The Impact of Global Laws on a Records Retention Schedule

advertisement
The Impact of Global Laws on a
Records Retention Schedule
The Impact of Global Laws on a Records Retention Schedule
By Tom Corey and Laurie Fischer
• Multinational companies employ over 23 million workers in the United States.1
• 48% of private U.S. companies have an international presence.2
• 75% percent of mid-market companies say going global is an integral part of their growth strategy.3 • 1/4 of small businesses indicated they are involved in global business.4
Companies are going global, and records managers must now know, or question, which countries’ laws will impact
their record management policies; understand the laws of those countries; and create a records retention schedule, or
multiple records retention schedules, to address their company’s global operations. This article discusses the general
principles determining which countries may have jurisdiction, global regional differences in records retention laws,
and guidelines for creating a global record retention schedule.
Identifying potential jurisdiction
Nationality principle
Country jurisdiction is the ability of a court within a
specific country to hear an action, criminal or civil, against
a person or company and hold them accountable to that
country’s law.5 International law recognizes five general
principles of jurisdiction: territorial, nationality, effect,
protective, and universality.6 A review of these principles
will help provide some guidance to records managers in
evaluating their global footprint.
The nationality principle states that a country has
jurisdiction over the citizens and/or nationals of its country.8
Under this principle, a country has the right to regulate the
activities of its own citizens. The most common applications
of this principle are anti-bribery/foreign corruption laws.
These laws prosecute people and corporations for illegal
activities conducted in foreign countries in an effort to
promote a commercial interest.9 The nationality principle is
distinct from the territorial principle, which is based on the
location of the activity. When evaluating which countries
Territorial principle
The nationality
principle is used to
enforce citizens’
compliance with antibribery laws.
The Federal Trade
Commission (FTC) has
invoked the effects
principle in anti-trust
cases involving nonU.S. companies.
The territorial principle states that a country has jurisdiction
over conduct that takes place within the country.7 For
example, if a company has employees working in a
country, then the labor laws of that country apply. In some
cases, the records related to that labor are located in other
countries; perhaps when an international company has
a centralized HR department. The record requirements,
however, are not based on the location of the records, but
on the location where the labor occurred.
1
U.S. Department of Commerce, Bureau of Economic Analysis, Summary
Estimates for Multi-National Companies: Employment, Sales and Capital
Expenditures for 2010, April 18, 2012 (Available at http://www.bea.gov/
newsreleases/international/mnc/mncnewsrelease.htm, last viewed July 19,
2013)
2
PRNewswire, PwC Survey Finds US Family Businesses More Optimistic
About Growth Prospects Than Global Peers, Showing Greater Appetite for
New Ventures Than Two Years Ago, January 7, 2013 (Available at http://www.
prnewswire.com/news-releases/pwc-survey-finds-us-family-businessesmore-optimistic-about-growth-prospects-than-global-peers-showing-greaterappetite-for-new-ventures-than-two-years-ago-185868352.html, last viewed
July 19, 2013)
3
Dan Tiemann, KPMG LLP, Mid-Market Companies are Going Global,
December 2012 (Available at www.kpmg.com/.../mid-market-companies-aregoing-global.pdf last viewed July 19, 2013)
Factors influencing whether the territorial principle applies,
giving a country jurisdiction over a company, may include
the following:
•
•
4
UPS, Perceptions of Global Trade Survey, 2011
5
Restatement (Third) of the Law of Foreign Relations § 402 (1988)
Whether the company is incorporated or organized
within that country
6
Id.
7
Restatement (Third) § 402(1)(A)
Whether the company has an actual location within
that country
•
Whether there are company employees within
that country
•
Whether the company files taxes within that country
1-866-229-8700 | huronconsultinggroup.com/legal
8
Restatement (Third) § 402(2)
9
See The Organisation for Economic Co-operation and Development (OECD)
Anti-Bribery Convention (available at http://www.oecd.org/daf/anti-bribery/
anti-briberyconvention,last viewed July 19, 2013), and Unites State Foreign
Corrupt Practices Act, 15 U.S.C. § 78dd
2
The Impact of Global Laws on a Records Retention Schedule
government.15 In cases like this, record management
is essential to show that the company paid employees,
recorded injuries sustained while employed, and was
compliant with the law of the country where the activity
occurred.
might have jurisdiction under the Nationality Principle, a
company should look at the location of the company and its
agents and employees.
Effects principle
Under the effects principle, a country has jurisdiction when
the actions of a party cause injury to another party in that
country.10 Under the effects principle, the country where
the injury occurred has jurisdiction. This principle applies
in product liability cases, for example. The effect principle
also applies in cases where the product is a web service.
Examples of web services that invoke the effects principle
include intellectual property infringements and cases where
the content (e.g., adult material) is illegal in the country
where the material is received. When considering whether
the effects principle applies, a company should look at
where its products and/or services are marketed and sold.
In sum, as a general rule, if a company or organization
actively pursues or engages in commerce within a
jurisdiction, either by people, product or service, then it
is subject to the laws and regulations of that jurisdiction.
A good rule to follow is if you want the protection and
privileges of a jurisdiction, you must apply the rules and
regulations of that jurisdiction.
Protective principle
The protective principle gives countries the right to protect
their national functions.11 The activities may occur inside
or outside of the country and may be by citizens of any
country. Examples of matters where the protective principle
applies include counterfeiting of national currency or
state seal, forging government documents, espionage, or
conspiracy to violate a country’s immigration or customs
laws. If a company’s activities threaten the state function of
a country, then the protective principle will apply and that
country will have jurisdiction.
Regional international distinctions
Both Spain and the
United Kingdom invoked
the universality principle
to bring charges against
Chilean President
Augusto Pinochet.
Once a company determines it is potentially subject to the
jurisdiction of a country, it should become familiar with the
laws of that country. This includes the company’s record
manager, who must become familiar with the country’s
laws to ensure the records retention schedule is compliant
with those laws. Often this requires specialized help, such
as a local attorney or firm familiar with records laws in that
country.
If you want the
protection and privileges
of a jurisdiction, you
must apply the rules and
regulations of
that jurisdiction.
The following section discusses some distinctions in laws
that impact records management in different regions
throughout the world. This analysis includes record
management issues associated with personally identifiable
or sensitive information (PII) and legal status of electronic
records, retention requirements associated with corporate
filings, customs, labor, and tax, and other considerations
such as statutes of limitations.
Universality principle
The universality principle recognizes the right of any state
to bring criminal proceedings regarding certain crimes,
irrespective of the location of the crime and the nationality
of the perpetrator or the victim.12 “It is based on the
notion that certain crimes are so harmful to international
interests that states are entitled – and even obliged – to
bring proceedings against the perpetrator, regardless of the
location of the crime and the nationality of the perpetrator
or the victim.”13 Normally these crimes include heinous
actions such as genocide, torture, or slavery.
United States and Canada
In both the United States and Canada, electronic records
are generally acceptable when records are legally required
to be kept.16
10
Restatement (Third) § 402(1)(C)
11
Restatement (Third) § 402(3)
12
Xavier Philippe, The Principles of Universal Jurisdiction and Complementarity:
How Do the Two Principles Intermesh? 88 Int’l Rev. of Red Cross 375, 377
(June 2006)
13
Typically these are crimes committed by governments or
government officials, but corporations become complicit in
these crimes when companies provide services that further
or advance these crimes.14 For example, the United States
claimed jurisdiction in a case against a pipeline company
when, to build a pipeline for Burma’s military, the company
used employees tortured and enslaved by Burma’s
Id. (citing Mary Robinson, ‘Foreword,’ The Princeton Principles on Universal
Jurisdiction, Princeton University Press, Princeton, 2001, p. 16)
14
Kendra Magraw, Corporate-Complicity Liability Under the Principle of Universal
Jurisdiction, 18 Minn. J. Int’l L. 458 (2009)
15
Id. at 472 (referencing Doe v. Unocal Corp., 403 F.3d 708 (9th Cir. 2005))
16
See 15 U.S.C. § 7001 and State Versions and Canadian Provincial Versions of
Electronic Transaction Act
17
See 16 C.F.R. § 318 et. seq. and State Versions
3
Countries may use the
protective principle to
protect the integrity of
their currency.
Companies have a responsibility to protect PII, and must
notify those impacted by a potential breach of that PII.17 In
the U.S., the laws promote safe handling of PII by placing
liability and notification requirements on the holder if there
is a breach. The U.S. approach is essentially a back-end
approach, addressing the issue only when a liability or
problem occurs, creating a financial burden on the holder of
PII to remedy the problem.
and retention requirements. The list can have nearly
2,000 record types with specified retention periods.21 In
addition to areas familiar to record managers in the United
States, the covered records include information technology,
building maintenance, correspondence, and various types
of contracts. Generally speaking, in the former Soviet
countries, if a company has a document (electronic or hard
copy), there is a specific retention requirement addressing
that specific type of document.
The federal governments in both Canada and the United
States provide retention requirements for corporate records
and customs documents. The federal governments, states,
provinces, and territories stipulate retention requirements
associated with labor (payroll, unemployment, health and
safety), environment, and tax. The United States and Canada
also have limitation periods for certain causes of actions
that companies may consider when determining a retention
period.
Some former Soviet Bloc and Eastern European countries
also impose long retention times on labor-related records.
In the United States and in most regions, retention
requirements for labor records (excluding certain medical
health records) typically range from three to 10 years.
In some of the former Soviet Bloc and Eastern European
countries, companies are required to maintain many
standard employment records for 75, 100, or 150 years, or
indefinite periods.22
Western Europe/European Union
Latin and South American countries
For countries within the European Union (EU), one of
the most distinguishing record management concepts
addresses the issue of handling PII. Unlike the back-end
U.S. approach, which addresses the issue only when a
liability or problem occurs, the EU regulates PII on the front
end, placing specific requirements on the actual handling of
PII. Among the restrictions are requirements that the holder
safely dispose of the PII when the company achieves the
purpose for which the PII was collected.18 For example, if PII
is used to determine whether a company should issue credit
to a person, once the company makes that decision, the
company should safely dispose of the PII.
In Europe the handling
of personally sensitive
or identifiable
information is a major
issue.
Many former Soviet
countries have detailed
record retention
requirements.
General distinctions in Latin and South America include their
approach to electronic records, handling of PII, and their
reliance on a general limitation period for record retention. In
the U.S. and in most regions, when a law requires a record,
an electronic version of that record satisfies the record
requirement unless specified otherwise.23 Many countries
in Latin and South America have not accepted electronic
versions of records and often require hard copies, with
supplemental electronic records being optional.24
As discussed above, in Europe, holders of PII are required
to dispose of the information when it is no longer needed.
In Latin and South America, by contrast, some countries
impose specific maximum periods for PII, such as two or
five years.25 Companies are free to dispose of the records
Also, under EU regulations, a company within the EU may
not transfer PII to another country that does not comply with
EU privacy regulations.19 In response to this requirement,
the U.S. Department of Commerce established a selfcertifying approach (“safe harbor”) to bridge the differences
between the disparate approaches and provide U.S.
companies a streamlined way to meet European privacy
regulations.20
18
European Parliament and of the Council of 24 October 1995, Directive 95/46/
EC, § II, Art. 7(f) (note – EU Directives are then implemented by member-state
laws or regulations)
19
U.S. Dept. of Comm., U.S.-EU Safe Harbor Program (available at http://export.
gov/safeharbor/eu/eg_main_018365.asp, last viewed July 19, 2013)
Eastern Europe/former Soviet Bloc countries
21
Examples of countries with this type of list include Georgia, Kyrgyzstan,
Lithuania, Moldova, Russia and Ukraine
The former Soviet Bloc countries have more developed
record retention requirements than other regions. For
example, in the United States and in most regions, there
are retention requirements for specific industries, and
generally for customs, environment, labor, and tax. In the
former Soviet countries, however, almost every type of
document has a defined retention period. Many of the
former Soviet countries have one law with a list of record
1-866-229-8700 | huronconsultinggroup.com/legal
Id. at § IV, Art. 25(1)
20
22
Referencing labor laws in Bosnia and Herzegovina, Bulgaria, Kyrgyzstan,
Macedonia, Montenegro, Romania, Serbia, and Slovenia
23
15 U.S.C. § 7001 and State Versions
24
Referencing various record management laws in Bolivia, Guatemala, Mexico
and Uruguay
4
25
Referencing Argentina, Brazil, Nicaragua, and Uruguay
26
Mexico Cd. of Comm., Art. 1047
The Impact of Global Laws on a Records Retention Schedule
before that time, but they may not hold on to the information
for a longer period.
Current member states include the United Arab Emirates,
Bahrain, Saudi Arabia, Oman, Qatar, and Kuwait.30 For
those countries, the GCC impacts retention requirements for
customs records: the GCC Customs Union, created in 2003,
includes retention requirements associated with the import
and export of goods.31
Latin and South America do not have many retention
requirements, but they do have well accepted norms of
retention that rely heavily on general limitation of action
periods. Mexico is a classic example of this, where
companies often defer to a 10-year retention period for
many records based on the general 10-year statute of
limitation that applies to many different types of actions.26
Creating a global records retention schedule
Creating a global records retention schedule or schedules
is a daunting task for today’s record manager. Nevertheless,
the variety of jurisdictions a company may be subject to
and the differences among these countries’ requirements
make this task necessary. Three potential approaches to
creating a global records retention schedule are: (1) create
a schedule for each country, (2) create a base schedule
and apply exceptions where required by law, and (3) create
regional schedules. The first two steps in the creation any
of these global schedules are to determine which countries
have probable jurisdiction and therefore impact the
company’s record retention schedule, and then to identify
each of those countries’ legal requirements associated with
record management.
Asia Pacific
The record management requirements of Asian Pacific
countries seem to parallel many of the general principles
used in other regions.27 For example, companies may
not hold PII longer than necessary, but there are not the
EU’s heavy restrictions with regard to the transfer of PII to
countries with different standards.
Asian Pacific countries generally have accounting
regulations that are common to most countries throughout
the world, but uncommon in the U.S. In the U.S., there are
implied requirements for accounting records through tax
assessment laws, but unless a company is specifically
regulated (either by industry or the Securities and Exchange
Commission), there are no real accounting retention
requirements. For most Asian countries and countries
throughout the world, if a company is registered in that
country, it is normally obligated to maintain accounting
records for ten years. Countries can audit these accounting
records for a number of purposes, including investigations
into anti-bribery/foreign corruption activities.
Individual country schedules
Under this approach, a company creates a separate records
retention schedule for each country where the company
engages in commerce. This approach has several benefits.
First, the schedule is better able to address the actual scope
of operations in each country. For example, if a company
is incorporated in but has no employees in that country,
it may not need to include labor records in the schedule.
Second, the schedule is better able to address the nuances
of that country’s laws. This approach also has some
downsides, however. One downside is a lack of corporate
uniformity. If a corporation is trying to have uniform policies,
then a separate schedule with separate policies for each
Middle East/Central Asia/North Africa
Many of the countries in Middle East, Central Asia, and
North Africa have legal concepts based on Islamic laws and
traditions known as Sharia Law. Sharia, which comes from
the word “path” in Arabic, guides all aspects of Muslim life,
including daily routines, familial and religious obligations,
and financial dealings.28 Some countries in this region
govern using dual secular and Sharia systems, while
others rely more on one or the other. For example, Saudi
Arabia relies heavily on Sharia law. As a result, in Saudi
Arabia there are few laws specifying retention periods and
limitation of action periods do not apply. However, in the
United Arab Emirates, the record management policies are
similar to those of Western Europe and Asia Pacific.
27
Countries reviewed include China (incl. Hong Kong), Indonesia, Japan,
Malaysia, Philippines, South Korea, Taiwan, Thailand, and Vietnam
28
Council on Foreign Relations, Islam: Governing Under Sharia, Jan. 9, 2013
(available at http://www.cfr.org/religion/islam-governing-under-sharia/p8034,
last viewed July 19, 2013)
29
Gulf Cooperation Council Website http://www.gcc-sg.org/eng/ (last viewed July
19, 2013)
30
Gulf Corporation Member States (available at http://www.gcc-sg.org/eng/
indexc64c.html?action=GCC, last viewed July 19, 2013)
31
Implementation Procedures for the GCC Customs Union (available at http://
www.gcc-sg.org/eng/index9038.html?action=Sec-Show&ID=93, last viewed
July 19, 2013)
Another consideration in the Middle East is the impact of
the Gulf Cooperation Council (GCC).29 The GCC is a regional
authority, similar in scope (without the currency) to the EU.
32
Attributed to Lao-tzu (c. 604-c. 531 BC), founder of Taoism
5
Many Latin American
countries still rely
heavily on hard copies
of records.
Sharia law plays an
important role in many
Islamic countries, but
provides little record
retention guidance.
country hinders that objective. This approach is also timeconsuming, and it is expensive to create and maintain many
schedules if a company does business in a number of
countries. Separate country schedules are good, however,
for companies with unique and independent operations in
each country.
using a regional approach. For countries within a region that
have longer retention requirement for certain records, the
schedule can note exceptions. While this approach takes
a great deal of organization, it is an efficient method for
companies with a large multi-national presence.
Conclusion
Base schedules with exceptions
The Tao proverb states that “the journey of a thousand
miles starts with a single step.”32 For companies facing
the challenges of records management in a globalized
environment, the first step is determining which countries
may have jurisdiction over them, their products, or their
services, and how that jurisdiction impacts their records
retention schedule. To avoid obstacles in the road,
companies should recognize that countries treat record
management differently, and therefore need to examine
each of those countries’ laws and regulations that impact
their schedules. Based on this information, companies
can determine the best path for their global retention
schedules. Like all great journeys, the route to a global
retention schedule never really ends. Companies change,
laws change, and as a result, records retention schedules
change. Companies should constantly re-examine their
schedules so as to stay on the right course.
A base schedule is one schedule used by the whole
company, including international offices. By using a base
schedule, a company is able to create a schedule that
satisfies a sufficient amount of legal requirements to make
the schedule efficient, and to promote company uniformity.
For countries with longer retention requirements, the
schedule includes an exception field. Organizations in
countries impacted by the exception field are required to
maintain the excepted records longer than organizations
in other countries. This approach is more desirable than
just choosing the longest retention period. Some countries
have excessively long retention period for records that
are costly to retain, and there can be additional indirect
costs related to locating and producing them in the event
of litigation. While schedules created with this approach
tend to be based on the legal and business concepts of the
company’s home country and sometimes do not take into
account regional differences, it is an efficient method if is
the company has a limited multi-national presence.
Regional schedules
Companies should
constantly re-examine
their records retention
schedules so as to stay
on the right course.
By examining the similarity of laws within certain regions, a
company can create a limited number of regional schedules
that capture the legal concepts of the countries in which it
operates, and still promotes uniformity. To be clear, there is
no such thing as “regional law.” Each country has its own
laws and regulations and the company needs to be aware
of those laws for the countries where it operates, but a
company can capture most of those laws in a few schedules
SeeThingsDifferently.
1-866-229-8700
huronconsultinggroup.com/legal
Huron Legal provides advisory and business services to assist law departments and law firms to enhance organizational effectiveness and reduce
legal spend. Huron Legal advises on and implements strategy, organizational design and development, outside counsel management, operational
efficiency, and discovery solutions, and provides services relating to the management of matters, contracts, documents, records, digital evidence
and e-discovery.
© 2013 Huron Consulting Group Inc. All Rights Reserved. Huron is a management consulting firm and not a CPA firm, and does not provide
attest services, audits, or other engagements in accordance with standards established by the AICPA or auditing standards promulgated by the
Public Company Accounting Oversight Board (“PCAOB”). Huron is not a law firm; it does not offer, and is not authorized to provide, legal advice
or counseling in any jurisdiction.
6
Download