International background screening
Expanding the due diligence process to include international background checks when the principal has a significant foreign history or the company is a non-U.S. entity is essential to sound risk management.
Availability of Information
The scope of the background check, while taking into consideration the risk level of the transaction, will depend on the information that is available in the public domain, and the customs, culture, and laws of each country. What may seem perfectly routine and acceptable in the United States may confuse or offend those in other countries. For example, credit checks are virtually unheard of abroad.
The collection of criminal information can also present logistical challenges. Many countries do not have an organized court system, and, records, if available, must be searched on a regional or town-by-town basis, or at multiple agencies (such as the police station, the court venue or a government agency, for example). Certain countries offer what is known as a “police certificate” which provides confirmation of the information about a subject found in police records.
Taking a “reasonable” approach to international background checks is particularly important in emerging markets, where many public records are unavailable or unreliable. The situation is improving, however, as it is now possible to obtain from almost any country business registration information regarding the owners and directors of a corporate entity, with the exception of the secrecy jurisdictions, such as the British Virgin Islands where ownership information remains inaccessible to the public. Most jurisdictions also maintain lists of debarred persons and companies. This is especially common in countries with well-regulated stock markets, such as Hong Kong and Singapore. Singapore also allows access to criminal records, while many emerging market jurisdictions consider an individual’s criminal record to be private.
Civil litigation records too are becoming more available; however, local knowledge and an understanding of the judicial system are critical to obtaining information legally. Searches in China, for example, are especially complex, as the filings can be held at either county, municipal, provincial or state level.
Media searches are possibly the most significant element of any international background check. If these checks are not performed locally, they at least should be conducted in the native language in the international databases available in the United States and the Internet.
Legal Compliance – Privacy Laws
Information privacy or data protection laws prohibit the disclosure or misuse of information maintained about private individuals. According to a report published by the United Nations Conference on Trade and Development, 66% of countries have enacted data privacy protection laws; 10% have legislation in draft form; 19% have no such laws, and 5% have no data available.
Arguably, the European Union (EU) has set the bar for privacy protection of personal data with its General Data Protection Regulation (GDPR) that went into effect in May 2018. The GDPR’s holistic view of personal data, defined as anything that can identify an individual — including a person’s address and image — is seen as the gold standard, differing from the patchwork of laws in the United States and some other countries.
Under the GDPR, global companies that transfer personal information of individuals located in the European Economic Area (EEA) to the U.S. must have a legal mechanism for these transfers. Until recently, hundreds of U.S. multinationals relied on the EU-US Privacy Shield (the “Privacy Shield”) framework to meet the GDPR requirements. Then, in July 2020, an unexpected ruling was handed down by the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (“Schrems II”) that invalidated the Privacy Shield which had been in place since 2016.
Now companies that subscribed to the Privacy Shield must find another GDPR-compliant solution for the transfer of data. The European Data Protection Board indicated in its July 23, 2020 FAQs that it will not be providing a grace period as the authorities had done for the EU-U.S. Safe Harbor framework following the “Schrems I” decision. Notably, the CJEU’s decision expressly stated that the standard contractual clauses (“SCCs”) previously promulgated by the European Commission are still a valid tool for data transfers from the EU to the United States. The SCCs are sets of contractual terms and conditions that the controller and the processor of personal data both execute to comply with GDPR’s requirements. The CJEU did not directly reference binding corporate rules (“BCRs”) which are used for intragroup data transfers and require prior approval of the competent data protection authority. For now, this means that BCRs remain a valid transfer mechanism under the GDPR as BCRs are of a similar nature to SCCs (they are both considered an “appropriate safeguard” pursuant to Article 46 GDPR). For some situations, an alternative is to look to the narrow derogations under Article 49 of the GDPR, such as to perform a contract, for “legitimate interest” purposes or base the transfer on the subject’s explicit consent.