Data Privacy & Transfer in Investigations

Last verified on Monday 2nd November 2020

Data Privacy & Transfer in Investigations: USA

Peter Jaffe, Jillian Simons, Allie Bian and Jue ‘Allie’ Bian

Freshfields Bruckhaus Deringer

1. What laws and regulations in your jurisdiction regulate the collection and processing of personal data?

USA

Unlike Europe, the United States doesn’t have a generally applicable and comprehensive privacy regime. Instead, there’s a maze of laws, each of which may or may not apply to a company’s activities depending on the types of personal information involved, who the data subject is, the industry involved and the company’s size. Some privacy provisions are hidden away in laws that aren’t fundamentally about privacy. Unless you are steeped in these areas of law, you might not think to look for privacy provisions in, for example, autonomous car testing regulations or anti-discrimination laws.

Luckily for lawyers involved in investigations, there’s a more manageable number of privacy laws that tend to impact their work. Three tend to come up more than others. These three will be the focus of this chapter.

CCPA. The most important general-purpose privacy law is, for now, the California Consumer Privacy Act (the CCPA). It’s the closest thing we have to the GDPR. Subject to some important caveats (more on this later), it governs data relating to California residents, and it applies regardless of what industry you’re in.

GLB. The federal Gramm–Leach–Bliley Act (GLB) governs how financial institutions and adjacent companies handle non-public information on financial consumers. Because GLB defines ‘financial institutions’ broadly, it may come into play for investigations of companies in the financial sector and maybe some other businesses as well.

HIPAA. The ‘Privacy Rule’ of the Health Insurance Portability and Accountability Act (HIPAA) governs patient confidentiality and applies to most healthcare providers, health insurers and healthcare information clearinghouses (called covered entities) – plus anyone who provides certain services to companies in these categories (called ‘business associates’). HIPAA comes up mostly in healthcare fraud investigations but also occasionally in antitrust or other investigations in the healthcare space.

Note that these three principal laws share a characteristic: they are all mostly about the privacy of consumers rather than a company’s employees or its counterparties’ employees. For example, the CCPA contains an express exception so that it doesn’t apply to employees or counterparty employees. GLB applies only to the personal information of consumers. And HIPAA applies only to the information of patients. For an investigations lawyer, this commonality is important: because most internal investigations focus on the behaviour of employees or a counterparty’s employees, these laws matter most where an investigation zooms in on a company’s interactions with individual human customers.

Aside from these three laws, a few others come up occasionally and will not be the focus of this chapter. These include the following.

Recording laws. Where an investigations lawyer needs to record a conversation or obtain access to previously recorded conversations, he or she will need to think about laws governing the recording of conversations. These laws vary from state to state, and there is a federal version as well. In general, they may require a lawyer to get the consent of one or all parties to a conversation before recording. The bottom line is that before an investigations lawyer records a conversation, he or she should either announce to all parties to the conversation that it will be recorded and give them an opportunity to end the conversation, or should check the laws of the states of all participants in the conversation.

Wiretapping and hacking laws. Various criminal laws prohibit the unauthorised interception of or access to telephone conversations, electronic communications, or other electronic content. In particular, the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act (ECPA) – and their state law counterparts – prohibit anyone from hacking into computers or communications systems. For purposes of conducting investigations, these laws usually won’t prohibit a company from looking into its own communications systems (such as its email systems), but usually will prohibit a company from surreptitiously looking into the personal communications systems of its employees or others (like an employee’s personal email account). The devil is in the details. When employees access their personal communications using an employer’s computer systems, or where employers openly demand access to an employee’s personal accounts, a more complex analysis is needed.

Public-sector and telecommunications privacy laws. Providers of computing and telecommunications services will sometimes be called upon to help with law enforcement, national security, or foreign intelligence investigations. In these cases, ‘public sector’ privacy laws such as the Electronic Communications Privacy Act or the Foreign Intelligence Surveillance Act may come into play. And even without the involvement of law enforcement, these laws may come into play if one of these providers wants to investigate its own customers. Other public-sector laws such as the Privacy Act of 1974 may govern what the government itself does with personal data. These laws are complex, fascinating, controversial – and beyond the scope of this chapter.

Commitments. Finally, all companies need to be mindful of privacy commitments they’ve already made. For example, if a company has transferred certain personal data from Europe by promising to comply with the ‘model clauses’ or even by promising to comply with the (now defunct) Privacy Shield framework, or if the company made promises in its privacy policies, the company will need to assess whether those commitments allow it to use the data in an investigation. 

There are, of course, other privacy laws that could conceivably come into play in unusual circumstances. The most broadly applicable privacy law in the US is section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive trade practices and which the Federal Trade Commission has interpreted to prohibit certain deceptive practices around personal data. Many states have similar consumer protection laws. But it will be an unusual situation where reviewing personal data in an internal investigation or turning it over to authorities will be deemed unfair or deceptive. The Fair Credit Reporting Act is fundamentally a privacy law concerning how companies share information about creditworthiness. The Children’s Online Privacy Protection Act imposes obligations on companies that know or should know that they are collecting data online for persons under 13 years of age. And, as noted above, there are a surprising number of special-purpose privacy laws hidden in state codes and regulations. Investigations lawyers should keep these laws in the backs of their minds, but they ordinarily won’t come into play, so this will be the last we speak of them.

Answer contributed by Peter Jaffe, Jillian Simons, Allie Bian and Jue ‘Allie’ Bian

2. What other laws and regulations may prevent data sharing in the context of an investigation?

Aside from laws protecting personal privacy, companies may occasionally encounter laws about information that’s important to law enforcement or that bears on national security. For example, anti-money laundering (AML) and countering the financing of terrorism (CFT) laws may require certain entities to report suspicious financial activity; when they do, they ordinarily need to keep the reports and surrounding circumstances secret. Similarly, where companies receive requests from law enforcement, they may be obligated to keep the requests (or their responses) secret. In both cases, the purpose is to prevent tipping off persons under investigation. There are also export control laws that may prevent the transfer of certain information – usually information about technology relevant to national defence – outside the US, to certain countries, or to certain people or organisations.

3. What can constitute personal data for the purposes of data protection laws?

Because the US doesn’t have a comprehensive privacy law, the US also doesn’t have a consistent definition of personal data. The definitions tend to fall into three categories.

First, there are various defined terms that approximate what we think of as ‘personal data’ under most global privacy laws – any information that is, or reasonably could be, identified with a living individual. For example, see the following.

CCPA. The CCPA covers ‘personal information’, which closely tracks GDPR’s definition of ‘personal data’: information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. In other words, anything related to a person. Importantly, something can be personal information whether or not you think it’s sensitive: it includes a person’s social security number and favourite colour alike. It also doesn’t matter if it’s information you collect or create, since the category can include observations you make about a person or even inferences that you draw to create a profile about a person’s preferences and characteristics. It also generally doesn’t matter if the information is already public; the CCPA’s narrow ‘public information’ exception applies only to information made available in official government records. 

There are some exceptions to this broad definition of ‘personal information’, but three are particularly important for investigations. First, the CCPA excludes data already covered by GLB or HIPAA. Second and third, the CCPA generally doesn’t apply to a business’s own employees or to people acting for the business’s counterparties. As noted above, these exceptions limit the CCPA’s impact on investigations, but only for now: they sunset at the end of 2021. Maybe they will be extended in the November referendum on the proposed ‘CCPA 2.0’. If, on the other hand, the employee and counterparty exceptions of the CCPA are allowed to sunset, the CCPA will assume a much bigger role in US investigations.

GLB. GLB protects consumers’ ‘nonpublic personal information’ (NPI). NPI is any personally identifiable information that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise publicly available. But not all information that can be used to identify an individual falls under GLB; the key distinction is the connection between the information and the underlying financial services. For example, a car dealership may be a financial institution because it leases vehicles or gives loans, but the mere fact that a person bought a car from the dealership, without any information about whether the person obtained financing, isn’t NPI. 

HIPAA. HIPAA covers ‘protected health information’ (PHI), which means individually identifiable health information that is held or transmitted by entities subject to HIPAA (called ‘covered entities’ and ‘business associates’, and discussed later in this chapter). Practically, HIPAA will cover almost all information that a healthcare provider, insurer or clearinghouse, or a business associate of those covered entities, holds about a patient.

Second, you may have heard of ‘personally identifiable information’ (PII). Sometimes people use the phrase in the literal sense of information identifiable with a person, in which case it basically just means ‘personal data’. But a second use has gained currency amongst some US lawyers, who use it as shorthand for the sorts of data that would trigger notification obligations under state data breach notification laws: things such as social security numbers, financial account numbers, online credentials, etc. For present purposes, forget that this usage exists – it is irrelevant for the US privacy laws that may impact an investigation.

Third, some US laws protect a person’s (or company’s) communications rather than their personal information more broadly. The ECPA and wiretapping laws, for example, protect the entirety of conversations, emails, messages and other communications that a person sends or receives. As noted above, these laws may be important in certain types of investigations, but are beyond the scope of this chapter.

Importantly, personal data doesn’t have to stay personal data forever. At least under the CCPA, GLB and HIPAA, there are various ways to ‘anonymise’ or ‘de-identify’ personal data so that it falls outside the scope of law. Practitioners should keep this option in mind when dealing with tricky investigation issues, particularly around disclosure of information to authorities.

4. Does personal data protection relate only to natural persons or also legal persons?

US privacy laws generally apply only to natural persons, but there are some exceptions. First, the CCPA also protects information relating to households even if it’s not identified specifically with an individual in that household. This feature of the CCPA mainly matters where companies monitor activity on shared household computers for marketing purposes; it will rarely matter in investigations. Second, the laws against wiretapping and laws protecting electronic communications may protect parties to communications whether the parties are individuals or companies.

It is important to remember that even where the laws apply only to natural persons, they don’t apply to all natural persons: the CCPA applies only to persons resident in California, GLB applies only to financial consumers, and HIPAA applies only to healthcare patients. And even where wiretapping laws or electronic communications laws protect people and companies, they don’t protect all people and companies.

5. To whom do data protection laws apply?

US privacy laws apply, in some form or another, both to companies that collect and hold data – roughly, what might be called a ‘controller’ by many global privacy regimes – and to those that do things with data on another’s behalf – roughly, what might be called a ‘processor’ under those regimes. But none of the laws use the terms ‘controller’ or ‘processor’, and the analogy is imperfect. Often, the laws apply only to certain controllers who are active in a particular industry, have a certain nexus to a jurisdiction, or meet other thresholds.

CCPA. The CCPA applies to ‘businesses’ and ‘service providers’. Businesses under the CCPA are roughly analogous to ‘data controllers’: they are entities that ‘determine the purposes and means of the processing of consumers’ personal information’. But there are limits: the definition covers only for-profit entities that ‘do business in California’ (a phrase that isn’t defined but may sweep broadly) and that meet one or more thresholds: (i) have gross annual revenue of over $25 million; (ii) buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or (iii) derive 50 per cent or more of their annual revenue from selling California residents’ personal information. In contrast, the law also defines ‘service providers’, which roughly equate to ‘data processors’: they are for-profit entities that process information on behalf of a business. It is unclear whether the CCPA imposes statutory duties directly on service providers, but in any event, it requires businesses to put in place an agreement with service providers that creates contractual duties.

GLB. GLB directly applies to ‘financial institutions’, which are defined as institutions that are significantly engaged in financial activities – plus businesses that are adjacent to those institutions. Certain businesses that we may not intuitively categorise as financial institutions can be captured. For example, the GLB can apply to car dealers who arrange for financing or leasing of cars. In the view of the US FTC (one of GLB’s enforcers), it can even include career counsellors in the financial industry. It also applies to service providers and other entities that receive NPI from a financial institution.

HIPAA. As noted above, HIPAA applies to ‘covered entities’, which is roughly analogous to ‘controllers’, and ‘business associates’, which is roughly analogous to ‘processors’. A ‘covered entity’ is limited to: (i) a health plan; (ii) a health information clearinghouse; or (iii) most healthcare providers. ‘Business Associate’ means a person who on behalf of such a covered entity processes PHI for business functions or provides services to a covered entity involving the processing of PHI.

6. What acts or operations on personal data are regulated by data protection laws?

See question 7.

7. What are the principal obligations on data controllers to ensure the proper processing of personal data?

The core principle of US privacy laws is transparency about a company’s collection, use and disclosure of personal data. Each of the main laws we are discussing regulates ‘collection’ in that the laws generally require notice to be provided before a company collects personal data. Each regulates processing and disclosure in that each requires that companies process data in a way that is consistent with how the company has told data subjects it would use or disclose data – and in some cases, in accordance with the data subjects’ choices regarding further disclosures. These laws also grant data subjects certain rights to demand access to, modification of or deletion of their data.

For purposes of an investigations lawyer, the critical considerations under US law are narrower. First, there is purpose: does the law allow using the data for the purpose of an investigation or compliance with a legal demand? Second, there’s disclosure: does the law allow transferring or disclosing the data to lawyers and adjacent parties, to regulators and other authorities, or to other third parties?

CCPA. Under the CCPA, a business can use personal information only for the purposes listed in the ‘collection notice’ that it provided when it collected the personal information. If a business wants to use the information for a purpose that’s ‘materially different’ from the purposes it listed, it must go back to the consumer for consent. This is the CCPA’s version of the ‘purpose limitation’ principle.

For purposes of an investigation, this principle arguably means the business must have previously disclosed, in its ‘collection notice’, that the business might someday use the data for some purpose that fairly includes an investigation. On the other hand, the purpose-limitation principle may not matter much for an investigation. Companies’ collection notices often disclose that they may use information broadly for legal and compliance matters. Moreover, the CCPA has various exceptions for particular activities. There’s an exception for compliance with demands from US law enforcement or compliance with US law. There’s also an exception for engaging in communications that are privileged under California law. These exceptions don’t necessarily cover the world of investigative activities, but they may help. So, for many investigations, the purpose-limitation requirement will be easy to satisfy or inapplicable in the first place.

As for disclosure, a business can share personal information in a few ways relevant to an investigation.

First, businesses can disclose personal information without any restriction if the disclosure isn’t for ‘monetary or other valuable consideration’. But the CCPA’s structure suggests that this phrase may be interpreted broadly. Some argue that the phrase goes beyond contract law concepts and encompasses any situation where data is disclosed in a way that benefits the business disclosing it. This is a deeply unsettled (and unsettling) question; for now, the point is that most companies are reluctant to rely on the ‘consideration’ requirement except in crystal-clear circumstances.

Second, businesses can of course disclose a consumer’s personal information if the consumer directs the business to do so, but this principle won’t arise often in investigations.

Third, a business can also disclose a consumer’s personal information to one of its service providers. To qualify for this exception, the business must be sharing the data for a ‘business purpose’ defined under the CCPA. Luckily, the CCPA’s definition of ‘business purpose’ is generally understood to include most sorts of operational activities. The business and service provider must sign a compliant service-provider agreement that commits the provider to use and process the data only for the specific purpose of providing the services.

Fourth, and as noted above, businesses can disclose information to respond to US law enforcement requests, to exercise or defend legal claims, or within the confines of a legally privileged relationship under California law (eg, attorney-client privilege). But these exceptions wouldn’t cover, for example, disclosures to foreign authorities or investigations that wouldn’t be privileged under California law.

Unless one of these exceptions applies (or a few others not relevant here), a disclosure of personal information will be deemed a ‘sale’. Businesses can sell personal information only if they have laid some groundwork. At the time the data was originally collected, the business must have posted a public notice that it sells data, given consumers a way to opt out of sales, and given the consumer a link to the opt-out mechanism. If the consumer has opted out of sales, the business must honour that request in most circumstances.

GLB. GLB doesn’t directly regulate the purposes for which financial institutions process NPI; it merely regulates how they disclose it. Generally speaking, a financial institution can disclose information to a non-affiliated third party only if it has given notice of that disclosure and a reasonable opportunity for the consumer to opt out. One exception is for disclosures to service providers. To use this exception, the financial institution needs to have entered into a contractual agreement prohibiting the third party from disclosing or using the information other than to carry out the purposes for which the financial institution discloses the information. And you need to have told consumers that you might share information with service providers in your initial privacy notice to the consumers or in a revised notice. The other set of pertinent exceptions is for, roughly speaking, risk and compliance activities. You can disclose NPI, among other things, ‘[t]o protect against or prevent actual or potential fraud, unauthorised transactions, claims, or other liability’; ‘[f]or required institutional risk control or for resolving consumer disputes or inquiries’; ‘[t]o comply with Federal, State, or local laws, rules and other applicable legal requirements’; ‘[t]o comply with a properly authorised civil, criminal, or regulatory investigation, or subpoena or summons by Federal, State, or local authorities’; or ‘[t]o respond to judicial process or government regulatory authorities having jurisdiction over you for examination, compliance, or other purposes as authorised by law’. For purposes of investigations, this covers a lot, but not quite everything.

HIPAA. HIPAA categorises purposes for using PHI: there are purposes for which a covered entity or business associate can use PHI outright; for others, the entity must get the patient’s affirmative authorisation; for yet others, it must give an opportunity to object. One of the most important purposes for which entities can use PHI outright is ‘healthcare operations’, a relatively broad term that includes ‘conducting or arranging for [...] legal services […] and auditing functions including fraud and abuse detection and compliance programs’. This will, in most cases, cover investigations.

HIPAA governs disclosures in a few ways. First, the ‘business associate’ provisions govern how covered entities share information with their service providers. A covered entity needs to take various steps to ensure that its business associates are processing PHI properly and safely; chief among them is entering into a compliant ‘business associate agreement’ with the service providers. The Department of Health and Human Services has provided sample clauses at https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html. Second, HIPAA has separate provisions governing how covered entities or business associates share information with various government authorities. In summary, these provisions allow disclosures when required by law, to health oversight agencies, in judicial and administrative proceedings, and to law enforcement – in each case, with limitations.

In addition to purpose and disclosure limitations, HIPAA contains an overarching principle of minimisation. That means that covered entities need to consider whether they are using or disclosing PHI more than needed to achieve whatever purpose they have for processing the PHI. (This is, of course, a sound strategy for dealing with privacy exposure whether you’re dealing with HIPAA or any other law.)

DATA EXTRACTION BY THIRD PARTIES FOR DATA COLLECTION PURPOSES

8. Before data extraction by third parties commences, should steps be taken to ascertain whether non-locally generated data was lawfully transferred to, or within, your jurisdiction in the first instance?

In general, US privacy laws don’t restrict data transfers across borders. So long as a company has obtained the data lawfully from a data subject or a third party, it doesn’t matter that data might have been brought over from another country.

The big exception, perhaps, is data brought into the United States using the Privacy Shield mechanism. Privacy Shield is – or rather, was – a mechanism by which companies could transfer personal data out of Europe to the United States in compliance with GDPR. To use this mechanism, companies would make public commitments to adhere to the Privacy Shield principles in how they process data from Europe, and those commitments were primarily backed up through potential enforcement by the US Federal Trade Commission. In July 2020, the European Court of Justice invalidated the Privacy Shield mechanism on a prospective basis. Nonetheless, companies that previously imported personal data from Europe pursuant to Privacy Shield should be mindful that the invalidation decision did not necessarily wipe away their previous commitments.

9. Are there additional requirements where third parties process the data on behalf of the entity to which data protection laws primarily apply?

In an investigation, companies often rely on third parties to analyse data that may be subject to data protection laws. External lawyers, document vendors and consultants, for example, may need to wade through documents and data, which can (and usually does) include personal data. (For simplicity, we refer to these entities as ‘lawyers and adjacent parties’.) Luckily, our three main laws allow companies to share personal data with lawyers and adjacent parties with just a few restrictions.

CCPA. Under the CCPA, sharing personal data with a lawyer isn’t hard. The CCPA expressly states that its core provisions ‘shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication’. So, if a business needs a lawyer to look through the business’s documents to render advice, it can turn them over without much worry. The business also doesn’t need to have given consumers any prior notice of the disclosure, and it’s not required to tell them about the disclosure after the fact. But what about a discovery vendor or expert? The Kovel doctrine will usually help. The Kovel doctrine often allows companies to share information and documents with experts and specialists on a legally privileged basis, at least where the sharing is supporting a lawyer’s work. The ins and outs of the doctrine are beyond the scope of this chapter. For present purposes, it is enough that Kovel means that the CCPA’s privileged-communication exception will often allow disclosure of personal information to discovery vendors, experts and others who are involved in a privileged investigation. So, if a business wants to share personal information in the context of an investigation, it should first and foremost make sure that privilege applies.

Still, the CCPA’s privileged-communication exception is untested and there are questions around the margins. In some investigations, there may be circumstances in which personal information needs to be shared outside a relationship that’s privileged under California law. In these unusual cases, you need to look at other options.

Under the CCPA, a business can share personal information with a third party acting as a service provider. As noted above, to make use of the service-provider exception, the business must be sharing the data for a ‘business purpose’ – luckily, the CCPA’s definition of ‘business purpose’ is generally understood to include most sorts of operational services. And the business and service provider must sign a compliant service-provider agreement.

Finally, if the service-provider avenue isn’t available, there is one last possibility: the business could treat the sharing of personal information with a third party as a ‘sale’. But as discussed above, this is rarely desirable, and the company needs to have laid extensive groundwork for ‘sales’ when it originally collected the data.

GLB. In most cases, a financial institution will need to disclose NPI to third parties under the ‘service provider’ exception. To qualify for that exception, the financial institution must have provided an initial notice to the relevant consumers whose personal information is involved. Those notices must have disclosed, among other things, the categories of NPI that might be shared with third parties and the categories of third parties that might receive it. Further, the financial institution and service provider must put in place an agreement that prohibits the service provider from using or disclosing the NPI except to carry out the purposes for which the financial institution is disclosing the information.

But under some circumstances, a financial institution can disclose NPI to third parties for certain legal purposes without strings attached. For example, it can disclose NPI to third parties to ‘protect against or prevent actual or potential fraud, unauthorised transactions, claims, or other liability’ or ‘for required institutional risk control or for resolving consumer disputes or inquiries’. Some investigations will fall under one of these justifications for a disclosure.

HIPAA. To provide lawyers or adjacent parties with PHI for an investigation, a covered entity will normally need to set up a ‘business associate’ relationship. As noted above, that means forming a ‘business associate’ agreement and taking the required steps to conduct diligence on and supervise the business associate. Once the relationship is set up, the covered entity can share most information with the lawyer and adjacent parties. (Although a few types of PHI are considered extra sensitive and require more work, they should come up in investigations rarely.)

Answer contributed by Peter Jaffe, Jillian Simons, Allie Bian and Jue ‘Allie’ Bian

10. Is the consent of the data subject mandatory for the processing of personal data as part of an investigation? And how can consent be given by a data subject?

USA

None of the privacy laws that we’ve been discussing necessarily require consent before processing personal data as part of an investigation. Various exceptions and permissions will usually permit using personal data as part of an investigation. But if the usual avenues are unavailable, then you may need to turn to consent. For example:

CCPA. Under the CCPA, if an investigation requires disclosure of the information to lawyers or other third parties, and if the privileged-communications exception doesn’t apply, and if the company can’t disclose the information within the confines of a service-provider relationship, and if the company has not already laid the groundwork to treat the disclosure as a sale, then the business will need to go back to the consumer for consent. The number of ‘ifs’ in the previous sentence should show that the need to get consent should be rare.

GLB. Similarly, if a financial institution needs to disclose NPI to a lawyer or third party for an investigation, but hasn’t delivered the required Gramm-Leach-Bliley notice to the consumer, or the notice didn’t disclose that NPI may be handed to service providers, then the financial institution may need to go back and get consent. Again, that should be an unusual case.

Answer contributed by Peter Jaffe, Jillian Simons, Allie Bian and Jue ‘Allie’ Bian

11. If not mandatory, should consent still be considered when planning and carrying out an investigation?

USA

Not applicable.

Answer contributed by Peter Jaffe, Jillian Simons, Allie Bian and Jue ‘Allie’ Bian

12. Is it possible for data subjects to give their consent to such processing in advance?

USA

Not applicable.

Answer contributed by Peter Jaffe, Jillian Simons, Allie Bian and Jue ‘Allie’ Bian

13. What rights do data subjects have to access or verify their personal data, or to influence or resist the processing of their personal data, as part of an investigation?

USA

Data subject access rights have become a problem for many sorts of investigations and litigations. A person under investigation can abuse these rights to demand information about themselves – which may include information uncovered by the investigation – or to demand deletion of their information – which obviously would impede future conduct of the investigation. Luckily, of the privacy laws we’ve been discussing, only the CCPA and HIPAA have data subject access rights. And in most cases, these will not impede an investigation.

CCPA. Even if a consumer requests what information a business holds on the consumer, the business doesn’t need to provide the information if doing so would reveal the contents of communications privileged under California law. If a consumer demands deletion of his or her information, the business can refuse if, among other things, keeping the data is necessary to ‘detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity’; ‘enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business’; ‘[c]omply with a legal obligation’; or ‘[o]therwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information’. These exemptions will justify most refusals to delete data that is relevant to an ongoing investigation.

HIPAA. Under HIPAA, patients can request that their PHI be disclosed to them; however, a covered entity may refuse to provide information compiled in reasonable anticipation of, or for use in, a civil, criminal or administrative action or proceeding. This exception will cover most uses in an investigation. The patients’ rights to amend or delete information have the same limitation. The hardest piece under HIPAA is the right of a patient to demand that a covered entity limit disclosures of PHI; patients can do this for disclosures for ‘health care operations’, which is the definition that covers most legal activities. The only exception is where a disclosure is affirmatively required by law.

Answer contributed by Peter Jaffe, Jillian Simons, Allie Bian and Jue ‘Allie’ Bian

TRANSFER FOR LEGAL REVIEW AND ANALYSIS

14. How are law firms, and legal process outsourcing firms, generally characterised in your jurisdiction?

USA

CCPA. Under the CCPA, there’s a strong argument that there’s simply no need to characterise lawyers, document vendors, and other privileged parties. By virtue of the privileged-communication exception discussed above, they can receive, hold, or disclose personal information within a privileged relationship without restriction. Nonetheless, some businesses may choose to treat their lawyers as service providers.

GLB. Under Gramm-Leach-Bliley, outside lawyers will generally be service providers – though in some circumstances, a financial institution may be able to disclose information to lawyers without treating them as such.

HIPAA. Under HIPAA, outside lawyers will be considered business associates.

Answer contributed by Peter Jaffe, Jillian Simons, Allie Bian and Jue ‘Allie’ Bian

15. Are there any additional requirements, beyond those specified above, that regulate the disclosure of data to third parties within your jurisdiction for the purpose of reviewing the content of documents, etc?

USA

Not applicable.

Answer contributed by Peter Jaffe, Jillian Simons, Allie Bian and Jue ‘Allie’ Bian

16. What rules regulate the transfer of data held in your jurisdiction to a third party in another country for the purpose of reviewing the content of documents, etc?

USA

As noted above, US privacy laws don’t restrict cross-border data transfers. But companies may face lingering obligations as a result of data they previously transferred into the United States. For example, if a company imported personal data into the United States from Europe pursuant to Privacy Shield, it may remain subject to certain restrictions on ‘onward transfers’ to third countries.

Companies also need to consider laws other than privacy law. In particular, US export controls law may prevent certain exports of information relevant to US national security. If your investigation involves documents that might contain export-controlled information – particularly in the defence and technology sectors – you may need to take steps to search for that information before shipping data abroad.

Answer contributed by Peter Jaffe, Jillian Simons, Allie Bian and Jue ‘Allie’ Bian

TRANSFER TO REGULATORS OR ENFORCEMENT AUTHORITIES

17. Under what circumstances is the transfer of personal data to regulators or enforcement authorities within your jurisdiction permissible?

USA

US privacy laws tend to have broad carveouts for compliance with regulatory and law enforcement demands coming from US authorities.

CCPA. For example, the CCPA expressly permits businesses to comply with any civil, criminal or regulatory inquiry, investigation, subpoena or summons by US authorities.

GLB. Similarly, GLB allows disclosure to comply with US law, or with any properly authorised civil, criminal, or regulatory investigation, or subpoena or summons by US authorities. GLB could, perhaps, be clearer about whether it covers informal requests from authorities. But in those edge cases, many practitioners will negotiate a ‘friendly subpoena’ with law enforcement to remove any doubt.

HIPAA. Under HIPAA, there are three main provisions relevant to disclosures to authorities. First, covered entities can disclose protected health information in judicial proceedings. When facing an actual court order, you can simply disclose; when facing subpoenas or discovery requests, you need to attempt to notify the patients involved or seek a compliant protective order. Second, covered entities can disclose protected health information in response to certain law enforcement requests. Again, when facing an actual order, you can simply disclose. Same with a grand jury subpoena. But if facing a mere administrative request or investigative demand, then the covered entity also needs to ensure that the information is relevant and material to a legitimate inquiry, limited in scope, and that there’s no way to de-identify the information. Third, there is a broad carve-out for disclosing information to an agency involved in health oversight activities overseen by law.

Answer contributed by Peter Jaffe, Jillian Simons, Allie Bian and Jue ‘Allie’ Bian

18. Under what circumstances is the transfer of personal data held within your jurisdiction to regulators or enforcement authorities in another country permissible?

USA

US privacy laws tend to be less permissive when it comes to compliance with regulatory and law enforcement demands coming from foreign authorities.

CCPA. For example, the CCPA carveout for complying with legal demands is specifically limited to demands from US authorities or investigations relating to US law. This means that businesses facing foreign demands have to go down two unhappy roads: they can decide that the disclosure to a foreign authority isn’t for ‘monetary or other valuable consideration’. But even though this argument has strong intuitive appeal, it remains untested and companies tend to be reluctant to rely on it. Or, the business can treat the disclosure as a sale, with all of the headaches described above.

GLB. GLB is slightly more permissive. It allows disclosures ‘[t]o comply with Federal, State, or local laws, rules and other applicable legal requirements; [t]o comply with a properly authorised civil, criminal, or regulatory investigation, or subpoena or summons by Federal, State, or local authorities; or to respond to judicial process or government regulatory authorities having jurisdiction over you for examination, compliance, or other purposes as authorised by law’. The first two provisions are limited on their face to US laws and authorities. The third provision isn’t, and so presumably includes foreign authorities; but if interpreted to include foreign authorities, the third provision makes the limitation in the first two provisions irrelevant. There are perhaps ways to thread this needle, but financial institutions will have to consider their own risk tolerances for this problem.

HIPAA. HIPAA, unlike the CCPA and GLB, doesn’t expressly limit disclosures to government authorities in the US; instead, it simply refers to ‘authorities’, ‘courts’, etc, without qualifier. However, certain other provisions in HIPAA distinguish between ‘authorities’ and ‘foreign authorities’. This suggests that when the HIPAA regulations refer to authorities, courts, etc, without qualification, they mean domestic authorities, courts, etc. Again, most covered entities and business associates will need to take an approach to this problem in line with their risk tolerances.

When in doubt, investigations lawyers often try to turn foreign demands into domestic ones. Depending on the relationship with the foreign authority, it may be possible to encourage the authority to work with US authorities through a Mutual Legal Assistance Treaty (MLAT) process or some other arrangement. Although these processes take time, they usually provide an avenue for companies to comply with foreign requests with a minimum of privacy risk.

Answer contributed by Peter Jaffe, Jillian Simons, Allie Bian and Jue ‘Allie’ Bian

19. What are some recommended steps to take on receipt of a request from a regulator for disclosure of personal data?

USA

There’s no magic formula for responding to a regulator’s request, and often the analysis will need to be highly bespoke. But a few common-sense steps will help frame the analysis. First, determine which law applies to the data at issue. Second, consider what notices were provided to the data subject when the data was collected – and consider how that notice stacks up against the requirements of the law. Third, consider whether the relevant law’s disclosure restrictions apply; if they do, consider what exemptions might trump those restrictions. Fourth, consider what commitments the company has made with respect to the personal data. If, at the end of this analysis, it seems that disclosure still isn’t allowed, then go back and see if you can change any of the variables. For example, working with the regulator to get a friendly subpoena or encouraging the regulator to work through the MLAT process may help change the equation. Or maybe, if you (carefully) decide to approach the regulator with your privacy concerns, you’ll find that the regulator doesn’t really need the personal data and is happy with anonymised or de-identified information. In unusual circumstances, getting the data subject’s consent may change the analysis too.

Answer contributed by Peter Jaffe, Jillian Simons, Allie Bian and Jue ‘Allie’ Bian

20. What are the sanctions and penalties for non-compliance with data protection laws?

USA

CCPA. CCPA fines are up to $2500 for unintentional violations and $7500 for intentional violations – per violation.

GLB. Gramm-Leach-Bliley fines can be serious; violations can give rise to fines of $100,000 for financial institutions and up to $10,000 or five years imprisonment for officers and directors.

HIPAA. HIPAA penalties are divided into two major categories: ‘Reasonable Cause’ fines range from $100 to $50,000 per incident and don’t involve jail time; but ‘Willful Neglect’ fines range from $10,000 to $50,000 per incident and may result in criminal charges.

Answer contributed by Peter Jaffe, Jillian Simons, Allie Bian and Jue ‘Allie’ Bian

CONTINUING OBLIGATIONS ON ORIGINAL AND INTERVENING DATA CONTROLLERS

21. What are the continuing obligations on the original data controller that apply in an investigation?

USA

Not applicable.

Answer contributed by Peter Jaffe, Jillian Simons, Allie Bian and Jue ‘Allie’ Bian

22. What are the continuing obligations on any intervening data controller that apply in an investigation?

USA

Not applicable.

Answer contributed by Peter Jaffe, Jillian Simons, Allie Bian and Jue ‘Allie’ Bian

RELEVANT MATERIALS

23. Provide a list of relevant materials, including any decisions or guidance of the data protection authority in your jurisdiction regarding internal and external investigations, and transfers to regulators or enforcement authorities within and outside your jurisdiction.

USA

Answer contributed by Peter Jaffe, Jillian Simons, Allie Bian and Jue ‘Allie’ Bian
