United States: Corporate Compliance Monitorship and Data Privacy Considerations

In October 2018, the Benczkowski memorandum was published reconsidering the U.S. Department of Justice’s approach to the use of corporate monitors to ensure that monitorships will not impose unnecessary burdens on businesses. Yet since then, practice shows that 50% of Foreign Corrupt Practices Act (FCPA) corporate resolutions still result in monitorships.

Background

The memorandum was issued by Brian A. Benczkowski, the Assistant Attorney General in charge of the Justice Department’s Criminal Division. It supplements the guidelines on the appointment of a corporate monitor provided in the 2008 memorandum issued by then-acting Deputy Attorney General Craig S. Morford, and contains more specific criteria for determining whether appointment of a corporate compliance monitor is needed in individual cases.

According to the Benczkowski memorandum, independent compliance monitors are imposed because they are seen as “a helpful resource and beneficial means of assessing a business organization’s compliance with the terms of a corporate criminal resolution.” Therefore, if the DOJ determines that the appointment of a compliance monitor is required, it will expect the monitor to assess the adequacy of the company’s compliance program and provide recommendations on how to enhance it to meet the DOJ’s standards. In doing so, the monitor will rely on the guidance provided by the DOJ.

In June 2020, the DOJ released an updated version of its Guidance Document on Evaluation of Corporate Compliance Programs (Evaluation Guidance), initially issued in February 2017 and revised in April 2019.

The importance of cooperation with a compliance monitor cannot be overstated. However, while companies might be zealous in supporting the monitor, they may face obstacles during the process, and even find themselves violating local data privacy laws and regulations, if data privacy considerations are not properly addressed prior to and during the monitorship. One of the challenges faced by companies when dealing with the compliance monitor is to find the right balance between effective cooperation with the monitor, on the one hand, and compliance with data privacy requirements on the other. The updated Evaluation Guidance explicitly instructs prosecutors to consider the fact that a company might need to structure its compliance program in a particular way to satisfy applicable requirements foreign law. However, it does not automatically excuses the company from meeting the DOJ’s standards, and it is the company’s job to defend the pathway it chose to follow to structure it company in a way to ensure its integrity and effectiveness while abiding by foreign law.

This article will address how to reconcile DOJ’s expectations as set forth in the Evaluation Guidance with local data privacy requirements.

Evaluation Guidance for Data Privacy and Transfer Compliance

The updated Evaluation Guidance is structured around three “fundamental questions,” or key topics, concerning corporate compliance:

• Is the corporation’s compliance program well-designed?
• Is the program being applied earnestly and in good faith? In other words, is the program being
  implemented effectively?
• Does the corporation’s compliance program work in practice?

Each of these key topics includes several more specific sub-topics, 12 in total, that should be considered during the evaluation. As illustrated in the chart below, an assessment of the company’s compliance program with respect to each of the 12 sub-topics requires a review of data that will likely include personal data (PD) of either the company’s employees or third parties. The processing of personal data, including information such as name and company email address, is increasingly being made subject to significant compliance requirements, such as those in the European Union’s General Data Protection Regulation (GDPR), which themselves can carry material consequences for non-compliance.

Key Issues and Considerations

It is no secret that data privacy can be a sticking point between companies and DOJ in the context of cross-border investigations and disclosures, with DOJ demanding documents that companies claim are protected by local data privacy laws. Similar to cross-border investigations, a company working with a compliance monitor is expected to act in good faith and take all necessary steps to ensure that the monitor will be able to access all the information required to conduct a meaningful assessment of the company’s compliance program.

Therefore, it is important to identify the issues that the company may face from a data privacy perspective in connection with the monitorship. The company will need to implement effective mechanisms and safeguards to maintain effective cooperation with the monitor, while simultaneously addressing data privacy regulatory requirements. Ideally, these issues should be addressed prior to the beginning of the monitorship.

Some of the key issues from the data privacy perspective that may be faced by companies going through the evaluation process are outlined in the chart below:

As follows from the above, in the context of monitorship, the key categories of individuals, whose PD is protected under data privacy laws include:

• Employees
• Former employees
• Customers
• Contractual business partners
• Potential business partners

Based on the nature of the relationship with the individuals that fall under these categories, collecting, processing, and disclosing their PD to the monitor may be more or less challenging, depending on the sophistication and effectiveness of the company’s data privacy compliance program. Therefore, it is highly recommended that companies consider the following issues at the outset of the monitorship.

Initial briefings: Consider conducting briefings for the monitor up front about the data privacy laws in the relevant jurisdictions to make sure that the monitor’s expectations are managed.

Data collection: Data that may need to be collected at the monitor’s request

• Identify data subjects (e.g., employee data, data of third parties with whom the company has contractual relationships, data of third parties with whom the company does not have contractual relationships);
• Consider location of data (e.g., whether local laws impose additional requirements, such as a data localization requirement);
• Evaluate effectiveness of mechanisms allowing the company to disclose PD to third parties (e.g., whether data privacy consents were obtained, or if relevant provisions were included in employment agreements or contracts with third parties).

Data transfer: Whether or not the monitor will request the collected data to be transferred outside the country of origin

• Consider local law requirements for the cross-border transfer of PD (obtaining an opinion of a local counsel to flag potential data privacy issues is highly recommended as part of the preparation for the monitorship);
• Identify available cross-border data transfer mechanisms (e.g., whether the transfer would be made to an “Adequate Jurisdiction” or whether the execution of a data transfer agreement would need to be
  negotiated with the compliance monitor).

Ad hoc solutions to address data privacy issues: Compliance monitorships are never a completely smooth process, and no matter how effective your data privacy compliance program is, there may be bottlenecks, requiring ad hoc and immediate solutions, such as:

• A compliance monitor might want to review historical business partners’ screening materials for the sole purpose of getting a sense of how the screening was conducted previously, which may be prior to the implementation of the company’s data privacy compliance program. In such case, an interim solution may be to anonymize/redact PD, because it is not deemed essential for the purposes of the review; or
• If the company has implemented a mechanism allowing it to disclose certain PD to third parties but has not yet finalized the arrangements required to allow the cross-border transfer, it may suggest to the monitor conducting an on-site review in the interest of time.

Violation of data privacy laws may result in quite significant fines to add to the expenses the company has already borne in connection with the settlement with the DOJ. For instance, the GDPR sets fines of up to Euro 20 million or four percent of worldwide annual turnover from the preceding financial year. Therefore, addressing data privacy issues up front can protect the company from potential liability and ensure that the monitorship goes smoothly.