International (outside of the US) refers to any country, jurisdiction, business activity, individual, or data operation that exists beyond the territorial boundaries of the United States. In compliance and regulatory contexts, “international” typically includes foreign entities, cross‑border transactions, global data transfers, multinational operations, and activities governed by non‑U.S. laws.

This term is widely used in legal, financial, and employment frameworks to distinguish between U.S.‑based requirements and those governed by foreign regulations, such as GDPR in the EU, PIPEDA in Canada, or local labor and privacy laws in Asia‑Pacific, Latin America, Africa, and the Middle East.

Consent for International Searches

A basic principle of conducting international searches on an individual is that you need a lawful basis for processing personal data. This principle applies to both employment-purpose and commercial background checks.

Although the number and type of lawful bases vary from one country to another (especially with the enactment of new data protection and privacy laws in many countries over the last several years), a lawful basis for processing personal data common to all international searches is the consent of the individual search subject. From a compliance perspective, obtaining an individual’s consent for the searches is the best practice.

Other than the requirements that the subject’s express consent be unambiguous and freely given, there is no universally prescribed format or wording for an international consent form.

If the subject’s consent cannot be obtained, you can look to a country’s data protection and privacy laws to determine if a different legal basis may be applicable for processing personal data that does not require the subject’s consent. It is always up to the controller of the data to determine the appropriate legal basis for processing personal data.

For individuals located in the EU or UK, there are several legal bases that will satisfy the compliance requirements under the EU GDPR, the UK GDPR and the Data Protection Act of 2018 (UK) if consent cannot be obtained. The controller can still request these searches if it has a legitimate interest in obtaining the individual’s personal data or needs the data to perform a contract.

If the request for the searches is based on a legitimate interest or performance of a contract, the individual must receive a notice of the controller’s intention to process the data. Notice can be given in several different ways, including directly to the individual, in an engagement letter or similar document, or by publication on the client’s website. The way the controller gives notice is their decision.

New Draft Guidelines Attempt to Clarify Territorial Scope of the GDPR

Since the adoption of the General Data Protection Regulation (GDPR) by the European Union (EU) in May 2018, businesses established outside of the EU have grappled with the question of whether the GDPR’s strict rules apply to them. Many commentators have noted that the GDPR provisions and recitals do not have an easy answer. The European Data Protection Board (EDPB) recently attempted to provide some clarification by publishing draft guidelines that include a commentary on the territorial scope of the GDPR. The EDPB’s guidelines also address the related issue of whether a non-EU company subject to the GDPR must have an EU-based representative.

GDPR’s Targeting Criteria

Arguably the most significant change to the regulatory landscape affecting an individual’s data privacy is the territorial scope of the GDPR’s Article 3 (2). Generally described as the GDPR’s “targeting criteria,” your business must be GDPR compliant if it engages in processing activities of an EU individual’s data (data subject) related to (1) offering goods or services to data subjects, or (2) monitoring data subjects’ behavior. Although the EDPB’s guidelines state that the targeting criteria is applied on a case-by-case basis, the guidelines provide several examples showing how the targeting criteria can be applied that clarify some basic points, such as:

  1. The data subject’s nationality or citizenship is irrelevant. The GDPR protects data subjects geographically located within the EU, without regard to the data subject’s nationality or citizenship. Conversely, data subjects outside of the EU, including EU citizens, are not protected by the GDPR.
  2. Geographic location and timing are critical. For purposes of applying the GDPR, the data subject’s geographic location is assessed at the moment when your activity occurs; e.g., when your goods or services are offered, or your monitoring of the data subject’s behavior begins.
  3. Charging for services is irrelevant. The GDPR protects data subjects regardless of whether your services are free.
  4. Cookies are considered monitoring. The GDPR protects data subjects whose behavior your business profiles or analyzes by using cookies or similar technologies.

GDPR Compliance and an EU-based Representative

A significant point clarified by the EDPB’s guidelines is that a non-EU company subject to the GDPR must appoint an EU-based representative, even though it does not have a physical location within the EU. A company’s Data Protection Officer, who can be an existing employee of the company under the GDPR, cannot fulfill the requirements for an EU-based representative. The purpose of the requirement is to ensure that a qualified individual or entity is located within the EU to whom regulatory authorities can address compliance issues. The guidelines also make clear that the EU-based representative can even be held liable for any non-compliance, including being fined or otherwise sanctioned.

Consultation Period

The territorial scope and the appointment of an EU-based representative pose two of the most critical issues that a non-EU based company faces regarding GDPR compliance. The EDPB’s draft guidelines address several other GDPR issues in addition to these, and a full version of the guidelines can be found here. The EDPB is taking public comments on the draft guidelines until January 18, 2019. Comments should be sent to the EDPB at EDPB@edpb.europa.eu.

The Swiss-U.S. Privacy Shield Framework is approved


The Swiss-U.S. Privacy Shield Framework (the “Framework”) made its debut on January 12, 2017 without much fanfare when Swiss federal councillor Johann Schneider-Ammann announced the Framework’s approval as a valid legal mechanism to comply with Swiss requirements for transferring personal data from Switzerland to the United States. The Framework, designed by the U.S. Department of Commerce (the “DOC”) and the Swiss government to align with the EU-U.S. Privacy Shield, will immediately replace the U.S.-Swiss Safe Harbor. The DOC will begin accepting self-certifications starting April 12, 2017 to give organizations ample time to review the new Framework’s principles and compliance requirements. For more of Scherzer International’s coverage of the EU-U.S. Privacy Shield, click here.

February 2nd, 2017 | Categories: Commercial Transactions Due Diligence

European Commission Adopts EU-US Privacy Shield as Replacement for EU-US Safe Harbor Framework


What this is about

On July 12, 2016, the European Commission formally adopted the EU-US Privacy Shield (the “Privacy Shield”), which will provide organizations a mechanism to comply with EU data protection requirements when transferring personal data from the EU to the US. This new privacy framework reflects the requirements set out by the European Court of Justice in its October 2015 landmark decision in Maximillian Schrems vs. Data Protection Commissioner, which declared the EU-US Safe Harbor privacy regime invalid.

Privacy Shield overview

The framework provides a set of robust and enforceable protections for the personal data of EU individuals, as well as transparency regarding the use of such data by participating companies, strong US government oversight, and increased cooperation with EU data protection authorities. For more information, see the US Department of Commerce (“DOC”) factsheet and FAQs.

Joining the program

The DOC will start accepting self-certifications beginning August 1, 2016. Organizations must identify and register with an independent dispute resolution provider prior to submitting their self-certification.

About self-certification

The decision to participate in the program is voluntary; however, once an organization publicly commits to comply with the framework’s principles through self-certification, that commitment is enforceable under US law by the relevant authority, either the US Federal Trade Commission or the Department of Transportation. To receive the Privacy Shield’s benefits, an organization must self-certify annually to the DOC that it agrees to adhere to the framework’s requirements, based on the privacy principles that include notice, choice, access, and transfer accountability. See the DOC’s guide for more information about participation and compliance requirements.

Disclaimer: This communication is for general informational purposes only, and does not constitute legal advice. No recipient should act, or refrain from acting, on the basis of any information provided here without advice from a qualified attorney licensed in the applicable jurisdiction.

For further information, please contact us at 1-866-723-2287.

The EU-US Privacy Shield Framework text is now available

U.S. Secretary of Commerce Penny Pritzker released a statement regarding the historic agreement, noting that the “EU-US Privacy Shield is a tremendous victory for privacy, individuals, and businesses on both sides of the Atlantic.”

The EU-US Privacy Shield Framework (the “Framework”) was designed by the U.S. Department of Commerce (the “DOC”) and European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.

The Framework provides robust and enforceable protections for the personal data of EU individuals, mandating transparency for participating companies, strong U.S. government oversight, and increased cooperation with EU data protection authorities. Offering EU individuals access to multiple avenues to address concerns regarding participants’ compliance and a free dispute resolution, the Framework makes it easier for EU individuals to understand and exercise their rights.

The European Commission proposed that the Framework be deemed adequate to enable data transfers under EU law, and that proposal is now in the approval process. Once an adequacy determination is made, the DOC will begin accepting certifications under the Framework. Similar to the certification process of the now invalid Safe Harbor, if a U.S.-based company wishes to join the Framework, it will be required to self-certify to the DOC and publicly commit to comply with the Framework’s requirements. While joining the Framework will be voluntary, once an eligible company certifies compliance, the commitment will become enforceable under U.S. law.

Read the fact-sheet about the EU-US Privacy Shield Framework here.

Read the full text of the EU-US Privacy Shield Framework here.

Judicial Redress Act of 2015 signed into law


On February 24, 2016, President Obama signed the Judicial Redress Act of 2015 (“the Act”) into law, a major step toward formalizing the recently announced privacy framework, the EU-U.S. Privacy Shield, which will replace the Safe Harbor program that was declared invalid by the European Court of Justice in October 2015. The Act’s intent, as explained by House Judiciary Committee Chairman Bob Goodlatte (R-VA), is to reestablish the United States’ credibility with the European Union following the highly publicized leaks of classified information in recent years.

The Act extends to the citizens of EU countries that permit commercial transfers of personal data [to the United States] similar rights to those enjoyed by US citizens under the Privacy Act of 1974, which established a code of fair information practices that govern the federal government’s collection, maintenance, use, and dissemination of information about individuals. The citizens of these EU countries will now be allowed to sue the United States for unlawful disclosure of their personal information obtained in connection with international law enforcement efforts. Under current law, only US citizens and legal residents can bring such claims against the federal government.

Read the text of the Act here.

The EU-US Privacy Shield for transatlantic data transfers makes its debut

Announced on February 2, 2016 by the European Commission, the new political agreement, called the Privacy Shield, reflects the requirements set out by the European Court of Justice in its ruling on October 6, 2015, which declared the old Safe Harbor privacy framework invalid.

The new arrangement calls for strong data privacy and security measures and robust enforcement of U.S. companies handling Europeans’ personal data, clear safeguards and transparency for U.S. government access, and effective protection of EU citizens’ rights with several redress possibilities.

The College of Commissioners is now preparing an adequacy decision regarding the Privacy Shield. The Article 29 Working Party (the “Working Party”), a data protection authority, is requesting that all documents be provided by the end of February 2016 so that it can complete its assessment of the new framework at a special plenary meeting shortly thereafter. In a statement issued February 3, 2016, the Working Party provided some assurances that during this period of transition, existing transfer mechanisms, such as standard contractual clauses (data transfer agreements approved by the Commission) and binding corporate rules (generally described as internal data processing rules, binding on all members of a global corporate group, that permit intragroup transfers of personal data), can still be used as transfer tools to the U.S.

Organizations that certified compliance under the Safe Harbor regime must continue to meet their obligations in connection with previously transferred personal data to avoid enforcement actions by the Commerce Department or the Federal Trade Commission, which consider the Safe Harbor as still binding. In the interim, implementing the above-mentioned clauses should also be considered to the extent they supplement the Safe Harbor platform. It appears that the Privacy Shield, at least initially, will rely significantly on the Safe Harbor framework, and it is likely that the Department of Commerce will offer a means for Safe Harbor certified organizations to transition to the Privacy Shield.

Province of Ontario passes the Police Record Checks Reform Act

On December 1, 2015, Ontario passed the Police Record Checks Reform Act, 2015 (the “Act”) which has significant implications regarding criminal record checks. The Act establishes comprehensive standards governing the type of information that can be disclosed by police in response to record check inquiries, and is intended to remove unnecessary barriers to employment, licensing, holding office, applying to educational programs and participating in volunteer activities. Its main objective is to prevent the inappropriate disclosure of non-conviction and non-criminal records, such as information obtained from street checks or “carding,” as well as mental health information.  

Possibly the most significant requirement under the Act is that the individual must review the requested information and then consent to its disclosure. In the event that potentially inappropriate non-conviction information is included in a record, the Act provides that the individual may request a reconsideration of the disclosure. As a result, employers who conduct employment criminal record checks will now only be able to obtain the results if the applicant/employee has consented to the disclosure. 

Bribing for business: Russia and China score lowest in fighting corruption

According to a survey released on November 3, 2011, by Transparency International, a non-profit corruption watchdog, Russia and China got the lowest scores in its 2011 Bribe Payers Index, which ranked the 28 largest economies according to the probability of companies headquartered in these countries practicing bribery. The scores were calculated from responses of 3,016 executives in 30 countries who had business dealings in those economies.

Companies based in China and Russia scored below 7 on a scale of 10, at 6.5 and 6.1, respectively. Mexico, with a 7.0 score, was third from the bottom. Companies in the Netherlands and Switzerland tied for first place with scores of 8.8, with Belgium, Germany, and Japan rounding out the top five.

The survey also ranked the business sectors in which bribery was perceived to be prevalent. Public works and construction were reported as the most affected, along with oil and gas. Agriculture and light manufacturing were ranked as the cleanest.

The report noted that “there is no country among the 28 major economies whose companies are perceived to be wholly clean and do not engage in bribery.” And the scores, on average, have not improved significantly from the 2008 Bribe Payers Index. The average score of the 22 countries covered by both editions increased only 0.1 points to 7.9 in the latest edition.

The survey also found that “international business leaders reported the widespread practice of companies paying bribes to public officials in order to, for example, win public tenders, avoid regulation, speed up government processes or influence policy.” However, companies are almost as likely to pay bribes to other businesses, according to the survey, which looked at business-to-business bribery for the first time. This suggests that corruption is not only a concern for the public sector, but for many businesses, and carries major reputational and financial risks.

November 3rd, 2011 | Categories: Commercial Transactions Due Diligence

U.K. Bribery Act now slated to take effect July 1, 2011

After receiving widespread criticism for the lack of guidance and compliance clarification, the U.K. Bribery Act of 2010 (Bribery Act), originally scheduled for implementation in April 2011, is now set to take effect July 1, 2011. The act’s jurisdiction extends to commercial organizations incorporated or formed in the U.K. or “which carr[y] on a business or a part of a business in the U.K. irrespective of the place of incorporation or formation.” Determination of such existence will be made by the U.K. courts and will require “a demonstrable business presence.” The official guide states that an organization will not be deemed to be carrying on a business in the U.K. merely by virtue of having its securities listed on the London Stock Exchange or by having a U.K. subsidiary.

Unlike the anti-bribery provisions of the U.S. Foreign Corrupt Practices Act (FCPA), which focus primarily on corruption involving non-U.S. government officials, the Bribery Act widens its scope to prohibit domestic and international bribery across both private and public sectors. And while the FCPA allows exceptions for facilitation payments (generally small payments to lower-level officials for “routine government actions”), the Bribery Act does not. These payments were illegal under the previous legislation and the common law, but the difference under the Bribery Act is that non-U.K. organizations are broadly subjected to these restrictions for the first time.

The Bribery Act specifically criminalizes the offering, promising or giving of a bribe (active bribery) and the requesting, agreeing to receive or accepting of a bribe (passive bribery) to obtain or retain business or secure a financial or other advantage. It also contains a provision whereby an organization that fails to prevent bribery by anyone associated with the organization can be charged under the Bribery Act unless it can establish the defense of having implemented preventive “adequate procedures.” The official guide recommends the following six principles as the foundation for developing “adequate procedures” to prevent bribery:

  • Proportionality – Actions should be proportionate to the risk, nature, size and complexity of the organization.
  • Top-level Commitment – The board of directors, owners, officers or equivalent top-level management should establish and promote a culture where bribery is never acceptable and be committed to preventing bribery, both within the organization and with anyone associated with the organization externally.
  • Risk Assessment – Various risk exposures, both internal and external, such as country of operation, business sector, types of transaction, new markets, and business partnerships should be evaluated and documented on an ongoing basis.
  • Due Diligence – Proportionate, risk-based approach to due diligence procedures assessing existing and proposed relationships should be taken to ensure trustworthy associations and mitigate identified bribery risks.
  • Communication – Appropriate channels of communication, awareness and training, both internal and external, on anti-bribery policies and procedures should be implemented and evaluated on a regular basis.
  • Monitoring and Review – Anti-bribery policies and procedures should be monitored on an ongoing basis and amended as quickly as possible when activities and risks change.

The penalties for violating the Bribery Act are severe, with individuals facing up to 10 years in prison and organizations facing unlimited fines. Violations also may result in damaging collateral consequences such as director disqualification, ineligibility for public contracts, and asset confiscation.
