Catch 22: What You Need to Know About GDPR’s Restrictions on Criminal Data Collection

Imagine this scenario: You’re in charge of sales at your company and you’re looking to sell your product in a foreign land. You’ve found an agent with local knowledge of that country who is ready to help you strike a deal with a state-owned customer. Before retaining her, you get ready to conduct a criminal background check — only to find that a new law prohibits you from doing so.

It might sound far-fetched, but for companies doing business in Europe this is the new reality.

The General Data Protection Regulation (GDPR), which went into effect last year, provides individuals with important privacy rights and has consequently changed how almost every entity doing business in Europe handles personal data.

But the sweeping new law has also had some unintended consequences. Specifically, Article 10 of the GDPR prohibits the processing of personal criminal background information unless it is conducted for official purposes or is authorized by the EU or by a member state. This prohibition presents a significant obstacle for companies conducting investigations in order to comply with the Foreign Corrupt Practices Act (FCPA) and other anti-corruption laws.

“Companies are facing a quandary. On the one hand they must perform adequate due diligence for anti-corruption purposes. On the other hand they need to comply with Article 10 of the GDPR,” said V&E partner Devika Kornbacher, who is the head of the firm’s Cybersecurity and Data Privacy Task Force.

Kornbacher and V&E Government Investigations and White Collar Criminal Defense associate Pete Thomas recently sat down to answer questions about the implications of Article 10, the varying ways in which EU member states have responded to Article 10, and what companies should be doing in the face of criminal data collection restrictions. Here’s what they had to say.

How important are criminal background checks and what risks would companies face if they stopped doing them?

Due diligence is an essential component of any effective anti-corruption compliance program. While the FCPA — and most other anti-corruption laws — does not require criminal background checks, both the SEC and DOJ take a company’s efforts to explore a third party’s criminal background into consideration when deciding how to conclude corporate investigations.

Probing a third party’s background helps companies lower their liability risks should problems arise. “Companies with a robust compliance program are in a much better position to negotiate a positive resolution if under investigation,” Thomas said.

Conversely, not collecting criminal history data in connection with high-risk transactions prevents a company from having critical information as it decides whether or not to pursue a relationship with a third party.

Depending on the level of risk presented by the location and nature of the intended activities of the third party, due diligence could involve determining whether the third party has ever been subject to law-enforcement proceedings or sanctions for a corruption-related offense. Previous corrupt conduct is a red flag.

Does every country subject to the GDPR prohibit the processing of criminal data by private parties or are there some exceptions?

The GDPR provides member states with some discretion on how the law is implemented, allowing member states to introduce “derogations” in certain areas. In the case of Article 10, member states can pass laws authorizing private entities to process Article 10 data.

As of now, the vast majority of European countries — 24 out of 30 — are “silent states,” meaning they have not passed laws that allow for the processing of criminal history data. But six countries do authorize criminal history collection, under varying circumstances.

In the UK, the Data Protection Act 2018 allows private entities to process criminal data to detect and prevent crimes. Ireland has authorized its data regulator to create a legal mechanism which, if implemented, would have a similar result.

Several other countries, such as Denmark and Iceland, authorize private entities to process Article 10 data, but only if the subject of the investigation has provided consent. As one would imagine, obtaining consent, especially consent under the GDPR, is not always easy or desirable.

In an entirely different category is France, where the legal authorization to process criminal data remains unclear.

France’s anti-corruption law, Sapin II, requires companies of a certain size to implement anti-corruption compliance programs. France’s anti-corruption compliance agency, the Agence Française Anticorruption (AFA), has issued guidelines to assist companies in implementing their compliance programs. Among other things, the guidelines recommend that companies look into a third party’s past prosecutions or convictions. Nonetheless, the AFA guidelines do not have the force of law.

The legality of Article 10 processing for anti-corruption purposes in France is an open question at this point.

In light of the GDPR’s restrictions on criminal data collection, what should companies do?

Be aware. Companies conducting business within a country subject to the GDPR should be cognizant of the GDPR’s impact on their anti-corruption compliance programs. “The first thing to do is be aware of this conflict, and make a decision on how the company will address it. Keeping in mind that the company is creating its own record, documentation regarding this decision, if any, should be factual and not overly positional,” Kornbacher said.

Document. “When Article 10 of the GDPR impedes due diligence into a person or entity’s criminal history, companies should document that impediment to their diligence efforts in case the issue comes up in a later investigation,” Thomas said.

Track. In the absence of EU-wide legislation, individual member states will decide whether or not to pass legislation that authorizes the processing of Article 10 data in the context of anti-corruption due diligence. Some have already done so. It’s up to companies and their counsel to stay on top of the shifting landscape.

V&E has created an interactive map that tracks these developments.

“Check in often,” Kornbacher said. “Companies that process data that is subject to the GDPR should monitor legislation in the EU and member states to enable the company to adjust its anti-corruption due diligence practices accordingly.”