By Tim Rich
European data protection legislation is being used to hinder investigations into Latin America’s greatest corruption scandal.
Trafigura, a commodities broker based in Switzerland, has refused to hand over emails from two of its employees, who are being investigated as part of the Petrobras scandal that has seen the former president of Brazil, Luiz Lula da Silva, jailed and forced the resignation of his successor, Dilma Rousseff.
Earlier this month, Trafigura was asked by a judge in the Brazilian state of Parana to send over email archives belonging to Mariano Marcondes Ferraz and Marcio Pinto Magalhaes, who work for Trafigura’s Brazilian operation. Both men deny charges of bribing Petrobras officials.
Trafigura claimed it was not able to comply as releasing the two men’s emails would breach article 49 of the General Data Protection Regulation that came into force across the European Union in May last year.
The regulation states that data cannot be shared without the explicit consent of the owners of that data.
Trafigura stated that, if it were found guilty of a breach of GDPR it would be liable for a fine of four per cent of its global revenue, which last year stood at $180.4 billion.
Although Trafigura is based in Switzerland and is registered in Singapore, it claims it would still be liable under EU regulations, which cover companies that ‘offer goods and services within the European Union.’
Trafigura’s IT server is based in London while its holding company is headquartered in the Netherlands. In 2010 the Dutch government fined the company £840,000 for illegally dumping toxic waste off the shores of the Ivory Coast, which contaminated 30,000 inhabitants.
The Petrobras scandal which broke in March 2014, centred around Brazil’s state-controlled oil company – the largest in Latin America – accepting multi-billion-dollar bribes from construction firms bidding to build a petrochemical plant in Iraboraj near Rio de Janeiro, as well as other Petrobras projects across South America.
Some 50,000 workers had moved to the city to take what proved non-existent jobs when the plant was not built.
The four-year investigation into Petrobras’ culture of bribery, which allegedly included Presidents Lula and Rousseff, code-named Operation Car Wash, uncovered vast numbers of alleged underhand payments to local and national politicians and their associates.
The charges against Ferraz and Magalhaes, state that they bribed Pretrobas executives to sell them oil at a reduced rate. Three other Swiss-based companies – Vitol, Glencore and Mercuria Energy – are also being investigated for illegal trading with Petrobras.
Initial studies suggest Trafigura is within its rights to use European data protection legislation to attempt to block the investigation.
Toby Duthie of the Forensic Risk Alliance said: ‘Employees are required to give informed consent to the provision of their data to third parties. ‘The basis of this consent may change over time as the matter evolves.’
He said the fact that consent might be given to an internal investigation or civil litigation did not mean it could be handed to a criminal investigation ‘if the individual became personally implicated or liable in such a case’. This was not the case with the UK’s Data Protection Act which was replaced by GDPR.
The only way for the judiciary in Parana to proceed against Ferraz and Magalhaes would be to ask the European Union for ‘mutual assistance’ or to ask the Swiss government to intervene directly. Switzerland has similar data protection legislation to the rest of the European Union.
There are many who believe the EU’s determination to enforce GDPR whatever the cost has impeded trans-national fraud investigations. Tanguy van Overstraeten, a partner at the multi-national law firm, Linklaters, said: ‘One of the reasons sanctions under the GDPR have increased so much is to oblige companies to seriously consider the risk of violating EU law. This has even further confused the positioning of European companies, as solutions can only be found at a EU political level.’