SCOPE OF DATA PROTECTION LAWS RELEVANT TO CROSS-BORDER INVESTIGATIONS
1. What laws and regulations in your jurisdiction regulate the collection and processing of personal data? Are there any aspects of those laws that have specific relevance to cross-border investigations?
Unlike Europe, the United States does not have a generally applicable and comprehensive privacy regime. Instead, there is a range of laws that may or may not apply to a company’s activities depending on the types of personal information involved, to whom the data pertains, the industry involved and a company’s size. Some privacy provisions are found in laws that are not fundamentally about privacy, such as autonomous car testing regulations or anti-discrimination laws. Moreover, while California was in the lead in enacting state privacy laws, additional states, including Virginia and Colorado, have recently passed comprehensive privacy statutes that go into effect in 2023. Prognosticators expect additional states will follow suit.
Nonetheless, as of the time of writing, three US privacy laws tend to more regularly arise for lawyers involved in investigations. This chapter will focus on these three.
As of the time of writing, the most influential general-purpose privacy law in the United States is the California Consumer Privacy Act (the CCPA). Subject to some important caveats addressed later, the CCPA governs data relating to California residents and applies across all industries. California has recently enacted amendments to the CCPA under the title of the California Privacy Rights Act (the CPRA), which becomes operative on 1 January 2023. Because the exact contours of the CPRA have not yet been set by regulation, this chapter will address the CCPA in its current form, but practitioners should maintain vigilance over the evolution of California statutory and regulatory requirements, and over the changes to other state privacy laws coming in the next few years.
The federal Gramm–Leach–Bliley Act (GLB) governs how financial institutions and adjacent companies handle the non-public information of financial consumers. Because GLB defines ‘financial institutions’ broadly, it may come into play for investigations of companies in the financial sector and potentially other businesses.
The ‘Privacy Rule’ issued pursuant to the Health Insurance Portability and Accountability Act (HIPAA) governs patient confidentiality and applies to most healthcare providers, health insurers and healthcare information clearinghouses (called ‘covered entities’ under the statute) – plus anyone who provides certain services to companies in these categories (called ‘business associates’). HIPAA considerations may arise in healthcare fraud, antitrust or other investigations in the healthcare space.
These three principal laws share a characteristic: they focus on the privacy of consumers rather than a company’s employees or its counterparties’ employees. For example, the CCPA contains an express exception, though it will change in 2023, so that it does not apply to employees or counterparty employees. GLB applies only to the personal information of consumers. HIPAA applies only to the information of patients. For an investigations lawyer, this commonality is important because many internal investigations focus on the behaviour of employees or a counterparty’s employees. Thus, these laws are more frequently implicated where an investigation pertains to a company’s interactions with customers.
Aside from these three laws, a few others occasionally come into play, but will not be the focus of this chapter. These include the following.
Recording laws
Where an investigations lawyer needs to record a conversation, federal and state laws impact their conduct. In general, they may require a lawyer to obtain the consent of one or all parties to a conversation before recording. Before an investigations lawyer records a conversation, he or she should either announce to all participants that it will be recorded and give them an opportunity to end the conversation, or should ensure that the laws of the states of all participants in the conversation allow ‘one-party’ consent for recording.
Wiretapping and hacking law
Various criminal laws prohibit the unauthorised interception of or access to telephone conversations, electronic communications, or other electronic content. In particular, the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act (ECPA) – and their state law counterparts – prohibit anyone from hacking into computers or communications systems or, generally and with few exceptions, intercepting communications. For purposes of conducting investigations, these laws usually will not prohibit a company from reviewing its own communications systems (such as its email systems), but usually will prohibit a company from surreptitiously looking into the personal communications systems of its employees or others (such as an employee’s personal email account). Whether an employer can review its own communications systems depends on, among other things, whether it is reviewing communications sitting on a server rather than in transit (in ‘real time’), what sort of notice it has given to employees about surveillance and investigations, and which state laws apply. Whether an employer can look at an employee’s personal communications sent over an employer’s network (eg, when an employee looks at a personal email account on a BYOD device connected to the office wireless system), or whether employers can demand access to an employee’s personal accounts, similarly demands a more complex analysis.
Public-sector and telecommunications privacy laws
Providers of computing and telecommunications services to the public will sometimes be called upon to help with law enforcement, national security, or foreign intelligence investigations. In these cases, ‘public sector’ privacy laws such as the ECPA or the Foreign Intelligence Surveillance Act may come into play. Even without the involvement of law enforcement, aspects of ECPA may be pertinent where a provider is considering investigating its own customers. Other public-sector laws such as the Privacy Act of 1974 may govern what the government itself does with personal data. Though they contain variegated privacy implications, these laws are beyond the scope of this chapter.
Finally, all companies need to be mindful of privacy commitments they have made. For example, if a company has transferred certain personal data from Europe by promising to comply with the ‘model clauses’ or even by promising to comply with the (now defunct) Privacy Shield framework, or if the company made promises in privacy policies it has made publicly available, the company will need to assess whether those commitments allow it to use particular data in an investigation.
There are other laws that could impact investigatory considerations. Section 5 of the Federal Trade Commission Act prohibits unfair or deceptive trade practices. The Federal Trade Commission has interpreted its provisions to prohibit certain practices around personal data. Many states have similar consumer protection laws. While these laws may have implications for data management, they are unlikely to bear upon reviews of personal data in an internal investigation or situations in which companies are turning data over to authorities. In addition, the Fair Credit Reporting Act is fundamentally a privacy law concerning how companies share information about creditworthiness. The Children’s Online Privacy Protection Act imposes obligations on companies that know or should know that they are collecting data online for persons under 13 years of age. And, as noted above, there are a surprising number of special-purpose privacy laws hidden in state codes and regulations. Investigations lawyers should keep these laws in the backs of their minds, but they are an atypical consideration.
2. What other laws and regulations, besides data protection laws, may prevent data sharing in the context of an investigation?
Aside from laws protecting personal privacy, companies may occasionally encounter laws about information that is important to law enforcement or that bears on national security. For example, anti-money laundering (AML) and countering the financing of terrorism laws may require certain entities to report suspicious financial activity; when they do, they ordinarily need to keep the reports and surrounding circumstances secret. Similarly, where companies receive requests from law enforcement, they may be obligated to keep the requests (or their responses) secret. In both cases, the purpose is to prevent tipping off persons under investigation. Certain government inquiries made pursuant to the Foreign Intelligence Surveillance Act and national security letters issued pursuant to a range of statutes may also have confidentiality requirements that restrict the ability to share information pertaining to them. There are also export control laws that may prevent the transfer of certain information – usually information about technology relevant to national defence – outside the US, to certain countries, or to certain people or organisations.
3. What constitutes personal data for the purposes of data protection laws?
Because the US does not have a comprehensive privacy law, there is not an overarching definition of personal data in the US as exists under the European GDPR regime.
The CCPA covers ‘personal information’, which closely tracks GDPR’s definition of ‘personal data’: information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. In other words, anything related to a person. Importantly, something can be personal information whether or not it can be characterised as sensitive, ranging from a person’s social security number to their favourite colour. It includes information that a company both collects and creates. It can include observations made about a person or even inferences that are drawn to create a profile about a person’s preferences and characteristics. It also generally does not matter if the information is already public; the CCPA’s narrow ‘public information’ exception applies only to information made available in official government records.
There are some exceptions to the CCPA’s broad definition of ‘personal information’, but three are particularly important for investigations. First, the CCPA excludes from its scope data already covered by GLB or HIPAA. Second, the CCPA generally does not apply to a business’s own employees or to people acting for the business’s counterparties. This exception currently limits the CCPA’s impact on investigations. However, the employee and counterparty exceptions of the CCPA are scheduled to sunset at the start of 2023.
GLB protects consumers’ ‘non-public personal information’ (NPI). NPI is any personally identifiable information that a financial institution collects about an individual in connection with providing a financial product or service unless that information is otherwise publicly available. But not all information that can be used to identify an individual falls under GLB; the key distinction is the connection between the information and the underlying financial services. For example, a car dealership may be a financial institution because it leases vehicles or gives loans, but the mere fact that a person bought a car from the dealership, without any information about whether the person obtained financing, is not NPI.
HIPAA covers ‘protected health information’ (PHI), which means individually identifiable health information that is held or transmitted by entities subject to HIPAA (called ‘covered entities’ and ‘business associates’ and discussed later in this chapter). Practically, HIPAA will cover almost all information that a healthcare provider, insurer or clearinghouse, or a business associate of those covered entities, holds about a patient.
Importantly, personal data does not necessarily remain subject to special treatment indefinitely. Under the CCPA, GLB and HIPAA, there are various ways to ‘anonymise’ or ‘de-identify’ personal data so that it falls outside the scope of these laws. Practitioners should keep this option in mind when dealing with tricky investigation issues, particularly around disclosure of information to authorities.
Moreover, US privacy laws generally apply only to information pertaining to natural persons, but there are some exceptions. The CCPA also protects information relating to households even if the information is not identified specifically with an individual in such a household. This feature of the CCPA mainly matters where companies monitor activity on shared household computers for marketing purposes, but it will rarely matter in investigations. Finally, though these laws generally apply only to natural persons, they do not apply to all natural persons: the CCPA applies only to persons resident in California, GLB applies only to financial consumers, and HIPAA applies only to healthcare patients.
4. What is the scope of application of data protection laws in your jurisdiction? What activities trigger the application of data protection laws, to whom do they apply and what is their territorial extent?
US privacy laws apply, in some form or another, both to companies that collect and hold data – roughly, what might be called a ‘controller’ by many global privacy regimes – and those that do things with data on another’s behalf – roughly, what might be called a ‘processor’ under those regimes. But none of the laws use the terms ‘controller’ or ‘processor’, and the analogy is imperfect. (The forthcoming Virginia and Colorado requirements introduce the concepts of controller and processor into US state privacy lexicon.) Often, the laws apply only to certain controllers who are active in a particular industry, have a certain nexus to a jurisdiction, or meet other thresholds.
The CCPA applies to ‘businesses’ and ‘service providers’. Businesses under the CCPA are roughly analogous to ‘data controllers’ under the GDPR regime: they are entities that ‘determine the purposes and means of the processing of consumers’ personal information’. There are limits. The definition covers only for-profit entities that ‘do business in California’ (a phrase that is not defined but may sweep broadly) and meet one or more thresholds: (i) gross annual revenue of over $25 million; (ii) buying, receiving, or selling the personal information of 50,000 or more California residents, households or devices; or (iii) deriving 50 per cent or more of annual revenue from selling California residents’ personal information. (But note that the new CCPA amendments change these thresholds starting in 2023, and the CCPA-like laws coming into force elsewhere have slightly different definitions.) The CCPA also defines ‘service providers’, which roughly equate to ‘data processors’: they are for-profit entities that process information on behalf of a business. It is unclear whether the CCPA imposes statutory duties directly on service providers, but it requires businesses to put in place an agreement with service providers that creates contractual duties.
GLB directly applies to ‘financial institutions’, defined as institutions that are significantly engaged in financial activities, and businesses that are adjacent to those institutions. Certain businesses that we may not intuitively categorise as financial institutions can be captured. For example, the GLB can apply to car dealers who arrange for financing or leasing of cars. In the view of the US FTC (one of GLB’s enforcers), it can even include career counsellors in the financial industry. It also applies to service providers and certain other entities that receive NPI from a financial institution.
As noted above, HIPAA applies to ‘covered entities’, which are roughly analogous to ‘controllers’, and ‘business associates’, which are roughly analogous to ‘processors’. A ‘covered entity’ is limited to: (i) a health plan; (ii) a health information clearinghouse; or (iii) most healthcare providers. ‘Business associate’ means a person who, on behalf of such a covered entity, processes PHI for business functions or provides services to a covered entity involving the processing of PHI.
5. What are the principal requirements under data protection laws that are relevant in the context of investigations?
See question 6.
6. Identify the data protection requirements relevant to a company carrying out an internal investigation and to a party assisting with an investigation.
Under the CCPA, a business can use personal information only for the purposes listed in the ‘collection notice’ that it provided when it collected the personal information. If a business wants to use the information for a purpose that is ‘materially different’ from the purposes it listed, it must go back to the consumer for consent.
For purposes of an investigation, this requirement arguably means the business must have previously disclosed, in its ‘collection notice’, that the business might someday use the data for some purpose that fairly includes an investigation. On the other hand, this requirement may not matter much for an investigation. Companies’ collection notices often do disclose that they may use information broadly for legal and compliance matters. Moreover, the CCPA has various exceptions to the notice requirements for particular activities. There is an exception for compliance with demands from US law enforcement or compliance with US law. There is also an exception for engaging in communications that are privileged under California law. These exceptions do not necessarily cover all investigative activities, but they should be thoroughly considered.
GLB regulates how companies disclose NPI. Generally speaking, a financial institution can disclose NPI to a non-affiliated third party only if it has given notice of that disclosure and a reasonable opportunity for the consumer to opt out. One exception is for disclosures to service providers. To use this exception, the financial institution needs to have entered into a contractual agreement prohibiting the third party from disclosing or using the information other than to carry out the purposes for which the financial institution discloses the information. The financial institution also needs to have told consumers that it might share information with service providers in its initial privacy notice to consumers or in a revised notice. The other set of pertinent exceptions is for, roughly speaking, risk and compliance activities. A company can disclose NPI to, among other reasons, ‘protect against or prevent actual or potential fraud, unauthorised transactions, claims, or other liability’; ‘[f]or required institutional risk control or for resolving consumer disputes or inquiries’; ‘[t]o comply with Federal, State, or local laws, rules and other applicable legal requirements’; ‘[t]o comply with a properly authorised civil, criminal, or regulatory investigation, or subpoena or summons by Federal, State, or local authorities’; or ‘[t]o respond to judicial process or government regulatory authorities having jurisdiction over you for examination, compliance, or other purposes as authorised by law’.
HIPAA establishes several categories for which a covered entity might use PHI and assigns different requirements to each: for some purposes a covered entity or business associate can use PHI without specific requirements; for other purposes, a covered entity must obtain the patient’s affirmative authorisation; for yet other purposes, an entity must give a patient an opportunity to object. One of the most important purposes for which entities can use PHI outright is ‘healthcare operations’, a relatively broad term that includes ‘conducting or arranging for [...] legal services […] and auditing functions including fraud and abuse detection and compliance programs’. This will, in most cases, cover investigations.
In addition, HIPAA governs disclosures in a few ways. First, the ‘business associate’ provisions govern how covered entities share information with their service providers. A covered entity needs to take various steps to ensure that its business associates are processing PHI properly and safely; chief among them is entering into a compliant ‘business associate agreement’ with the service providers. The Department of Health and Human Services has provided sample clauses at https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html. Second, HIPAA has separate provisions governing how covered entities or business associates share information with various government authorities. In summary, these provisions allow disclosures when required by law, to health oversight agencies, in judicial and administrative proceedings, and to law enforcement. Certain limitations apply in each case.
Finally, HIPAA contains an overarching principle of minimisation. That means that a covered entity needs to consider whether it is using or disclosing PHI more than needed to achieve whatever purpose it has for processing the PHI.