The particularly stringent data privacy laws in France and the active enforcement of these laws increases challenges faced by companies that operate in both the United States and France in conducting FCPA due diligence on business partners in France.  As compliance officers are probably well aware, conducting adequate background diligence on potential third parties in France while respecting France’s strict data privacy laws can be a difficult path to navigate.
In recent years, the Department of Justice (“DOJ”) and Securities and Exchange Commission (SEC) increasingly have enforced the FCPA’s prohibition on corrupt third party payments.  Assistant Attorney General Lanny Breuer has made clear that “[t]he use of intermediaries to pay bribes will not escape prosecution under the FCPA.”  http://www.justice.gov/opa/pr/2009/November/09-crm-1220.html.

Mitigating FCPA Liability

To mitigate FCPA liability for corrupt payments by third parties, companies are expected to conduct due diligence prior to entering into relationships with business partners.  As discussed below, adequate third party due diligence necessarily involves collecting and documenting personal information concerning potential third parties.
At the same time, in recent years the French data protection authority, la Commission nationale de l’informatique et des libertés (“CNIL”), has increased its oversight and enforcement of French laws that protect individuals’ right to data privacy.  In 2010, the last year for which data is available, the CNIL conducted 308 inspections of companies to ensure compliance with data privacy laws, a 14% increase over the previous year.  http://www.cnil.fr/fileadmin/documents/La_CNIL/publications/

The CNIL planned to conduct 400 inspections in 2011, with particular emphasis on ensuring that French and U.S. companies that engage in international data transfers respect the privacy rights of French citizens.http://www.cnil.fr/la-cnil/actu-cnil/article/article/programme-des-controles-2011-une-ambition-reaffrmee-des-competences-elargies/?tx_ttnews%5BbackPid%5D=2&cHash=91ae300acd

 Incompatible requirements

Companies that operate in the United States and France, therefore, are faced with two seemingly incompatible requirements: third party FCPA due diligence, on the one hand, and protecting a third party’s right to data privacy, on the other hand.  In addressing these issues, this article will (1) provide an overview of the FCPA and French anti-bribery legislation concerning third party payments; (2) review relevant European Union and French data privacy laws; and (3) outline factors that companies may wish to consider in implementing programs to address both third party due diligence and data privacy requirements.

FCPA requirements

The FCPA prohibits companies and individuals subject to the FCPA from making payments to third parties while “knowing” that all or a portion of such payments will be passed on to foreign officials in order to obtain or retain business, or secure an improper advantage.   The DOJ and SEC have taken the position that the term “knowing” includes conscious disregard or willful blindness of “red flags” that would alert a reasonable person to the risk that a third party may make corrupt payments to foreign officials.  The FCPA itself contains an express definition of “knowing” that reflects a congressional determination that willful blindness or conscious avoidance constitutes knowledge. 

The DOJ and SEC have made clear that, either as part of an issuer’s obligations under the 1934 Securities Exchange Act’s mandate to implement internal controls reasonably designed to prevent FCPA anti-bribery violations, or simply as a matter of good compliance (a key factor in how the government evaluates any violations that may arise), companies subject to the FCPA are expected to conduct third party due diligence prior to entering into business relationships in order to reduce the risk of corrupt payments by third parties.  The DOJ suggests that such due diligence include, among other things, verifying whether a potential third party is qualified for the relevant position, determining whether the third party has personal or professional ties to foreign governments or government officials, and assessing the third party’s reputation with the US Embassy or Consulate and with business associates.

Raising a red flag

The DOJ also recommends that companies be aware of “red flags” raised during the due diligence process or while negotiating business relationships with third parties.  Such “red flags” may include the history and risk of corruption in the relevant foreign country, unusual payment patterns or financial arrangements, unusually high commissions, and a lack of transparency in expenses and accounting records.  Best practice suggests that companies follow up on any “red flags” with further investigation and proceed with the business relationship only if red flags can be resolved to an appropriate level of comfort.

Best practice further suggests that companies document and retain the results of any third party due diligence for a sufficient period to enable companies to respond to DOJ and SEC inquiries and to defend themselves as needed.  Given the statute of limitations for FCPA violations, many companies utilize a retention period of between five and ten years.  The DOJ has further indicated that it would view favorably a U.S. company’s retaining due diligence documentation in the United States.  http://www.justice.gov/criminal/fraud/fcpa/opinion/2008/0801.pdf.

The transfer of due diligence documentation

We note that the transfer of due diligence documentation collected in France to the United States, as well as the retention of such documentation in the United States, raise a number of issues under European Union and French data privacy laws that are outside the scope of this article.  http://www.cnil.fr/fileadmin/
The CNIL generally must authorize transfers of personal data from France to the United States, subject to limited exceptions commonly known as the “French Blocking Statute,” prohibiting French individuals and entities from communicating certain categories of information to foreign public officials that would be harmful to France’s interests, and further prohibiting requesting, investigating or communicating such information for use in foreign judicial or administrative proceedings).

In practice, implementing FCPA due diligence standards often requires that companies obtain, document, and retain information that may be considered “personal data” under European Union and French data privacy law concerning potential third parties who are natural persons; the directors, principals and other employees of a third party that is a legal entity; and foreign officials who are closely related to these natural persons.  Best practice suggests that this personal information include any government or political party affiliations, prior criminal conduct, and financial information.  Companies often employ a number of investigative tools to obtain this information, including detailed FCPA due diligence questionnaires to be completed by potential third parties and private investigation firms to conduct additional on-the-ground due diligence.

French anti-bribery legislation

In addition to the FCPA, companies that operate both in the United States and France are subject to French anti-bribery legislation.  Similar to the FCPA, French anti-bribery legislation prohibits corrupt payments to public officials, directly or indirectly through third parties, as well as the solicitation and acceptance of corrupt payments by public officials, directly or indirectly through third parties.  

In enacting this anti-bribery legislation, France incorporated the terms of several international anti-bribery initiatives, including the Organization for Economic Cooperation and Development’s Convention on Combating Bribery of Foreign Public Officials in International Business Transactions (OECD Anti-Bribery Convention).  Of particular significance to companies operating in France, the OECD recommends that, in complying with its Anti-Bribery Convention (which was incorporated into French law), companies should implement ethics and compliance programs that would be applicable to third parties and that would include conducting “properly documented risk-based due diligence” with respect to the hiring and regular oversight of third parties.  http://www.oecd.org/dataoecd/5/51/44884389.pdf.

European Union impact

Despite the similarities between U.S. and French anti-bribery legislation’s prohibition of corrupt third party payments, as well as the OECD’s recommendations concerning third party due diligence, companies that operate both in the United States and France are faced with tensions between the expectations regarding FCPA third party due diligence and legislation enacted and enforced in the European Union and France to protect a natural person’s right to privacy in his or her personal data.

A. European Union French Data Protection

An individual’s right to protection of personal data is considered to be a fundamental right in the European Union.  The centerpiece of European Union legislation on personal data protection is Directive 95/46/EC of the European Parliament and Council (EU Data Privacy Directive). The Directive was enacted to protect individuals’ fundamental right to privacy with respect to the processing of personal data, and to guarantee the free flow of personal data among E.U. Member States.  The “processing” of “personal data” includes the collection, recording, organization, storage, use, disclosure by transmission, or dissemination of any information that could be used to directly or indirectly identify an individual or the individual’s habits or tastes.  http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:1995:281:0031:0050:EN:PDF.  The Directive applies to the processing of personal data by any person whose activities are governed by European Community law, including situations in which a person in a third country uses processing means located in the European Union. As such, the Directive sets forth principles and standards that Member States must implement in regulating the processing of personal data within their jurisdiction.  These principles include fairness, proportionality, consent, and transparency. The Directive also establishes “special categories” of particularly sensitive data, which must not be processed except under specified circumstances.

 B. French Data Privacy protections

1. The French Data Protection Act

French Law No. 78-17 on Information Technology, Data Files and Civil Liberties (the “French Data Protection Act”) incorporates, and enhances, many of the EU.Data Privacy Directive’s protective principles.  The French Data Protection Act applies to the processing of personal data if the data controller carries out its activity on French territory; or if the data controller, although not established on French territory or in another EU Member State, uses processing means located in French territory. 

The French Data Protection Act sets forth the conditions under which personal data must be processed in France.  In particular, processing may be performed only if the personal data, among other factors, is:

(1) “obtained and processed fairly and lawfully;”

(2) obtained for “specified, explicit and legitimate purposes;”

(3) limited in scope to personal data that is “adequate, relevant and not excessive” in relation to the purposes for which the data is obtained; and

(4) “stored in a form that allows the identification of the data subjects for a period no longer than is necessary for the purposes for which [the data] are obtained and processed.” 

The French Data Protection Act also specifies that the processing of “special categories” of personal data, including data revealing racial or ethnic origin and political opinions, is prohibited except under specified circumstances.  Id. art. 8.  In addition, the processing of personal data relating to offenses and convictions may be conducted only by certain entities, including courts, public authorities and legal entities that manage public services. 

The French Data Protection Act further specifies that data subjects must be informed of certain details concerning the personal data to be processed and generally must “consent” to the processing of personal data. The term “consent” is not defined in the French Data Protection Act; however, the EU Data Privacy Directive specifies that “the data subject’s consent” means “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement” to the processing of personal data. 

Building upon the directive’s definition, EU member states and advisory bodies have promulgated additional requirements and guidance concerning the elements of valid consent.  http://ec.europa.eu/justice/policies/privacy/docs/ Given the complexity of this framework, counsel knowledgeable in European Union and French data privacy laws should be consulted prior to obtaining consent with respect to data processing.

2. The CNIL

The French Data Protection Act created a French data protection authority, the CNIL, to inform data subjects and controllers of their rights and duties, and to enforce French data privacy laws.  The CNIL, therefore, must be notified of any automatic processing of personal data.  The CNIL also must authorize any processing, whether automatic or not, of “special categories” of personal data, as well as data relating to offenses or convictions.  See French Data Protection Act, art. 25.

3. Sanctions for Data Privacy Violations

The French Data Protection Act empowers the CNIL to impose fines in cases of non-compliance with French data privacy laws and provides for criminal penalties as set forth in the French Penal Code.  The CNIL may impose fines if a data controller fails to comply with a warning and formal notice from the CNIL.  In such cases, the CNIL may impose a fine of up to €150,000 for a first violation.  Id. art. 47.  For a second violation within five years from the date of the first penalty, the CNIL may impose a fine of up to €300,000 on natural persons, or a fine of 5% of gross revenue for the latest financial year, up to €300,000, on legal persons. 

The French Data Protection Act further provides for criminal penalties, as set forth in France’s Penal Code. In particular, France’s Penal Code prohibits the following acts:

(1) processing of personal data, including through negligence, without respecting the formalities required by statute;

(2) collecting personal data by fraudulent, unfair or unlawful means;

(3) recording or preserving in a “computerized memory” “special categories” of personal data or name-bearing information relating to offenses and convictions without the express agreement of the persons concerned; and

(4) retaining personal data beyond the length of time specified by statute, in the request for authorization or notice sent to the CNIL, or in the preliminary declaration sent to the CNIL. Each of the above violations by natural persons is punishable by five years’ imprisonment and a fine of €300,000.  Violations committed by legal persons are punishable by a fine of five times the applicable fine for natural persons, or €1,500,000. 

Reconciling the tension between third party due diligence and data privacy

Companies that must comply with the FCPA and other international anti-bribery legislation by conducting due diligence on third parties in France are therefore faced with competing obligations under European Union and French data privacy laws intended to protect the data privacy rights of individuals associated with these third parties.

Common FCPA due diligence practices, such as employing private investigation firms to conduct discrete due diligence on individuals, often without their knowledge or consent, may violate data privacy laws.  In addition, information essential to FCPA due diligence, such as political affiliations and criminal convictions, may qualify as “special categories” of personal data that may not be collected by private companies operating in France under most circumstances.  Furthermore, the scope of information gathered, and the documentation and storage of such information by companies for up to 10 years, may be deemed excessive under data privacy laws.

Striking the right balance

As in-house counsel and compliance officers at many multinational firms know, these tensions are not easily resolved.  Striking the right balance between FCPA compliance obligations and French legal requirements must be achieved on a company-by-company basis, ideally with the assistance of counsel knowledgeable about both the FCPA and French and European Union data protection regimes. 

Considerations that should be taken into account include notice provided to third parties, the types of sources used in performing third party diligence, how questions are crafted in questionnaires completed by third parties, how information is recorded in diligence documentation, how information is transferred outside of France, and the length and method of storage of due diligence documentation.  Some companies may decide to seek authorization from the CNIL for their specific third party compliance practices.

Companies may find that implementing FCPA third party due diligence programs that comply in good faith with conflicting data privacy obligations necessitates compromise approaches that may prevent these programmes from complying with best practice standards.  Companies that have adopted such compromise approaches to third party due diligence programs have typically incorporated data protection measures, including:

(1) limiting due diligence searches on individuals to public sources;

(2) omitting individual names and identifying information when reporting negative information discovered during diligence on legal entities using proprietary sources and private investigation firms;

(3) carefully wording sensitive questions on FCPA due diligence questionnaires; and

(4) limiting access to due diligence results to small, relevant groups.  Although FCPA third party due diligence programs that incorporate data protection measures such as these generally would be viewed as appropriate, these “compromise” programs may not meet best practice standards with which leading firms aspire to comply in other parts of the world. 

Adding to the tension in this arena, it remains unclear whether the CNIL would authorize or at least refuse to prosecute the implementation of such “compromise” due diligence programmes in France.Given the challenges faced by multinational companies in complying with these competing obligations, it is clear that cross-border cooperation between U.S. and French authorities to resolve these tensions would be highly beneficial.  Several international bodies, including the OECD and the European Commission, have recommended that Member countries develop effective international mechanisms to facilitate cooperation with foreign authorities in the enforcement of data privacy laws.  http://www.oecd.org/dataoecd/43/28/38770483.pdf;  Thus far, these recommendations have focused on ensuring cross-border enforcement of such laws.

Co-operating with the authorities

However, effective cross-border enforcement necessarily involves cooperating with foreign authorities to resolve conflicts with foreign laws and policies that would hinder the enforcement of data privacy laws. Cooperation between, and guidance from, U.S. and French authorities, therefore, would enable companies to better comply with both FCPA third party due diligence and data privacy standards in good faith and in accordance with best practice.  Absent such co-operation and guidance from regulators on both sides of the Atlantic, companies that operate in both the United States and France need to be aware of, and strive to implement programs to resolve, these tensions in the nevertheless unsatisfactory and uncertain legal environment that presently exists.

Paul Berger is a partner and Erin Sheehy and Margot Laporte are associates in the Washington, DC office of  law firm Debevoise & Plimpton LLP. Frederick Davis is a partner in the firm’s Paris office. They are members of the Litigation Department and White Collar Litigation Practice Group.The authors may be reached at prberger@debevoise.com, ftdavis@debevoise.com, ewsheehy@debevoise.com, and mlaporte@debevoise.com.  Further information can be found at www.debevoise.com