15 October 2020

Compliance challenges in changing times

We are living in an era that in many ways, is being defined by crises – first financial, and now health. At the same time, the role and impact of corporate actors is growing to unprecedented levels. The influence of these actors reaches well beyond the economic sphere and into broader public and political arenas. Because of their growing significance, companies increasingly find themselves at the centre of society's expectations and demands. The many potential ramifications – from negative publicity and criticism, to litigation and regulatory exposure – are numerous. What will this new exposure mean for companies' legal compliance functions? This article highlights the recent trends.

Crises create change

All serious crises lead to regulatory changes. The Great Depression in the 1930s led to the regulatory state in the US. And – more recently – the 2008 financial crisis resulted in the current European financial supervision structure. The latter arising not only as black letter law but also – under much public pressure – affecting and regulating attitudes in the financial sector. So what will the Covid-19 crisis lead to and what are likely to be the consequences from a compliance perspective? Below, we focus on financial criminal law, health & safety, data & privacy, export control & sanctions, and competition law.

Financial, economic and corporate criminal law

The Covid-19 crisis will likely accelerate and mirror the developments that arose for the financial sector after the 2008 crisis. The financial crisis led to several shifts: from corporate trust to corporate distrust; from irregularities as perceived exceptions to good corporate behaviour to a perceived confirmation of general corporate irresponsibility; from regulation and enforcement as a last resort, to the belief that change does not come from within and that supervision is not enough, and that punitive enforcement by criminal law is necessary. It also accelerated legal flexibility regarding enforcement (risk-based regulation), the importance of principle based norms (client interest, duty of care, CDD, integrity) and the departure from strict legal boundaries (lex certa). This will likely lead to even greater distrust in corporates, a desire to control markets and a willingness to depart from legal due process requirements. For the financial sector, we expect no change as the generally expected relaxation of the regulatory approach is no longer in the cards. More specifically, we think financials will see further growth in their responsibilities clients and other third parties in more recent areas such as corruption and sanctions & export control. As for corporates, we foresee an increased scrutiny and distrust by the public, an increase in enforcement actions by authorities and a continued use of flexible (open) norms by legislators. For compliance, this will mean that the difference between ethically wrong versus illegal will continue to fade, and that the norms will continue to move from black and white, to a world dominated by grey. Navigating companies and employees safely in this environment will be the main future task of compliance.

Health, safety & environment

In the last decade, we have seen shifts in focus in the area of Health, Safety & Environment (HSE). First, it seems that compliance with occupational health and safety by corporates includes a public perspective; compliance is not only internally directed, but externally, too. Second, complying with regulatory regimes does not seem to be enough: there is more public scrutiny of the "licence to operate" and there seems to be less social acceptance of business activities impacting the environment. The third shift is that, currently it's not only the corporate stakeholders' perspective that is relevant: attention needs to be given to public expectations, customer pressure and stakeholder activism. Fourth, as society becomes increasingly more complex, regulations and decisions of regulators tend to be based on scientific insight and expert opinion rather than on policy objectives only. We see this now, amidst the Covid-19 crisis. This also implies that regulations or decisions tend to be more susceptible to public misunderstanding or distrust. And finally, as the Urgenda judgment and other cases before the courts show, there is a trend towards civil litigation against public bodies and corporates as a means to force compliance or even go beyond that – in addition to regulatory and criminal enforcement. These developments imply that HSE compliance is no longer a singular topic within an organisation dealing with public supervising authorities. It tends to be shifting more to the core of the organisation. How to be prepared? On the one hand, we suggest staying in close contact with the business to understand what the goals, ambitions and threats are. On the other hand, we recommend continuing to face outwards: are we keeping pace with society? What are the expectations we need to meet? In the end, we expect more litigation on HSE issues.

Data privacy

The Covid-19 crisis has unveiled the urgency of balancing public health and fundamental rights to data privacy. It has also accelerated the speed of change in the public and private enforcement-risk landscape. Since early March 2020, the European Data Protection Board (EDPB), which comprises Data Protection Authorities (DPAs) from all EU member states, has enhanced its coordinating efforts at unprecedented speed. It has swiftly issued several pieces of guidance on the use of personal data in the context of the Covid-19 outbreak, whereas issuing guidance would have otherwise taken months. It is clear that the EDPB has increased its authority and effectiveness over the last couple of months. Unlike enforcement in other areas, such as competition law, enforcement of the General Data Protection Regulation (GDPR) is still primarily organised at the level of the EU member states. This is why coordination between national DPAs is important to prevent fragmentation of rules and enforcement actions across Europe. Another, more recent factor that is likely to lead to more cooperation within the EDPB is the criticism issued by the European Commission in the first evaluation report of the GDPR for not making "full use" of the cooperation tools provided by the GDPR. Illustrating this increased cooperation are the three task forces – the only task forces ever formed by the EDPB – that were created within the EDPB in the last few months in order to coordinate enforcement actions and develop guidance. The pandemic has also increased people's reliance on technologies in professional and personal lives and shifted the patterns of consumption towards online commerce. This trend is bound to increase data monopolisation, which has been a concern for European competition, EU member states competition, consumer and data protection authorities already before the Covid-19 outbreak. Enforcement actions against companies' collection and use of personal data coming from consumer and competition authorities – rather than or in addition to DPAs – are even more likely in the future.. The public debate about the use of personal data – especially data about location and health – to contain the pandemic has increased public awareness and sensitivity about the use of personal data generally. Civil society and NGOs are becoming increasingly well organised and are obtaining sufficient funds (sometimes due to cooperation with professional claims funders) to seek injunctions and damages, both against the government in the context of Covid-19 and – more generally – against companies using personal data for commercial purposes. There are new avenues for them to do this effectively. First, article 80 GDPR, which allows for representative actions and, second, a new regime for mass claims in the Netherlands (in effect from 1 January 2020), which offers a possibility to claim damages in a mass claim. More than two years into the GDPR's effective date, there is also growing frustration by privacy NGOs and civil society about the relatively low impact of the GDPR enforcement by public authorities. It will therefore not come as a surprise that a combination of public and private enforcement will become the new normal in the GDPR enforcement landscape.

Export control & sanctions

In the expert controls and sanctions sector, a clear shift can also be observed. The classic purpose of export controls has been the prevention of the proliferation of weapons of mass destruction, as well as of items that can be used for their development and production, and the protection of national security in this traditional sense. Objects (including goods, software and technology) are typically "dual use" items, military items and other controlled items. Economic sanctions are aimed at countries, organisations, companies or individuals and are meant to change unwanted behaviour. In the traditional sense, sanctions are considered temporary political or geopolitical measures intended to force behavioural change and deter others from unwanted behaviour. Now, we are beginning to see export controls and economic sanctions with a new lens. We see export controls and economic sanctions aimed at securing economic and industrial interests in light of geo-political developments (Iran, Russia, China) and interests. But we also see an uptick in export controls that secure supply chains, focusing on areas such as biotechnologies, personal protective equipment and medical equipment, and on semiconductor manufacturing and rare earth minerals processing. In this context, we have seen a growing importance of interstate strategic competition. These developments take place against the backdrop of further divergence between the US and EU.

Competition Law

Competition law has an important role to play in assessing the legitimacy of economic actions taken by EU businesses in dealing with the impact of the coronavirus. Competition authorities continue to be supportive of sector-wide initiatives that are justified in view of the challenges posed by Covid-19. Cooperation between competitors may, for example, help to improve, or even guarantee, the distribution of food (supermarkets) and medicines. From a compliance perspective, these actions were pro-actively reported to and discussed with the relevant competition authorities. They often gave up-front comfort. The cooperation with and positive stance of the authorities towards these sector-wide initiatives might possibly serve as a blueprint in other important policy areas, such as sustainability (see our earlier article on this). However, Covid-19 does not lead to a carte blanche under competition law. The crisis is leading to certain product shortages, for example, personal protective equipment (PPE). In a free market, when demand outstrips supply, prices go up. However, given the current situation, competition and consumer authorities alike will continue to be keen to counter those price hikes.


We see compliance becoming more complex in all sectors. Overall, compliance is under public scrutiny and there seems to be less space for customisation or public trust. For the foreseeable future, the sector is sure to more tense and sensitive to the public eye and opinion.