The Intersection of the Foreign Corrupt Practices Act and Data Privacy
On April 5, 2016, the Fraud Section of the Criminal Division of the Department of Justice (“DOJ”) released an Enforcement Plan and Guidance (the “Plan”) regarding the Foreign Corrupt Practices Act (“FCPA”). The Plan contains three components designed to enhance the DOJ’s ability to detect and prosecute violations of the FCPA: (1) a substantial increase in law enforcement resources; (2) increased coordination with foreign jurisdictions; and (3) implementation of a pilot program (the “Pilot Program”) offering substantial cooperation credit to companies that meet certain specified standards for “(1) voluntary self-disclosure of criminality, (2) full cooperation, and (3) remediation.”
One of the enumerated requirements for companies to achieve “full cooperation” (and thus earn maximum cooperation credit) under the Pilot Program is that companies must effectuate “[d]islcosure of overseas documents, the location in which such documents were found, and who found the documents.” This requirement comes with an exception for situations in which “such disclosure is impossible due to foreign law, including but not limited to foreign data privacy laws.” The requirement and exception are followed by a note stating that:
Where a company claims that disclosure is prohibited, the burden is on the company to establish the prohibition. Moreover, a company should work diligently to identify all available legal bases to provide such documents.
Thus, companies seeking to avail themselves of the cooperation credit offered under the Pilot Program may find themselves trying to strike a delicate balance between compliance with foreign data privacy laws, such as those in the European Union that restrict the transfer of personal data, and compliance with the DOJ’s “full cooperation” requirement.
On April 13, 2016, Andrew Weissman—Chief of the Fraud Section of the Criminal Division of the DOJ—provided further details on the DOJ’s approach to a situation in which a would-be cooperating company, under the Pilot Program, contends that it is prohibited from producing overseas documents. Weissman noted that the “Fraud Section is quite sophisticated in analysis of data privacy issues,” and that companies contending they are legally prohibited from producing all relevant overseas documents “can expect lots of factual and legal questions.”
With respect to factual questions, companies may be asked—among other things—whether the documents at issue are traditionally kept overseas, whether they are available on a server that can be accessed in the United States, and may also face questions about corporate structure (i.e., if the overseas documents are held by a subsidiary of a U.S. parent corporation, the parent corporation could potentially be deemed to have control over the documents). With respect to legal questions, companies may be asked—among other things—about the specific foreign data privacy law purported to prevent the company from providing overseas documents to the DOJ. For instance, Weissman indicated that a company claiming a proscriptive interpretation of a foreign data privacy law will face pushback from the DOJ if other cooperating companies have found a way to provide overseas documents subject to that same law.
Finally, Weissman addressed the exact nature of the “burden” upon companies contending that they are prohibited from producing all relevant overseas documents, noting that it is not as high as “proof beyond a reasonable doubt” but that a granular definition of the precise burden is not necessary. Weissman noted that he views the Fraud Section as “a place that people can go and expect to have a rational, mature discussion with people in the DOJ and feel like they got a fair shake.”
In short, companies seeking to avail themselves of the Pilot Program will be expected to produce all relevant overseas documents. If a company believes that a foreign data privacy law prohibits them from doing so, then the company will bear the burden of convincing the DOJ of the prohibition. While there is not a precise definition of that burden, companies can expect to face questions from, and engage in dialogue with, government attorneys who are well-versed in foreign data privacy laws and who have the benefit of knowing how other similarly situated companies have interpreted such laws.
 Weissman’s comments were reflective of his personal view of the relevant issues, and are not necessarily the views of the DOJ.