Data Privacy & Transfer in Investigations: Introduction

Investigations by regulators and enforcement agencies, as well as internal investigations by companies, are increasingly common. Successfully managing the risks arising from these investigations requires expertise across a number of areas, particularly where relevant information is held in multiple locations worldwide. Data privacy considerations are key to ensuring these investigations are conducted lawfully and that both the entities conducting investigations and those subject to them are aware of their obligations in relation to the protection of such information.

Every jurisdiction has its own laws and regulations concerning the collection, review and storage of information that relates to identifiable individuals, including in relation to cross-border transfers of such information. For example, as well as the General Data Protection Regulation (GDPR) in the EEA, last year saw the California Consumer Privacy Act come into effect and China has recently passed the Data Security Law and the Personal Data Protection Law. Data privacy issues arise under multiple applicable laws on an investigation, and at different phases during its course.

Where an investigation requires the extraction of significant amounts of information from multiple jurisdictions, including by those acting on behalf of an organisation, such as forensic accountants, consultants and lawyers, it is likely that such information will include personal data. The organisations conducting, or the subject of, an investigation may wish to transfer such information between jurisdictions for the purposes of conducting review and analysis, to meet requests or demands from authorities, or to be cooperative. This requires careful analysis. The conflict of laws presented by requests or demands for documents and other information by overseas authorities, in particular, is a significant problem. Data privacy laws, bank confidentiality and ‘blocking statutes’ in some jurisdictions often place organisations in a position where they are required to weigh competing risks that arise from conflicting legal or regulatory requirements.

There are, however, steps that can be taken to reduce those risks in a given situation. For example, it may be possible to negotiate the scope of the request, pre-review the information disclosed, and redact documents. It may be possible to rely on mutual legal assistance treaties and other mechanisms as a basis for sharing information with overseas authorities. Each request should be considered on a case-by-case basis to determine whether, and to what extent, a company is able to comply, and to determine whether any steps can be taken to undertake the disclosure and transfer of the personal data in accordance with applicable law.

Data privacy is, therefore, a key consideration when planning, structuring and carrying out – or responding to – an investigation. The data protection and litigation teams at Allen & Overy have produced these guides to assist with identifying key issues from a data protection perspective when managing complex domestic or cross-border investigations. However, other laws, regulations, contractual requirements or voluntary codes may also restrict the disclosure of certain types of data. Further information on the restrictions and requirements affecting transfers of data from one jurisdiction to another can also be found on aosphere’s Rulefinder Data Privacy tool (
