Trafigura, citing GDPR concerns, tells Brazilian courts it cannot disclose emails in bribery case

Multinational trading company Trafigura, implicated in a bribery scheme with Brazilian state-controlled oil giant Petrobras, has told Brazilian authorities it can't disclose the contents of emails of two former officials of the company to the courts because doing so could violate European data protection laws, according to court filings.

In a letter dated December 31, Trafigura told its Brazilian unit that “After consulting with our external legal counsel […] we have concluded that we will need to take further, detailed legal advice from local counsel in a number of jurisdictions (including, at least, the United Kingdom, Netherlands, and Switzerland) in order to understand whether and how historical e-mails can be transferred to Brazil in compliance with law.”

The company cited its operations in Europe.

“As a European company with e-mail servers located in Europe, Trafigura is subject to the European Union General Data Protection Regulation and relevant national member state laws. These laws prohibit the transfer of personal data outside of the European Economic Area, unless certain conditions are met. These conditions are strict and limited, and the EU does not have a mutual recognition of Brazil as having adequate data privacy protections,” the UK Trafigura unit said.

Trafigura’s IT servers are located in London; the main holding company of the group is Dutch, and its headquarters is in Switzerland, the multinational wrote. Penalties for GDPR violations could reach up to 4 percent of annual global turnover, or 20 million euros — whichever is greater.

Trafigura’s lawyers in Brazil told the federal court handling the case they will continue to inform it about developments on the matter.

In a recent filing, federal prosecutors who charged Mariano Marcondes Ferraz and Marcio Pinto de Magalhães, two former employees of the company, asked Trafigura to sign a document promising to preserve the data of the mailboxes until the matter is solved. Prosecutors fear evidence could be lost without access to those emails.

The external legal counsel letter, signed by international law firm Quinn Emanuel Urquhart & Sullivan, said that in providing emails to any regulatory authority, Trafigura “must satisfy itself that it has a lawful basis for doing so under article 6 of the GDPR.”

It also said Trafigura must balance interests, rights and expectations of data subjects. “Again, this is an issue that requires closer examination and analysis and written consideration of the balancing exercise in accordance with the accountability principle in the GDPR.”

The external counsel acknowledged that Brazil recently passed its own data protection law but noted that “this law is not currently relevant to the GDPR analysis, since it does not enter into force until 2020.”

On Dec. 14, Mariano Marcondes Ferraz and Marcio Pinto de Magalhães were charged with corruption offenses. The Lava Jato corruption task force is investigating bribery schemes involving multinational trading companies and Petrobras officials.