The FCPA Report

The definitive source of actionable intelligence covering the Foreign Corrupt Practices Act

By Topic: Data Privacy

  • From Vol. 6 No.2 (Feb. 1, 2017)

    A New Era in FCPA Disclosure

    In the past few years, U.S. enforcement authorities have heightened their rhetoric surrounding voluntary and complete self-disclosure. New policies and rules issued by the government strongly encourage and incentivize disclosure in unprecedented ways. At the same time, an alarming increase in data leaks and the ever-present danger of whistleblowers threaten to reveal or force the disclosure of company information and secrets at every turn. In a guest article, Lara A. Covington, a partner in the Washington, D.C., office of Holland & Knight, and Lisa A. Prager, a partner in the firm’s New York office, explain that the net effect of these internal and external pressures is that U.S. companies have never faced more inducements to disclose potential FCPA violations nor higher risks of inadvertently disclosing them. See The FCPA Report’s three-part series on the DOJ’s Pilot Program: “Going Deep on the Fraud Section’s FCPA Pilot Program” (Apr. 20, 2016); “How Will the Fraud Section’s Pilot Program Change Voluntary Self-Reporting?” (May 4, 2016); and “Earning Cooperation Credit Under the Fraud Section’s FCPA Pilot Program” (May 18, 2016).

  • From Vol. 5 No.25 (Dec. 21, 2016)

    Navigating Data Privacy Laws in Cross-Border Investigations

    Conducting a cross-border investigation and performing global due diligence each have their own unique challenges, which only become more formidable when coupled with a formal anti-corruption inquiry. In the E.U. in particular, issues range from confusing and often conflicting privacy laws, to language and cultural barriers, to custodian access and local coordination. In a guest article, Deena Coffman and Nina Gross, managing directors at BDO, provide insight on the data privacy landscape in the E.U. and how to comply with competing demands during a cross-border investigation. See “Conflicting Compliance Obligations: How to Navigate Data Privacy Laws While Performing Internal Investigations and Promoting FCPA Compliance in the E.U. (Part One of Three)” (Jan. 9, 2013); Part Two (Jan. 23, 2013); Part Three (Feb. 6, 2013).

  • From Vol. 5 No.19 (Sep. 28, 2016)

    Managing Data Privacy Challenges in Performing Due Diligence and Internal Investigations in China (Part Two of Two)

    For companies doing business in China, understanding data privacy and cybersecurity requirements under Chinese law is critical. But once a company is familiar with the basic legal contours, more practical concerns move to the forefront. In this article, the second in a two-part series on China’s data privacy and cybersecurity laws, we share insights from practitioners working in China on how companies can manage the practical challenges of running their businesses while staying on the right side of the law. The first article in the series explained the basic structure of the data compliance regime in China, including the criminal law, civil law, industry regulations and the draft Cybersecurity Law. See also “The Emperor Is Far Away: The Evolving Nature of Third-Party Risk in China” (Sep. 9, 2015).

  • From Vol. 5 No.18 (Sep. 14, 2016)

    Data Privacy and Cybersecurity in China: Crossing the River by Feeling the Stones (Part One of Two)

    The Chinese National People’s Congress is currently considering a new law on cybersecurity that could have a far-reaching impact on data management in China. While the legislation is not yet in effect, it highlights the need for companies to familiarize themselves with China’s varied data privacy and cybersecurity laws as they currently are, and how they may be in the near future. This, the first part of a two-part series, provides insight from practitioners in China explaining the various sources of law governing data management in China and what types of information are covered by the law. In the second part, we will explore practical implications of these laws with regard to employee relations, particularly during internal investigations and due diligence. See our two-part series on China’s State Secrets Law: “A Primer for Anti-Corruption Practitioners (Part One)” (Jun. 29, 2016); and “Six Things to Consider When Engaging in Internal Investigations in China (Part Two)” (Jul. 13, 2016).

  • From Vol. 5 No.16 (Aug. 10, 2016)

    Second Circuit Quashes Warrant for Microsoft to Produce Email Content Stored Overseas 

    A federal appeals court ruling has made it more difficult for the DOJ to obtain electronic content stored overseas, creating implications for an array of government investigations. The Second Circuit Court of Appeals agreed with Microsoft that a request to produce customer content it stored in Ireland was beyond the scope of the Stored Communications Act. “It’s an extremely significant decision [that the Act] does not authorize a U.S. district court to issue a search warrant to seize data being held by ISPs or remote computing services (cloud services) outside the territorial U.S.,” Edward McAndrew, a partner at Ballard Spahr, told The FCPA Report. “It is the first ruling of its kind on that issue from the U.S. Court of Appeals.” See “Foreign Attorneys Share Insight on Data Privacy and Privilege in Multinational Investigations” (Jun. 28, 2016).

  • From Vol. 5 No.15 (Jul. 27, 2016)

    Regional Risk Spotlight: What Companies Need to Know About Internal Investigations in South Africa

    Japanese conglomerate Hitachi recently paid a $19 million penalty for corruption related to its work with a local partner in South Africa. That case highlighted the FCPA risks associated with South Africa’s local content requirements, but the country also has rigorous anti-corruption, anti-terrorism and data privacy laws that can further influence a company’s assessment of corruption risk and how it performs internal investigations. The FCPA Report recently spoke with Vlad Movshovich and Meluleki Nzimande of South African law firm Webber Wentzel to learn more about South Africa’s current enforcement environment and what companies need to know in order to manage their anti-corruption risk. See “Lack of Training and Due Diligence Leads to $19 Million Penalty for Hitachi” (Oct. 7, 2015).

  • From Vol. 5 No.15 (Jul. 27, 2016)

    Key Requirements of the Newly Approved Privacy Shield

    The European Union has formally adopted the long-awaited Privacy Shield, which replaces the Safe Harbor framework as a mechanism to comply with E.U. data protection requirements for the E.U.-U.S. transfer of personal data. Companies can begin to self-certify compliance with the framework on August 1, 2016. “Companies cannot take the Privacy Shield lightly. It’s a much more detailed framework with more accountability” than Safe Harbor, Sidley Austin senior counsel Cam Kerry told The Law Report Group. We review the Privacy Shield’s background, its key requirements and examine whether, when and how to join. See also “Foreign Attorneys Share Insight on Data Privacy and Privilege in Multinational Investigations” (Jun. 28, 2016).

  • From Vol. 5 No.13 (Jun. 29, 2016)

    Foreign Attorneys Share Insight on Data Privacy and Privilege in Multinational Investigations

    Multi-jurisdictional anti-corruption investigations are proliferating and subject companies must manage competing requests and competing legal regimes. At the recent White Collar Crime Institute presented by the New York City Bar Association, a panel of foreign lawyers delved into the challenges faced by counsel confronting multinational regulatory actions, including coordinating requests from multiple jurisdictions, preserving attorney-client privilege, conducting witness interviews and navigating data privacy laws. The panel featured attorneys based in London, Geneva, Hong Kong and Sao Paulo. See “How the Expanding Petrobras Scandal May Spark a New Era of Multi-Lateral Enforcement” (Dec. 2, 2015).

  • From Vol. 5 No.4 (Feb. 24, 2016)

    Deal Struck to Keep Transatlantic Data Flowing

    Two days after the expiration of a deadline set by Europe’s data protection authorities, and after months of negotiations, the European Commission and U.S. Department of Commerce reached an understanding intended to allow the transatlantic transfer of digital data by thousands of companies to continue, including the data flowing in cross-border anti-corruption investigations. The so-called “Privacy Shield” agreement “makes existing cooperation between the FTC and E.U. DPAs [data protection authorities] more robust, with better enforcement mechanisms and means of redress for E.U. citizens whose privacy rights may have been infringed by E.U.-U.S. cross-border transfers,” Davina Garrod, a London-based Akin Gump partner, said. However, she added that “the shield is by no means a panacea, and does not fix all of the problems identified by the [E.U. Court of Justice] in the Schrems judgment” that invalidated the previous Safe Harbor data transfer pact. We discuss the agreement, important steps that remain before the Privacy Shield can be finalized, and the immediate impact on cross-border investigations and other data exchanges with the E.U. See “Conflicting Compliance Obligations: How to Navigate Data Privacy Laws While Performing Internal Investigations and Promoting FCPA Compliance in the E.U. (Part One of Three)” (Jan. 9, 2013); Part Two (Jan. 23, 2013); Part Three (Feb. 6, 2013).

  • From Vol. 4 No.21 (Oct. 21, 2015)

    A Dangerous Harbor?  Analyzing the European Court of Justice Ruling

    An Austrian graduate student’s lawsuit against Facebook has resulted in the invalidation of a 15-year-old data privacy treaty relied upon by thousands of multi-national companies.  On October 6, 2015, the Court of Justice of the European Union (ECJ), the highest court in the E.U., held that the Safe Harbor framework that allowed companies to transfer personal data from the E.U. to the U.S., including data for cross-border investigations and discovery, is invalid.  The ECJ found that the U.S. does not ensure adequate protection for personal data, primarily because of the access rights that the ECJ said U.S. agencies have.  Although the ruling is immediate, the “sky is not falling,” said Harriet Pearson, a partner at Hogan Lovells.  On October 16, 2015, a group of E.U. member state privacy regulators, the Article 29 Working Party, called for renewed negotiations on a treaty and recommended interim actions for companies.  There will need to be a “transition to a more complex and perhaps a more work-intensive compliance strategy than Safe Harbor had previously afforded companies,” Pearson said.  See “Checklist of Actions to Take and Issues to Consider When Navigating Data Privacy and Anti-Corruption Issues,” The FCPA Report, Vol. 2, No. 21 (Oct. 23, 2013).

  • From Vol. 4 No.15 (Jul. 22, 2015)

    Addressing E-Discovery Challenges When Conducting International Investigations

    Conducting e-discovery in a cross-border investigation – a task difficult to avoid in an FCPA probe – presents an array of challenges including compliance with data privacy and other local laws; language and cultural barriers; and data collection issues.  In a guest article, Martin Bonney and Melinda Kunjasich, e-discovery experts at Epiq Systems, detail those challenges and explain best practices for conducting thorough and cost-efficient e-discovery in international investigations.  See also “How to Manage a Multi-National Anti-Corruption Investigation,” The FCPA Report, Vol. 2, No. 6 (Mar. 20, 2013).

  • From Vol. 3 No.25 (Dec. 17, 2014)

    Weil Attorneys Address Six Key U.S. and E.U. Cybersecurity Risks

    The extensive cybersecurity breaches at major public companies such as Target, Home Depot and JPMorgan Chase have placed cybersecurity issues on the radar of both regulators and the private sector.  Cyber breaches can give rise to regulatory, reputational and enterprise risk.  A recent panel discussion sponsored by the Cross-Border Group considered the current regulatory climate on cybersecurity in both the U.S. and the E.U., and six ways to handle cybersecurity risks.  The discussion was moderated by J.P. Wilson, head of the Cross-Border Group and the speakers included Weil, Gotshal & Manges partners Barry Fishley and Kyle C. Krpata, and counsel Paul A. Ferrillo.  See also “Seven Steps the Legal Department Can Take to Decrease Cybersecurity Risk,” The FCPA Report, Vol. 3, No. 22 (Nov. 5, 2014).

  • From Vol. 3 No.8 (Apr. 16, 2014)

    Compliance Strategies in Advance of the Sweeping New E.U. Data Protection Regulation

    The current fragmented system of data protection laws in the E.U., so often a complicating factor in cross-border anti-corruption investigations, is on the verge of a significant overhaul.  The European Parliament voted overwhelmingly in support of proposing the General Data Protection Regulation last month with a vote of 621-10.  The Regulation outlines a data protection framework that would replace the existing framework of Member State-specific laws.  This article analyzes the new Regulation with insights derived from a recent webinar hosted by the Society of Corporate Compliance and Ethics and led by Robert Bond, a partner and Head of Data Protection & Information Security at Speechly Bircham in London.  Bond’s program focused on the potential timeline of the proposed Regulation as well as four practical changes that companies should consider if the Regulation is enacted within the E.U.  For an in-depth analysis of the current E.U. data protection framework and FCPA compliance, see “Conflicting Compliance Obligations: How to Navigate Data Privacy Laws While Performing Internal Investigations and Promoting FCPA Compliance in the E.U. (Part One of Three),” The FCPA Report, Vol. 2, No. 1 (Jan. 9, 2013); Part Two of Three, Vol. 2, No. 2 (Jan. 23, 2013); Part Three of Three, Vol. 2, No. 3 (Feb. 6, 2013).

  • From Vol. 2 No.21 (Oct. 23, 2013)

    Checklist of Actions to Take and Issues to Consider When Navigating Data Privacy and Anti-Corruption Issues

    Investigating a potential FCPA violation almost invariably entails cross-border discovery because U.S. companies need data housed overseas.  While trying to please U.S. regulators in obtaining information relevant to suspected bribes both in the context of internal investigations and due diligence of another company, however, companies often find themselves at risk of violating the strong data privacy laws enacted in many countries across the globe.  To minimize conflicts, companies must educate themselves about data privacy, plan ahead and act strategically.  This checklist can serve as a guide to help companies comply with data privacy laws when conducting cross-border anti-corruption or other investigations, and when engaging in common compliance activities.  The checklist highlights data privacy issues that companies should consider and actions they should take prior to the development of an FCPA issue, during an investigation and during due diligence.  For more on the interaction between data privacy and anti-corruption laws, see The FCPA Report’s Data Privacy Series: “Conflicting Compliance Obligations: How to Navigate Data Privacy Laws While Performing Internal Investigations and Promoting FCPA Compliance in the E.U. (Part One of Three),” The FCPA Report, Vol. 2, No. 1 (Jan. 9, 2013); Part Two of Three, Vol. 2, No. 2 (Jan. 23, 2013); Part Three of Three, Vol. 2, No. 3 (Feb. 6, 2013).

  • From Vol. 2 No.9 (May 1, 2013)

    Handling the Challenges of Overseas Anti-Corruption Investigations: Forensic Accountants, Government Expectations, Translators, Upjohn Warnings, Privilege Issues and Recording Interviews

    Internal FCPA investigations do not respect jurisdictional boundaries, and varying customs and laws of different areas critically impact not only internal investigations, but also prosecutions and litigations for multi-national companies that may follow.  Failing to identify and address the specific issues relevant to an anti-corruption investigation can have significant legal and financial consequences.  A recent panel of experts at the American Bar Association’s Institute on Internal Investigations and Forum for In-House Counsel discussed the complexities of internal investigations, sharing their advice on best practices starting with actions to take during the first 72 hours of the investigation.  From both government and private sector perspectives, the panel addressed how to handle language and cultural differences, as well as how to navigate varying legal regimes that affect privilege and complicate the collection of documents.  They also provided insight on interviewing witnesses and how best to deal with the U.S. government when it comes to disclosing an investigation.

  • From Vol. 2 No.8 (Apr. 17, 2013)

    Representing Foreign Companies in Criminal FCPA Actions: Strategies for Handling the Legal, Practical and Cultural Challenges

    Many FCPA investigations and prosecutions involve foreign companies or foreign subsidiaries of U.S. companies.  When the DOJ investigates or commences a criminal enforcement action against a foreign company, local laws, customs and practices can create challenges for unwary U.S. counsel in areas such as discovery and attorney-client privilege.  A recent event shed light on the topics that frequently come up when dealing with a foreign company client: attorney-client privilege, cross-border discovery, data privacy, obstruction of justice and extradition.  The event participants, all partners at Kaye Scholer LLP, also shared advice on working with in-house counsel in Japan and China and addressed other practical issues specific to the European Union, China and Japan.

  • From Vol. 2 No.7 (Apr. 3, 2013)

    How to Maintain an Anti-Corruption Reporting Hotline That Complies with Data Privacy Laws

    The November 2012 FCPA Resource Guide emphasized that a confidential reporting hotline is one of the hallmarks of an effective FCPA compliance program.  However, operating such a hotline requires a company to collect personal data about employees.  Accordingly, maintaining a reporting hotline may conflict with applicable data privacy laws, particularly in non-U.S. jurisdictions.  How can companies both abide by data privacy laws and maintain a reporting hotline, consistent with best compliance practices?  This article addresses this question and, in doing so, offers guidance on setting up a hotline; processing and investigating complaints; and post-investigation procedures.

  • From Vol. 2 No.6 (Mar. 20, 2013)

    How to Manage a Multi-National Anti-Corruption Investigation

    Managing a single internal anti-bribery investigation that spans multiple jurisdictions requires forethought, coordination, creativity and preparation.  When leading an investigatory team, counsel must consider both the laws and customs of the United States and the laws and customs of the multiple jurisdictions where its client maintains operations.  Counsel also must be mindful of the relationships between various jurisdictions.  Failing to identify and address the specific issues relevant to an investigation can have significant legal and financial consequences.  A panel of experts at the New York City Bar recently shared their insights on how to successfully run a complex international investigation.  The panelists offered advice on, among other things, navigating data privacy laws; protecting the attorney-client privilege; addressing employee rights; and determining whether to voluntarily disclose the results of an internal investigation.

  • From Vol. 2 No.3 (Feb. 6, 2013)

    Conflicting Compliance Obligations: How to Navigate Data Privacy Laws While Performing Internal Investigations and Promoting FCPA Compliance in the E.U. (Part Three of Three)

    To comply with the FCPA, companies must exercise decisive control – they must act quickly and effectively to investigate potential corrupt actions and conduct thorough due diligence.  These actions, coupled with the inevitable time pressure, can put a company in direct conflict with foreign data privacy laws.  Carefully crafting compliance policies and investigation plans can minimize this conflict.  This article, the third in a three-part series, details six steps companies should take at the beginning of an investigation; delves into the issues facing companies that perform internal investigations and conduct due diligence; and offers concrete advice from top practitioners about conducting those activities in a way that minimizes the risk of violating data privacy laws.  The first article in this series discussed the application of data privacy laws to FCPA compliance and the specifics of the E.U. data privacy regime, including: data processing principles; restrictions on data transfer; data transfer mechanisms, including the meaning of “safe harbor status,” binding corporate rules and European model clause agreements; as well as how potential new regulation can affect data collection.  See “Conflicting Compliance Obligations: How to Navigate Data Privacy Laws While Performing Internal Investigations and Promoting FCPA Compliance in the E.U. (Part One of Three),” The FCPA Report, Vol. 2, No. 1 (Jan. 9, 2013).  The second article in this series discussed how France applies the relevant E.U. Directive; best practices for due diligence in France; and six specific steps a company should take before a need to investigate arises in France as well as other E.U. member states and other jurisdictions with similar data privacy regimes.  See “Conflicting Compliance Obligations: How to Navigate Data Privacy Laws While Performing Internal Investigations and Promoting FCPA Compliance in the E.U. (Part Two of Three),” The FCPA Report, Vol. 2, No. 2 (Jan. 23, 2013).

  • From Vol. 2 No.2 (Jan. 23, 2013)

    Conflicting Compliance Obligations: How to Navigate Data Privacy Laws While Performing Internal Investigations and Promoting FCPA Compliance in the E.U. (Part Two of Three)

    As companies strengthen their anti-corruption compliance programs in response to the domestic enforcement climate, they face an increasing risk of violating data privacy laws across the globe.  With law enforcement and regulators demanding information, companies find themselves trying to please two masters.  Understanding foreign data privacy laws, which often conflict with American notions of privacy, and anticipating problems before they materialize, are key to minimizing conflicts.  France in particular has a strict data privacy regime, and its laws are actively enforced.  This article, the second in a three-part series, discusses how France applies the relevant E.U. Directive; best practices for due diligence in France; and six specific steps a company should take before a need to investigate arises in France as well as other E.U. member states and other jurisdictions with similar data privacy regimes.  The third article in this series will tackle: internal investigation considerations; best practices for reviewing documents and conducting interviews; strategies for transferring data outside the E.U.; data privacy concerns when performing due diligence in the E.U.; and effective techniques for running an anti-corruption hotline in the E.U.  The first article in this series discussed data privacy laws generally and specifically as they relate to FCPA compliance, and provided information about the specifics of the E.U. data privacy regime, including: data processing principles; restrictions on data transfer; data transfer mechanisms, including the meaning of “safe harbor status,” binding corporate rules and European model clause agreements; as well as how potential new regulation can affect data collection.  See “Conflicting Compliance Obligations: How to Navigate Data Privacy Laws While Performing Internal Investigations and Promoting FCPA Compliance in the E.U. (Part One of Three),” The FCPA Report, Vol. 2, No. 1 (Jan. 9, 2013).

  • From Vol. 2 No.2 (Jan. 23, 2013)

    Specific Strategies from Goldman Sachs, Société Générale and Leading Law Firms on Conducting Cross-Border FCPA Investigations

    The considerable challenges posed by an internal FCPA investigation are compounded when that investigation involves a cross-border component – as it almost invariably does.  In-house and outside counsel in cross-border investigations must navigate legal regimes that often conflict (notably in the area of data privacy); divergent approaches to the attorney-client privilege; varying business and governance structures; and different languages and cultural mores.  Moreover, best practices in the area of cross-border investigations are not codified or neatly packaged; rather, they are a function of long and often arduous experience.  In an effort to identify and communicate some of those best practices, a seasoned panel of in-house and law firm lawyers convened in New York on January 15, 2013 for a panel hosted by Catalyst, an e-discovery services provider.  The panel was moderated by Vasu Muthyala, counsel at O’Melveny & Myers LLP.  He was joined by Greg Andres, partner at Davis Polk & Wardwell LLP; John Driscoll, Managing Director and Director of Litigation and Regulatory Affairs at Société Générale; Justin Shur, partner at Molo Lamken LLP; John Tredennick, Chief Executive Officer of Catalyst; and Christine Chi, Global Head of the Anti-Bribery Group at Goldman Sachs.  The panelists discussed, among other issues: major challenges facing companies performing cross-border investigations, including the differing notions of data privacy and attorney-client privilege in different regions and strategies for coordinating with multiple jurisdictions; tips for conducting a cross-border investigation, including when to retain outside counsel; and the dynamics of reporting, both obligatory reporting via a Suspicious Activity Report and voluntary disclosure, especially in the current whistleblower climate.

  • From Vol. 2 No.1 (Jan. 9, 2013)

    Conflicting Compliance Obligations: How to Navigate Data Privacy Laws While Performing Internal Investigations and Promoting FCPA Compliance in the E.U. (Part One of Three)

    Vigorous anti-corruption compliance – as undertaken by many companies in the wake of the recent uptick in FCPA prosecutions – may endear a company to the DOJ and SEC, but could also put it at risk of violating data privacy laws across the globe.  In Europe, where privacy is considered a fundamental right, this is a particularly thorny problem.  It is difficult for companies operating in both the U.S. and E.U., if not impossible, to comply with both U.S. law and E.U. data privacy legislation.  To minimize conflicts, companies must educate themselves about data privacy, plan ahead and act strategically.  This article series helps companies do just that, delving into the details of E.U. privacy regulations and the challenges they pose during all the stages of an anti-corruption internal investigation, as well as during due diligence on third parties and for mergers and acquisitions and when creating and maintaining an anti-corruption hotline.  Through discussions with numerous data privacy and FCPA experts as well as secondary research, this article series provides a valuable framework for understanding data privacy laws in the E.U. and applying them to anti-corruption compliance.  This first part of the article series discusses data privacy laws generally and specifically as they relate to FCPA compliance and provides information about the specifics of the E.U. data privacy regime, including: data processing principles; restrictions on data transfer; data transfer mechanisms, including the meaning of “safe harbor status,” binding corporate rules and European model clause agreements; as well as how potential new regulation can affect data collection.  The second part of this article series will discuss how France specifically applies the relevant E.U. Directive; best practices for due diligence in France; and specific steps a company should take before a need to investigate arises in the E.U. and other jurisdictions with similar data privacy regimes.  The third part will tackle internal investigation considerations; best practices for reviewing documents and conducting interviews; strategies for transferring data outside the E.U.; data privacy concerns when performing due diligence in the E.U.; and effective techniques for running an anti-corruption hotline in the E.U.  See also “Strategies for Preserving Data Before and During an FCPA Investigation,” The FCPA Report, Vol. 1, No. 12 (Nov. 14, 2012).
