell, present or destroy without any permission carriers of State secrets; 3) Transmit carriers of State secrets via the channels without any confidentiality measures, including via post, express and etc.; 4) Mail by post or consign carriers of State secrets to other countries or regions; and 5) Carry or transmit carriers of State secrets to other countries or regions without the permission of the relevant competent authorities. (Article 25) It is prohibited to illegally copy, record or save State secrets. It is prohibited to transmit State secrets via the internet or other public information networks or via wired or wireless communications which are free of any confidentiality measures. It is prohibited to involve any State secrets in private communications. (Article 26) * NOTE: Hong Kong, Macao and Taiwan are considered outside China s territory. 39
Potential Criminal Penalties Article 111 of the Criminal Law provides for penalties ranging from public surveillance and deprivation of political rights to life imprisonment, depending on the severity of the act, for whoever steals, spies into, buys, or unlawfully supplies state secrets or intelligence for an organ, organization or individual outside China s territory. Article 111 also provides that for an especially severe act that endangers national security, individuals may receive the death penalty. 40
What To Do When a Need Arises To View Alleged State Secret Information No transport out of China (physically or electronically) No copying (photocopy, photo, electronic, notes) Submit to neutral third party? Risk of violating State Secrets Law More likely investigation will remain confidential More transparency Submit to organ or unit? The State Administration for the Protection of State Secrets Safe but impact confidentiality and not transparent Written opinion on whether information is a State Secret Written permission to view, etc. 41
FORENSIC INVESTIGATION CONSIDERATIONS 42
Common Problems Jurisdictional Understanding Lack of Understanding of Data Map No Protocols for Data Transfer One Shot To Get Data Cultural Differences 43
Data Transfer Safe Harbour Certification EU Model Clauses Binding Corporate Rules 44
Document Processing & Review Running Keyword Searches On Site review by Counsel Protocols for Remote Review Protocols for Production Technology Solutions 45
QUESTIONS? 46
Contact Information Anita Esslinger, Partner, Bryan Cave LLP, Washington, DC and London anita.esslinger@bryancave.com T: 202-508-6333 or 44-20-3207-1224 Christopher Dueringer, Partner, Bryan Cave LLP, Los Angeles cdueringer@bryancave.com T: 310-576-2183 Sarah Delon-Bouquet, Counsel, Bryan Cave LLP, Paris sarah.delonbouquet@bryancave.com T: 33 1 44 17 77 25 Jana Fuchs, Associate, Bryan Cave LLP, Hamburg jana.fuchs@bryancave.com T: 49 40 30 33 16 136 Skip Westfall, Managing Director, Forensic, Investigative & Disputes Grant Thornton LLP, Houston - skip.westfall@us.gt.com T: 832-476-5000 47