1. What laws and regulations in your jurisdiction regulate the collection and processing of personal data?
Unlike Europe, the United States doesn’t have a generally applicable and comprehensive privacy regime. Instead, there’s a maze of laws, each of which may or may not apply to a company’s activities depending on the types of personal information involved, who the data subject is, the industry involved and the company’s size. Some privacy provisions are hidden away in laws that aren’t fundamentally about privacy. Unless you are steeped in these areas of law, you might not think to look for privacy provisions in, for example, autonomous car testing regulations or anti-discrimination laws.
Luckily for lawyers involved in investigations, there’s a more manageable number of privacy laws that tend to impact their work. Three tend to come up more than others. These three will be the focus of this chapter.
CCPA. The most important general-purpose privacy law is, for now, the California Consumer Privacy Act (the CCPA). It’s the closest thing we have to the GDPR. Subject to some important caveats (more on this later), it governs data relating to California residents, and it applies regardless of what industry you’re in.
GLB. The federal Gramm–Leach–Bliley Act (GLB) governs how financial institutions and adjacent companies handle non-public information on financial consumers. Because GLB defines ‘financial institutions’ broadly, it may come into play for investigations of companies in the financial sector and maybe some other businesses as well.
HIPAA. The ‘Privacy Rule’ of the Health Insurance Portability and Accountability Act (HIPAA) governs patient confidentiality and applies to most healthcare providers, health insurers and healthcare information clearinghouses (called ‘covered entities’) – plus anyone who provides certain services to companies in these categories (called ‘business associates’). HIPAA comes up mostly in healthcare fraud investigations but also occasionally in antitrust or other investigations in the healthcare space.
Note that these three principal laws share a characteristic: they are all mostly about the privacy of consumers rather than a company’s employees or its counterparties’ employees. For example, the CCPA contains an express exception so that it doesn’t apply to employees or counterparty employees. GLB applies only to the personal information of consumers. And HIPAA applies only to the information of patients. For an investigations lawyer, this commonality is important: because most internal investigations focus on the behaviour of employees or a counterparty’s employees, it means that these laws matter more where an investigation zooms in on a company’s interactions with individual human customers.
Aside from these three laws, a few others come up occasionally and will not be the focus of this chapter. These include the following.
Recording laws. Where an investigations lawyer needs to record a conversation or obtain access to previously recorded conversations, he or she will need to think about laws governing recording of conversations. These laws vary from state to state, and there is a federal version as well. In general, they may require a lawyer to get the consent of one or all parties to a conversation before recording. The bottom line is that before an investigations lawyer records a conversation, he or she should either announce to all parties of a conversation that it will be recorded and give them an opportunity to end the conversation, or should check the laws of the states for all participants in the conversation.
Wiretapping and hacking laws. Various criminal laws prohibit the unauthorised interception of or access to telephone conversations, electronic communications, or other electronic content. In particular, the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act (ECPA) – and their state law counterparts – prohibit anyone from hacking into computers or communications systems. For purposes of conducting investigations, these laws usually won’t prohibit a company from looking into its own communications systems (such as its email systems), but usually will prohibit a company from surreptitiously looking into the personal communications systems of its employees or others (like an employee’s personal email account). The devil is in the details. When employees access their personal communications using an employer’s computer systems, or where employers openly demand access to an employee’s personal accounts, a more complex analysis is needed.
Public-sector and telecommunications privacy laws. Providers of computing and telecommunications services will sometimes be called upon to help with law enforcement, national security, or foreign intelligence investigations. In these cases, ‘public sector’ privacy laws such as the Electronic Communications Privacy Act or the Foreign Intelligence Surveillance Act may come into play. And even without the involvement of law enforcement, these laws may come into play if one of these providers wants to investigate its own customers. Other public-sector laws such as the Privacy Act of 1974 may govern what the government itself does with personal data. These laws are complex, fascinating, controversial – and beyond the scope of this chapter.
Commitments. Finally, all companies need to be mindful of privacy commitments they’ve already made. For example, if a company has transferred certain personal data from Europe by promising to comply with the ‘model clauses’ or even by promising to comply with the (now defunct) Privacy Shield framework, or if the company made promises in its privacy policies, the company will need to assess whether those commitments allow it to use the data in an investigation.
There are, of course, other privacy laws that could conceivably come into play in unusual circumstances. The most broadly applicable privacy law in the US is section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive trade practices and which the Federal Trade Commission has interpreted to prohibit certain deceptive practices around personal data. Many states have similar consumer protection laws. But it will be an unusual situation where reviewing personal data in an internal investigation or turning it over to authorities will be deemed unfair or deceptive. The Fair Credit Reporting Act is fundamentally a privacy law concerning how companies share information about creditworthiness. The Children’s Online Privacy Protection Act imposes obligations on companies that know or should know that they are collecting data online for persons under 13 years of age. And, as noted above, there are a surprising number of special-purpose privacy laws hidden in state codes and regulations. Investigations lawyers should keep these laws in the backs of their minds, but they ordinarily won’t come into play, so this will be the last we speak of them.
2. What other laws and regulations may prevent data sharing in the context of an investigation?
Aside from laws protecting personal privacy, companies may occasionally encounter laws about information that’s important to law enforcement or that bears on national security. For example, anti-money laundering (AML) and countering the financing of terrorism (CFT) laws may require certain entities to report suspicious financial activity; when they do, they ordinarily need to keep the reports and surrounding circumstances secret. Similarly, where companies receive requests from law enforcement, they may be obligated to keep the requests (or their responses) secret. In both cases, the purpose is to prevent tipping off persons under investigation. There are also export control laws that may prevent the transfer of certain information – usually information about technology relevant to national defence – outside the US, to certain countries, or to certain people or organisations.
3. What can constitute personal data for the purposes of data protection laws?
Because the US doesn’t have a comprehensive privacy law, the US also doesn’t have a consistent definition of personal data. The definitions tend to fall into three categories.
First, there are various defined terms that approximate what we think of as ‘personal data’ under most global privacy laws – any information that is, or reasonably could be, identified with a living individual. For example, see the following.
CCPA. The CCPA covers ‘personal information’, which closely tracks GDPR’s definition of ‘personal data’: information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. In other words, anything related to a person. Importantly, something can be personal information whether or not you think it’s sensitive: it includes a person’s social security number and favourite colour alike. It also doesn’t matter if it’s information you collect or create, since the category can include observations you make about a person or even inferences that you draw to create a profile about a person’s preferences and characteristics. It also generally doesn’t matter if the information is already public; the CCPA’s narrow ‘public information’ exception applies only to information made available in official government records.
There are some exceptions to this broad definition of ‘personal information’, but three are particularly important for investigations. First, the CCPA excludes data already covered by GLB or HIPAA. Second and third, the CCPA generally doesn’t apply to a business’s own employees or to people acting for the business’s counterparties. As noted above, these exceptions limit the CCPA’s impact on investigations, but only for now: they sunset at the end of 2021. Maybe they will be extended in the November referendum on the proposed ‘CCPA 2.0’. If, on the other hand, the employee and counterparty exceptions of the CCPA are allowed to sunset, the CCPA will assume a much bigger role in US investigations.
GLB. GLB protects consumers’ ‘nonpublic personal information’ (NPI). NPI is any personally identifiable information that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise publicly available. But not all information that can be used to identify an individual falls under GLB; the key distinction is the connection between the information and the underlying financial services. For example, a car dealership may be a financial institution because it leases vehicles or gives loans, but the mere fact that a person bought a car from the dealership, without any information about whether the person obtained financing, isn’t NPI.
HIPAA. HIPAA covers ‘protected health information’ (PHI), which means individually identifiable health information that is held or transmitted by entities subject to HIPAA (called ‘covered entities’ and ‘business associates’, and discussed later in this chapter). Practically, HIPAA will cover almost all information that a healthcare provider, insurer or clearinghouse, or a business associate of those covered entities, holds about a patient.
Second, you may have heard of ‘personally identifiable information’ (PII). Sometimes people use the phrase in the literal sense of information identifiable with a person, in which case it basically just means ‘personal data’. But a second use has gained currency amongst some US lawyers who use it as shorthand for the sorts of data that would trigger notification obligations under state data breach notification laws: things such as social security numbers, financial account numbers, online credentials, etc. For present purposes, forget that this usage exists – it is irrelevant for the US privacy laws that may impact an investigation.
Third, some US laws protect a person’s (or company’s) communications rather than their personal information more broadly. The ECPA and wiretapping laws, for example, protect the entirety of conversations, emails, messages and other communications that a person sends or receives. As noted above, these laws may be important in certain types of investigations, but are beyond the scope of this chapter.
Importantly, personal data doesn’t have to stay personal data forever. At least under the CCPA, GLB and HIPAA, there are various ways to ‘anonymise’ or ‘de-identify’ personal data so that it falls outside the scope of law. Practitioners should keep this option in mind when dealing with tricky investigation issues, particularly around disclosure of information to authorities.
4. Does personal data protection relate only to natural persons or also legal persons?
US privacy laws generally apply only to natural persons, but there are some exceptions. First, the CCPA also protects information relating to households even if it’s not identified specifically with an individual in that household. This feature of the CCPA mainly matters where companies monitor activity on shared household computers for marketing purposes; it will rarely matter in investigations. Second, the laws against wiretapping and laws protecting electronic communications may protect parties to communications whether the parties are individuals or companies.
It is important to remember that even where the laws apply only to natural persons, they don’t apply to all natural persons: the CCPA applies only to persons resident in California, GLB applies only to financial consumers, and HIPAA applies only to healthcare patients. And even where wiretapping laws or electronic communications laws protect people and companies, they don’t protect all people and companies.
5. To whom do data protection laws apply?
US privacy laws apply, in some form or another, both to companies that collect and hold data – roughly, what might be called a ‘controller’ by many global privacy regimes – and those that do things with data on another’s behalf – roughly, what might be called a ‘processor’ under those regimes. But none of the laws use the terms ‘controller’ or ‘processor’, and the analogy is imperfect. Often, the laws apply only to certain controllers who are active in a particular industry, have a certain nexus to a jurisdiction, or meet other thresholds.
CCPA. The CCPA applies to ‘businesses’ and ‘service providers’. Businesses under the CCPA are roughly analogous to ‘data controllers’: they are entities that ‘determine the purposes and means of the processing of consumers’ personal information’. But there are limits: the definition covers only for-profit entities that ‘do business in California’ (a phrase that isn’t defined but may sweep broadly) and that meet one or more thresholds: (i) have gross annual revenue of over $25 million; (ii) buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or (iii) derive 50 per cent or more of their annual revenue from selling California residents’ personal information. In contrast, the law also defines ‘service providers’, which roughly equate to ‘data processors’: they are for-profit entities that process information on behalf of a business. It is unclear whether the CCPA imposes statutory duties directly on service providers, but in any event, it requires businesses to put in place an agreement with service providers that creates contractual duties.
GLB. GLB directly applies to ‘financial institutions’, which are defined as institutions that are significantly engaged in financial activities – plus businesses that are adjacent to those institutions. Certain businesses that we may not intuitively categorise as financial institutions can be captured. For example, the GLB can apply to car dealers who arrange for financing or leasing of cars. In the view of the US FTC (one of GLB’s enforcers), it can even include career counsellors in the financial industry. It also applies to service providers and other entities that receive NPI from a financial institution.
HIPAA. As noted above, HIPAA applies to ‘covered entities’, which are roughly analogous to ‘controllers’, and ‘business associates’, which are roughly analogous to ‘processors’. A ‘covered entity’ is limited to: (i) a health plan; (ii) a health information clearinghouse; or (iii) most healthcare providers. ‘Business associate’ means a person who, on behalf of such a covered entity, processes PHI for business functions or provides services to a covered entity involving the processing of PHI.
6. What acts or operations on personal data are regulated by data protection laws?
See question 7.
7. What are the principal obligations on data controllers to ensure the proper processing of personal data?
The core principle of US privacy laws is transparency about a company’s collection, use and disclosure of personal data. Each of the main laws we are discussing regulates ‘collection’ in that the laws generally require notice to be provided before a company collects personal data. Each regulates processing and disclosure in that each requires that companies process data in a way that is consistent with how the company has told data subjects it would use or disclose data – and in some cases, in accordance with the data subjects’ choices regarding further disclosures. These laws also grant data subjects certain rights to demand access to, modification of or deletion of their data.
For purposes of an investigations lawyer, the critical considerations under US law are narrower. First, there is purpose: does the law allow using the data for the purpose of an investigation or compliance with a legal demand? Second, there’s disclosure: does the law allow transferring or disclosing the data to lawyers and adjacent parties, to regulators and other authorities, or to other third parties?
CCPA. Under the CCPA, a business can use personal information only for the purposes listed in the ‘collection notice’ that it provided when it collected the personal information. If a business wants to use the information for a purpose that’s ‘materially different’ from the purposes it listed, it must go back to the consumer for consent. This is the CCPA’s version of the ‘purpose limitation’ principle.
For purposes of an investigation, this principle arguably means the business must have previously disclosed, in its ‘collection notice’, that the business might someday use the data for some purpose that fairly includes an investigation. On the other hand, the purpose-limitation principle may not matter much for an investigation. Companies’ collection notices often disclose that they may use information broadly for legal and compliance matters. Moreover, the CCPA has various exceptions for particular activities. There’s an exception for compliance with demands from US law enforcement or compliance with US law. There’s also an exception for engaging in communications that are privileged under California law. These exceptions don’t necessarily cover the world of investigative activities, but they may help. So, for many investigations, the purpose-limitation requirement will be easy to satisfy or inapplicable in the first place.
As for disclosure, a business can share personal information in a few ways relevant to an investigation.
First, businesses can disclose personal information without any restriction if the disclosure isn’t for ‘monetary or other valuable consideration’. But the CCPA’s structure suggests that this phrase may be interpreted broadly. Some argue that the phrase goes beyond contract law concepts and encompasses any situation where data is disclosed in a way that benefits the business disclosing it. This is a deeply unsettled (and unsettling) question; for now, the point is that most companies are reluctant to rely on the ‘consideration’ requirement except in crystal-clear circumstances.
Second, businesses can of course disclose a consumer’s personal information if the consumer directs the business to do so, but this principle won’t arise often in investigations.
Third, a business can also disclose a consumer’s personal information to one of its service providers. To qualify for this exception, the business must be sharing the data for a ‘business purpose’ defined under the CCPA. Luckily, the CCPA’s definition of ‘business purpose’ is generally understood to include most sorts of operational activities. The business and service provider must sign a compliant service-provider agreement that commits the provider to use and process the data only for the specific purpose of providing the services.
Fourth, and as noted above, businesses can disclose information to respond to US law enforcement requests, to exercise or defend legal claims, or within the confines of a legally privileged relationship under California law (eg, attorney-client privilege). But these exceptions wouldn’t cover, for example, disclosures to foreign authorities or investigations that wouldn’t be privileged under California law.
Unless one of these exceptions applies (or a few others not relevant here), a disclosure of personal information will be deemed a ‘sale’. Businesses can sell personal information only if they have laid some groundwork. At the time the data was originally collected, the business must have posted a public notice that it sells data, given consumers a way to opt out of sales, and given the consumer a link to the opt-out mechanism. If the consumer has opted out of sales, the business must honour that request in most circumstances.
GLB. GLB doesn’t directly regulate the purposes for which financial institutions process NPI; it merely regulates how they disclose it. Generally speaking, a financial institution can disclose information to a non-affiliated third party only if it has given notice of that disclosure and a reasonable opportunity for the consumer to opt out. One exception is for disclosures to service providers. To use this exception, the financial institution needs to have entered into a contractual agreement prohibiting the third party from disclosing or using the information other than to carry out the purposes for which the financial institution discloses the information. And you need to have told consumers that you might share information with service providers in your initial privacy notice to the consumers or in a revised notice. The other set of pertinent exceptions is for, roughly speaking, risk and compliance activities. You can disclose NPI, among other things, ‘[t]o protect against or prevent actual or potential fraud, unauthorised transactions, claims, or other liability’; ‘[f]or required institutional risk control or for resolving consumer disputes or inquiries’; ‘[t]o comply with Federal, State, or local laws, rules and other applicable legal requirements’; ‘[t]o comply with a properly authorised civil, criminal, or regulatory investigation, or subpoena or summons by Federal, State, or local authorities’; or ‘[t]o respond to judicial process or government regulatory authorities having jurisdiction over you for examination, compliance, or other purposes as authorised by law’. For purposes of investigations, this covers a lot, but not quite everything.
HIPAA. HIPAA categorises purposes for using PHI: there are purposes for which a covered entity or business associate can use PHI outright; for others, the entity must get the patient’s affirmative authorisation; for yet others, it must give an opportunity to object. One of the most important purposes for which entities can use PHI outright is ‘healthcare operations’, a relatively broad term that includes ‘conducting or arranging for [...] legal services […] and auditing functions including fraud and abuse detection and compliance programs’. This will, in most cases, cover investigations.
HIPAA governs disclosures in a few ways. First, the ‘business associate’ provisions govern how covered entities share information with their service providers. A covered entity needs to take various steps to ensure that its business associates are processing PHI properly and safely; chief among them is entering into a compliant ‘business associate agreement’ with the service providers. The Department of Health and Human Services has provided sample clauses at https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html. Second, HIPAA has separate provisions governing how covered entities or business associates share information with various government authorities. In summary, these provisions allow disclosures when required by law, to health oversight agencies, in judicial and administrative proceedings, and to law enforcement – in each case, with limitations.
In addition to purpose and disclosure limitations, HIPAA contains an overarching principle of minimisation. That means that covered entities need to consider whether they are using or disclosing more PHI than needed to achieve whatever purpose they have for processing the PHI. (This is, of course, a sound strategy for dealing with privacy exposure whether you’re dealing with HIPAA or any other law.)