Data Privacy & Transfer in Investigations: Introduction
Regulators and enforcement authorities across the globe are continuing their focus on the activities of corporations and their employees. Investigations are frequently cross-border and involve accessing information held in multiple jurisdictions. Successfully managing the risks arising from these investigations requires expertise across a number of areas. Data privacy and protection considerations present growing challenges to clients in their planning and conduct of internal and government investigations as individuals and regulators become increasingly alert to how data is collected and used, more data is generated and stored electronically, and regulators and enforcement authorities make expansive requests for that information, often without regard for national boundaries.
Every jurisdiction has its own laws and regulations concerning the collection and review of data and what information may be transferred out of the country. In the EU, the data privacy landscape changed with the introduction of the General Data Protection Regulation (GDPR) in 2018. More recently, the California Consumer Privacy Act came into effect in 2020. Data privacy issues may therefore arise under multiple applicable laws in an investigation, and at different phases during its course.
Where an investigation requires the extraction of significant amounts of information from multiple jurisdictions by corporations and/or third parties (eg, forensic accountants or consultants), it is likely that a large proportion of that information will include personal data (also known as personally identifiable information) of a client’s employees and clients (or individuals connected with those clients, such as their employees). The corporation may wish to transfer that data between countries for the purposes of conducting review and analysis, or to meet requests or demands from authorities, or voluntarily to provide information to them to be cooperative. Any such actions require careful analysis. The conflict of laws presented by requests or demands for documents and other information by overseas authorities, in particular, is a significant problem for corporations. Data privacy laws, bank confidentiality and “blocking statutes” in some jurisdictions, such as France, often put corporations in a position where they have to weigh competing risks that arise from conflicting legal or regulatory requirements.
There are, however, steps that can be taken to reduce those risks in a given situation. For example, to limit data privacy or confidentiality issues, it may be possible to negotiate the scope of the request, pre-review the information disclosed, redact documents or take other steps to mitigate the risk. Each request should be considered on a case-by-case basis to determine whether, and to what extent, a company is able to comply, and to determine whether any particular steps can be taken lawfully to undertake the disclosure and transfer of the personal data.
Data privacy should, therefore, be a key consideration for clients when planning, structuring and carrying out an investigation. The data privacy, protection and litigation teams at Allen & Overy have produced these guides to assist with identifying some of the issues that will need to be considered from a data protection perspective when managing complex domestic or cross-border investigations. However, it should be noted that other laws, regulations, contractual requirements or voluntary codes may also restrict the disclosure of certain types of data. Further information on the restrictions and requirements affecting transfers of data from one jurisdiction to another can also be found on aosphere’s Rulefinder Cross Border Data Transfer (www.aosphere.com/aos/cbdt).