The General Data Protection Regulation - Another Key Compliance Area for Global Business.

Author: Abraham, Richard
 

By: Colin Loveday and Richard Abraham

Colin Loveday is a Partner in the Commercial Litigation team in the Sydney office of Clayton Utz.

Richard Abraham is a Senior Associate in Colin's team at Clayton Utz. (1)

On May 25, 2018, the European Union implemented the General Data Protection Regulation (the "GDPR"). (2) The GDPR, which replaces the 1995 Data Protection Directive, will apply in each EU member state, regulating the processing of personal data without the need for national implementation. (3) The scope of processing is defined broadly to mean the operations performed on personal data, including collection, storage, alteration, use and disclosure (hereinafter "Processing").

EU members will supplement the GDPR with their own laws, including laws that identify the relevant national supervisory bodies. The GDPR will grant individuals the ability to take direct action for infringement, and national supervisory bodies the right to levy significant fines against companies that breach it. Importantly, the GDPR will apply to organizations without an EU establishment if Processing of personal data is related to either:

(a) offering goods or services to data subjects in the EU; or

(b) monitoring data subjects' behavior as far as it takes place in the EU.

The potential impact of the implementation of the GDPR, not only within the EU but also for those organizations that do business with, or deal with information concerning, EU citizens and businesses, is readily apparent.

Like data protection, anti-bribery and corruption is a current focus of regulators, politicians and the press. An organization's exposure to risk in both of these areas will increase together with its involvement in the global economy - indeed, even greater degrees of globalization are only made possible by rapidly increasing developments in technology - and the capacity to process enormous quantities of data instantaneously.

There are further similarities: an attempt at uniformity of regulation, an expansive approach to jurisdiction, and the potential for large fines for contravention.

Therefore, while at first anti-bribery legislation and the GDPR may appear to be strange bedfellows, the nature and potential impact of the GDPR give rise to some apparent parallels. One thing is certain: both are going to be areas of considerable focus for legal and compliance personnel in the coming years.

This paper provides a short refresher of key provisions of the Foreign Corrupt Practices Act, looks at how similar (but not identical) legislation has been enacted in other jurisdictions, and in particular how the enforcement of similar laws has occurred across various jurisdictions. We then discuss some of the key provisions of the GDPR and consider what lessons may be drawn from the development and enforcement of FCPA-style provisions when considering the potential impact of the GDPR.

  1. Anti-Bribery and Corruption Regulation

    1. Setting the Benchmark - the FCPA

      The Foreign Corrupt Practices Act of 1977 (5) was enacted for the purpose of making it unlawful for certain classes of persons and entities to make payments to foreign government officials to assist in obtaining or retaining business. As is well understood, for present purposes there are two broad offenses under the FCPA:

      * the anti-bribery provisions: Under the FCPA, it is a criminal offense to make a payment or offer payment to a foreign official for the purposes of obtaining business for any person; and

      * the 'books and records' provisions: the FCPA also requires companies whose securities are listed in the United States to meet the so-called "books and records" accounting provisions. These were designed to work in tandem with the anti-bribery provisions and require corporations covered by the provisions to (a) make and keep books and records that accurately and fairly reflect the transactions of the corporation; and (b) devise and maintain an adequate system of internal accounting controls.

      A convenient guide on the ins and outs of the FCPA is the detailed joint guidance first published by the Department of Justice and Securities and Exchange Commission in November 2012 - the Resource Guide to the U.S. Foreign Corrupt Practices Act. (6)

      The anti-bribery provisions of the FCPA originally applied to all U.S. persons and certain foreign issuers of securities. However, following amendments in 1998, the anti-bribery provisions now also apply to foreign firms and persons who cause, directly or through agents, an act in furtherance of such a corrupt payment to take place within the territory of the United States. The DOJ takes an expansive approach to jurisdiction - an approach that has been mirrored more recently in the legislation and prosecutorial approach in other countries.

      1. Recent Developments Concerning Investigation and Enforcement

      Just as the DOJ takes an expansive approach to jurisdiction, it also takes a "global", rather than "local" approach to investigation and enforcement. The rationale for such an approach was recently articulated by Deputy U.S. Attorney General Rosenstein:

      Foreign Corrupt Practices Act enforcement focuses on the global marketplace, because the world is interconnected. Economic problems in distant places affect American businesses and financial markets. So too does foreign corruption. (7)

      This has translated in practice to increased international cooperation. For example, when discussing a recent DOJ enforcement action, Deputy U.S. Attorney General Rosenstein confirmed that the DOJ had cooperated with enforcement authorities in the UK, Brazil, Austria, Germany, the Netherlands, Singapore and Turkey, and noted that the DOJ looked forward to continued international cooperation. (8) This move to increased cooperation is supported by 2016 figures, which showed that more than 40% of the resolutions in U.S. foreign bribery cases involved cooperation with foreign law enforcement agencies. (9)

      The involvement of multiple regulatory authorities (both within and across different jurisdictions) gives rise to the potential that an organization may face multiple enforcement actions in respect of the same conduct - or to adopt the sporting analogy used by the Deputy Attorney General - regulators "piling on" a tackled player. (10)

      In...
