Data Privacy & Transfer in Investigations

Last verified on Thursday 30th September 2021

Data Privacy & Transfer in Investigations: USA

Brock Dahl and Kimberly Zelnick

Freshfields Bruckhaus Deringer

SCOPE OF DATA PROTECTION LAWS RELEVANT TO CROSS-BORDER INVESTIGATIONS

1. What laws and regulations in your jurisdiction regulate the collection and processing of personal data? Are there any aspects of those laws that have specific relevance to cross-border investigations?

USA

Unlike Europe, the United States does not have a generally applicable and comprehensive privacy regime. Instead, there is a range of laws that may or may not apply to a company’s activities depending on the types of personal information involved, who the data pertains to, the industry involved and the company’s size. Some privacy provisions are found in laws that are not fundamentally about privacy, such as autonomous car testing regulations or anti-discrimination laws. Moreover, while California was in the lead in enacting state privacy laws, additional states, including Virginia and Colorado, have recently passed comprehensive privacy statutes that go into effect in 2023. Prognosticators expect additional states will follow suit.

Nonetheless, as of the time of writing, three US privacy laws tend to more regularly arise for lawyers involved in investigations. This chapter will focus on these three.

CCPA

As of the time of writing, the most influential general-purpose privacy law in the United States is the California Consumer Privacy Act (the CCPA). Subject to some important caveats addressed later, the CCPA governs data relating to California residents and applies across all industries. California has recently enacted amendments to the CCPA under the title of the California Privacy Rights Act (the CPRA), which becomes operative on 1 January 2023. Because the exact contours of the CPRA have not yet been set by regulation, this chapter will address the CCPA in its current form, but practitioners should keep watch over the evolution of California statutory and regulatory requirements, and over the changes to other state privacy laws coming in the next few years.

GLB

The federal Gramm–Leach–Bliley Act (GLB) governs how financial institutions and adjacent companies handle the non-public information of financial consumers. Because GLB defines ‘financial institutions’ broadly, it may come into play for investigations of companies in the financial sector and potentially other businesses.

HIPAA

The ‘Privacy Rule’ issued pursuant to the Health Insurance Portability and Accountability Act (HIPAA) governs patient confidentiality and applies to most healthcare providers, health insurers and healthcare information clearinghouses (called ‘covered entities’ under the statute) – plus anyone who provides certain services to companies in these categories (called ‘business associates’). HIPAA considerations may arise in healthcare fraud, antitrust or other investigations in the healthcare space.

These three principal laws share a characteristic: they focus on the privacy of consumers rather than a company’s employees or its counterparties’ employees. For example, the CCPA contains an express exception (scheduled to change in 2023) under which it does not apply to a business’s own employees or to counterparty employees. GLB applies only to the personal information of consumers. HIPAA applies only to the information of patients. For an investigations lawyer, this commonality is important because many internal investigations focus on the behaviour of employees or a counterparty’s employees. Thus, these laws are more frequently implicated where an investigation pertains to a company’s interactions with customers.

Aside from these three laws, a few others occasionally come into play, but will not be the focus of this chapter. These include the following.

Recording laws

Where an investigations lawyer needs to record a conversation, federal and state laws govern how they may do so. In general, those laws may require the lawyer to obtain the consent of one or all parties to a conversation before recording it. Before recording, the lawyer should either announce to all participants that the conversation will be recorded and give them an opportunity to end it, or ensure that the laws of the states in which all participants are located allow ‘one-party’ consent for recording.

Wiretapping and hacking law

Various criminal laws prohibit the unauthorised interception of or access to telephone conversations, electronic communications, or other electronic content. In particular, the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act (ECPA) – and their state law counterparts – prohibit anyone from hacking into computers or communications systems or generally, with few exceptions, intercepting communications. For purposes of conducting investigations, these laws usually will not prohibit a company from reviewing its own communications systems (such as its email systems), but usually will prohibit a company from surreptitiously looking into the personal communications systems of its employees or others (such as an employee’s personal email account). Whether an employer can review its own communications systems depends on, among other things, whether it is reviewing communications sitting on a server rather than in transit (in ‘real time’), what sort of notice it has given to employees about surveillance and investigations, and which state laws apply. Whether an employer can look at an employee’s personal communications sent over an employer’s network (eg, when an employee looks at a personal email account on a BYOD (bring-your-own-device) device connected to the office wireless system), or whether employers can demand access to an employee’s personal accounts, similarly demands a more complex analysis.

Public-sector and telecommunications privacy laws

Providers of computing and telecommunications services to the public will sometimes be called upon to help with law enforcement, national security, or foreign intelligence investigations. In these cases, ‘public sector’ privacy laws such as the ECPA or the Foreign Intelligence Surveillance Act may come into play. Even without the involvement of law enforcement, aspects of ECPA may be pertinent where a provider is considering investigating its own customers. Other public-sector laws such as the Privacy Act of 1974 may govern what the government itself does with personal data. Though they contain variegated privacy implications, these laws are beyond the scope of this chapter.

Commitments

Finally, all companies need to be mindful of privacy commitments they have made. For example, if a company has transferred certain personal data from Europe by promising to comply with the ‘model clauses’ or even by promising to comply with the (now defunct) Privacy Shield framework, or if the company made promises in privacy policies it has made publicly available, the company will need to assess whether those commitments allow it to use particular data in an investigation.

There are other laws that could impact investigatory considerations. Section 5 of the Federal Trade Commission Act prohibits unfair or deceptive trade practices. The Federal Trade Commission has interpreted its provisions to prohibit certain practices around personal data. Many states have similar consumer protection laws. While these laws may have implications for data management, they are unlikely to bear upon reviews of personal data in an internal investigation or situations in which companies are turning data over to authorities. In addition, the Fair Credit Reporting Act is fundamentally a privacy law concerning how companies share information about creditworthiness. The Children’s Online Privacy Protection Act imposes obligations on companies that know or should know that they are collecting data online for persons under 13 years of age. And, as noted above, there are a surprising number of special-purpose privacy laws hidden in state codes and regulations. Investigations lawyers should keep these laws in the backs of their minds, but they are an atypical consideration.

Answer contributed by Brock Dahl and Kimberly Zelnick

2. What other laws and regulations, besides data protection laws, may prevent data sharing in the context of an investigation?

USA

Aside from laws protecting personal privacy, companies may occasionally encounter laws about information that is important to law enforcement or that bears on national security. For example, anti-money laundering (AML) and countering the financing of terrorism laws may require certain entities to report suspicious financial activity; when they do, they ordinarily need to keep the reports and surrounding circumstances secret. Similarly, where companies receive requests from law enforcement, they may be obligated to keep the requests (or their responses) secret. In both cases, the purpose is to prevent tipping off persons under investigation. Certain government inquiries made pursuant to the Foreign Intelligence Surveillance Act and national security letters issued pursuant to a range of statutes may also have confidentiality requirements that restrict the ability to share information pertaining to them. There are also export control laws that may prevent the transfer of certain information – usually information about technology relevant to national defence – outside the US, to certain countries, or to certain people or organisations.

Answer contributed by Brock Dahl and Kimberly Zelnick

3. What constitutes personal data for the purposes of data protection laws?

USA

Because the US does not have a comprehensive privacy law, there is not an overarching definition of personal data in the US as exists under the European GDPR regime.

CCPA

The CCPA covers ‘personal information’, which closely tracks GDPR’s definition of ‘personal data’: information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. In other words, anything related to a person. Importantly, something can be personal information whether or not it can be characterised as sensitive, ranging from a person’s social security number to their favourite colour. It includes information that a company both collects and creates. It can include observations made about a person or even inferences that are drawn to create a profile about a person’s preferences and characteristics. It also generally does not matter if the information is already public; the CCPA’s narrow ‘public information’ exception applies only to information made available in official government records. 

There are some exceptions to the CCPA’s broad definition of ‘personal information’, but two are particularly important for investigations. First, the CCPA excludes from its scope data already covered by GLB or HIPAA. Second, the CCPA generally doesn’t apply to a business’s own employees or people acting for the business’s counterparties. This exception currently limits the CCPA’s impact on investigations. However, the employee and counterparty exceptions of the CCPA are scheduled to sunset at the start of 2023.

GLB

GLB protects consumers’ ‘non-public personal information’ (NPI). NPI is any personally identifiable information that a financial institution collects about an individual in connection with providing a financial product or service unless that information is otherwise publicly available. But not all information that can be used to identify an individual falls under GLB; the key distinction is the connection between the information and the underlying financial services. For example, a car dealership may be a financial institution because it leases vehicles or gives loans, but the mere fact that a person bought a car from the dealership, without any information about whether the person obtained financing, is not NPI. 

HIPAA

HIPAA covers ‘protected health information’ (PHI), which means individually identifiable health information that is held or transmitted by entities subject to HIPAA (called ‘covered entities’ and ‘business associates’ and discussed later in this chapter). Practically, HIPAA will cover almost all information that a healthcare provider, insurer or clearinghouse, or a business associate of those covered entities, holds about a patient.

Importantly, personal data does not necessarily remain subject to special treatment indefinitely. Under the CCPA, GLB and HIPAA, there are various ways to ‘anonymise’ or ‘de-identify’ personal data so that it falls outside the scope of these laws. Practitioners should keep this option in mind when dealing with tricky investigation issues, particularly around disclosure of information to authorities.

Moreover, US privacy laws generally apply only to information pertaining to natural persons, but there are some exceptions. The CCPA also protects information relating to households even if the information is not identified specifically with an individual in such a household. This feature of the CCPA mainly matters where companies monitor activity on shared household computers for marketing purposes, but it will rarely matter in investigations. Finally, though these laws generally apply only to natural persons, they do not apply to all natural persons: the CCPA applies only to persons resident in California, GLB applies only to financial consumers, and HIPAA applies only to healthcare patients.

Answer contributed by Brock Dahl and Kimberly Zelnick

4. What is the scope of application of data protection laws in your jurisdiction? What activities trigger the application of data protection laws, to whom do they apply and what is their territorial extent?

USA

US privacy laws apply, in some form or another, both to companies that collect and hold data – roughly, what might be called a ‘controller’ by many global privacy regimes – and those that do things with data on another’s behalf – roughly, what might be called a ‘processor’ under those regimes. But none of the laws use the terms ‘controller’ or ‘processor’, and the analogy is imperfect. (The forthcoming Virginia and Colorado requirements introduce the concepts of controller and processor into US state privacy lexicon.) Often, the laws apply only to certain controllers who are active in a particular industry, have a certain nexus to a jurisdiction, or meet other thresholds.

CCPA

The CCPA applies to ‘businesses’ and ‘service providers’. Businesses under the CCPA are roughly analogous to ‘data controllers’ under the GDPR regime: they are entities that ‘determine the purposes and means of the processing of consumers’ personal information’. There are limits. The definition covers only for-profit entities that ‘do business in California’ (a phrase that is not defined but may sweep broadly) and meet one or more thresholds: (i) have gross annual revenue of over $25 million; (ii) buy, receive, or sell the personal information of 50,000 or more California residents, households or devices; or (iii) derive 50 per cent or more of their annual revenue from selling California residents’ personal information. (But note that the new CCPA amendments change these thresholds starting in 2023, and the CCPA-like laws coming into force elsewhere have slightly different definitions.) The CCPA also defines ‘service providers’, which roughly equate to ‘data processors’: they are for-profit entities that process information on behalf of a business. It is unclear whether the CCPA imposes statutory duties directly on service providers, but it requires businesses to put in place an agreement with service providers that creates contractual duties.

GLB

GLB directly applies to ‘financial institutions’, defined as institutions that are significantly engaged in financial activities, and businesses that are adjacent to those institutions. Certain businesses that we may not intuitively categorise as financial institutions can be captured. For example, GLB can apply to car dealers who arrange for financing or leasing of cars. In the view of the US FTC (one of GLB’s enforcers), it can even include career counsellors in the financial industry. It also applies to service providers and certain other entities that receive NPI from a financial institution.

HIPAA

As noted above, HIPAA applies to ‘covered entities’, which is roughly analogous to ‘controllers’, and ‘business associates’, which is roughly analogous to ‘processors’. A ‘covered entity’ is limited to: (i) a health plan; (ii) a health information clearinghouse; or (iii) most healthcare providers. ‘Business associate’ means a person who on behalf of such a covered entity processes PHI for business functions or provides services to a covered entity involving the processing of PHI.

Answer contributed by Brock Dahl and Kimberly Zelnick

5. What are the principal requirements under data protection laws that are relevant in the context of investigations?

USA

See question 6.

Answer contributed by Brock Dahl and Kimberly Zelnick

6. Identify the data protection requirements relevant to a company carrying out an internal investigation and to a party assisting with an investigation.

USA

CCPA

Under the CCPA, a business can use personal information only for the purposes listed in the ‘collection notice’ that it provided when it collected the personal information. If a business wants to use the information for a purpose that’s ‘materially different’ from the purposes it listed, it must go back to the consumer for consent.

For purposes of an investigation, this requirement arguably means the business must have previously disclosed, in its ‘collection notice’, that the business might someday use the data for some purpose that fairly includes an investigation. On the other hand, this requirement may not matter much for an investigation. Companies’ collection notices often do disclose that they may use information broadly for legal and compliance matters. Moreover, the CCPA has various exceptions to the notice requirements for particular activities. There is an exception for compliance with demands from US law enforcement or compliance with US law. There is also an exception for engaging in communications that are privileged under California law. These exceptions do not necessarily cover all investigative activities, but they should be thoroughly considered.

GLB

GLB regulates how companies disclose NPI. Generally speaking, a financial institution can disclose NPI to a non-affiliated third party only if it has given notice of that disclosure and a reasonable opportunity for the consumer to opt out. One exception is for disclosures to service providers. To use this exception, the financial institution needs to have entered into a contractual agreement prohibiting the third party from disclosing or using the information other than to carry out the purposes for which the financial institution discloses the information. The financial institution also needs to have told consumers that it might share information with service providers in its initial privacy notice to consumers or in a revised notice. The other set of pertinent exceptions is for, roughly speaking, risk and compliance activities. A company can disclose NPI to, among other reasons, ‘protect against or prevent actual or potential fraud, unauthorised transactions, claims, or other liability’; ‘[f]or required institutional risk control or for resolving consumer disputes or inquiries’; ‘[t]o comply with Federal, State, or local laws, rules and other applicable legal requirements’; ‘[t]o comply with a properly authorised civil, criminal, or regulatory investigation, or subpoena or summons by Federal, State, or local authorities’; or ‘[t]o respond to judicial process or government regulatory authorities having jurisdiction over you for examination, compliance, or other purposes as authorised by law’.

HIPAA

HIPAA establishes several categories for which a covered entity might use PHI and assigns different requirements to each: for some purposes a covered entity or business associate can use PHI without specific requirements; for other purposes, a covered entity must obtain the patient’s affirmative authorisation; for yet other purposes, an entity must give a patient an opportunity to object. One of the most important purposes for which entities can use PHI outright is ‘healthcare operations’, a relatively broad term that includes ‘conducting or arranging for [...] legal services […] and auditing functions including fraud and abuse detection and compliance programs’. This will, in most cases, cover investigations.

In addition, HIPAA governs disclosures in a few ways. First, the ‘business associate’ provisions govern how covered entities share information with their service providers. A covered entity needs to take various steps to ensure that its business associates are processing PHI properly and safely; chief among them is entering into a compliant ‘business associate agreement’ with the service providers. The Department of Health and Human Services has provided sample clauses at https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html. Second, HIPAA has separate provisions governing how covered entities or business associates share information with various government authorities. In summary, these provisions allow disclosures when required by law, to health oversight agencies, in judicial and administrative proceedings, and to law enforcement. Certain limitations apply in each case.

Finally, HIPAA contains an overarching principle of minimisation. That means that a covered entity needs to consider whether it is using or disclosing PHI more than needed to achieve whatever purpose it has for processing the PHI.

Answer contributed by Brock Dahl and Kimberly Zelnick

RIGHTS OF INDIVIDUALS

7. Is the consent of the data subject mandatory for the processing of personal data as part of an investigation?

USA

In many circumstances, personal data may be used as part of an investigation without the data subject’s consent. But in some circumstances consent may be necessary.

CCPA

Under the CCPA, a business will need to obtain consumer consent if: (i) an investigation requires disclosure of the information to lawyers or other third parties; (ii) the privileged-communications exception does not apply; (iii) the company cannot disclose the information within the confines of a service-provider relationship; and (iv) no other exceptions apply.

GLB

Similarly, a financial institution would need to obtain consent: (i) if a financial institution needs to disclose NPI to a lawyer or third party for an investigation, but hasn’t delivered the required Gramm-Leach-Bliley notice to the consumer; or (ii) if the notice didn’t disclose that NPI may be handed to service providers.

HIPAA

HIPAA, too, allows covered entities to use PHI to conduct internal investigations in most cases, so the need to obtain consent should be rare. It is primarily relevant where disclosure is needed to an entity outside a privileged relationship and the disclosure is not covered by one of the exceptions for legally required disclosures.

Answer contributed by Brock Dahl and Kimberly Zelnick

8. If not mandatory, should consent still be considered when planning and carrying out an investigation?

USA

Not applicable.

Answer contributed by Brock Dahl and Kimberly Zelnick

9. Is consent given by employees likely to be valid in an investigation carried out by their employer?

USA

None of the privacy laws that we’ve been discussing necessarily require consent before processing personal data as part of an investigation. Various exceptions and permissions will usually permit using personal data as part of an investigation. But if the usual avenues are unavailable, then you may need to turn to consent. For example:

CCPA. Under the CCPA, if an investigation requires disclosure of the information to lawyers or other third parties, and if the privileged-communications exception doesn’t apply, and if the company can’t disclose the information within the confines of a service-provider relationship, and if the company has not already laid the groundwork to treat the disclosure as a sale, then the business will need to go back to the consumer for consent. The number of ‘ifs’ in the previous sentence should show that the need to get consent should be rare.

GLB. Similarly, if a financial institution needs to disclose NPI to a lawyer or third party for an investigation, but hasn’t delivered the required Gramm-Leach-Bliley notice to the consumer, or the notice didn’t disclose that NPI may be handed to service providers, then the financial institution may need to go back and get consent. Again, that should be an unusual case.

Answer contributed by Brock Dahl and Kimberly Zelnick

10. How can consent be given by a data subject? Is it possible for data subjects to give their consent to processing in advance?

USA

Not applicable.

Answer contributed by Brock Dahl and Kimberly Zelnick

11. What rights do data subjects have to access or verify their personal data, or to influence or resist the processing of their personal data, as part of an investigation?

USA

Of the privacy laws addressed herein, only the CCPA and HIPAA have data subject access rights. In most cases, such rights cannot be used to impede an investigation.

CCPA

Even if a consumer requests what information a business holds on the consumer, the business does not need to provide the information if doing so would reveal the contents of communications privileged under California law. If a consumer demands deletion of his or her information, the business can refuse if, among other things, keeping the data is necessary to ‘detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity’; ‘enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business’; ‘[c]omply with a legal obligation’; or ‘[o]therwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information’. These exemptions will justify most refusals to delete data that is relevant to an ongoing investigation.

HIPAA

Under HIPAA, patients can request access to their PHI; however, a covered entity may refuse to provide information compiled in reasonable anticipation of, or for use in, a civil, criminal or administrative action or proceeding. The patients’ right to request amendment of their information has the same limitation. A patient also has a right to request that a covered entity restrict disclosures of PHI. The covered entity is generally not obliged to agree to such a request, but if it does agree, it must honour the restriction except where a disclosure is affirmatively required by law.

Answer contributed by Brock Dahl and Kimberly Zelnick

EXTRACTION, LEGAL REVIEW AND ANALYSIS BY THIRD PARTIES, INTERNATIONAL TRANSFER

12. Are there specific requirements to consider where third parties are appointed to process personal data in connection with an investigation?

USA

CCPA  

Under the CCPA, lawyers and third parties may process personal data in connection with an investigation in two main ways: first, under the privileged-communication exception, or second, as a service provider. The requirements for using those exceptions are spelled out in question 6. In short, any engagement with a third party should clearly indicate that the third party’s processing is in support of obtaining legal services and bind the third party to process the data only for the purposes of the services.

GLB and HIPAA

Under Gramm-Leach-Bliley and HIPAA, lawyers and third parties processing personal information will generally be service providers or business associates, respectively, so the company disclosing the personal data should ensure that the proper service-provider and business-associate contracts are in place, as described in question 6.

Answer contributed by Brock Dahl and Kimberly Zelnick

13. Is it permitted to share personal data with law firms for the purpose of providing legal advice?

USA

See question 12.

Answer contributed by Brock Dahl and Kimberly Zelnick

14. What is the position and status of law firms under data protection laws? Are law firms directly accountable for data processing under data protection laws, or is responsibility for processing by law firms shared between the law firm and the client?

USA

CCPA

Under the CCPA, there is a strong argument that there is simply no need to specially characterise lawyers, document vendors and other privileged parties. By virtue of the privileged-communication exception discussed above, they can arguably receive, hold, or disclose personal information within a privileged relationship without restriction. Nonetheless, some businesses may choose to treat their lawyers as service providers.

GLB

Under Gramm-Leach-Bliley, outside lawyers will generally be service providers – though in some circumstances, a financial institution may be able to disclose information to lawyers without treating them as such.

HIPAA

Under HIPAA, outside lawyers, document review vendors and similar parties will generally be considered business associates.

Answer contributed by Brock Dahl and Kimberly Zelnick

15. What is the position and status of legal process outsourcing firms under data protection laws?

USA

See question 14.

Answer contributed by Brock Dahl and Kimberly Zelnick

16. Are there any additional requirements, beyond those specified above, that regulate the disclosure of data to third parties within your jurisdiction for the purpose of reviewing the content of documents, etc?

USA

Not applicable.

Answer contributed by Brock Dahl and Kimberly Zelnick

17. What rules regulate the transfer of data held in your jurisdiction to a third party in another country for the purpose of reviewing the content of documents, etc?

USA

US privacy laws generally do not restrict cross-border data transfers out of the United States. But companies may face lingering obligations as a result of data they previously transferred into the United States. For example, if a company imported personal data into the United States from Europe pursuant to the Privacy Shield, it may remain subject to certain restrictions on ‘onward transfers’ to third countries.

Companies also need to consider laws other than privacy law. In particular, US export controls law may prevent certain exports of information relevant to US national security. If your investigation involves documents that might contain export-controlled information – particularly in the defence and technology sectors – you may need to take steps to search for that information before shipping data abroad.

Answer contributed by Brock Dahl and Kimberly Zelnick

18. Are there specific exemptions, derogations or mechanisms to enable international transfers of personal data in connection with investigations?

USA

Not applicable.

Answer contributed by Brock Dahl and Kimberly Zelnick

TRANSFER TO REGULATORS OR ENFORCEMENT AUTHORITIES

19. Under what circumstances is the transfer of personal data to regulators or enforcement authorities within your jurisdiction permissible?

USA

US privacy laws tend to have broad carveouts for compliance with regulatory and law enforcement demands coming from US authorities.

CCPA

For example, the CCPA expressly permits businesses to comply with any civil, criminal, or regulatory inquiry, investigation, subpoena or summons by US authorities.

GLB

Similarly, GLB allows disclosure to comply with US law, or with any properly authorised civil, criminal or regulatory investigation, or subpoena or summons by US authorities. GLB could, perhaps, be clearer about whether it covers voluntary and informal requests from authorities. In such circumstances, practitioners sometimes choose to negotiate a ‘friendly subpoena’ with law enforcement to remove any doubt.

HIPAA

Under HIPAA, there are three main provisions relevant to disclosures to authorities. First, covered entities can disclose protected health information in judicial proceedings. Disclosure is permitted in response to an actual court order. Before responding to subpoenas or discovery requests, covered entities must attempt to notify the patients involved or seek a compliant protective order. Second, covered entities can disclose protected health information in response to certain law enforcement requests. When facing an administrative request or investigative demand, a covered entity also needs to ensure that the information is relevant and material to a legitimate inquiry, that the request is appropriately limited in scope, and that it is not possible to de-identify the information. Finally, there is a broad carve-out for disclosing information to an agency involved in health oversight activities provided by law.

Answer contributed by Brock Dahl and Kimberly Zelnick

20. Under what circumstances is the transfer of personal data held within your jurisdiction to regulators or enforcement authorities in another country permissible?

USA

US privacy laws tend to be less permissive when it comes to compliance with regulatory and law enforcement demands coming from foreign authorities.

CCPA

For example, the CCPA carve-out for complying with legal demands is specifically limited to demands from US authorities or investigations relating to US law. Businesses facing foreign demands, therefore, would have to rely on another rationale provided in the statute to justify such a transfer.

GLB

GLB is slightly more permissive. It allows disclosures:

[t]o comply with Federal, State, or local laws, rules and other applicable legal requirements; [t]o comply with a properly authorised civil, criminal, or regulatory investigation, or subpoena or summons by Federal, State, or local authorities; or to respond to judicial process or government regulatory authorities having jurisdiction over you for examination, compliance, or other purposes as authorised by law.

The first two provisions are limited on their face to US laws and authorities. The third provision is not, and so arguably includes foreign authorities (at least foreign authorities having jurisdiction over examination and compliance).

HIPAA

HIPAA, unlike the CCPA and GLB, does not expressly limit disclosures to government authorities in the US; instead, it simply refers to ‘authorities’, ‘courts’, etc., without qualifier. However, certain other provisions in HIPAA distinguish between ‘authorities’ and ‘foreign authorities’. Some argue that this suggests that when the HIPAA regulations refer to authorities, courts, etc., without qualification, they mean domestic authorities, courts, etc.; others take a different view. Covered entities and business associates will therefore need to take an approach to this problem in line with their risk tolerances.

Answer contributed by Brock Dahl and Kimberly Zelnick

21. What are some recommended steps to take on receipt of a request from a regulator for disclosure of personal data?

USA

The optimal approach to a regulatory request is highly fact-dependent. Nonetheless, a few common-sense steps help frame the analysis. First, determine which, if any, privacy law applies to the data at issue and whether there are any restrictions that would affect your ability to respond to the request. If there are, consider what notices were provided to the data subject when the data was collected, and consider how that notice stacks up against the requirements of the law. If that does not change the analysis, consider whether there are available exemptions that might override the restrictions. Finally, consider what commitments the company has made with respect to the personal data. If, at the end of this analysis, it seems that disclosure still is not allowed, then go back and see if you can change any of the variables. For example, working with the regulator to obtain a friendly subpoena, or encouraging the regulator to work through the MLAT process, may help change the equation. Or, if you (carefully) decide to approach the regulator with your privacy concerns, you may find that the regulator does not really need the personal data and is content with anonymised or de-identified information. In unusual circumstances, obtaining the data subject’s consent may change the analysis too.

Answer contributed by Brock Dahl and Kimberly Zelnick

ENFORCEMENT AND SANCTIONS

22. What are the sanctions and penalties for non-compliance with data protection laws?

USA

CCPA. CCPA fines are up to $2,500 for unintentional violations and $7,500 for intentional violations or violations involving children under 16.

GLB. Gramm-Leach-Bliley fines can be serious; violations can give rise to fines of $100,000 for financial institutions and up to $10,000 or five years’ imprisonment for officers and directors.

HIPAA. HIPAA penalties are divided into two major categories: ‘reasonable cause’ fines range from $100 to $50,000 per incident; ‘willful neglect’ fines range from $10,000 to $50,000 per incident and may result in criminal charges.

Answer contributed by Brock Dahl and Kimberly Zelnick

RELEVANT MATERIALS

23. Provide a list of relevant materials, including any decisions or guidance of the data protection authority in your jurisdiction regarding internal and external investigations, and transfers to regulators or enforcement authorities within and outside your jurisdiction.

USA

The authors wish to express their gratitude to Peter Jaffe, Jillian Simons, and Allie Bian for their contributions to this chapter.

Answer contributed by Brock Dahl and Kimberly Zelnick
