Foreword by Andrew Chilvers
As companies continue to look for opportunities in global markets, directors from diverse jurisdictions are hired to serve on the boards of foreign businesses as well as domestic ones that have operations and assets in other countries.
Enterprises across the world look for directors from other jurisdictions for any number of reasons. Hiring board directors from other countries can help to build investor confidence, for example. Likewise, an enterprise that is headquartered in a different jurisdiction but with a subsidiary in the US or Europe could seek directors to gain expertise and credibility. The director may have valuable international or local geographic expertise regarding business objectives, strategy, operations and risk management.
Nevertheless, serving as a director on the board of a global enterprise can bring major challenges. It’s true that during the past few years corporate governance laws and regulations have started to converge across regions, but there remain critical international differences regarding the responsibilities and liabilities of directors.
With recent data protection legislation across different jurisdictions, companies are now being held to account regarding their use of personal data. Will this result in a more litigious culture for companies and what does this mean for boards?
Colombia has very robust data protection legislation. It emerged from article 15 of 1991’s Political Constitution along with the enactment of laws 1266 of 2008, 1581 of 2012, and regulatory decrees 1727 of 2009, 2952 of 2010, 1377 of 2013 and 886 of 2014.
These norms impose many obligations on companies. They must have a policy for data protection and can only process data after obtaining an informed consent that can be consulted. The data processing must adhere to approved purposes, a notice of privacy ought to be granted, security measures should be guaranteed and the development of a risk management system is required. Furthermore, the international transfer of data requires a signed agreement between the data processing controller and processor; or a declaration of conformity regarding the data protection level of the country of destination, issued by the Superintendence of Industry and Commerce (SIC).
Other obligations include the registering of databases and reporting security incidents regarding processing of personal data to the SIC.
Thus, knowledge of foreign legislation is required for the transfer and transmission of international data in order to comply with the verification requirement that the countries receiving the information have levels of protection that are deemed adequate by the Colombian authority. Thereby, it is possible to confirm that in Colombia there is familiarity with other jurisdictions at least regarding organisations that carry out multinational or global management or have international interaction.
Colombian law applies to the processing of personal data performed in Colombian territory, abroad by entities established in Colombia and when applicable under international treaties to controllers or processors not established in Colombia. Therefore, a violation of the Colombian regime in a foreign territory, in the mentioned cases, can be investigated by the SIC, or questioned by the affected data holders.
Habeas data is a fundamental right recognised in Colombia’s national constitution which allows a particular action established in Law 1581 of 2012. This action requires a prior exhaustion of the process of consultation or claim before the entity that carried out the habeas data violation. If there is no attention to the claim, the complaint can then be made to the SIC, which has the power to investigate and impose economic sanctions on the offending company.
As for class actions, we have no knowledge of any being filed in Colombia in relation to habeas data. However, we consider this scenario to be perfectly plausible if there is a violation of subjective rights (which is the case of habeas data) to a group of individuals (which is possible considering the processing of personal data usually refers to several people) with the objective of obtaining the payment of compensation for suffered damages.
Company directors must be aware that the violation of data protection regulations can cause their companies and them, as individuals, significant economic damages, not only because they are potential subjects of economic sanctions from the SIC, but because they can also be condemned to the payment of damages to data holders in class actions.
In Colombia there is a so-called Responsibility of the Administrators who must act in strict compliance with legal provisions. This requires them to act professionally, diligently and proactively so that their organisation complies effectively and rigorously with regulations in general, which includes data protection regulations. They are jointly and unlimitedly liable for damages caused by negligence or fault, to the company, the partners, or third parties.
With global directors now increasingly in demand, how important is it for boards and directors to understand the different expectations of directors and different cultures of governance?
As mentioned above, it is essential that both boards and global directors understand the different governance cultures in other jurisdictions, so that global organisations build policies and procedures in compliance with local regulations of the countries in which they have operations or with which they interact.
It is also essential to have programmes that allow effective risk management and the effective and timely attention of complaints and claims regarding data protection, so that they can prove, in the event of an investigation or litigation, that their duty to act diligently and proactively was fulfilled; so they will not be involved in personal responsibility as administrators, given the responsibility of administrators established in Colombian law.
How important is an effective board that follows core principles of international corporate governance? Does this give boards a shield against litigation and other issues such as bankruptcy and bribery?
In this case, ‘tone from the top’ is essential. A corporate culture that comes from headquarters is key for the implementation of risk control systems regarding personal data. These systems must allow the effective reception and response of requests, complaints and claims from data holders, and must guarantee the exercise of their rights. For example, when a data holder requests the deletion of their data in global databases, or when they request proof or evidence of having given consent, all this must be addressed in the term and manner established in Colombian law.
From our experience as legal advisors to multinational companies, we see that policies and procedures are usually coherent. However, since the rules given by headquarters are applicable to the entire organisation, sometimes the particularities of local legislation are not considered, especially in terms of procedure.