Fraud, corruption, bribery. Across the globe, these challenges hit close to home for legal and IT professionals regularly called on to collect, analyze and produce data in support of an active investigation or compliance audit.

In France, game-changing legislation is taking effect to strengthen anti-corruption efforts and U.S. businesses with global operations need to be prepared. The provisions of new anti-corruption legislation, Sapin II, have just come into force in France (as of May 2017). Sapin II, adopted on November 8, 2016, is modeled on the U.S. Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act.

SAPIN II: THE KEY TO CLOSING LOOPHOLES IN FRANCE

In 2005, Sapin II was first proposed and named after Michel Sapin, a French politician and France’s Finance and Economic Minister. Like many countries, France has attempted to combat fraud through multiple anti-corruption laws. However, these laws had several loopholes. The main aim of Sapin II was to strengthen existing anti-corruption legislation by implementing provisions that would close existing loopholes in France’s anti-corruption laws.

Sapin II is a comprehensive anti-corruption framework, some parts of which are more important than others. Below are a few key provisions of Sapin II, along with brief explanations.

1. France’s Expanded Jurisdictional Reach: Prior to Sapin II, French prosecutors had limited jurisdiction in bribery cases. Sapin II removed these restrictions and gave criminal prosecutors the opportunity to charge more offenders in bribery cases.

2. Creation of the French Anti–Corruption Agency (AFA): Sapin II created a new administrative agency known as the AFA. The AFA has replaced the Central Service for the Prevention of Corruption (SCPC). It is monitored by a presidential appointee and a sanction commission. The AFA has four major responsibilities:

• Prevent and detect corruption in the private and public sector;
• Help companies implement compliance programs that are required;
• Report violations of the law to prosecutors; and
• Oversee the monitorships of corporations.

The AFA sends informative reports to the Justice and Budget Ministries to work together to keep up with fraud and anti-corruption strategies.

3. Compliance Program Requirement: Under Sapin II, a company must have a compliance program in place when there are more than 500 employees and the company has a gross revenue exceeding 100 million euros. This is applicable to both French subsidiaries and non-French companies who fulfill the above criteria. There are eight criteria that must be met in order for a compliance program to be deemed to be sufficient by the AFA. The most important criteria are that there must be corporate risk mechanisms and disciplinary procedures in place. Failure by a company to have a compliance program could lead to directors and managers being sanctioned by the AFA.

4. Whistleblower Protection Provision: Sapin II protects those who with good faith report against those who have violated any of France’s laws, international treaties where France is a party, or have threatened the public interest. In order for the whistleblower to receive protection he or she must notify a supervisor directly or indirectly. If the issue is not resolved within a reasonable amount of time then external parties may be notified and if three months have gone by and it is still not resolved, the public may be notified about the violation. Retaliation against a whistleblower can lead to both criminal and civil punishment.

5. French Deferred Prosecution Agreements (DPA): Sapin II’s DPA is modeled on the U.S. DPA. French corporations are forced to argue facts that have been listed by the DPA. Whether a corporation is punished depends on the judgment from a court through a public hearing. If found guilty, a fine of 30 percent of the company’s average revenue for the past three years must be paid to the French Treasury.

6. New Criminal Offenses and Bribery: It is now a crime for any company or individual to offer a donation, gift or reward to sway a public officer to abuse their discretion with public authority or government. This new criminal offense combines both French criminal law and anti-corruption efforts to stop and prevent fraud.

SAPIN II AND EDISCOVERY TECHNOLOGY

As legal and technology professionals in law firms and corporations begin to work under the new provisions of Sapin II, it will be increasingly important to turn to technology solutions to audit compliance programs and investigate fraud. Of particular interest within Sapin II, is the requirement that companies implement a procedure for assessing the effectiveness of a particular compliance program. The review of corporate electronic communication is one way of ensuring that organizations are complying with anti-corruption laws and ediscovery technology can be a critical piece of a thorough compliance audit. For example, the data analytics features in many leading ediscovery review platforms can help detect hidden or emerging compliance risks under anti-corruption laws.

In addition to assisting with a compliance review, legal professionals have increasingly leveraged ediscovery technology to facilitate the investigation and analysis of specific fraud matters. For example, in sensitive investigations, companies can rely on computer forensic experts to collect data and make use of mobile ediscovery technology which allows data to be processed, hosted and reviewed at the company’s premises, if need be. Data need not leave the premises while a sensitive investigation is underway. Most importantly, in France or anywhere around the globe, companies need to seek guidance from local experts to assist in the navigation of local data protection laws and with the collection, processing and analysis of electronic evidence in investigations and litigation.

Whether fighting fraud in France, investigating money laundering in Brazil or collecting data from a Chinese subsidiary in a U.S.-based litigation, organizations all over the world can manage a wide range of business and legal challenges using ediscovery technology.

James Farnell, KrolLDiscovery, Legaltech News

Editor’s note: this article originally appeared in Legaltech News.

As the world contemplates the ramifications of the EU referendum, we’ve speculated as to how Brexit might change the way our clients handle data transfers in litigation and investigations.

What legislative regime would govern the UK?

The UK currently operates under the Data Protection Act 1998, which was enacted to bring British law in line with the EU Data Protection Directive (DPD). Since Britain has voted to leave the EU it is likely that the Data Protection Act 1998 will remain unchanged at least during the transition period.

For businesses operating solely within the UK, this means business as usual. However, things become complicated when a business needs to transfer data to or from another European country.

The EU is currently in the midst of replacing the General Data Protection Directive with the General Data Protection Regulation (GDPR) and had Britain voted to remain, British businesses would have had to comply with this new, tougher legislation which includes:

• Increased fines, up to 4% of the annual global turnover
• A “Privacy by design” provision requiring that data protection is designed into business services. Companies will need to ensure they are adopting measures to protect data right from the start of a client engagement.
• Explicit consent being obtained for the collection and processing of data.
• The appointment of an independent Data Protection Officer.
• A “Right to be forgotten”. A client has the right to request the erasing of personal data. Companies will need to take steps to understand how they can comply with such a request.
• A prohibition on data being transferred outside the EU without approval from the relevant supervisory body.

However, Brexit is not simply a case of “in” or “out” and much of the potential consequences of leaving depend on whether or not Britain becomes part of the European Economic Area (EEA) or completely severs ties.

If Britain becomes part of the EEA, this would afford Britain the same status as other European countries such as Norway and Iceland. This would mean it would be designated a ‘safe area’ under the GDPR.  In business terms, this would make data transfers somewhat easier, assuming the EU found the UK’s safeguards to be appropriate.  However, this would mean that the UK would still be subject to the DPD and from May 2018, the GDPR, when transferring data across borders to comply with legal obligations in other countries.

An EU-UK Privacy Shield?

If the UK does not become part of the EEA, the UK would probably have to negotiate an agreement similar to the EU-US Privacy Shield in order for UK companies to continue to transfer data between the UK and countries in the EU.

In this scenario it is likely the Article 29 Working Party would suggest similar terms to the US:

• An ombudsman to handle complaints from EU citizens about the UK security services accessing their data.
• UK Security services / the Home Office to provide written commitments that Europeans’ personal data will not be subject to mass surveillance.
• An annual review or audit to check the new system is working properly.

The Upshot

Data protection legislation is changing regardless of the outcome of the referendum and British businesses need to be prepared for these changes. Until the UK finalises its data protection regime and comes to an agreement with the EU, companies need to think carefully about the risks of transferring data across European borders. However, business does not have to come to standstill; law firms and companies can rely on Kroll Ontrack’s mobile ediscovery solution and network of European offices and data centres to continue to process and transfer data in Europe in a compliant and cost-effective manner. We have always catered for the data protection needs of our clients as they take all laws and regulations into consideration.