Data Protection

This is an Insight article, written by a selected partner as part of GIR's co-published content.

11.1 Introduction

Data protection law is a misleading term because the relevant framework will be a combination of employment, whistleblower, criminal and privacy laws. Companies and practitioners must navigate domestic and international legislation that touches on data protection, while ensuring they stay on the right side of regulatory and prosecuting agencies and co-operate with them to the extent that it is of benefit.

Handling data about individuals has become increasingly complex, particularly when the data protection regimes in different jurisdictions appear to impose conflicting obligations on data holders.

This chapter looks at UK (and some European) and US laws and how they frame issues around investigations and data protection. We look at internal investigations and those conducted by authorities and provide some specific guidance in respect of data protection and whistleblowing regimes.

In the United Kingdom, a balance must be struck between compliance and regulatory obligations that require the processing of data as part of investigations, and the protection afforded to individuals caught up in those investigations, primarily under the UK General Data Protection Regulation[2] (UK GDPR), which effectively retains Regulation (EU) 2016/679 (EU GDPR)[3] in UK law following the end of the Brexit transition period, and the UK Data Protection Act 2018 (DPA 2018).[4] In July 2022, the UK government introduced to Parliament the Data Protection and Digital Information Bill (the UK Reform Bill),[5] detailing wide-ranging reforms to UK data protection laws, including in relation to international data transfers and legal bases for processing data. The UK Reform Bill will be further negotiated, and may be amended, as it progresses through the UK legislative process before coming into force.

UK laws governing the interception and monitoring of communications may also require navigation in internal investigations. Although legislation protecting individuals’ data has existed for years, the increased sanctions for breaches under the GDPR (maximum fines being the higher of £17.5 million/€20 million or up to 4 per cent of annual worldwide turnover) and the increased regulatory focus on data privacy mean that investigators must take the protections afforded to individuals much more seriously.

Across Europe, the GDPR largely consolidated and harmonised the previous European data protection regime, but it does not necessarily simplify the issue between Member States. Each Member State may have its own laws in place as long as the basic standards of the GDPR are met; the GDPR is a floor and not a ceiling.

Both the UK GDPR and the EU GDPR not only catch UK/EU corporations and global company groups with a UK/EU presence (including their use of personal data outside the UK/EU to the extent that use is intrinsically linked with their domestic activities), but also affect any corporations overseas with no UK/EU presence that actively offer goods and services to, or monitor the behaviour of, individuals within the UK/EU, even if the data is stored overseas. Multinational organisations may be required to comply with both the EU GDPR and the UK GDPR, depending on the scope of the investigation in question.

In the United States, there is no uniform, omnibus federal privacy regime comparable to the GDPR; however, a patchwork of federal and state privacy laws may come into play in an internal investigation, particularly when reviewing and collecting employees’ electronic communications. To minimise legal risk, companies should provide employees with clear notice that their electronic communications stored on company systems or devices are subject to monitoring and search.

Given the territorial reach of both the UK GDPR and the EU GDPR, US and multinational companies may have to grapple with both sets of compliance obligations in conducting an internal investigation or responding to criminal or regulatory investigations. Where a US or multinational company’s obligations to comply with US legal demands for personal data conflict with GDPR limits on the processing and transfer of that data to the United States, the company must assess whether it can lawfully transfer responsive data to the United States that is subject to the UK GDPR or the EU GDPR, or both.

This assessment is all the more important and complex in light of the decision of the Court of Justice of the European Union (CJEU) in Schrems II (applicable in the United Kingdom and the European Union).[6] That decision invalidated the EU–US Privacy Shield (the framework designed to regulate the exchange of personal data from organisations in the European Union to Privacy Shield-certified organisations in the United States) and imposed a number of potential caveats on the use of standard contractual clauses (SCCs) (an alternative to the EU–US Privacy Shield as a data transfer mechanism) to transfer personal data to the United States. If the US or multinational company cannot lawfully transfer responsive data to the United States, it may need to negotiate with the requesting legal authority to narrow the scope of the request or to develop other ways of resolving the legal conflict. Where the conflict cannot be resolved, the US or multinational company may need to consider challenging the request on comity grounds, although such challenges have rarely succeeded in criminal or regulatory investigations.[7]

11.2 Internal investigations: UK perspective

Internal investigations will inevitably deal with personal data, particularly employees’ data, which in the United Kingdom is governed by the UK GDPR and the DPA 2018. For those conducting internal investigations, the key obligations to consider are:

  • transparency, namely the requirement to inform individuals about how their personal data is being used (unless there is a relevant exemption);
  • data minimisation, namely the requirement to ensure that use of personal data for the investigation is proportionate;
  • establishing a legal basis for the processing of personal data, as prescribed by the UK GDPR (consent and legitimate interest are two of the legal bases companies and practitioners can commonly rely on to process data in an internal investigation);
  • if applicable, establishing a relevant condition on which to process any ‘special categories’ of personal data or any criminal offences data that are involved (in addition to a legal basis for the processing); and
  • if personal data will be transferred or accessed from outside the United Kingdom, ensuring a legal basis for that data transfer, as prescribed by the UK GDPR (in addition to a legal basis for the underlying processing).

11.2.1 Transparency

The UK GDPR and the DPA 2018 require relevant organisations to inform individuals in advance about how their personal data is processed, in a clear and accessible manner, and prescribe the minimum information to be provided.[8] Meeting these obligations in internal investigations can present practical challenges if an organisation does not have a comprehensive monitoring policy, as use of employees’ personal data for investigation purposes may well be detrimental to, and unexpected by, those employees.

There are certain exemptions under the DPA 2018 to the specific obligation to provide minimum information to individuals. When collecting personal data directly from an individual, organisations need not provide data protection information that the individual already has (e.g., if set out in an employee privacy policy). A wider range of exemptions is available in circumstances in which the personal data is obtained from other sources. The most relevant exemptions in internal investigations apply if providing the information to the individual would be impossible or would involve disproportionate effort, or would render impossible or seriously impair achievement of the objectives of the processing; or if the organisation is required by law to obtain or disclose the personal data (under a binding legal obligation rather than, for example, compliance with a non-binding code of practice, an informal regulator request or a contractual obligation).

In addition to the transparency principles under the UK GDPR, the United Kingdom’s regulatory framework for communications monitoring also requires organisations to be transparent with employees about the interception and monitoring of their communications (in written policies and in consistent business practices). Taken together, in internal investigations, the data protection and communications regimes oblige organisations to be clear and open with employees about how their personal data and communications are used, and to ensure that any interception and subsequent review, use and disclosure of data and communications in an investigation is lawful and proportionate. Robust, clear and accessible data privacy information notices for employees, and policies on employee monitoring, will provide a valuable shield against claims of employee privacy infringement and non-compliant monitoring practices – at least in the United Kingdom.[9]

11.2.2 Data minimisation

The UK GDPR principle of data minimisation should be applied by organisations across their personal data activities generally, including internal (and external) investigations. Organisations should ensure that the collation, review, use and disclosure of individuals’ data during the investigation is proportionate and no more intrusive than necessary to achieve the legitimate purposes of the investigation. This will be relatively straightforward for clearly defined and focused investigations, but may prove more challenging to assess in practice in wide-ranging investigations requiring significant levels of data for loosely defined purposes.

Organisations would be well advised to document the investigation’s scope and associated personal data proportionality assessment, and to implement practical safeguards to ensure proportionality, such as appropriately limiting the scope of documentation, email and communications review and disclosure (limiting impacted custodians and individuals, using focused search terms and time periods to identify relevant information, etc.).

11.2.3 Legal basis for data processing: consent

Consent from individuals provides a legal basis for the processing of their personal data, provided the UK GDPR consent conditions are met. Consent must be given freely and clearly, and in plain language, and must be an affirmative act; it cannot be given by inactivity, such as pre-ticked boxes in an online form.[10]

In the typical employer–employee context of an internal investigation, the concept of consent being freely given is complicated. Given the dynamic, some jurisdictions consider that consent from an employee to an employer may never be freely given[11] – a position exacerbated in an internal investigation by the added element of potential wrongdoing by the employee or another individual, and tipping-off considerations.

Investigators should ensure they comply with the UK GDPR either by obtaining express consent from the data subject to process their data, or by relying on another lawful basis under the UK GDPR to process the data. Express consent may not be feasible in an internal investigation if it cannot be considered freely given, or because the organisation does not want to notify the individual of the investigation; blanket clauses in employment contracts will no longer be enough.

11.2.4 Legal basis for data processing: legitimate interest

The UK GDPR provides a number of other legal bases for the processing of personal data in certain circumstances.[12]

Under the UK GDPR, an organisation can consider the legitimate interests of a third party or public interest, as well as its own legitimate interests, when assessing the use and processing of personal data.

In an internal investigation, this ability could allow an organisation to rely on the lawful basis of legitimate interests (of a third party or public interest) to process personal data. The rights of individuals can, however, override a legitimate interest if the effect on an individual’s interests or fundamental rights outweighs the organisation’s (or a third party’s) legitimate interests.

The UK Information Commissioner’s Office (ICO) enforces data protection legislation in the United Kingdom and has set out a three-part, cumulative test for establishing whether there is a legitimate interest in processing the data:

  • Purpose test: is the purpose of the processing a legitimate interest?
  • Necessity test: is the processing of the data necessary and proportionate for the purpose (i.e., there is no alternative, less intrusive means of gathering or processing the same information)?
  • Balancing test: is the legitimate interest overridden by the individual’s interests, rights and freedoms?[13]

The UK Reform Bill proposes a number of ‘recognised legitimate interests’ for which the purpose and balancing tests are not required (although the necessity test remains), including detecting, investigating or preventing crime or apprehending or prosecuting offenders.[14] The Secretary of State is empowered to amend this list in the future, potentially expanding the range of processing activities that may be conducted on a legitimate interest basis without the need for purpose or balancing tests.[15]

To demonstrate compliance with the UK GDPR, organisations will have to document their decisions carefully (through a legitimate interests assessment).[16]

11.2.5 Special category and criminal offences data

When processing data in an internal investigation, data controllers must pay increased attention when dealing with special category data.[17] In an internal investigation, this kind of information will often be held in a human resources file that becomes part of a review within the investigation.

Employee emails or instant messages, etc., could possibly be considered special category data, as they could potentially contain data within this definition; however, it is certainly arguable that emails should not fall into this category on the basis that any special category data is incidental and not part of the primary purpose of the use of data in that context. This argument is strengthened by the application of data minimisation steps to ensure the special category data is not specifically identified or targeted as part of the investigation.

When dealing with special category data, organisations must establish both a legal basis for the data processing (e.g., consent, legitimate interests or another basis under the UK GDPR) and an additional, specific legal basis for processing the relevant special category data. The UK GDPR and DPA 2018 provide for a number of specific legal bases or conditions for the use of special category data.[18]

Information about criminal allegations, proceedings or convictions in relation to an individual may also be relevant in an internal investigation. This data is treated separately from special category data under the UK GDPR and requires a lawful basis for processing and legal or official authority to handle that data, which must be prescribed under national law.[19] These legal authority grounds are narrow, although some may be available in internal investigations, including prescribed public interest grounds, consent of the individual, and establishment or defence of a legal claim. Special category data and criminal convictions data should be handled with particular consideration, and organisations should ensure that the basis on which they are using this data is clearly documented.

11.2.6 Public interest

The public interest grounds for processing special category or criminal offences data may be useful in an internal investigation, especially where it is likely to be followed by a regulatory investigation and where consent or another legal basis is not available. These grounds are limited to the public interest purposes that are specifically provided for in national law. Under the DPA 2018, these public interest purposes are relatively narrowly defined, meaning public interest grounds will be difficult to satisfy in practice, and organisations should be confident in, and have clearly documented, their justifications before relying on this basis.

Under the DPA 2018, the public interest purposes that are of particular relevance to internal investigations relate to the prevention or detection of unlawful acts and to the protection of the public against dishonesty, in both cases provided there is also a ‘substantial public interest’.[20] Both provisions require that processing be done without the consent of the individual to avoid prejudicing the investigation. As the scope of the public interest grounds for data processing (under the EU GDPR as well as the UK GDPR) must be provided for under national law, it may vary across the European Union. Organisations should therefore seek local legal advice in the relevant Member States.

11.2.7 Data transfer outside United Kingdom and European Economic Area

Given the international scope of many investigations, companies should consider the practicalities of exporting data while complying with the UK GDPR and the EU GDPR (as applicable). If the personal data will be transferred or accessed from outside the United Kingdom or the European Economic Area (EEA) – whether from within the organisation’s corporate group or externally – that data transfer also requires a separate lawful basis under the UK GDPR or the EU GDPR, in addition to the lawful processing of the data itself. This restriction on data transfers does not apply to third countries recognised as ‘adequate’ by the UK Secretary of State or the European Commission respectively; personal data may be transferred freely to those countries.[21]

Following Brexit, relevant adequacy decisions have been passed by the European Commission and UK authorities to permit the unrestricted transfer of personal data between the EEA and the United Kingdom.

On 16 July 2020, in the Schrems II decision, the CJEU invalidated the European Commission’s EU–US Privacy Shield Adequacy Decision,[22] one of the key mechanisms for lawfully transferring personal data from the EEA to Privacy Shield-certified organisations in the United States, on the basis that the Privacy Shield did not provide an ‘adequate’ level of protection required under the GDPR for the transfer of data from the EEA to the United States. In the same judgment, the CJEU ruled that SCCs[23] remain valid in respect of any personal data export (not just EEA–US transfers), but imposed potential caveats on their use.

The data transfer safeguard most commonly relied on in investigations, for intra-group transfers within an organisation or to or from third-party providers involved in the investigation, is SCCs. These are European Commission-approved standard-form contractual agreements that put in place binding data protection obligations between the data exporting and importing entities.

For data transfers subject to the EU GDPR, the European Commission issued revised SCCs in June 2021,[24] which replaced the previous SCCs from 27 September 2021 (although contracts under the previous SCCs in place on this date could be relied on until 27 December 2022, by when all previous SCCs had to be migrated to the revised SCCs). For data transfers subject to the UK GDPR, organisations could continue to use the previous SCCs (but not the revised SCCs) until 21 September 2022 (although contracts under the previous SCCs in place on this date must be migrated to a UK GDPR data transfer mechanism by 21 March 2024) or rely on the ICO’s latest data transfer mechanisms under the UK GDPR. These UK GDPR data transfer mechanisms comprise an international data transfer agreement (a standard-form, stand-alone data transfer agreement) and an international data transfer addendum to the revised SCCs (a standard-form addendum to the revised SCCs, which allows the revised SCCs to be used for transfers subject to the UK GDPR).[25]

Following the Schrems II decision, organisations seeking to rely on the SCCs, for data transfers subject to the UK GDPR or the EU GDPR and pursuant to the revised or the previous SCCs, must assess, case by case, whether the law of the destination country ensures adequate protection for the personal data being transferred and, if required, put in place supplementary measures to ensure an essentially equivalent level of protection.[26]

In relation to data transfers to the United States specifically, the CJEU found in its judgment, in the context of the Privacy Shield, that the US legal regime did not ensure an essentially equivalent level of protection. The CJEU was particularly focused on access rights to data by US public authorities for national security purposes, and associated individual rights and remedies. In light of the evolving SCCs requirements and enforcement landscape in practice, organisations should carefully consider use of the SCCs to validate data transfers to the United States in internal investigations, regardless of whether under the EU GDPR or the UK GDPR, and document any data transfer assessments and any supplementary measures.

There are alternatives to SCCs, although they may not be as reliable in practice for organisations conducting investigations. These include the explicit consent of the individuals and transfers required to establish or defend a legal claim (applicable for occasional transfers only).

Different data transfer considerations apply in investigations by authorities.

11.2.8 Third parties to investigations

Companies and practitioners often rely on third parties to assist with internal investigations (e.g., in data analysis, legal advice or document review). These third parties will often need access to personal data. The UK GDPR requires that a contract (or equivalent legal act) be put in place where controllers engage the services of processors.

The contract must set out, among other information, the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller, as well as prescribed contractual obligations, including an obligation of confidentiality.[27]

11.2.9 Monitoring employees’ electronic communications

A framework of regulations is in place in the United Kingdom to govern the extent to which employers can intercept and monitor their employees’ electronic communications.[28] These communications regulations are triggered upon ‘interception’ of communications, which is defined as making the content of the communication available to a person who is not the sender or intended recipient, whether before, during or after transmission of the communication. In internal investigations, this will most likely be relevant when considering investigation-specific interception and monitoring of employee communications, or when assessing the legality of an organisation’s communications monitoring practices.

The default position is that employers may not intercept employee communications other than with the consent of both the sender and the recipient of the communication, or as authorised by the exemptions built into the legal framework. In practice, organisations carrying out internal investigations are most likely to rely on exemptions that permit interception: to monitor employee or external users’ compliance with rules governing use of the system (whether internal policies or legal or regulatory requirements); to maintain records and establish facts; to prevent or detect crime; or for information security purposes.[29] If consent is relied on for interception purposes, this should be distinguishable from any consent relied on for UK GDPR purposes (which sets a higher consent standard) so that both interception and data protection consents can be evidenced if required.

11.3 Internal investigations: US perspective

The United States has no single unified data protection regime; however, a patchwork of federal and state privacy laws impose various constraints on the extent to which a company may collect and review information about its employees, particularly their electronic communications.

State privacy laws in the United States vary considerably, but many states recognise a common-law right against unreasonable intrusions into a person’s seclusion or privacy. Such causes of action have arisen against employers following searches in the workplace.[30] Accordingly, companies are well advised to have written policies, which all employees must acknowledge, clearly providing that the company’s network and systems are subject to monitoring and search.

Other state laws place more specific prohibitions on employers that can limit the outer bounds of a company’s investigative actions, such as prohibiting questioning an employee on issues that serve no business purpose[31] or demanding that an employee disclose passwords and other credentials to personal email and social networking accounts.[32]

Various state and federal laws also restrict the collection of electronic communications, including emails (work and personal), phone calls[33] and social media accounts.[34] One primary federal law is the Electronic Communications Privacy Act,[35] which breaks down into the Wiretap Act (regulating interception of electronic communications),[36] the Pen Register Statute (regulating use of a pen register to track communications)[37] and the Stored Communications Act (regulating unauthorised access to stored electronic communications).[38]

These statutes do not generally prohibit an employer from searching its own email system;[39] however, they may limit an employer’s ability to use company-owned equipment to access an employee’s communications stored with third-party providers (e.g., Gmail),[40] at least without the employee’s consent. Other state laws govern an employer’s ability to collect and use biometric data like fingerprints, voice prints or vein patterns from employees. One such law is the Illinois Biometric Information Privacy Act, which requires informed written consent prior to collection of biometric information.[41]

Finally, besides state and federal laws, internal investigations in the United States may also be subject to extraterritorial GDPR restrictions. In particular, to the extent the investigation requires review of personal data stored in the United Kingdom or the European Union – for example, a locally stored employment file for an employee in a UK or EU affiliate – the company must evaluate whether:

  • the affiliate has a legal basis on which to disclose the data to the United States;
  • transparency obligations have been met and relevant information or notices have been provided (or an exemption applies);
  • data minimisation and proportionality principles have been applied; and
  • one of the conditions for the transfer of personal data to the United States has been met.

If the organisation cannot meet the requirement to legitimise the transfer, it may wish to consider ways of handling the data that do not involve transferring personal data to the United States, such as reviewing the relevant personal data in the United Kingdom or the European Union, or redacting personal information from the data set before it is transferred.

11.4 Investigations by authorities: UK perspective

Companies have always had to consider competing interests when dealing with investigating authorities, but data protection has, historically, rarely been near the top of any list of considerations. The very significant fines available under the UK GDPR mean that companies must take data protection much more seriously, particularly the disclosure of personal data to authorities in the United Kingdom and overseas.

The ICO has shown a willingness to use its powers under the UK GDPR to investigate and issue significant fines for breaches, as evidenced in its largest UK GDPR fines to date of £20 million against British Airways[42] and £18.4 million against Marriott International Inc,[43] both relating to significant data breaches.

It remains to be seen whether this initially robust approach to UK GDPR enforcement from the ICO will extend to the more nuanced environment of internal and regulatory investigations, with their frequently competing legal obligations. Moreover, following Brexit, organisations managing investigations that span the United Kingdom and the European Union may be subject to, and exposed to enforcement under, both the UK GDPR and the EU GDPR.

Providing data to authorities

Where authorities make requests for data, companies must be absolutely clear about the legal powers by which those requests are being made to ensure that they can comply with the request while fulfilling their UK GDPR obligations. The benefits of voluntarily handing over more data than specifically required have probably disappeared with the UK GDPR’s tougher data regulation regime. Among other things, the UK GDPR requires organisations to be transparent and provide information to individuals, minimise use of personal data, establish a legal basis for processing personal data and legitimise any transfers of data outside the United Kingdom (and the EEA, under the EU GDPR). These obligations apply equally in data disclosures to authorities.

In relation to establishing a relevant legal basis for data processing, as well as the grounds discussed above (consent, legitimate interests, etc.), the legal obligation basis may be relevant in responding to information requests and investigations by authorities. The UK GDPR and the DPA 2018 provide that personal data may be disclosed to comply with a legal obligation (excluding contractual obligations), but only to the extent necessary to comply with that legal obligation; a proportionality test applies. This ground can only be relied on to justify data processing where a clear and binding legal obligation is present under UK law. Obligations originating from outside the United Kingdom provide no legal basis for data processing on this ground, even where those obligations may be binding on a non-UK entity within an organisation’s global corporate group, for example. Organisations should carefully document the relevant legal obligation, and the associated assessment of necessity and proportionality, to evidence UK GDPR compliance.

In international investigations, companies will need to address the GDPR restrictions and requirements for the transfer of personal data outside the United Kingdom or the EEA. The considerations for organisations disclosing data to third-party authorities are slightly different from those concerning internal investigations. For example, reliance on individual consent or the SCCs is unlikely to be practicable. Transfers necessary to establish or defend a legal claim may be a helpful relevant ground in this context; however, it is only available for occasional transfers, so it may not be appropriate in ongoing investigations or longer-term engagement with authorities.

An alternative basis to consider is provided by the EU GDPR and the UK GDPR regime requirements for transferring data under international agreements, such as mutual legal assistance treaties (MLATs).[44] Using MLATs provides a structured system for exchanging information and evidence, but the process can be expensive and lengthy, which is particularly unhelpful where credit for early and responsive co-operation is sought, particularly when dealing with US authorities.

The 2019 UK–US Bilateral Data Access Agreement, in force from 3 October 2022, aims to alleviate these concerns by providing a streamlined alternative to the MLAT process, though it is limited in scope to certain communications data held by communications services providers, related to serious crime.[45]

As a general position, companies should be cautious when transferring data, even in response to requests from authorities.

Some national regulators (such as the Financial Conduct Authority and the US Securities and Exchange Commission) have reciprocal arrangements in place to transfer data. The use of these inter-regulator arrangements has a number of attractions; however, they often operate through a memorandum of understanding (MOU) between the regulators, which on its face does not satisfy the definition of a legal agreement under Article 48 of the UK GDPR and so may not be an appropriate method for data transfer. While the interpretation of Article 48 of the UK GDPR remains untested, caution should be taken about permitting data to be transferred outside the jurisdiction under an MOU between regulators.

An alternative method for complying with the UK GDPR may be to redact personal information before handing documents over to authorities, depending on the size of the document set. This may, however, be a very expensive way of satisfying the authorities and the UK GDPR, particularly as it would require not only the data subject’s name to be redacted but also any information from which the data subject could be identified. Further, determining the appropriate approach to redaction is not always straightforward: data should be sufficiently redacted to satisfy the UK GDPR, but undue redaction may not be welcomed by the receiving authorities.

11.5 Investigations by authorities: US perspective

As in the United Kingdom, companies in the United States must be mindful of GDPR restrictions in responding to subpoenas or other compulsory demands requiring the production of documents. Under US law, a company served with compulsory demands must produce any responsive documents within its possession, custody or control – wherever the data is stored. To the extent that responsive data is stored in the European Union and contains personal data subject to the UK GDPR or the EU GDPR, the company must produce it, notwithstanding its foreign location. As a result, US companies served with formal demands to produce documents may face a situation where their obligations to comply with US legal process conflict with the GDPR restrictions.

In addition, in a recent memorandum on corporate crime enforcement policies, the US Department of Justice (DOJ) reiterates its commitment to prosecuting individuals located abroad for cross-border corporate crimes, and encourages corporations to voluntarily disclose the misconduct of their employees or officers.[46] The DOJ memorandum also provides that in order for corporations to receive co-operation credit, they ‘must disclose to the Department all relevant, non-privileged facts about individual misconduct’.[47] Corporations with employees in the United Kingdom or the EEA that have committed corporate crimes subject to the DOJ’s jurisdiction may therefore face a dilemma in which their efforts to voluntarily disclose information to the DOJ to receive co-operation credit would conflict with the relevant GDPR restrictions.

A US company concerned that it faces a conflict should first discuss the issue with the regulator or law enforcement agency involved and attempt to narrow the scope of the request to avoid or minimise the need to produce data regulated under the UK GDPR or the EU GDPR. This is particularly important because, for the company to rely on the legal defence derogation to produce the data to US authorities, the data must be ‘necessary for the establishment, exercise or defence of legal claims’.[48]

At the same time, US law enforcement authorities and regulatory agencies are likely to put the burden on the US company to show that the GDPR prevents the transfer, and to require the company to identify all available bases to produce the documents.[49] Although the risk of breaching GDPR obligations should be a major consideration when dealing with investigating authorities, companies must balance this against the risks of non-compliance with US authorities, which may seek sanctions (including criminal contempt) against a company for failing to comply with investigators’ demands.

Where a company truly cannot comply with a demand for documents from US authorities without violating the transfer restrictions, and the company is unable to negotiate an adequate resolution with the US authorities, the company may choose to challenge the legal process. US courts have long held that, where it would violate foreign law for a company to produce certain documents in response to US legal process, the company may challenge enforcement based on international comity.

While courts have sometimes quashed subpoenas on comity grounds in civil litigation,[50] they have typically rebuffed such challenges in criminal investigations, finding that the domestic interest in enforcing the criminal laws outweighed the foreign data privacy interests.[51] On the other hand, the prospect of significant GDPR penalties may lead US courts to give more weight to foreign data privacy interests than they might otherwise. Indeed, US court decisions applying the international comity balancing test have sometimes turned, in significant part, on the low likelihood of severe penalties being imposed by foreign authorities.[52]

11.6 Whistleblowers

The interplay between the increased protections for individuals under the UK GDPR and the protections for whistleblowers under existing laws is particularly interesting for practitioners and companies. More and more, internal and government investigations are triggered by information from (often anonymous) whistleblowers. Senior managers must be acutely aware of the respect to be shown to whistleblowers and whistleblowing laws, in particular with regard to anonymity and protection of the individual.

The protection for whistleblowers in the European Union has been strengthened by national legislatures implementing the EU Whistleblowing Directive. The United Kingdom has not followed suit with similar legislation, but some of its existing laws offer more limited protections to whistleblowers.

11.6.1 Whistleblowing policies and data protection

Companies should have in place whistleblowing policies that respect the data protection principles – including specific whistleblower anonymity and privacy protections applicable in some jurisdictions – while also providing safeguards for the subject of the whistleblowing report, the whistleblower and the third parties mentioned in the report. Companies must also ensure that, by default, only the personal data necessary for the specific purpose of investigating a whistleblowing report is processed.

11.6.2 Right to access

Where an individual’s personal data has been processed during an investigation following a whistleblowing report, the individual will still have the right to access certain information as they would have done in any other circumstances. This includes the purpose and period envisaged for processing and how the data will be stored.[53] The personal information in a whistleblowing report can relate to whistleblowers, the persons under investigation, witnesses or other individuals mentioned, meaning that companies will need to uphold the data protection rights of all involved.[54]

In addition, under the UK GDPR, employees may demand any personal data held about them by their employer. This, the European Data Protection Supervisor has noted, is of particular concern in the whistleblowing context as it could, theoretically, risk exposing a whistleblower’s identity.[55] The Article 29 Working Party[56] stated that the right to access data may be restricted to ensure the whistleblower’s rights are protected and ‘[u]nder no circumstances can the person accused in a whistleblower’s report obtain information about the identity of the whistleblower from the scheme on the basis of the accused person’s right of access, except where the whistleblower maliciously makes a false statement’.[57]

This is reflected in the DPA 2018, which states that companies need not comply with a request for access to personal data if it would mean disclosing information about another individual who can be identified from that information, except if the individual has consented to the disclosure, or it is reasonable to comply with the request without that individual’s consent.[58] Companies may therefore be able to limit access to data following a whistleblowing report, but they will still need to balance the data subject’s right of access to personal data against the whistleblower’s rights and the rights of any third parties mentioned in the report.[59]

11.7 Collecting, storing and accessing data: practical considerations

Below are a few practical considerations for all investigations:

  • Involve data controllers and other relevant organisations at as early a stage as possible.
  • Identify any relevant documents to be transferred that contain special category data or any criminal offences data, and document the specific derogations or conditions on which that data will be used.
  • Document all decision-making relating to the handling of that data (particularly any assessment of legitimate interests as a lawful basis for processing).
  • Work with authorities to agree realistic expectations for the scope and timing of data requests.
  • Consider all options for the transfer of data outside the United Kingdom or the European Union, including domestic review, redactions, MLATs and the use of domestic authorities, as well as the legal bases for transfer under the GDPR, and document all decision-making relating to the international transfer of data.


[1] Stuart Alford KC, Serrin A Turner and Gail E Crawford are partners, and Hayley Pizzey, Mair Williams and Matthew Valenti are associates, at Latham & Watkins.

[2] UK General Data Protection Regulation (UK GDPR), available at 2016/679/contents. The Keeling schedule for the UK GDPR, which shows the changes made post-Brexit, is available at

[4] UK Data Protection Act 2018 (DPA 2018), available at 2018/12/contents/enacted.

[6] Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems, Case C-311/1 (Schrems II).

[7] See In re Grand Jury Subpoena dated Aug. 9, 2000, 218 F. Supp. 2d 544, 554 (S.D.N.Y. 2002) (‘Courts consistently hold that the United States interest in law enforcement outweighs the interests of the foreign states in bank secrecy and the hardships imposed on the entity subject to compliance.’) (collecting cases); see also In re Grand Jury Proceedings, 532 F.2d 404 (5th Cir.), cert. denied, 429 U.S. 940 (upholding grand jury subpoena against comity challenge based on foreign banking privacy laws).

[8] This minimum information includes, among other things, the purposes of the processing, the lawful basis for the processing, the recipients or categories of recipients of the personal data, details of data transfers outside the United Kingdom and applicable data retention periods.

[9] The position in a number of European jurisdictions (including France and Germany) is considerably more protective of employee rights and restrictive of an employer’s ability to intercept or review communications or to access employee devices.

[10] UK GDPR, Article 7 and Recital 32.

[11] The Guidelines on consent under the EU GDPR of the European Data Protection Board (EDPB) deem reliance on consent to be ‘problematic’ in an employment context and recommend that it not be relied on other than in exceptional circumstances. Guidelines 05/2020 on consent under Regulation 2016/679 (4 May 2020), at p. 9, available at The UK Information Commissioner’s Office (ICO) considers that the EDPB’s guidelines and opinions may offer guidance in applying the UK GDPR, in the absence of UK-specific guidance or regulations.

[12] UK GDPR, Article 6.

[13] ICO, ‘Lawful basis for processing: Legitimate interests’, available at -processing/legitimate-interests (the Legitimate Interests Guidance).

[14] UK Reform Bill, s.5(2) and Schedule 1.

[15] UK Reform Bill, s.5(4).

[16] Legitimate Interests Guidance.

[17] Special category data is defined in the UK GDPR and the DPA 2018 as ‘personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation’ (UK GDPR, Article 9; DPA 2018, s.10).

[18] UK GDPR, Article 9; DPA 2018, ss.10 and 11 and Schedule 1.

[19] In the United Kingdom, the UK GDPR and the DPA 2018 authorise the processing of criminal offences data in limited circumstances and subject to the conditions set out in the UK GDPR and DPA 2018: UK GDPR, Article 10; DPA 2018, ss.10 and 11 and Schedule 1.

[20] DPA 2018, Schedule 1, Part 2.

[21] For transfers under the Regulation (EU) 2016/679 (EU GDPR), the European Commission has recognised the following countries as having adequate protection: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, South Korea, Switzerland, the United Kingdom and Uruguay. For transfers under the UK GDPR, the UK Secretary of State has recognised the following countries as having adequate protection: all EEA jurisdictions, Gibraltar and jurisdictions recognised as adequate by the European Commission as at 31 December 2020. As at the time of writing, the United Kingdom has also agreed an adequacy decision in principle with South Korea, which is in the process of being formalised.

[22] Decision 2016/1250.

[23] Sometimes referred to as the ‘Model Clauses’.

[26] The EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (available at -supplement-transfer_en) set out the EDPB’s recommendations and guidance on how the required assessment may be carried out and provide examples of potential supplementary measures. The ICO has published an international transfer risk assessment tool, which provides guidance and a framework for conducting the required assessment for UK GDPR transfers. A final version was released in late 2022, available at -organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/transfer-risk-assessments/#TRA-tool.

[27] UK GDPR, Article 28(3).

[28] This framework primarily comprises the Investigatory Powers Act 2016 (IPA 2016); the Interception of Communications Code of Practice under the IPA 2016; and the Investigatory Powers (Interception by Businesses etc. for Monitoring and Record-keeping Purposes) Regulations 2018 (Business Interception Regulations) enacted under the IPA 2016.

[29] Provided for under the Business Interception Regulations and the Interception of Communications Code of Practice.

[30] See, e.g., Rowe v. Guardian Auto. Prods., 2005 WL 3299766 (N.D. Ohio 6 December 2005); Restatement (Third) of Emp’t Law: Emp’t Privacy & Autonomy ch. 7 (Council Draft No. 6, 2011) (introducing the tort of wrongful employer intrusion upon a protected employee privacy interest and stating that ‘[e]mployees have a right of privacy against wrongful employer intrusions upon protected employee privacy interests including personal information’).

[31] See 2 Cal. Code Regs. § 7286.7(b) (prohibits employers from inquiring into any issues that otherwise serve no ‘business purpose’).

[32] See, e.g., Cal. Labor Code § 980.

[33] Some states require the consent of all parties to legally record a phone call. See, e.g., Cal. Penal Code § 630 et seq. (2006); Conn. Gen. Stat. § 52-570d (2006); Fla. Stat. §§ 934.01 to .03 (2005); 720 Ill. Comp. Stat. 5/14-1, -2 (2006); Md. Code Ann. Cts. & Jud. Proc. § 10-402 (2006); Mass. Gen. Laws ch. 272, § 99 (2006); Mont. Code Ann. 45-8-213; N.H. Rev. Stat. Ann. §§ 570-A:1, 570-A:2 (2005), as amended by New Hampshire Laws Ch. 169 (H.B. 1353) (2016); 18 Pa. Cons. Stat. § 5701 et seq. (2005); Wash. Rev. Code § 9.73.030 (2006). Other states require just one-party consent. See, e.g., Ariz. Rev. Stat. Ann. § 13-3005; D.C. Code Ann. § 23-542(b)(3); N.Y. Penal Law § 250.00(1); N.J. Rev. Stat. § 2A:156A-4(d); Ohio Rev. Code Ann. § 2933.52(B)(4); Tex. Penal Code Ann. § 16.02(c)(4).

[34] See, e.g., Cal. Lab. Code § 980; 19 Del. Code § 709A(b); Md. Code Lab. & Empl. § 3-712(b)(1); Nev. Rev. Stat. § 613.135; N.H. Rev. Stat. § 275:74; 820 Ill. Comp. Stat. § 55/10(b)(1).

[35] See 18 U.S.C. §§ 2510-22, 2701-12.

[36] Id., at §§ 2511–2522.

[37] Id., at §§ 3121–3127.

[38] Id., at §§ 2701–2711.

[39] Id., at § 2701; see, e.g., Fraser v. Nationwide Mut. Ins. Co., 352 F.3d 107 (3d Cir. 2003) (holding that the insurance company that leased a computer system to an agent did not violate the Electronic Communications Privacy Act (ECPA) when it retrieved stored emails from computers); see also Scott v. Beth Israel Med. Ctr., Inc., 17 Misc. 3d 934 (Sup. Ct. N.Y. Cty. 2007) (holding that a policy that employees had no privacy right over material created, received, saved or sent using the employer’s computer system is sufficient to eliminate any expectation of privacy); United States v. Etkin, 2008 U.S. Dist. LEXIS 12834, at *14–16 (S.D.N.Y. 20 February 2008) (employees do not have a reasonable expectation of privacy when employers warn the employees via log-on notices or flash-screen warnings of a policy through which the employer could monitor or inspect the computers at any time); United States v. Angevine, 281 F.3d 1130, 1135 (10th Cir. 2002) (holding that there is no reasonable expectation of privacy where an employer’s policy ‘clearly warned computer users [that] data [wa]s “fairly easy to access by third parties”’); Muick v. Glenayre Elecs., 280 F.3d 741, 743 (7th Cir. 2002) (holding that any reasonable expectation of privacy the employee had in his work computer was eliminated when the employer announced that it could inspect the computer).

[40] See 18 U.S.C. § 2701(a); see, e.g., Lazette v. Kulmatycki, 949 F. Supp. 2d 748, 757, 758 (N.D. Ohio 2013) (denying an employer’s motion to dismiss claims under the ECPA where an employee alleged that her supervisor accessed unopened emails from her Gmail account through her employer-issued BlackBerry).

[41] 740 ILCS 14/1 (2008); id., at § 10.

[42] BBC, ‘British Airways fined £20m over data breach’, 16 October 2020, available at

[43] ‘ICO fines Marriott 18.4 million pounds for failing to secure customer data’, Reuters, 30 October 2020, available at:

[44] EU GDPR, Article 48. The UK GDPR does not mirror this specific provision, but the United Kingdom does recognise certain treaties on mutual legal assistance.

[45] The UK–US Bilateral Data Access Agreement (signed on 3 October 2019 and in force from 3 October 2022) allows both US and UK law enforcement authorities to ask their respective domestic courts to issue electronic data production orders directly against communications services providers in the other country, for the purpose of detecting, investigating and prosecuting serious crime, without going through the mutual legal assistance treaty process. The text can be found at _the_United_Kingdom_and_the_USA_on_Access_to_Electronic_Data_for_the_Purpose _of_Countering_Serious_Crime.pdf.

[46] The US Department of Justice (DOJ), ‘Further Revisions to Corporate Criminal Enforcement Policies Following Discussions with Corporate Crime Advisory Group’, 15 September 2022, available at

[47] Ibid.

[48] UK GDPR, Article 49; EU GDPR, Article 49.

[49] DOJ, ‘The Fraud Section’s Foreign Corrupt Practices Act Enforcement Plan and Guidance’, 5 April 2016, available at (the DOJ asserting that ‘[w]here a company claims that disclosure is prohibited, the burden is on the company to establish the prohibition. Moreover, a company should work diligently to identify all available legal bases to provide such documents’).

[50] See, e.g., In re Cathode Ray Tube (CRT) Antitrust Litig., 2014 WL 1247770 (N.D. Cal. Mar. 26, 2014); Motorola Credit Corp. v. Uzan, 73 F. Supp. 3d 397 (S.D.N.Y. 2014); Tiffany (NJ) LLC v. Forbse, 2012 WL 1918866 (S.D.N.Y. 23 May 2012).

[51] See, e.g., United States v. Davis, 767 F.2d 1025, 1033–34 (2d Cir. 1985) (according deference to the judgment of the Executive Branch that interest in enforcing criminal laws outweighed the interest of the Cayman Islands in preserving the privacy of its banking customers); In re Grand Jury Proceedings, 532 F.2d 404 (5th Cir.), cert. denied, 429 U.S. 940 (upholding a grand jury subpoena against a comity challenge based on foreign banking privacy laws).

[52] Compare, e.g., First City Nat’l City Bank, 396 F.2d at 905 (compelling the production of records notwithstanding potential conflict with German law, based in part on the finding that the ‘risk of civil damages [being imposed under German law] was slight and speculative’) with Tiffany (NJ) LLC v. Qi Andrew, et al., 276 F.R.D. 143, 159 (S.D.N.Y. 2011) (declining to compel production given the conflict with a Chinese banking statute, where the history of prosecutions demonstrated that the ‘statute has been used to prosecute individuals and that violations can result in serious punishment’).

[53] UK GDPR, Article 15.

[54] European Data Protection Supervisor: ‘Whistleblowing’, available at

[55] Ibid.

[56] Now replaced by the EDPB.

[57] Article 29 Data Protection Working Party, Opinion 1/2006, WP117 adopted 1 February 2006, available at

[58] DPA 2018, s.45.

[59] European Data Protection Supervisor: ‘Whistleblowing’, available at