It’s the second Friday in October and I am continuing my HorrorFest month. I usually call it Monster Movie Fest but this year I am celebrating the films of Val Lewton who really worked more broadly in the horror genre, rather than the types of films I have previously homaged from Universal Pictures and Hammer Films. Today, I take a deeper look into Lewton’s first film The Cat People.

The film starred Simone Simon who plays Irena, a woman from Serbia living in New York City who believes she is descended from a long dead race of cat people from her ancient village. She is a newly wed and refuses to sleep with her husband because she fears that she will transform into a panther if aroused to passion. When her husband, played by Oliver Reed works a little bit too long with a female co-worker, Alice; Irena becomes insanely jealous, stalking Alice to her home. This stalking creates two of Lewton’s most famous scenes where he uses shadows and suggestion to create some of the greatest tension I have ever seen in a horror film.

The first is the scene in which Irena is following Alice through Central Park. The audience expects Irena to turn into a panther at any moment and attack. At the most tense point, when the camera focuses on Alice’s confused and terrified face, the silence is shattered by what sounds like a hissing panther – but is just a city bus pulling up to a bus stop. This technique has been used many times since. Any scene in which tension is dissipated by a shock of startlement, is a termed a “Lewton Bus”. The second occurs when Alice takes a swim at her apartment after the bus scene. Alice is stalked by an animal never shown on camera only by its shadow on the water, walls and ceiling. Alice jumps into the pool, using the water to keep the creature at bay. When Alice screams for help, Irena turns on the lights and claims to be looking for Oliver. Alice emerges, wondering if she had imagined the whole thing, until she finds her robe torn to shreds.

I thought about Lewton’s use of suggestion as I read article over the past few days on the Schrems decision by the European Court of Justice (ECJ) and its potential effects on US companies going forward. According to a client alert, entitled “European Court rules Safe Harbor invalid in Schrems case”, by the UK law firm Cordery Compliance Limited (Cordery), the decision invalidated what was known as the ‘Safe Harbor’ provision, which acts as a blanket exemption to the prohibition on transferring data outside the European Economic Association (EEA) or jurisdictions adduced by the Commission to provide adequate protection of data. This meant that US companies could claim exemption and take personal and private data of consumers and employees out of Europe and back to the US.

The ruling also held that EU member states’ data protection “regulators do have the independent power to investigate complaints about the adequacy of the level of protection of data transfers to the US and to suspend data transfers if they conclude that the US (or indeed any other jurisdiction outside the EEA) does not provide an adequate level of protection.” Cordery said the effect of this second prong of the ruling, “is that the case will go back to the Irish High Court which referred it, and the Irish data protection regulator is required to examine Schrems’ complaint swiftly and decide whether, under EU Data Protection Directive 95/46, the transfer of the data of Facebook’s European subscribers to the US should be suspended on the ground that the US does not afford an adequate level of protection of personal data. The Irish regulator has already announced that they will be addressing this matter as quickly as possible.” Moreover, “Individual data protection authorities are given more power to investigate the adequacy of the protection of data in third countries, and to suspend transfers to those countries if they find them lacking – even if there has been a European Commission Decision to the contrary.”

Now consider a company that is in the middle of a Foreign Corrupt Practices Act (FCPA) investigation or is about to begin one, say next week, with this Schrems decision and in light of the recent Yates Memorandum and the attendant commentary from the Department of Justice (DOJ), what will that process now be? First and foremost, if a company wants any cooperation credit under the US Sentencing Guidelines it must target its investigation at individuals, and then provide that information in what seems like almost real time to the DOJ. Yet if individuals are in Europe or if even the data is in Europe, this may now put the company at risk from violating this new ECJ ruling because the decision takes effect immediately.

There are a couple of ways that companies can get data out of Europe under the ruling but they are very time consuming and could involve a regulatory process that may take between 12-18 months according to Jonathan Armstrong, a Cordery partner who I interviewed for my podcast, the FCPA Compliance and Ethics Report. Armstrong said a company can adopt Corporate Binding Rules around data privacy and if it can then persuade one EU country’s regulator that’s its data protection plan is sufficient, it can seek approval from other countries in the EU. But this process will take time and that is one of the luxuries you may not have in a FCPA internal investigation.

Armstrong said that leaves you with the alternative of seeking a target in an investigations permission to obtain his personal data. This means a full disclosure of the investigation and how the information can be used and most probably that the individual may be subject to extradition to and trial in the US. Moreover, as this is civilized Europe, you cannot threaten to fire the employee if he or she refuses to acquiesce, like you would do here in the US. If you make such a threat and the employee agrees, the consent would probably be thrown out under the doctrine of duress.

As you can see, the Schrems decision may affect not only FCPA investigations but also FCPA enforcement going forward. The DOJ had taken a very dim view of companies claiming that they could not get data out of certain countries due to data privacy restrictions. Now that issue may loom even larger going forward.

[View source.]