Data Protection in Investigations

This is an Insight article, written by a selected partner as part of GIR's co-published content.

40.1 Introduction

Data protection law is a misleading term because the relevant framework will be a combination of employment, whistleblower, criminal and privacy laws. Companies and practitioners must navigate domestic and international legislation that touches on data protection, while ensuring they stay on the right side of regulatory and prosecuting agencies and co-operate with them to the extent that it is of benefit.

Handling data has become increasingly complex, particularly where the data protection regimes in different jurisdictions appear to be imposing conflicting obligations on data holders.

This chapter will look at both UK (including some European) and US laws and how they frame issues around investigations and data protection. We will look at internal investigations and those conducted by authorities, and provide some specific guidance in respect of data protection and whistleblowing regimes.

In the United Kingdom, a balance must be struck between a company’s compliance and regulatory obligations that require the processing of data as part of investigations, and the protection afforded to individuals caught up in those investigations, under the General Data Protection Regulation (GDPR). Although legislation protecting individuals has existed for years, the increased sanctions for breaches under the GDPR (fines being the higher of €20 million or up to 4 per cent of annual worldwide turnover) will mean that those conducting investigations must take the protections afforded to individuals more seriously than they did previously. The GDPR (which took effect on 25 May 2018) largely harmonised the position within the European Union but does not necessarily simplify the issue between Member States. Each Member State may have its own laws in place as long as the basic standards of the GDPR are met; the GDPR is a floor and not a ceiling.

Furthermore, the GDPR not only catches EU corporations, but also affects any corporations outside the European Union that deal with EU data, even if the data is stored outside the European Union.

In the United States, there is no uniform, omnibus federal privacy regime comparable to the GDPR. However, a patchwork of federal and state privacy laws may come into play in an internal investigation, particularly in the context of reviewing and collecting employees’ electronic communications. To minimise legal risk, companies should provide employees with clear notice that their electronic communications stored on company systems or devices are subject to monitoring and search.

Furthermore, given the GDPR’s extraterritorial reach, US companies may have to grapple with GDPR compliance obligations in conducting an internal investigation or responding to criminal or regulatory investigations. Where a US company’s obligations to comply with US legal demands for personal data conflict with the GDPR’s limits on the processing and transfer of that data to the United States, the company must assess whether it can lawfully transfer responsive data to the United States that is subject to the GDPR. If not, the US company may need to negotiate with the requesting legal authority to narrow the scope of the request or to develop other ways of resolving the legal conflict. Where the conflict cannot be resolved, the US company may need to consider challenging the request on comity grounds, although such challenges have rarely succeeded in the context of criminal or regulatory investigations.

40.2 Internal investigations: UK perspective

Internal investigations will inevitably deal with personal data, particularly employees’, and in the United Kingdom this is governed by the GDPR. As a result, those conducting internal investigations will have to consider the legal justification for the processing of personal data that may otherwise be illegal under the GDPR. Consent and legitimate interest are two of the key legal bases companies and practitioners can rely on to process data in an internal investigation and they are explored in more detail below.

40.2.1 Consent

The GDPR establishes a higher standard for consent for the processing of personal data than the Data Protection Act 1998 (DPA) it replaced.[2] Consent must be given clearly and in plain language and must be an affirmative act – consent cannot be given by inactivity, such as pre-ticked boxes in an online form.

In the typical employer–employee context of an internal investigation, the concept of consent being freely given is a complicated one. Given the dynamic, some jurisdictions consider that consent from an employee to an employer may never be freely given, a position exacerbated in an internal investigation by the added element of potential wrongdoing by the employee or another individual. Investigators should ensure they comply with the GDPR, either by getting express consent from the data subject to process their data, which may not be feasible in an internal investigation (blanket clauses in employment contracts will no longer be enough), or by relying on one of the lawful bases under the GDPR (discussed below) to lawfully process the data.

40.2.2 Derogations and legitimate interest

The GDPR allows for personal data to be processed[3] in certain circumstances, including derogations,[4] when consent has been given[5] and when a country has the benefit of an adequacy decision.[6]

Under the GDPR, data processors can consider the legitimate interests of a third party or public interest when considering the use and processing of personal data.[7] In an internal investigation this ability could allow the lawful basis of legitimate interests (of a third party or public interest) to process personal data. The rights of individuals can, however, override a legitimate interest, if the processing of data would interfere with an individual’s fundamental rights.

The UK’s Information Commissioner’s Office (ICO) enforces data protection legislation and has stated that: ‘Legitimate interests is the most flexible lawful basis for processing’.[8] The ICO has set out a three-part, cumulative test for establishing whether there is a legitimate interest in processing the data.

  • Purpose test: is the purpose of the processing a legitimate interest?
  • Necessity test: is the processing of the data necessary for the purpose?
  • Balancing test: is the legitimate interest overridden by the individual’s interests?[9]

The above test can be used by those conducting internal investigations to justify the processing of data under the GDPR because it is for the legitimate purpose of the company itself, or a third party. In respect of the necessity test, companies must consider alternative means of gathering the same information before processing personal data of any kind. Best practice means such considerations should be documented.

To demonstrate compliance with the GDPR, data controllers will have to document their decisions carefully, which may be of particular value in internal investigations where data may be being processed voluntarily. Data controllers should review any existing policy or consider introducing a new one, to ensure that processing data as part of an internal investigation is justified in compliance with the GDPR. In addition, the ICO recommends the application of a legitimate interest assessment[10] based on the three-part test, which may be a useful addition to an investigation plan.

40.2.3 Special category data

When processing data in an internal investigation, data controllers must pay increased attention when dealing with special category data. The concept of special category data is similar to that of sensitive personal data under the DPA, and includes data about a natural person’s sex life, ethnic origin and political opinions. In an internal investigation, this kind of information will often be held on a human resources file that becomes part of a review within the investigation. The concept of special category data is dealt with under Article 9 of the GDPR and it has been extended to include genetic and biometric data.

When dealing with special category data, Articles 6 and 9 of the GDPR must both be satisfied: Article 6 to demonstrate a lawful basis for processing, and Article 9 to show that one of the derogations applies – including consent, public interest and the making or defending of a legal claim.

40.2.4 Public interest

The public interest exception may be the most useful in an internal investigation, especially where it is likely to be followed by a regulatory investigation. However, this ground will be difficult to satisfy, and controllers should be confident in their justifications before relying on this exception.

The Data Protection Act 2018 (DPA 2018) provides helpful guidance on the public interest exception in Schedule 1, Part 2. Paragraphs 10 and 11 are of particular relevance to internal investigations and relate to the prevention or detection of unlawful acts. Paragraph 11 also relates to protecting the public against dishonesty. These provisions will often assist in identifying a lawful basis for the processing of special category data in internal investigations. Note that both provisions require that processing be done without consent, to avoid prejudicing the investigation.

40.2.5 Third parties to investigations

Companies and practitioners often rely on third parties to assist with internal investigations (for example in data analysis, legal advice or document review). These third parties will very often require access to personal data in order to act. The GDPR has introduced new requirements when entering into such arrangements, which means that a contract or other legal act under European Union or Member State law is now required where controllers engage the services of processors.

This must set out the ‘subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.’[11] These provisions have been part of many standard contracts for years (particularly to identify where data is actually located – i.e. server locations), but it is now particularly important that the correct agreements are in place from the outset of any interaction with third parties, to comply with the GDPR. In addition, any agreement must contain an obligation of confidentiality.[12]

40.3 Internal investigations: US perspective

The United States has no single unified data protection regime. However, a patchwork of federal and state privacy laws impose various constraints on the extent to which a company may collect and review information about its employees, particularly their electronic communications.

State privacy laws in the United States vary considerably, but many states recognise a common-law right against unreasonable intrusions into a person’s seclusion or privacy. Such causes of action have been brought against employers in the context of searches in the workplace.[13] While courts have typically upheld an employer’s right to search company-owned property, including computers and devices, there is no bright-line rule. In cases involving more unusual facts, an employee may be able to make out an invasion of privacy claim based on a workplace search.[14] Accordingly, companies are well advised to have written policies, that all employees must acknowledge, clearly providing that the company’s network and systems are subject to monitoring and search. An employee will face difficulty establishing a right to privacy in company-controlled systems or data where such policies are in place.[15]

Other state laws place more specific prohibitions on employers that can limit the outer bounds of a company’s investigative actions. For example, various state laws prohibit questioning an employee on issues that serve no business purpose,[16] demanding an employee disclose passwords and other credentials to his or her personal email and social networking accounts,[17] requiring employees to alter privacy settings on their electronic accounts,[18] or asking employees to access social media accounts in the presence of the employer.[19]

Various state and federal laws also restrict the collection of electronic communications, including emails[20] (both work and personal), phone calls[21] and social media accounts.[22] One primary federal law is the Electronic Communications Privacy Act,[23] which breaks down into the Wiretap Act (which generally prohibits intercepting electronic communications),[24] the Pen Register statute (which generally prohibits use of a pen register to track communications),[25] and the Stored Communications Act (which generally prohibits unauthorised access to stored electronic communications).[26] These statutes do not generally prohibit an employer from searching its own email system.[27] However, they may limit an employer’s ability to use company-owned equipment to access an employee’s communications stored with third-party providers (e.g., Gmail),[28] at least without the employee’s consent.

Finally, besides state and federal laws, internal investigations in the United States may also be subject to the GDPR’s restrictions, given the GDPR’s extraterritorial reach. In particular, to the extent the investigation requires review of personal data stored in the European Union – for example, an employment file for an employee in an EU affiliate, stored on a server in the European Union – then the company must evaluate whether a lawful basis exists under the GDPR to transfer the data to the United States for the purpose of the investigation. In the absence of a clear lawful basis for transfer, the company may wish to consider ways of handling the data that do not involve transferring personal data to the United States – such as reviewing the relevant personal data in the European Union, or redacting personal information from the data set before it is transferred to the United States.

40.4 Investigations by authorities: UK perspective

Companies have always had to consider competing interests when dealing with investigating authorities, but until now data protection has rarely been near the top of any list of considerations. The very significant fines available under the GDPR mean that companies must take data protection much more seriously, particularly the handling of personal data to authorities both in the United Kingdom and overseas.

40.4.1 Guidance from authorities

Prior to the introduction of the GDPR, concerns were raised about the balance companies should strike between their reporting and regulatory commitments (including investigations), on the one hand, and protecting their employees’ (or anyone else’s) personal data on the other. To offer some guidance in this regard, the Financial Conduct Authority (FCA) and ICO published a joint update on the GDPR in which they made clear that they believed ‘the GDPR does not impose requirements which are incompatible with the rules in the FCA Handbook.’[29] This belief is yet to be tested and it is unclear whether the FCA will be tolerant of delays, limitations on information and other issues caused by a company’s cautious approach to data protection.

Furthermore, the FCA has been keen to point out that it will be considering breaches of the GDPR as part of its supervision of senior management arrangements, systems and controls.[30] Although this is limited to entities regulated by the FCA, it seems likely that other authorities will take a similar approach, and companies will need to be ready to show that they have taken their data protection obligations – both ongoing and as part of an investigation or data request from an investigating authority – seriously.

40.4.2 Providing data to authorities

Where authorities make requests for data, companies must be absolutely clear about the legal powers by which those requests are being made, to ensure that they can comply with the request while fulfilling their GDPR obligations. The benefits of voluntarily handing over more data than specifically required have probably disappeared with the GDPR’s tougher data regulation regime.

Given the international scope of many investigations today, companies will have to consider the practicalities of exporting data while complying with the GDPR. The transfer of data to a third country[31] is regulated by Article 44 of the GDPR. It is unclear whether the United Kingdom will be treated as a third country following Brexit or if, given the United Kingdom’s apparent willingness to adhere to the GDPR post-Brexit, another arrangement will be reached. If the United Kingdom is to be a third country, it can apply for an adequacy decision from the European Commission, determining that a third country has an adequate level of data protection, and data may be transferred to it.[32]

An alternative method for complying with the GDPR may be to redact personal information before handing documents over to authorities. Depending on the size of the document set, however, this may be a very expensive way of satisfying the authorities and the GDPR, particularly as it would require not only the data subject’s name to be redacted, but also any information from which the data subject could be identified.

Articles 48 and 49 of the GDPR set out the requirements for transferring data under international agreements, such as mutual legal assistance treaties (MLATs). Using MLATs provides a structured system for exchanging information and evidence, but the process can be expensive and lengthy, which is particularly unhelpful where credit for early and responsive co-operation is sought, particularly when dealing with US authorities.

The scope of the derogations under Article 49 appears to provide enough latitude for companies to engage with authorities proactively and efficiently; however, the extent of all the derogations remains untested. For the time being, companies should be cautious when transferring data, even in response to requests from authorities.

Some national regulators (such as the UK FCA and the US Securities and Exchange Commission) have reciprocal arrangements in place to transfer data. The use of these inter-regulator arrangements has a number of attractions. However, they often operate through a memorandum of understanding between the regulators, which on its face does not satisfy the definition of a legal agreement under Article 48 and so may not be an appropriate method for data transfer. While the interpretation of Article 48 remains untested, caution should be taken about permitting data to be transferred outside the jurisdiction under a memorandum of understanding between regulators.

40.5 Investigations by authorities: US perspective

As in the United Kingdom, companies in the United States must be mindful of the GDPR’s restrictions in responding to subpoenas or other compulsory demands requiring the production of documents. Under US law, a company served with compulsory demands must produce any responsive documents within its possession, custody or control – wherever the data is stored. It is common for US law enforcement agencies or regulators to issue demands for documents to companies requiring the production of large volumes of data. To the extent that responsive data is stored in the European Union, and contains personal data subject to the GDPR, the company must produce it notwithstanding its foreign location. As a result, US companies served with formal demands to produce documents may face a situation where their obligations to comply with US legal process conflict with the GDPR’s restrictions.

A US company concerned that it faces such a conflict should first discuss the issue with the regulator or law enforcement agency involved and attempt to narrow the scope of the request to avoid or minimise the need to produce GDPR-regulated data. This is particularly important because, for the company to rely on the GDPR’s legal defence derogation to produce the data to US authorities, the data must be ‘necessary for the establishment, exercise or defence of legal claims’.[33] Accordingly, obtaining clarity from law enforcement or the regulatory agency as to what personal data is necessary to respond to the request, and redacting or otherwise anonymising the other personal data that is not needed, will put a company in a more defensible position if GDPR issues arise.

At the same time, US law enforcement authorities or regulatory agencies are likely to press for clarity as to whether the GDPR genuinely prohibits the transfer of the data in question to US authorities. The US Department of Justice has taken a robust approach previously in similar circumstances, by asserting: ‘Where a company claims that disclosure is prohibited, the burden is on the company to establish the prohibition. Moreover, a company should work diligently to identify all available legal bases to provide such documents.’[34] Although the risk of breaching obligations under the GDPR should be a major consideration when dealing with investigating authorities, companies must balance this against the risks of non-compliance with US authorities, which may seek sanctions (including even criminal contempt) against a company for failing to comply with investigators’ demands.

Where a company truly cannot comply with a demand for documents from US authorities without violating the GDPR’s transfer restrictions, and the company is unable to negotiate an adequate resolution with the US authorities involved, the company may choose to challenge the legal process. US courts have long held that, where it would violate foreign law for a company to produce certain documents in response to US legal process, the company may challenge enforcement based on international comity. If the court agrees that compliance with the demand for documents would give rise to a true conflict of laws, it will weigh the conflicting legal obligations of US law and foreign laws case by case.[35] Specifically, a court entertaining such a challenge must consider, among other things, the importance of the records to the US legal matter for which they are sought, the availability of alternative means of securing the information and the extent to which noncompliance with the request would undermine important interests of the United States, or compliance would undermine important interests of the state where the information is located.[36]

However, while courts have sometimes quashed subpoenas on comity grounds in civil litigation,[37] they have typically rebuffed such challenges in the context of criminal investigations, finding that the domestic interest in enforcing the criminal laws trumped the foreign data privacy interests involved.[38] The enforcement of the GDPR and the severe potential penalties that attach to non-compliance may provide greater motivation to companies to challenge US legal process if they believe there is a risk that compliance will run afoul of the GDPR’s requirements; and likewise, the prospect of GDPR penalties may lead US courts to give more weight to foreign data privacy interests than they might otherwise in such challenges. Indeed, US court decisions applying the international comity balancing test have sometimes turned, in significant part, on the low likelihood of severe penalties being imposed on the recipient of the legal process at issue if complied with.[39] It is unclear, however, whether and to what extent the GDPR will actually change the equation in this regard – at least prior to a significant fine or other penalty for a disclosure.

40.6 Whistleblowers

The interplay between the increased protections for individuals under the GDPR and the protections for whistleblowers under existing laws is a particularly interesting one for practitioners and companies. More and more, internal and government investigations are triggered by information from (often anonymous) whistleblowers. Senior managers must be acutely aware of the respect to be shown to whistleblowers and whistleblowing laws, in particular with regards to anonymity and protection of the individual.

40.6.1 Whistleblowing policies and data protection

Companies should have in place whistleblowing policies that respect the data protection principles, also providing safeguards for the subject of any whistleblowing report, the whistleblower and any third parties mentioned in the report. Companies will also need to ensure that by default, only personal data necessary for the specific purpose of investigating a whistleblowing report is processed.

40.6.2 Right to access

Where an individual’s personal data has been processed during an investigation following a whistleblower report, the individual will still have the rights to access certain information as they would have done in any other circumstances. This includes the purpose and period envisaged for processing and how the data will be stored.[40] The personal information in a whistleblowing report can relate to whistleblowers, the person under investigation, witnesses or other individuals that are mentioned, meaning that companies will need to uphold the data protection rights of all involved.[41]

In addition, under the GDPR, employees may demand any information held about them; this, the European Data Protection Supervisor has noted, is ‘of particular concern in the whistleblowing context as it could, theoretically, risk exposing a whistleblower’s identity.’[42] The Article 29 Working Party (now replaced by the European Data Protection Board) has stated that the right to access data may be restricted in order to ensure the whistleblower’s rights are protected and ‘[u]nder no circumstances can the person accused in a whistleblower’s report obtain information about the identity of the whistleblower from the scheme on the basis of the accused person’s right of access, except where the whistleblower maliciously makes a false statement.’[43] This is reflected in the DPA 2018, which states that companies do not have to comply with a data request if it would mean disclosing information about another individual who can be identified from that information, except if the other individual has consented to the disclosure, or it is reasonable to comply with the request without that individual’s consent.[44] Therefore, companies may be able to limit access to data following a whistleblower report, but they will still need to balance the subject’s right of access against the whistleblower’s rights and the rights of any third parties mentioned in the report.[45]

See Chapters 19 to 21 on whistleblowers

40.7 Collecting, storing and accessing data: practical considerations

A few practical considerations for all investigations:

  • Involve data controllers at as early a stage as possible.
  • Identify any relevant documents to be transferred which contain special category data.
  • Document all decision-making relating to the transfer of data and consider it against Article 49 of the GDPR.
  • Work with authorities to agree realistic expectations for the scope and timing of data requests.
  • Consider all options for the transfer of data, including redactions, MLATs and the use of domestic authorities.


1 Stuart Alford KC, Serrin A Turner and Gail E Crawford are partners, and Mair Williams and Max G Mazzelli are associates, at Latham &amp; Watkins.

2 Article 7 and Recital 32 GDPR.

3 Processing includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.

4 Article 6 GDPR.

5 Article 7 GDPR.

6 Article 45 GDPR.

7 This provides additional flexibility to data processors; under the Data Protection Act 1998, third-party interests were restricted to those third parties to whom the data would be disclosed.

10 Details of this can be found at: ‘Legitimate Interests’ (Information Commissioner’s Office):

11 Article 28(3) GDPR.

12 Article 28(3)(a)-(h) GDPR.

13 See, e.g., Rowe v. Guardian Auto. Prods., 2005 WL 3299766 (N.D. Ohio 6 December 2005); Restatement (Third) of Emp’t Law: Emp’t Privacy & Autonomy ch. 7 (Council Draft No. 6, 2011), available at (introducing the tort of wrongful employer intrusion upon a protected employee privacy interest and stating that ‘[e]mployees have a right of privacy against wrongful employer intrusions upon protected employee privacy interests’ including personal information).

14 See, e.g., Doe v. Kohn Nast & Graf, 866 F. Supp. 190 (E.D. Pa. 1994) (allowing invasion of privacy case to proceed to jury based on company’s opening of mail sent to the workplace that appeared to be personal in nature); Rene v. G.F. Fishers, Inc., 817 F. Supp.2d 1090 (S.D. Ind. 2011) (allowing claims under the Stored Communications Act (SCA) and the Indiana Wiretap Act to survive where company decoded the employee’s passwords to personal accounts which had been accessed on company computers).

15 See, e.g., Leventhal v. Knapek, 266 F.3d 64 (4th Cir. 2000) (finding no legitimate expectation of privacy in internet use when employer’s known policy allowed monitoring of ‘all file transfers, all websites visited, and all e-mail messages’); Bohach v. City of Reno, 932 F. Supp. 1232, 1236 (D. Nev. 1996) (holding that employees did not have ‘objectively reasonable expectation of privacy’ in email messages stored on computer network); Garrity v. John Hancock Mut. Life Ins. Co., 2002 U.S. Dist. LEXIS 8343, at *5–6 (D. Mass. 7 May 2002) (that employer instructed its employees on creating personal passwords for their computers did not create reasonable expectation in privacy); Muick v. Glenayre Elecs., 280 F.3d 741 (7th Cir. 2002) (employee did not have reasonable expectation of privacy in his company-owned laptop); Thygeson v. U.S. Bancorp, 2004 U.S. Dist. LEXIS 18863 (D. Or. 15 September 2004) (employee had no reasonable expectation of privacy in websites accessed on work computer where company had a policy regarding personal computer use and monitoring); Garrity v. John Hancock Mutual Life Insurance Co., 2002 U.S. Dist. LEXIS 8343 (D. Mass. 7 May 2002) (employee had no reasonable expectation of privacy in emails transmitted on employer’s computer system where employer’s interest in preventing sexual harassment was greater than employee’s privacy interest); Restatement (Third) of Emp’t Law § 7.03 (Council Draft No. 6, 2011) (‘[A] clear employer notice or policy that a particular location is not private for employees generally defeats an employee’s expectation of privacy, unless the employer’s actual practices contravene the wording of an express notice or policy.’); O’Connor v. Ortega, 480 U.S. 709, 713 (1987) (plurality opinion) (stating that a government employee had a reasonable expectation of privacy in his desk and file cabinets where ‘there was no policy of inventorying the offices of those on administrative leave’ and ‘there was no evidence that the Hospital had established any reasonable regulation or policy discouraging employees such as Dr Ortega from storing personal papers and effects in their desks or file cabinets’).

16 See 2 Cal. Code Regs. § 7286.7(b) (prohibits employers from inquiring into any issues that otherwise serve no ‘business purpose’).

17 See, e.g., Cal. Labor Code § 980.

18 See, e.g., 26 M.R.S.A. § 615.

19 Id.; see, e.g., Cal. Lab. Code § 980 (2012) (allowing an employer to require an employee to ‘divulge personal social media reasonably believed to be relevant to an investigation of allegations of employee misconduct or employee violation of applicable laws and regulations,’ but information must be used solely for the investigation); 820 Ill. Comp. Stat § 55/10 (2012) (granting an employer the ability to require employees to share specific content of personal online accounts (but not username and passwords) that has been reported to the employer for purposes of investigating employee misconduct); Wash. Rev. Code § 49.44.200 (2013) (permitting an employer to require an employee to share content (but not the login information) from his or her social media account as necessary to comply with applicable laws or investigate employee misconduct).

20 See Scott v. Beth Israel Med. Ctr., Inc., 17 Misc. 3d 934 (Sup. Ct. N.Y. Cty. 2007) (holding that policy that employees had no privacy right over material created, received, saved, or sent using the employer’s computer system sufficient to eliminate any expectation of privacy); United States v. Etkin, 2008 U.S. Dist. LEXIS 12834, at *14-16 (S.D.N.Y. 20 February 2008) (employees do not have a reasonable expectation of privacy when employers warn the employees via log-on notices or flash-screen warnings of a policy through which the employer could monitor or inspect the computers at any time); United States v. Angevine, 281 F.3d 1130, 1135 (10th Cir. 2002) (holding no reasonable expectation of privacy where employer’s policy ‘clearly warned computer users [that] data [wa]s “fairly easy to access by third parties”’); Muick v. Glenayre Elecs., 280 F.3d 741, 743 (7th Cir. 2002) (holding that any reasonable expectation of privacy employee had in his work computer was eliminated when employer announced that it could inspect the computer).

21 Some states require the consent of all parties to legally record a phone call. See, e.g., Cal. Penal Code § 630 et seq. (2006); Conn. Gen. Stat. § 52-570d (2006); Fla. Stat. §§ 934.01 to .03 (2005); 720 Ill. Comp. Stat. 5/14-1, -2 (2006); Md. Code Ann. Cts. & Jud. Proc. § 10-402 (2006); Mass. Gen. Laws ch. 272, § 99 (2006); Mont. Code Ann. 45-8-213; N.H. Rev. Stat. Ann. §§ 570-A:1, -A:2 (2005), as amended by New Hampshire Laws Ch. 169 (H.B. 1353) (2016); 18 Pa. Cons. Stat. § 5701 et seq. (2005); Wash. Rev. Code § 9.73.030 (2006). Other states require just one-party consent. See, e.g., Ariz. Rev. Stat. Ann. § 13-3005; D.C. Code Ann. § 23-542(b)(3); N.Y. Penal Law § 250.00(1); N.J. Rev. Stat. § 2A:156A-4(d); Ohio Rev. Code Ann. § 2933.52(B)(4); Tex. Penal Code Ann. § 16.02(c)(4).

22 See, e.g., Cal. Lab. Code § 980; 19 Del. Code § 709A(b); Md. Code Lab. & Empl. § 3-712(b)(1); Nev. Rev. Stat. § 613.135; N.H. Rev. Stat. § 275:74; 820 Ill. Comp. Stat. § 55/10(b)(1).

23 See 18 U.S.C. §§ 2510-22, 2701-12.

24 See id. §§ 2511-2522.

25 See id. §§ 3121-3127.

26 See id. §§ 2701-2711.

27 See id. § 2701; see, e.g., Fraser v. Nationwide Mut. Ins. Co., 352 F.3d 107 (3d Cir. 2003) (holding that the insurance company that leased computer system to agent did not violate the Electronic Communications Privacy Act when it retrieved stored emails from computer).

28 See 18 U.S.C. § 2701(a); see, e.g., Lazette v. Kulmatycki, 949 F. Supp. 2d 748, 757-58 (N.D. Ohio 2013) (denying employer’s motion to dismiss claims under the ECPA where employee alleged that her supervisor accessed unopened emails from her Gmail account through her employer-issue BlackBerry).

31 A country that is outside the EU and is not Norway, Liechtenstein or Iceland.

32 Currently, Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States are recognised as having adequate protection. Adequacy talks with South Korea are ongoing, and the European Commission has commenced proceedings to adopt an adequacy decision in relation to Japan.

33 Article 49 GDPR.

35 Linde v. Arab Bank, PLC, 706 F.3d 92, 108 (2d Cir. 2013).

36 See Société Nationale Industrielle Aérospatiale v. United States Dist. Court for S. Dist., 482 U.S. 522, 544 n.28 (1987); see also Clarifying Lawful Overseas Use of Data Act (2018), P.L. 115-141 (amending section 2523 of the Stored Communications Act and codifying the common law comity challenge with respect to compelled process for data served pursuant to the SCA).

37 See, e.g., In re Cathode Ray Tube (CRT) Antitrust Litig., 2014 WL 1247770 (N.D. Cal. Mar. 26, 2014); Motorola Credit Corp. v. Uzan, 293 F.R.D. 595 (S.D.N.Y. 2013); Tiffany (NJ) LLC v. Forbse, 2012 WL 1918866 (S.D.N.Y. May 23, 2012).

38 See, e.g., United States v. Davis, 767 F.2d 1025, 1033-34 (2d Cir. 1985) (according deference to judgment of Executive Branch that interest in enforcing criminal laws outweighed interest of Cayman Islands in preserving privacy of its banking customers); In re Grand Jury Proceedings, 532 F.2d 404 (5th Cir.), cert. denied, 429 U.S. 940 (upholding grand jury subpoena against comity challenge based on foreign banking privacy laws); United States v. First City Nat’l City Bank, 396 F.2d 897 (2d Cir. 1968) (same).

39 Compare, e.g., First City Nat’l City Bank, 396 F.2d at 905 (compelling production of records notwithstanding potential conflict with German law, based in part on finding that the ‘risk of civil damages [being imposed under German law] was slight and speculative’) with Tiffany (NJ) LLC v. Qi Andrew, et al., 276 F.R.D. 143, 159 (S.D.N.Y. 2011) (declining to compel production given conflict with Chinese banking statute, where history of prosecutions demonstrated that the ‘statute has been used to prosecute individuals and that violations can result in serious punishment’).

40 Article 15 General Data Protection Regulation.

41 European Data Protection Supervisor: ‘Whistleblowing’ available at:

42 European Data Protection Supervisor: ‘Whistleblowing’ available at:

43 Article 29 Data Protection Working Party, Opinion 1/2006, WP117 adopted 1 February 2006, available at:

44 Section 45 DPA 2018.

45 European Data Protection Supervisor: ‘Whistleblowing’ available at:
