Schrems’ decision by the European Court of Justice, US-based law firms could rely on Safe Harbor to use and analyze information from investigations conducted in Europe. However, the Schrems decision and subsequent EU privacy rulings and regulations have brought the entire issue around internal investigations into question. In a podcast interview with UK solicitor and data privacy expert Jonathan Armstrong about the decision, Armstrong noted that the decision puts real roadblocks in the path of a US company that could be investigating potential anti-corruption allegations in the UK or EU member country. The biggest issue would be personal privacy and information. Unlike the US, work emails are covered by the privacy rights afforded to individuals and are not the company’s property. The same is true of other information. Under the Schrems decision, the ability of a US corporation to access that information and then take it back to the US under the safe harbor provision is no longer available. I asked Armstrong how a company might be able to move forward and internally investigate potential FCPA violations. Armstrong suggested that the only way at this point was to obtain the consent of the investigated person. However, obtaining such consent raises a host of other problems. He said, “Can I get consent for an internal investigation? Can I speak to my Austrian agent and say, “Peter, I just need you to sign this form to transfer your data to the US”? Now, for consent to be valid, the European legislation has to be fully explained, it has to be honest, and it can’t be deceptive. I’ve got to say to him, “I want you to sign this form because I want to investigate you. I want to run a full FCPA investigation; you’re the prime suspect. I want to take a look at your emails, and I have to inform you that you have the right not to consent, and if you don’t consent, there’s no way I can investigate you. Could you sign the form, please?” As Armstrong went on to note, “What answer is he likely to give in an internal investigation, and how would the US authorities feel if I go and tip off the main suspect that he’s under investigation?” With these two key components of any best practices compliance program, hotlines, and internal investigations, seemingly now unavailable to CCOs or compliance practitioners for EU-sourced information, I believe additional pressure will be put on the compliance function. Any US company with EU-based operations will have to take steps immediately to ring-fence such data originating in Europe. It may also mean locally based-compliance practitioners must head any inquiries. Moreover, if you couple this ruling in the Schrems decision with the Yates Memo, you immediately see the issue involved for any company seeking cooperation credit because such a company is required to turn over any information to the Department of Justice (DOJ) as soon as possible. But now, even if companies can still develop facts and data through internal investigations, in the manner suggested by Pirrotta in using local law firms, you might not be able to get the information back to the US to use. Worse yet, is the option laid out by Armstrong to obtain consent from an investigation target? Not only do I find it improbable that anyone, European or otherwise, would give such consent, but in the unlikely event such consent is given, you have told the target they are the target, and other data sources might well begin to disappear. Armstrong put it starkly when he said, “you’re going to get no sympathy from the bribery prosecutors, bribery regulators if you mess this up. The SFO [Serious Fraud Office] allegedly lost the case on how the US firm involved conducted the investigation. They will have, rightly, I think, no sympathy at all for people whose investigations are themselves conducted unlawfully. It will need much careful thought to structure data transfers and interviews. How do you move those interview notes? How do you look at emails? All this stuff will be critical so that you don’t break data privacy data protection laws and tip off witnesses, you know, interfering with the scene of an investigation, et cetera, et cetera. All of these things are critical.” How does the Schrems decision contribute to compliance at the tipping point? If you can use two of the key components in a best practices compliance program; based upon the DOJ/Securities and Exchange Commission (SEC) Ten Hallmarks of an Effective Compliance Program or another standard, it will put significant pressure on other parts of the program. A compliance program will have to be structured more rigorously to prevent FCPA violations through internal controls and transaction monitoring tools. CCOs and compliance practitioners will also have to be more involved and have more visibility into the entire lifecycle of transactions so they can determine how to begin to move from even prevention to prescription of any FCPA violations. Just as the compliance world changed with the announcement of the Yates Memo, the DOJ Compliance Counsel, and the VW emissions-testing scandal, the Schrems decision will change the need for a more robust compliance program from now on to help protect a company. 

Three Key Takeaways:

1. The Schrems decision significantly impacted US-based internal investigations.
2. Study the privacy laws of the country where you are performing your investigation.
3. Informed consent is difficult to obtain, but it may be critical for your investigation.

 Take care to protect privacy concerns when performing investigations outside the US.