Illya Antonenko (iantonenko@traceinternational.org) is Privacy Counsel at TRACE International, Inc. in Annapolis, MD.
Compliance and ethics professionals know that anti-bribery due diligence of third parties involves processing large amounts of personal data about individuals associated with the third party. In May, the European Union’s (EU) General Data Protection Regulation (GDPR) will have a significant impact on anti-bribery due diligence processes of US companies as long as there is a chance that the individuals under review reside in the European Union. Companies “established” in the European Union must comply with GDPR requirements with respect to personal information of individuals regardless of where they reside. Much has been written about the GDPR and its complex, burdensome requirements. In this piece we will focus only on one such requirement.
As one of the initial GDPR thresholds for processing personal data of EU residents, the controller must determine which of the six lawful bases under the GDPR’s Article 6 applies to such processing. If none of the six bases applies, such personal data processing would be deemed unlawful under the GDPR. The six bases are: (1) express consent of data subjects, (2) performance of a contract with the data subject or a request of the data subject before such contract is executed, (3) a legal obligation imposed by an EU or EU member state law, (4) vital interests of the data subject or another individual, (5) a public interest task or processing under official authority, and (6) legitimate interests of the controller or a third party.[1]
We have outlined below the general considerations in support of our choice of using legitimate interests of the controller as the Article 6 basis for processing of personal data in the context of anti-bribery due diligence and rejecting each of the other five bases. In our analysis, we have been guided by the Article 29 Data Protection Working Party’s Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, 36 (WP 217).
Express consent of data subjects
GDPR’s Articles 4(11) and 7 make it clear that “consent” or authorization made by a representative of the third party on behalf of all data subjects would not be adequate under the GDPR. Obtaining the express consent of each individual data subject associated with a third party under review is not suitable or even feasible in the context of anti-bribery due diligence, because each of the potentially large number of data subjects would in effect be able to disrupt or significantly delay business relationships and business operations of at least two companies. This may occur even if a data subject does not have any objections to the processing of his or her data but fails to provide a timely response to a consent request through inaction or oversight. Even though a data subject’s right to object in the context of the “legitimate interests” basis may lead to a similar result, a data subject’s right to object is not absolute and may be overridden by a showing of compelling legitimate grounds for such processing, while a failure to provide consent and consent withdrawal do not have a similar mechanism.[2]
The GDPR right of data subjects to withdraw their consent at any time and the right to data portability, which arises when processing is based on consent, would also be inappropriate for anti-bribery due diligence.
Moreover, anti-bribery due diligence by its nature seeks to prevent or detect unlawful acts. If data subjects engage in such acts, giving them the opportunity to preclude the due diligence review would prejudice the purposes of prevention or detection of unlawful acts.
Finally, for consent to be valid under the GDPR, it must be “freely given,” among other things. In circumstances where the failure by a data subject to give consent to anti-bribery due diligence may result in a loss of business, it is unlikely that the European data protection authorities would see such consent as freely given.