Robert Clark: Will the EU data protection rule block due diligence?
Monday, November 13, 2017 at 7:18AM
Robert Clark in Due Diligence, General Data Protection Regulation, data protection

Companies minimize the risk of corruption by adequately vetting their prospective representatives -- typically by reviewing information about the financial interests and relevant connections of the intermediaries’ owners and key personnel, and screening those individuals for reputational and criminal-history issues.

These routine inquiries will soon become considerably more difficult.

In May 2018, the European Union’s General Data Protection Regulation (GDPR) will go into effect, requiring affected companies to implement heightened safeguards in their collection, use, disclosure, and retention of information about individual persons.

The Regulation has a broad territorial reach, applying not only to companies based in the EU, but also to any company offering goods and services to EU residents or that uses personal data in connection with “the monitoring of [EU residents’] behavior as far as their behavior takes place within the Union.”

There is a troubling ambiguity in that phrase. The purpose of due diligence is to anticipate potential illicit acts an intermediary may be in a position to commit. Identifying such risks requires accurate information about individuals’ connections and interests. It is unclear whether such prior-history information is within the GDPR’s scope -- whether “the monitoring of behavior” includes inquiries into a person’s past activities and associations.

If so, due diligence becomes much harder.

If a “data subject” resides in the EU or has engaged in potentially relevant behavior there, the GDPR prohibits any “data controller” (here, the entity performing due diligence) from obtaining or using any information about the subject until the subject has been given notice of the information being collected, its purpose, and the right to object.

Even more troubling, information concerning a subject’s criminal history can be processed “only under the control of official authority or when the processing is authorized by Union or Member State law.” Data controllers based in the EU must comply with these requirements and restrictions even where the data subjects reside and act elsewhere.

This data-protection regime is in tension with European anti-corruption law. In 2009, the Organization for Economic Co-operation and Development squarely promoted the principle of third-party liability, calling on signatories to the OECD Anti-Bribery Convention (including 23 EU member states) to ensure that companies are liable for bribery undertaken for their benefit by agents and intermediaries.

If the GDPR inhibits or prevents companies from performing even baseline due diligence (such as criminal background checks), it will seriously weaken their ability to monitor agents’ behavior, interfering with the policy aims not only of the OECD, but of any authority committed to fighting transnational bribery.

In principle, these restrictions can be addressed by individual EU member states’ authorizing the processing of criminal-history information and identifying anti-corruption due diligence as a “public interest” activity justifying the use of personal information. But there is no guarantee of Union-wide consistency on these points, and businesses could find themselves forced to navigate a state-by-state patchwork of information-processing restrictions, with harsh penalties (up to 4 percent of annual global turnover) for non-compliance.

This uncertainty isn’t good for business, or for anti-corruption. We need greater clarity regarding the constraints the new regulation will place on businesses’ due diligence efforts, and greater assurance of uniformity across the EU member states. If the EU wishes to remain seriously engaged in fighting corruption -- both within and outside of its borders -- it must take steps to ensure that the GDPR will not unduly interfere with companies’ efforts to responsibly research the backgrounds of their intermediaries and representatives.

TRACE has been actively working, in cooperation with our European counsel McCann FitzGerald, to bring our processes into full GDPR-compliance. At the same time, we are deeply concerned about the GDPR’s potential interference with anti-bribery compliance efforts worldwide, and we are committed to addressing these challenges together with other interested parties, both public and private.

(If you are interested in learning more about TRACE’s efforts or joining our working group, please contact us here.)

We are hopeful that the appropriate regulatory body (currently the Article 29 Working Party, soon to become the European Data Protection Board) can be prevailed upon to clarify the relation between the new data-protection regime and the due diligence research that businesses are required to perform. By doing so, it can help preserve Europe’s role as a leader in the global anti-corruption movement.

Robert Clark, pictured above, is the Manager of Legal Research at TRACE, where he oversees a team of lawyers responsible for the production of analytical content. He is the co-editor of What You Should Know About Anti-Bribery Compliance (2017) available from Amazon here.

Article originally appeared on The FCPA Blog.