Navigating cooperation with the Department of Justice under a GDPR regime
On 30 November 2017, the United States Department of Justice (DOJ) issued a new formal policy concerning corporate enforcement of the US Foreign Corrupt Practices Act (FCPA).1 While the new policy (the FCPA Policy) brought welcome clarification concerning the DOJ’s commitment to rewarding cooperating business entities with leniency, it still left unanswered several key questions regarding credit for voluntary disclosure and cooperation. In cross-border investigations, this lack of clarity creates challenges for multinational companies that are subject to the European Union’s new General Data Protection Regulation (GDPR), which imposes limits on the ability of companies to transfer personal data from the European Union to the DOJ.2
The new FCPA Policy, which followed from the DOJ’s 2016 FCPA Pilot Program, establishes criteria for leniency for companies seeking to resolve FCPA liability.3 Unlike the FCPA Pilot Program, the FCPA Policy creates a presumption that qualifying companies that self-disclose wrongdoing and provide complete cooperation will be entitled to a declination.4 Unfortunately, a lack of specificity regarding the DOJ’s interpretation of and expectations concerning self-disclosure and cooperation remains. The uncertainty around these factors was exacerbated by guidance issued by then Deputy Attorney General Sally Yates, which directed prosecutors to focus on holding culpable executives and employees responsible for corporate crime (the Yates Memo).5 In doing so, the Yates Memo indicated that a company must provide ‘all relevant facts’ relating to the conduct of its culpable executives, employees and business partners in order to be eligible for leniency. Although the Yates Memo, like the FCPA Pilot Program, does not define ‘all relevant facts’, it nonetheless imposes the burden on a company to demonstrate that it has provided ‘all relevant facts’, leaving interpretation and application of this requirement to the judgement of individual prosecutors.
Under the FCPA Policy, the latest DOJ pronouncement concerning cooperation and self-disclosure, companies are expected to provide a wide range of categories of evidence in their possession, including evidence from outside the United States, in order to qualify for leniency.6 With the advent of the GDPR, however, questions abound. The new data protection regime limits the ability of companies to transfer documents from the European Union to the DOJ, including emails of allegedly culpable executives and employees, unless the transfer is done in a manner that is consistent with the GDPR’s requirements.7 If a company fails to comply with the GDPR, it may be subject to significant penalties – €20 million, or 4 per cent of a company’s global revenue, whichever is greater – and EU regulators have stated they intend to enforce it. Thus, the GDPR undoubtedly will create new and unforeseen challenges for companies seeking to transfer data from the European Union to the DOJ or, for that matter, any other US regulator.
In this article, we review recent developments in DOJ’s treatment of disclosure and cooperation, including under the new FCPA Policy. We then discuss the challenges of proactively cooperating with the DOJ under the new FCPA Policy, while also seeking to transfer data from the European Union in a manner that is consistent with the requirements of the GDPR. Finally, we provide some preliminary guidance for companies seeking to reconcile their obligations under the GDPR with their efforts to qualify for maximum cooperation credit under the FCPA Policy.
Background on the FCPA Policy’s requirements for leniency
When issued, the FCPA Policy received substantial coverage insofar as it expressed a ‘presumption’ that the DOJ will not prosecute a company that fully complies with the stated criteria of voluntary disclosure, cooperation and remediation, absent certain aggravating factors.8 The non-exclusive list of aggravating factors includes the involvement of ‘executive management’ in the misconduct, significant profit to the company from the misconduct, pervasiveness of the misconduct throughout the company and recidivism. The policy also provides assurances that even if a company is not eligible for a declination, it may still receive a 50 per cent reduction off the low-end of the US Sentencing Guidelines fine range, as long as it is not a recidivist and satisfies the other stated criteria of self-disclosure, cooperation and remediation.9 A company that only partially fulfils the requirements of the FCPA Policy may also be eligible for up to a 25 per cent reduction in fines.10
The FCPA Policy adopts the definition of cooperation found in the Yates Memo, requiring that a company provide ‘all facts relevant to the wrongdoing at issue, including: all relevant facts gathered during a company’s independent investigation’.11 Further, cooperation must be ‘proactive’, meaning that a company must disclose relevant facts to the DOJ before requested to do so.12 Undoubtedly by design, this definition is extremely open-ended and places the burden on a company to persuade the DOJ that it has satisfied the requirements of the FCPA Policy. As such, it makes it essential that a company have a shared understanding with the DOJ about the appropriate scope of the internal investigation as that will yield the facts that the company provides. Absent such an understanding, a company runs the risk that its investigation and related cooperation will be deemed insufficient or that, in an abundance of caution, it will unnecessarily conduct a broad, burdensome and expensive investigation in order to ensure that it is able to satisfy the standard of cooperation in the FCPA Policy.
Perhaps most challenging for a company that is subject to the GDPR, the FCPA Policy places the burden on a company to:
• provide all relevant documents from outside the United States concerning the conduct at issue and culpable individuals; or
• convince the DOJ why it is unable to do so due to legal hurdles such as foreign data privacy statutes and blocking statutes.13
Specifically, the FCPA Policy states:
Where a company claims that disclosure of overseas documents is prohibited due to data privacy, blocking statutes, or other reasons related to foreign law, the company bears the burden of establishing the prohibition. Moreover, a company should work diligently to identify all available legal bases to provide such documents.14
As we discuss in greater detail below, satisfying this requirement without running afoul of the GDPR will require considerable expertise, as well as timely and effective communication with the DOJ.
Another point of continuing uncertainty under the FCPA Policy concerns the criteria for voluntary disclosure. The policy requires that a disclosure be made ‘prior to an imminent threat of disclosure or government investigation’ to be considered voluntary.15 In addition, the disclosure must be made within a reasonable time of becoming aware of the misconduct and should include ‘all relevant facts’ known to the company, including about individuals.16 There is tension in the DOJ’s use of the Yates cooperation standard as its standard for voluntary disclosure, as at the time of an initial disclosure it is usually too early in the investigation to know ‘all relevant facts’ about individual conduct.
Recent DOJ settlements under the FCPA Policy and its predecessor, the FCPA Pilot Program, have done little to clarify what constitutes a qualifying voluntary disclosure. One day before the formal FCPA Policy was publicly disclosed, the DOJ announced that SBM Offshore NV had agreed to pay more than US$475 million to resolve corruption charges, including payment of US$238 million in criminal penalties to the DOJ, US$240 million to the authorities in the Netherlands, and US$342 million to the authorities in Brazil.17 According to the DOJ, SBM paid more than US$180 million in commissions to intermediaries, knowing those funds would be used to pay bribes to officials of Petrobras and elsewhere to win contracts worth US$2.8 billion with state-owned oil companies.18 Although SBM self-reported misconduct it had investigated, the DOJ denied SBM credit for voluntary disclosure. The DOJ’s rationale for this decision, as reflected in public documents, raises significant concerns that the concept of ‘voluntary disclosure’ is very narrow. After SBM’s disclosure, the DOJ initially declined to prosecute SBM, and later independently learned of new information demonstrating a US nexus for the alleged wrongdoing. According to the DOJ, the new information was not uncovered during SBM’s own initial investigation and it caused the DOJ to reopen its investigation.19 Notably, however, there is no indication in the papers that SBM had access to the information or otherwise failed to conduct a reasonable investigation. It thus appears that because the DOJ learned of new relevant information on its own, it determined that SBM should not receive credit for voluntarily disclosing the wrongdoing in the first place.
The SBM case also points to the problem of incorporating the Yates standard into the criteria for initial disclosure. Prior to the FCPA Pilot Program, the DOJ had assessed a company’s disclosure and cooperation against the totality of circumstances, including how the company continued to investigate itself as new information came to light. Under prior practice, it was also understood that a company could notify DOJ that it was investigating allegations and subsequently provide more information to the DOJ as it learned the facts. The SBM case, however, suggests that the DOJ may exercise its discretion under the FCPA Policy to deny a company credit for voluntary disclosure if it does not reveal what the DOJ determines are ‘all relevant facts’ about individuals at the time of the initial disclosure, notwithstanding a company’s best good faith efforts during the investigation to ascertain and disclose to the DOJ all relevant facts.
In another significant FCPA settlement in June 2018 involving the Paris-based global financial services firm Société Générale, the DOJ denied the firm credit for voluntary disclosure regarding the conduct in Libya. In that matter, Société Générale allegedly secured over US$3.6 billion in business from Libyan state institutions under the former regime of Colonel Gaddafi by paying over US$90 million to a Libyan broker, part of which was then paid to Libyan government officials. Pursuant to a deferred prosecution agreement (DPA) with the DOJ, Société Générale’s parent corporation was charged with conspiracy to violate the anti-bribery provisions of the FCPA and agreed to pay US$585 million in penalties. Additionally, SGA Société Générale Acceptance NV, a subsidiary of the bank, entered a guilty plea to conspiracy to violate the anti-bribery provisions of the FCPA.20 The DPA provided that Société Générale was not entitled to voluntary disclosure credit ‘because [the company] did not voluntarily and timely disclose . . . the facts set forth’ in the agreed factual statement attached to the DPA.21 This sweeping statement suggests that the DOJ has set a high standard for voluntary disclosure credit, given that the 34-page statement of facts covers conduct from 2004 through 2012, including information likely obtained from third-party sources. From the papers, we cannot ascertain whether the DOJ determined that the issues surrounding voluntary disclosure concerned the bank’s initial disclosure (including the timing of the disclosure) or updates it did or did not provide as part of its cooperation with the DOJ. Relatedly, the DPA reflects that the DOJ denied the bank some cooperation credit, and notes that certain ‘issues resulted in a delay during the early stages of the investigation’, and that the DOJ itself ‘develop[ed] significant independent evidence of the Company’s misconduct’.22
Complying with the FCPA Policy under a GDPR regime
A company subject to the GDPR – basically any company with offices in the European Union or processing personal data of EU residents – must be aware that voluntary cooperation with the DOJ may run afoul of the GDPR if not properly handled. As we noted above, the DOJ’s FCPA Policy provides that a company will qualify for full leniency only if it discloses all relevant evidence in the company’s possession, including data and documents from overseas, in a voluntary and timely fashion. This creates tension with the GDPR, which presumes that any data involving personal identifying information, including names – such as emails to and from company executives, employees and business partners – should not be freely transferred to a US law enforcement agency.23
A company seeking to comply with both the FCPA Policy (to avoid or mitigate an enforcement action by US authorities) and the GDPR (to avoid an enforcement action by EU authorities) will find itself navigating two conflicting regulatory regimes. The GDPR starts with a presumption against disclosure and requires that a company take steps to safeguard the privacy interests of data subjects, even when it is otherwise permitted to process data and produce it to US regulators. Under the GDPR, there must be a valid legal basis for each step in the process of collecting, processing and transferring documents and other information to the DOJ. While the GDPR appears to contemplate that a company may be able to justify these actions in order to satisfy its legal obligations to US authorities, uncertainty continues to exist over the exact legal rationale under the GDPR for doing so.24 Moreover, even if a company’s transfer of data to the United States is justified, the GDPR requires that the company take steps to ensure that the transfer is narrow in scope and that the confidential nature of the information is preserved.25
The tension between the requirements of the GDPR and those of the FCPA Policy arises immediately when a company initiates an internal investigation and decides to self-disclose potential violations of the FCPA to the DOJ. As the recent settlements discussed above reflect, the DOJ’s view of voluntary disclosure turns on both the timing and the completeness of the disclosure. To meet the DOJ’s expectations, a company may be required to conduct a fairly broad initial collection and review of company emails and documents, even if it has not determined whether US laws were violated. Under the GDPR, however, it is not clear whether a company conducting an internal investigation in response to unconfirmed allegations regarding potential violations of US laws may justify broad searches of personal data.26 In such cases, a company may only be able to conduct a limited search of data until sufficient evidence is obtained to support a broader search. This would obviously hinder the ability of a company to persuade the DOJ that its disclosure was both timely and complete, as required by the FCPA Policy, especially if significant evidence of wrongdoing surfaces and is disclosed later in the investigation or is brought to the attention of the DOJ by a third party.
A second area where the GDPR may hinder a company’s efforts to obtain leniency under the FCPA Policy concerns the requirement that, under certain circumstances, a company must provide notice to individuals whose data is being transferred. If a company’s transfer of data is not ‘necessary for the establishment, exercise or defence of legal claims’, as provided by GDPR article 49(e),27 the company must demonstrate a ‘compelling legitimate interest’ for the transfer under article 49(g).28 Under these circumstances, however, the company will be obliged to ‘inform the data subject of the transfer and of the compelling legitimate interests pursued’.29 Although a company’s cooperation with a DOJ investigation often is known to its employees, and in particular, subjects of the investigation, the DOJ may still wish a company to withhold from those individuals the nature of the documents the company is providing to the DOJ, in part to prevent witnesses from coordinating their stories around certain documents. In other instances, an investigation may still be covert and the company’s cooperation may be sought confidentially by the DOJ, such as when the DOJ is investigating an ongoing bribery scheme. Advising potential subjects and witnesses of a DOJ investigation who were otherwise unaware of it would be, in the DOJ’s view, tantamount to interfering with its investigation. In view of the foregoing, it may not be possible to comply with the strict letter of article 49(g) and also earn full cooperation credit from the DOJ. Thus, where a company believes there is a possibility of exposure under the FCPA, even if remote, it would seem prudent to attempt to justify any transfer of data to the DOJ under GDPR article 49(e).
Even assuming a company has satisfied itself that it can transfer documents to the DOJ under article 49(e), the GDPR nonetheless may require it to take a more limited approach to production in order to strike the appropriate balance between the interests of the company in cooperating with the DOJ and the privacy interests of the individuals whose data is being produced.30 For example, a company could produce documents with redactions of the names of persons who do not appear to be involved in the wrongdoing at issue. Another possible approach could be ‘pseudonymisation’, which involves concealing the names of persons on emails by labelling them with non-identifying descriptors (eg, Senior Manager A). It is likely, however, that the DOJ will not be satisfied with either of these approaches, as it will want to be able to see the names of all persons on relevant documents and assess their roles in and knowledge of the alleged wrongdoing without the filter of company counsel. A company could also take a staggered approach to production, producing core documents and then asking the DOJ to request additional documents as the investigation progresses.31 This approach, however, is also likely to run contrary to the DOJ’s desire to obtain as much relevant information as possible early in the investigation.
These and other approaches designed to protect the privacy rights of data subjects under the GDPR could compromise the ability of the company to obtain full disclosure and cooperation credit from the DOJ under the FCPA Policy. Under such circumstances, a company must be mindful that the FCPA Policy places on it the burden of demonstrating that the GDPR will impede or has impeded its ability to provide the DOJ with all relevant documents and information in a timely manner.32 In that regard, we provide some preliminary guidance on addressing GDPR constraints before the DOJ.
Prioritise and produce data and documents in tranches
In most investigations where a company is committed to the path of cooperation, the DOJ will welcome the company’s efforts to identify and produce the most relevant information and documents as expeditiously as possible. In many instances, those core documents also will support the position that the company is transferring the data under GDPR article 49(e). To the extent that a company’s initial production prompts follow-up requests from the DOJ, including where the company is transparent with the DOJ about the existence of additional tranches of relevant documents, those follow-up requests would further bolster the company’s position regarding the applicability of article 49(e). Moreover, by invoking GDPR article 49(e), as opposed to article 49(g), the company will avoid the requirement under article 49(g) that it notify individuals whose data is being transferred, another fact that the DOJ should favourably consider as it evaluates the company’s cooperation.
Invoking the mutual legal assistance process
Another way a company can avoid running afoul of the GDPR is by requesting that the DOJ pursue a mutual legal assistance (MLA) request with relevant EU member countries, while at the same time demonstrating cooperation with the DOJ by assisting the DOJ in formulating those requests and orchestrating an expeditious response to the MLA request. The MLA process should not be a substitute for any production of documents (absent the existence of a blocking statute, such as the French blocking statute, which prohibits companies from producing French-sourced documents directly to foreign regulators for investigatory purposes), and it can be used in parallel with the company’s more limited core production of documents most central to the relevant legal issues. By providing the DOJ with core relevant documents and assisting the DOJ in obtaining other records through the MLA, the company may be successful in demonstrating genuine cooperation with the DOJ while also complying with the GDPR.
Proactively assisting the DOJ in identifying documents
If a company believes that it must take a narrow approach to the initial production of documents to the DOJ because of uncertainty about the legal basis under the GDPR for transferring data to the DOJ, it can take certain steps to assist the DOJ in identifying additional records. For example, if the company initially produces relevant emails in pseudonymised form, it can provide the DOJ with relevant data analytics about the senders and recipients. It can also describe in greater detail to the DOJ the nature and categories of documents that it may have withheld from production. If the DOJ indicates those documents are relevant to its investigation, the company will at least have a stronger justification under the GDPR for its production of additional records to the DOJ, as well as production of unredacted records.
Demonstrating the company’s genuine commitment to GDPR compliance
The DOJ will be sceptical of a company that routinely provides EU-sourced documents to third parties outside the European Union but claims that the GDPR hinders its ability to cooperate with the DOJ. A company would be well advised to develop formalised policies regarding GDPR compliance in connection with regulatory requests from outside the European Union, in order to demonstrate to the DOJ that the company is in fact complying with the GDPR as a matter of policy and not using it as a shield to hinder the DOJ’s investigation. In addition, because DOJ prosecutors are likely to be less familiar with the GDPR’s requirements than the company’s counsel, it may be prudent to provide them with an explanation of the constraints the GDPR imposes on the company in its cooperation with the DOJ.
The FCPA Policy sets a high threshold for a company seeking voluntary disclosure and cooperation credit, and vests discretion in DOJ prosecutors to decide whether a company is entitled to such leniency. The recently passed GDPR has created new challenges that a company subject to its requirements must consider when facing an investigation of alleged violations of the FCPA and attempting to realise the benefits of the FCPA Policy. While the GDPR includes provisions allowing for the transfer of data to regulators outside the EU, there currently is a dearth of guidance or precedent on those provisions. Nevertheless, there are proactive steps a company can take to provide the DOJ with relevant data and documents in order to maximise its ability to obtain leniency from the DOJ, while also limiting its own exposure under the GDPR.
1 See United States Attorneys’ Manual (USAM) Section 9-47.120.
2 See EU GDPR Article 4(1): ‘“personal data” means any information relating to an identified or identifiable natural person (“data subject”) . . . such as a name.’
3 The one-year programme was announced on 5 April 2016, in a DOJ memorandum entitled ‘The Fraud Section’s Foreign Corrupt Practices Act Enforcement Plan and Guidance’.
4 See USAM Section 9-47.120, Section 1.
5 See Memorandum of Deputy Attorney General Sally Yates Regarding Individual Accountability in Corporate Wrongdoing, issued on 9 September 2015, and codified at USAM Section 9-28.000 et seq.
6 See USAM Section 9-47.120, Section 3(b) (stating that proactive cooperation includes the ‘[t]imely preservation, collection, and disclosure of relevant documents and information relating to their provenance, including (a) disclosure of overseas documents, the locations in which such documents were found, and who found the documents’).
7 See EU GDPR Article 4(1): ‘“personal data” means any information relating to an identified or identifiable natural person (“data subject”) . . . such as a name.’
8 See USAM Section 9-47.120, Section 1.
9 USAM Section 9-47.120, Section 1.
10 USAM Section 9-47.120, Section 2.
11 USAM Section 9-47.120, Section 3(b).
13 USAM Section 9-47.120, Section 3(b).
15 See United States Sentencing Guidelines Section 8C2.5(g)(1).
16 See USAM Section 9-47.120, Section 3.
17 DOJ Press Release, dated 29 November 2017, SBM Offshore NV And United States-Based Subsidiary Resolve Foreign Corrupt Practices Act Case Involving Bribes in Five Countries, available at https://www.justice.gov/opa/pr/sbm-offshore-nv-and-united-states-based-subsidiary-resolve-foreign-corrupt-practices-act-case.
19 United States v SBM Offshore NV, Deferred Prosecution Agreement, Criminal Case No. 17-686 (SD TX, Houston Division, 29 November 2017), at paragraph 4.
20 Press Release, US Attorney’s Office EDNY, ‘US Dep’t Justice, Société Générale SA Agrees to Pay $860 Million in Criminal Penalties for Bribing Gaddafi-Era Libyan Officials and Manipulating Libor Rate’ (4 June 2018), www.justice.gov/usao-edny/pr/soci-t-g-n-rale-sa-agrees-pay-860-million-criminal-penalties-bribing-gaddafi-era-libyan; Press Release, US Attorney’s Office EDNY, ‘US Dep’t Justice, Legg Mason, Inc. Agrees to Pay $64 Million in Criminal Penalties and Disgorgement to Resolve FCPA Charges Related to Bribery of Gaddafi-Era Libyan Officials’ (4 June 2018), www.justice.gov/opa/pr/legg-mason-inc-agrees-pay-64-million-criminal-penalties-and-disgorgement-resolve-fcpa-charges.
21 United States v Société Générale SA, Deferred Prosecution Agreement, Crim. No. 18-CR-253 (EDNY, 4 June 2018), at paragraph 4(a).
22 Id at paragraph 4(b). In a DPA with Panasonic Avionics Corporation, announced in April 2018, the DOJ also denied the company voluntary disclosure credit. Unlike the SBM or Société Générale cases, however, the DOJ specified as the basis for doing so clear factors demonstrating the untimeliness of the disclosure: ‘the Company’s disclosures occurred only after the [SEC] requested documents from Panasonic related to possible violations of anti-corruption laws and several years after the Company and Panasonic first became aware of the allegations of bribery . . . but chose not to voluntary report’ them. United States v Panasonic Avionics Corp, Deferred Prosecution Agreement (DDC, 30 April 2018), at paragraph 4.
23 GDPR article 44 establishes a presumption that personal data will not be transferred to a third country outside the European Union unless certain conditions set forth in the GDPR are satisfied. Article 45 states that data may be transferred generally to a country outside the European Union that the EU Commission has decided ‘ensures an adequate level of protection’ of data. Notably, the United States is not designated as such a country by the Commission. Article 46 states that transfers of personal data to other third countries can only occur if the company transferring the data ‘has provided appropriate safeguards’ for the ‘data subject rights’. Article 49 further states that such transfers must also comply with certain legal criteria, including the exercise or defence of legal claims or the ‘compelling legitimate interests’ of the transferring company. In the event the latter rationale is invoked, the company must demonstrate ‘suitable safeguards with regard to the protection of personal data’.
24 Article 6(f) of the GDPR appears to provide that a company may collect and review employee emails and other personal data for the purpose of complying with US regulatory obligations. Article 49(e) also may provide a legal basis for transferring such data to US authorities. Specifically, article 49(e) states that if ‘the transfer is necessary for the establishment, exercise or defence of legal claims’, it may occur. Alternatively, article 49(g) provides that a company may transfer such data if it is in the compelling interests of the company to do so, subject to a strict balancing of the data subjects’ rights and a requirement that the company notify individuals whose data is being produced.
25 See GDPR article 44, 49.
26 Under article 49(e), the transfer must be in connection with a formal, legally defined process involving a legal claim or defence. See Guidelines of the article 29 Data Protection Working Party, http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614232.
27 GDPR article 49(e).
28 GDPR article 49(g).
30 See Guidelines of the article 29 Data Protection Working Party, http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614232 (discussing the need to ensure that the use of article 49(e) is necessary, limited to specific situations, and done in a manner that protects fundamental privacy rights).
31 This would help demonstrate the ‘necessity’ of the transfer under article 49(e). See id.
32 See USAM Section 9-47.120, Section 3(b).