One aspect of the UK Bribery Act that no one is talking about is the implications it has for data protection. Well, to be fair, one person is talking about it: Jonathan Armstrong, who was the subject of my last post. When I was going through the materials for the breakfast I wrote about, I noticed a photocopied article from Privacy Laws & Business that Armstrong authored last November.
In the article, Armstrong argues that three aspects of the Bribery Act make it problematic when it comes to data privacy: first, the Act’s emphasis on due diligence; second, the Act’s reliance on “speak up” procedures; and third, the increased number of investigations caused by more vigilant enforcement.
The Act places great emphasis on due diligence, naming it one of the six Principles of compliance. Armstrong cautions that increased diligence of the corporate supply chain will mean information collection wherever that supply chain happens to be located. Included in those geographies could be countries with their own data protection laws.
Inquiry into individuals is recommended – which every compliance program worldwide will take as a command – by the Guidance that the UK Ministry of Justice issued in early April. The idea is that collecting information on individuals who are key decision-makers in third-party vendors or agents will help UK companies assess risks.
The Ministry is right, but anytime you collect information, you have responsibilities, sometimes unknown responsibilities, imposed by local law. Ignoring local law is sure to get companies into trouble as the subjects of the due diligence enforce their rights.
The second issue revolves around “speak up” procedures, which the Act also “recommends.” As Armstrong points out, those familiar with Sarbanes-Oxley have long had to deal with international issues around whistleblower laws.
European laws, infamously those of France in particular, create special problems with these types of hotlines. International companies under the jurisdiction of the Act will now be faced with the same issues that US companies faced over the last few years around setting up reporting channels.
Finally, Armstrong reminds us of the potential conflicts that can arise during investigations. The subjects of those investigations can exercise their rights under the various data protection regimes to access investigatory information, and potentially use those rights to interfere with the investigation.
As Armstrong points out, investigation subjects under the new law can face personal criminal liability as well as corporate liability. To make matters worse, increased emphasis on hospitality and facilitation expenses can implicate lower-level employees and more employees than before.
The implications of the broad jurisdiction and new provisions of the UK Bribery Act have yet to be fully understood. Intersections with data privacy laws, as well as other laws, like the Proceeds of Crime Act, will have to be worked out over the next few months and years as companies come to grips with the new enforcement regime.