In the current multi-jurisdictional enforcement environment, internal investigations have become an essential tool for multinational companies to detect and investigate improper conduct imputable to the company. Cross-border investigations present peculiar challenges, as they often involve players and information located in several countries, and subject to different laws.
One of these challenges stems from the need to comply with applicable data privacy requirements1. This article focuses on the practical considerations organisations should take into account when collecting, reviewing and transferring personal data as part of a cross-border internal investigation and prior to disclosing personal data to a third party.
The EU Data Protection Directive
The European Union has embraced the concept of data privacy as a fundamental human right since 1950, and has since taken significant steps to provide substantial data privacy protection. The EU Data Protection Directive2 (the Directive) introduced a legal framework for the recognition and protection of the privacy of personal data throughout the EU member states3. While the Directive directs all EU member states to enact legislation aimed at protecting the right to privacy, the way the Directive has been implemented in each EU member state is not consistent, which can affect how the data protection authority (DPA) in a particular EU member state applies and enforces those data protection laws in practice.
The Directive broadly defines ‘personal data’4 as data that identify a living individual or from which a living individual is identifiable, and ‘processing’ as any collection, recording, organisation, storage, alteration, consultation, use and disclosure of personal data. The Directive imposes several obligations on the entity which determine the purposes and the means of the processing (the data controller) and establishes certain rights for the persons whose personal data are processed (the data subjects).
The Directive provides, among other things, that the processing must be fair, lawful, relevant and not excessive in relation to the purposes for which the data are processed (proportionality principle). The proportionality principle is particularly relevant to internal investigations, as it dictates that the processing should be limited to the personal data that are strictly necessary to pursue the data controller’s legitimate interests. Accordingly, efforts should be made to collect, review and, where necessary, transfer documents that are material to the investigation.
Challenges created by EU data protection requirements
The standards set by the Directive as implemented in the national data protection laws need to be understood when conducting internal investigations in EU member states. In particular, the differences among EU member states’ national laws implementing the Directive must be carefully considered at the outset and during each subsequent phase of an internal investigation, as they may significantly influence the scope, the timing and the course of the investigation, the investigative techniques that are applicable and effective, as well as how information is processed.
During the initial stages of an investigation, it is important to identify what jurisdictions are at issue and to assess the procedural requirements of the relevant national data protection laws. In some EU member states, for example, notifications are required to be made to the local DPA as to the processing of personal data and of transfers of personal data outside the EEA. Any necessary filings or amendments should be made to the relevant DPA prior to commencing the investigation.
Given the differences between the EU member states’ national data protection laws, it is not surprising that the requirements applicable in the context of an internal investigation have lead to some uncertainty. In an effort to provide clarity, the European Commission’s Working Party on the Protection of Individuals with regard to the processing of Personal Data (the article 29 Working Party)5 has adopted guidance (the Guidance), which attempts to reconcile EU data protection obligations with information disclosure requirements in some foreign jurisdictions, such as the United States.6
Legal ground for processing of personal data
In order for an internal investigation to be conducted in compliance with EU data protection laws, the processing of personal data must be legitimate and satisfy one of the legal grounds set out in the applicable national law implementing the Directive. Although the Directive sets out several legal grounds for processing personal data, in practice the Guidance identifies three legal grounds relevant to an internal investigation. These include cases where the processing: is carried out with the consent of the data subjects; is necessary for compliance with a legal obligation to which the controller is subject; or is necessary for the purposes of the legitimate interests of the data controller, or of the third party or parties to whom the personal data are disclosed.
Where consent is the ground being relied on this must be freely given, specific and informed.7 For consent to be freely given the data subject must have a genuine choice whether to consent or not. As a result, the view in some EU member states is that it can be difficult to obtain valid consent, particular from an employee owing to a relationship of dependence that exists between an employer and an employee8.
Consent must also be specific, that is, given in relation to the specific purpose of the processing. In the context of an internal investigation, this means that blanket consent forms signed by employees as part of their hiring process may not be a valid tool to obtain consent, because they do not refer to the purpose, the scope and the potential consequences of the particular internal investigation.
Finally, consent must be informed, which requires that the data subject – typically, in the context of an internal investigation, employees, former employees and business partners – be provided with accurate and full information of all relevant aspects of the investigation, including what personal data will be processed, by whom it will be processed and for what reasons it will be processed. The data subjects must also be informed of their right to withhold consent and the consequences of doing so9.
However, even where consent is properly obtained, it may still be withdrawn by the data subject at any time and for any reason, which may disrupt the investigation. Moreover, in some instances seeking consent may not be practical where, for example, the company needs to process the personal data of former employees or third parties. For these reasons, a company involved in an internal investigation should consider relying, where possible, on an alternative legal ground for processing. This approach is supported by the article 29 Working Party, which notes that, ‘[a]s a principle, consent should not be seen as an exemption from the other data protection principles, but as a safeguard’.
Compliance with a legal obligation
While the Directive recognises compliance with a legal obligation as a ground for data processing10, the Guidance clarifies that an obligation imposed by a foreign legal statute or regulation ‘may not qualify as a legal obligation by which processing in the EU would be made legitimate’11. However, as commented in the Guidance, on a legal obligation in an EU member state to comply with a foreign court order, such as a court order made under the Hague Convention on the Taking of Evidence Abroad in Civil or Commercial Matters (the Hague Convention), would satisfy this legal ground12.
Necessary for the purposes of a legitimate interest
As mentioned, another possible legal ground to process personal data as part of an internal investigation is where the processing is in the legitimate interests of the data controller, or a third party to whom the data are disclosed, provided that such legitimate interests are not overridden by the fundamental rights and freedoms of the data subject13. In order to rely on the ‘legitimate interests ground’, the interests of the data controller in performing the document review should be balanced with the interests of the data subject whose personal data is being collected and reviewed. This balancing test should take into account issues of proportionality, the relevance of the personal data, the consequences for the data subject, the interest of the data subject in the data not being disclosed, transferred or otherwise processed (including the interest in not being made the subject of administrative, court or criminal proceedings) and whether there are less intrusive measures available which can be taken first.
To ensure proportionality, adequate safeguards should be implemented to try to limit where practical the collection and review of personal data to what is objectively relevant to the internal investigation. The Guidance suggests the following safeguards may be appropriate:
- performing a filtering process in the EU member state where the personal data are located and before any transfer outside the EU, to determine that the data are relevant.
- assessing the filtered documents to determine if personal data are contained in the documents by reviewing the filtered paper files and e-mails; and
- if the documents do contain personal data, considering whether personal data could be anonymised or redacted to remove the personal data.
Document preservation and data protection notices
After determining the relevant legislative requirements and legal grounds for an internal investigation, a document preservation notice should be sent to employees, instructing them to retain, and refrain from altering, documents that could be relevant to the investigation. In some EU member states, consideration should also be given to the potential role of ‘works councils’ in issuing preservation and collection notices.
Under the Directive, data subjects must also be informed of the processing of their personal data and their rights with respect to the processing. In particular, data subjects should be informed of: the identity of the data controller; the purposes of the processing; further information such as the recipients or categories of recipients; and the existence of certain rights, such as a right of access to the data and the right to correct inaccurate or incorrect data14.
Clearly, there are instances where informing the data subject of the investigation may impair the efficient progress of an investigation. There are limited exceptions to the requirement to give a data protection notice, including where it is necessary to safeguard the prevention, investigation or detection of a criminal offence15. The Guidance interprets this exception to apply where giving a notice would create a substantial risk of jeopardising the ability of a party to investigate the matter properly, or gather the necessary evidence.16 Such exceptions must be considered carefully, as their applicability and exact scope depend on the precise facts and the relevant EU member state data protection laws.
Document collection and review
In a subsequent step and prior to the actual collection, companies should consider involving employees familiar with the company’s record management and storage systems to learn where relevant hard copy and electronic files may be located and how they can be retrieved. Identifying relevant data at the outset of the investigation is important in meeting data protection requirements. Under the Directive, data may only be collected for specified, explicit and legitimate purposes and may not be used for incompatible purposes17. Investigators should therefore limit the collection to information that is relevant to the investigation.
Efficiently staffing the document review team is also critical, as the responsibility to review relevant personal data for the purposes of the investigation as a practical matter lies with the reviewers who have access to the entire set of documents collected.
In addition, data controllers are required to take all appropriate technical and organisational measures to protect personal data from accidental or unlawful destruction or accidental loss and unauthorised disclosure or access18 such as the use of encryption, access limitation and password protection19. In cases where a data processor is engaged to process the personal data on behalf of the data controller (eg, an e-discovery consultant), the data controller must obtain sufficient guarantees from the data processor as to the appropriateness of its security measures and ensure compliance with those measures, as the responsibility for processing remains with the data controller.
Transfers outside the European Economic Area
Cross-border internal investigations often require that at least some of the documents collected be transferred outside the EEA. The Directive imposes a prohibition on transfers of personal data to countries outside the EEA that do not ensure an adequate level of protection, except in certain limited circumstances20.
The European Commission has made findings of adequacy for a limited number of countries outside the EEA (for example, Argentina, Canada, Guernsey, Jersey, New Zealand and Switzerland) and so transfers to these countries are not subject to data transfer restrictions. Transfers of personal data to a country that is not considered to provide an adequate level of protection, such as the United States, are only permitted pursuant to one of the exemptions set out in the Directive21.
The most relevant exemptions include transfers:
- with the consent of the data subject, subject to the limitations discussed above;
- under the EU’s ‘standard contractual clauses’ for transfer of personal data to third countries, which are standard form data transfer agreements between a data exporter in the EU and a data importer outside the EU;
- to US companies listed by the US Department of Commerce as subscribing to the principles of the Safe Harbor Framework, which covers transfers of personal data from the EU and from Switzerland to the United States22;
- under ‘Binding Corporate Rules’, which are effectively a global code of practice based on European data protection standards allowing, once approved by relevant DPAs, an international organisation to transfer personal data outside the EEA to its other group companies; and
- where necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims. There is little guidance on the use of this exemption, however, the article 29 Working Party has commented that where the transfer of personal data for litigation purposes is a single transfer then the exemption can be used.23 The article 29 Working Party has also commented that another example of when this exemption would apply is where a parent company outside the EU is sued by an employee at a European subsidiary and the parent company requests the European subsidiary to transfer certain data relating to the employee if the data are necessary for the defence24.
As part of an investigation these exemptions need to be carefully considered to determine which is the most appropriate depending on the facts of the case.
Careful consideration of EU data protection requirements is necessary before a company initiates a cross-border internal investigation involving the EEA, to determine what exemptions, if any, from data protection requirements should be relied upon based on national data protection laws, whether any registrations need to be amended or made to the DPA, and the legal basis for any transfers of personal data from the EEA.
After this preliminary analysis, the investigation should comply with applicable requirements set out in EU data protection laws, such as the fair and lawful collection, the processing of data for specified, explicit and legitimate purposes, and the proportionality principle. Reconciling these requirements with the goal of conducting a thorough and conclusive internal investigation can sometimes be challenging, and requires a careful balance of the competing interests involved.
Finally, it is worth mentioning that the EU data protection regime is currently undergoing reform. The proposed EU Data Protection Regulation (the Regulation), which will replace the Directive, is likely to be adopted by the end of 2015, or early 2016. From the perspective of an internal investigation, the proposed Regulation is expected to introduce several additional requirements and concerns, including:
- application to businesses outside the EU;
- large fines for non-compliance of up to 5 per cent of annual worldwide turnover;
- enhanced transparency and consent requirements;
- detailed record keeping obligations; and
- a new right to request erasure of personal data.
However, perhaps the most significant proposed provision in the Regulation for investigations is the non-enforceability of judgments or decisions of non-EU courts or authorities that request personal data (without prejudice to existing international agreements), along with the data controller’s obligation, where such requests are made, to notify and obtain authorisation from the relevant DPA. If adopted, these additional requirements will require careful consideration when conducting cross-border internal investigations.
- Consideration should also be given to other national legislation such as blocking statutes in some EU member states and employment law.
- Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
- The territorial application of certain parts of the Directive extends beyond the 28 EU member states, including also the non-EU member states that are part of the European Economic Area – namely Iceland, Liechtenstein and Norway. See Agreement on the European Economic Area, Annex XI on Electronic Communications, Audiovisual Services and Information Society as amended by Decision of the EEA Joint Committee No. 83/1999 of 25 June 1999 amending Protocol 37 and Annexe XI (Telecommunication services) to the EEA Agreement, OJ L 296 of 23/11/2000.
- Personal data is defined under the Directive to mean ‘any information relating to an individual or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity’.
- Processing is defined very widely to include ‘any operation or set of operations that is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction’.
- The article 29 Data Protection Working Party is an independent advisory board established under article 29 of the Directive, and arguably the most authoritative interpreter of the Directive’s provisions. It comprises data protection representatives from each EU member state and the European Data Protection Supervisor. It advises on data protection matters.
- Working Document 1/2009 on pretrial discovery for cross-border civil litigation adopted on 11 February 2009 WP158 [WP158].
- Directive, article 2(h).
- Opinion 15/2011 on the definition of consent adopted on 13 July 2011, WP187 [hereinafter: WP187] page 13; referring, inter alia, to Opinion 8/2001 on the processing of personal data in the employment context adopted on 13 September 2011, WP48, in which the article 29 Working Party takes the view that ‘[r]eliance on consent should be confined to cases where the worker has a genuine free choice and is subsequently able to withdraw the consent without detriment’, p. 28.
- WP187, pp. 19–20. The ECJ held that the requirement that consent be informed implies that the data subject be directly provided with the necessary information – making the information available does not suffice. See Judgment of the Court (Grand Chamber) of 5 October 2004, Pfeiffer, Roith, Süß, Winter, Nestvogel, Zeller, Döbele in joined Cases C-397/01 to C-403/01.
- See WP187, p. 7.
- See Directive, article 7.
- See WP158, p. 9.
- The Hague Convention sets out a procedure for obtaining evidence by means of ‘letters of request’ issued by a judicial authority of a contracting state to the competent authority of another contracting state. However, not all EU member states are parties to the Hague Convention and some (for example, Germany) have declared that they will not execute letters of request for the purpose of obtaining pretrial discovery of documents.
- See Directive, article 7(f).
- See Directive, article 10.
- Id., article 13(1)(d).
- See WP158, p. 12.
- See Directive, article 6.
- See Directive, article 17.
- The Sedona Conference International Principles on Discovery, Disclosure and Data Protection: Best Practices, Recommendations & Principles for Addressing the Preservation Discovery of Protected Data in US Litigation, European Union Edition, published in December 2011 – principle 5, 20.
- See Directive, article 25.
- Id., article 26.
- The US-EU Safe Harbor Framework was agreed between the Department of Commerce and the European Commission in 2000. The separate US–Swiss Safe Harbor Framework was agreed through an exchange of letters signed on 9 December 2009 by the Swiss Federal Data Protection and Information Commissioner.
- WP158, p. 13.
- WP114, p. 15.