Horizon 2020

Continued focus on individual liability

US and global regulators remain focused on pursuing the individuals responsible for corporate misconduct. Recent trials against individuals have, however, exposed the government’s liability theories to heightened scrutiny and, sometimes, rejection. As an example, the DOJ lost one of its first two spoofing prosecutions, and has faced mixed results in recent bribery-related trials. In the UK, the courts this past year rejected prosecutors’ attempts to hold the leaders of UK financial institutions criminally liable for alleged mismanagement during the financial crisis. Such outcomes have been less common with corporate defendants, which tend to settle enforcement actions well before trial.

With the DOJ’s charging theories increasingly tested, companies and their management teams should be aware that prosecutors have begun to explore novel legal avenues by which to pursue individuals – charging them under different, more accommodating laws that, for example, toll the statute of limitations or lack a complicated history of judicial interpretation.

Expansion of, and more experience with, the FCPA Corporate Enforcement Policy

The DOJ continues to revise and expand its 2017 Corporate Enforcement Policy (CEP), extending its principles to successor companies and beyond the Foreign Corrupt Practices Act (FCPA) context. In addition, in late 2019 the DOJ published revisions to the CEP, clarifying that companies should self-disclose potential violations as early as possible as opposed to waiting until after an investigation has been substantially completed. Put differently, the CEP continues to demonstrate how focused the DOJ is in getting companies in the door.

Companies eager to reap the CEP’s potential benefits should still, however, be mindful that authorities in different jurisdictions have divergent expectations with respect to corporate cooperation. The potential for a penalty reduction or declination from the DOJ may become less attractive if achieving it would result in hefty consequences in other jurisdictions (along with potential civil litigation exposure).

Discovery and privacy challenges: navigating conflicting regulatory requirements

Multinational companies have long faced challenges handling and producing data across borders. The 2018 implementation of 1. the EU General Data Protection Regulation (GDPR), and 2. the US Clarifying Lawful Overseas Use of Data Act (CLOUD Act) have done little, in practice, to simplify the data protection landscape, especially for companies caught at their intersection. Indeed, such businesses (particularly internet service providers) are subject to potential conflicts between US authorities and non-US privacy regulators, where the former might seek evidence stored abroad, the disclosure of which may run afoul of the GDPR (or of any of the myriad other data protection regimes, blocking statutes, and other data-related restrictions around the world).

Companies caught in the middle should:

1. be thoughtful about where and how they store their data across business units and corporate entities;

2. document efforts to comply with the GDPR, the CLOUD Act and other data-related regimes to defend against claims of breach; and

3. be aware that, in the wake of the first UK-US Bilateral Data Access Agreement, it has become easier for authorities in each country to obtain data directly from firms in the other by removing conflicting privacy restrictions facing these businesses.

Cyber enforcement focuses on disclosure and unfair trade practices

The US lacks an all-purpose, comprehensive data protection regime like the EU’s GDPR or those found in other jurisdictions. Nevertheless, US federal and state regulators have used a patchwork of special-purpose regimes – derived from statutory, regulatory and common law sources at both the federal and state levels – to bring enforcement actions, including in particular in relation to cyber incidents. Here, recent high-profile cases have stemmed from allegations of unfair/deceptive trade practices. For further information, please see our section on technology and business.