Last week the FCPA Blog, in a post entitled NSA spying also linked to FCPA enforcement, reported that the National Security Agency (NSA) has engaged in economic espionage for the benefit of the United States and perhaps others.
The FCPA Blog quoted a story from the American Spectator, Rise of the Surveillance State, by James Bovard. One of the items which Bovard discussed is the program monikered ‘Echelon’, which he described as “a spy satellite system run by the National Security Agency along with the United Kingdom, Australia, New Zealand, and Canada. Echelon reportedly scans millions of phone calls, e-mail messages, and faxes each hour, searching for key words.” This coupled with the widespread additional and ongoing surveillance that we also learned about will make the compliance professional’s job more difficult in three general areas.
First is in the area of data access. Edward Luce, in a Financial Times (FT) article entitled “Obama has hurt himself and business over privacy,” said that the “U.S. is losing credibility in its goal of trying to stop the internet from balkanizing into separate national frameworks.” While Luce discussed this in terms of the U.S. criticism of “the great firewall of China;” a U.S. investor might think about the Securities and Exchange Commission’s struggle to get China to agree to allow auditors to provide data to the U.S. consistent with U.S. securities laws, or laws which the SEC enforces, such as the books and records component of the FCPA.
The second is in the area of data privacy. Here, I think that the acknowledgement of the U.S. surveillance programs will lead other countries to toughen up their data privacy requirements. This means that the compliance professional will be faced with an even more bewildering set of data privacy requirements to deal with to accurately access a company’s compliance program. While foreign governments cannot legislate privacy as to the data collected by the U.S. government, they certainly can do so vis-à-vis U.S. companies doing business in their jurisdictions or home-domiciled foreign companies which are subject to the FCPA through a U.S. subsidiary.
Lastly, what about jurisdiction and the FCPA? Currently if a banking transfer goes thought the U.S. banking system, FCPA jurisdiction attaches. While it has not yet been tested, several commentators have spoken about information which might be saved on servers based in the U.S. So what if information appears on Google or through a Google-search or on Facebook? Now take the next step and ask, if there is data mining that strikes pay dirt, could that portend or even create jurisdiction?
I think the job of the compliance practitioner just got a lot tougher.
Thomas Fox is a contributing editor of the FCPA Blog.