Global Investigations Review - The law and practice of international investigations

Data Privacy & Transfer in Investigations

Last verified on Wednesday 21st August 2019

United States

Tony Mansfield, Jonathan Flynn and Derek Jackson
Allen & Overy LLP
  1. What laws and regulations in your jurisdiction regulate the collection and processing of personal data?

    There is no overarching federal law or regulatory regime governing the collection and processing of personal data in the US. Similarly, there is no US-wide personal data regulator.

    There are a number of sectoral laws that may impose requirements on the transfer of data depending on the category of information transferred, such as financial or health information, or the activity being conducted, such as marketing. These include, for example:

    • Title V, subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6809 (privacy provisions);
    • the Health Insurance Portability and Accountability Act, 42 U.S.C. § 1301 (the HIPAA);
    • the Cyber Security Act, Pub. L. No. 114-113, Div. N, 129 Stat. 2242 (2015);
    • the Electronic Communications Privacy Act, 18 U.S.C. § 2510;
    • the Computer Fraud and Abuse Act, 18 U.S.C. § 1030;
    • the Freedom of Information Act, 5 U.S.C. § 552; and
    • the Federal Trade Commission Act, 15 U.S.C. §§ 41-58 (the FTCA), which is enforced by the Federal Trade Commission (the FTC).

    There are various industry guidelines and best-practice standards that may affect the legality of processing and monitoring personal data in the US. The law of the relevant individual state may also apply; California in particular has passed a comprehensive data privacy law that several other states have since mirrored in draft legislation. An analysis of state law requirements is beyond the scope of this article.

  2. What other laws and regulations may prevent data sharing in the context of an investigation?

    Consumer financial privacy

    Consumer financial privacy in the US at the federal level is regulated by Title V, subtitle A of the Gramm-Leach-Bliley Act and the regulations promulgated thereunder (together, the GLBA).

    The GLBA only applies to non-public personal information about natural persons who obtain financial products or services from a financial institution primarily for personal, family, or household purposes (consumers). Note that, under the GLBA, “customers” are a sub-set of “consumers” and, thus, are also only natural persons. Customers are individuals with a continuing relationship with the financial institution under which the institution provides one or more financial products or services that are to be used primarily for personal, family or household purposes. Financial institutions have additional obligations to customers under the GLBA, including providing annual privacy notices. The GLBA does not apply to entities (non-natural persons) or those who obtain financial services or products for business reasons.

    Non-public personal information is generally any information that is not publicly available and that (i) a consumer provides to a financial institution to obtain a financial product or service from the institution; (ii) results from a transaction between the consumer and the institution involving a financial product or service; or (iii) a financial institution otherwise obtains about a consumer in connection with providing a financial product or service. Information is considered publicly available if an institution has a reasonable basis to believe that the information is available lawfully to the general public from government records, widely distributed media or legally required disclosures to the general public (examples include information in a published telephone book or a publicly recorded document, such as a mortgage or securities filing).

    Under the GLBA, unless one of the exceptions allowing disclosure (described below) applies, financial institutions are generally permitted to share consumers’ non-public personal information with a non-affiliated third party only where:

    • the financial institution provides the consumer with an initial notice of its policies and procedures regarding its disclosure and protection of non-public personal information;
    • the financial institution gives the consumer an opt-out notice including, among other things, a reasonable means to opt out of the sharing of the consumer’s information with non-affiliated third parties (reasonable means may include check-off boxes, a reply form or a toll-free telephone number, but would not include a requirement that a consumer write his or her own letter to opt out);
    • the financial institution gives the consumer a reasonable opportunity, before the financial institution discloses the information to the non-affiliated third party, to opt out (what constitutes a reasonable opportunity depends on the circumstances, but, as an example, allowing 30 days to respond would be reasonable); and
    • the consumer does not take the opportunity to opt out.

    Broadly, a financial institution is defined as any institution in the business of engaging in activities that are financial in nature or incidental to activities that are financial in nature. A list of examples of the activities that are covered can be found in the Bank Holding Company Act of 1956, as amended. Financial institutions can include banks, securities brokers and dealers, futures commission merchants, commodity trading advisors, commodity pool operators, insurance underwriters and agents, finance companies, mortgage bankers and other companies. The GLBA applies to US financial institutions and to certain non-US financial institutions operating in the US. This includes the US branches and agencies of foreign banks.

    There are exceptions to the notice and opt-out requirements in the GLBA. For example, a financial institution can share non-public personal information with a non-affiliated third party in the following circumstances:

    • to perform certain services or functions for or on behalf of the financial institution (such as marketing), as long as the financial institution fully discloses to the consumer that the consumer’s data will be shared and contracts with the third party to maintain the confidentiality of the data and use the information only for specified purposes (Exception 1). See response to question 9.
    • as necessary to effect, administer or enforce a transaction that a consumer requests or authorises, or under certain other circumstances relating to existing relationships with consumers (Exception 2).
    • for specified other disclosures that a financial institution normally makes, such as (i) to protect against or prevent actual or potential fraud, (ii) to the financial institution’s attorneys, accountants and auditors, or (iii) to comply with applicable legal requirements, such as the disclosure of information to regulators or law enforcement agencies or to comply with a properly authorised civil, criminal or regulatory investigation or subpoena or summons by federal, state or local authorities (Exception 3). 

    With respect to Exceptions 2 and 3, unlike with respect to Exception 1, there is no requirement that the financial institution and the third party enter into a confidentiality or other agreement, but there are limits as to what the third party can do with the information. Under the GLBA, a third party that receives non-public personal information from a financial institution under Exceptions 2 or 3 may disclose and use the information it receives only as follows:

    • the third party may disclose the information to the financial institution’s affiliates;
    • the third party may disclose the information to its affiliates, but its affiliates may, in turn, disclose and use the information only to the extent that the third party may disclose and use the information; and
    • the third party may disclose and use the information pursuant to an exception under the GLBA in the ordinary course of business to carry out the activity covered by the exception under which it received the information.

    Certain state privacy laws may also regulate the collection, processing and use of personal data by financial institutions, provided that they are not inconsistent with, and provide at least equivalent protection to, the GLBA. An analysis of state law requirements is beyond the scope of this article.

    Freedom of Information Act

    Many governmental bodies, including the Department of Justice and administrative agencies like the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC) and the FTC, are vested with authority to compel the production of information, including, but not limited to, personal data, in connection with the investigation of potential wrongful conduct. Information once held by a governmental body may then be subject to disclosure to the public pursuant to the Freedom of Information Act (FOIA), 5 U.S.C. § 552. However, there are a number of bases upon which a governmental body may decline to produce information in response to a FOIA request, for example because disclosure would:

    • include trade secrets and commercial or financial information obtained from a person;
    • include personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy;
    • "reveal investigatory records compiled for law enforcement purposes whose disclosure would deprive the submitter of a right to a fair trial or an impartial adjudication";
    • "reveal investigatory records compiled for law enforcement purposes whose disclosure would constitute an unwarranted invasion of personal privacy of the submitter";
    • "reveal investigatory records compiled for law enforcement purposes when disclosure would interfere with enforcement proceedings or disclose investigative techniques or procedures ..."  5 U.S.C. § 552(b).

    Memoranda of understanding

    It is often the case that multiple governmental bodies exercise jurisdiction over the same markets. Given this overlapping authority, it is not uncommon for multiple governmental bodies both within the US and outside the US to investigate the same underlying conduct. To facilitate the sharing of information gathered for investigative purposes, governmental bodies often enter into memoranda of understanding (MOU), setting out the terms for, and limitations of, sharing information. Such MOUs often limit data sharing in the context of an investigation. Criminal authorities also share information pursuant to mutual legal assistance treaties (MLAT). An MLAT is an agreement between two or more countries for the purpose of gathering and exchanging information in an effort to enforce public or criminal laws.

    For example, in the US, the SEC has authority to regulate securities, whereas the CFTC has authority to regulate futures, including certain futures linked to an underlying basket of securities. To facilitate inter-agency cooperation, the two agencies have entered into a bilateral MOU, which was most recently updated in 2018 to reflect the expanded jurisdiction of the agencies under the Dodd-Frank Act. The MOU permits each party to request information and data from the other in areas of common regulatory interest. MOUs of this kind typically also constrain what the receiving agency may do with shared data. For example:

      • non-public information shared under the MOU is accorded confidential treatment.
      • the receiving agency will notify the sharing agency of any FOIA request relating to the shared information.
      • the receiving agency will be bound by the same limitations imposed on the sharing agency in connection with disclosure of the shared information to a third party. See, for example, memorandum of understanding between the Environmental Protection Agency and the Commodity Futures Trading Commission on the Sharing of Information Available to EPA Related to the Functioning of Renewable Fuel and Related Markets.
  3. What can constitute personal data for the purposes of data protection laws?

    As there is no overarching data protection regime in the US, there is no global definition of personal data. The information regulated by each law depends on the law in question. For example, depending on the law, protectable data may include:

    • personal medical information;
    • data that would reveal the identity of a specific living individual;
    • trade secrets; and
    • commercial or financial information.
  4. Does personal data protection relate only to natural persons or also legal persons?

    As noted in question 3, there is no global definition of personal data in the US. The regulations in place in individual industries may vary as to whether they apply to natural and/or legal persons. For example:

    • the GLBA only applies to non-public personal information collected by a financial institution from consumers (who, as described above, are only natural persons);
    • the FTCA, while it does not regulate specific categories of data, prohibits unfair or deceptive acts or practices that do not safeguard personal information of consumers (ie, natural persons); and
    • the HIPAA applies to protected health information, which is individually identifiable health and medical information maintained or transmitted by a “covered entity” or its “business associate” (see question 5 for the definitions of these terms).
  5. To whom do data protection laws apply?

    As noted in question 1, there is no overarching federal law or regulatory regime governing the collection and processing of personal data in the US. It follows that there is no general distinction made between, for example, “data controllers” and “data processors”. The individual laws and guidance apply to those who handle personal information in the relevant sector or activity.

    The GLBA applies to “financial institutions”. A financial institution is any institution the business of which is engaging in activities that are financial in nature or incidental to such financial activities, as determined by section 4(k) of the Bank Holding Company Act of 1956, as amended. Financial institutions can include banks, securities brokers and dealers, futures commission merchants, commodity trading advisers, commodity pool operators, and introducing brokers, insurance underwriters and agents, finance companies, mortgage bankers and other companies. 

    The FTCA applies to most companies and individuals who conduct business in the US, with the exception of certain financial, telecommunications and transportation companies (which are primarily regulated by other national agencies). 

    The HIPAA applies to “covered entities” (including health plans, healthcare clearinghouses and health care providers that transmit certain information in electronic form) and “business associates” (ie, a person or entity that performs certain functions or activities involving the use or disclosure of protected health information on behalf of, or provides services to, a “covered entity”).

  6. What acts or operations on personal data are regulated by data protection laws?

    The individual laws and guidance for the relevant sector or activity will determine the acts or operations that are regulated.

    The GLBA applies to the collection, use, sharing and disclosure of non-public financial information by a financial institution. The GLBA’s Safeguards Rule requires financial institutions to have measures and practices in place to keep this information secure.

    The FTCA prohibits unfair or deceptive acts or practices that fail to safeguard personal information of consumers. In line with enforcement action taken by the FTC, this can include failure to protect consumers’ personal data (leading to vulnerability to cyber-attacks), change to privacy policies without adequate notice being given and failure to comply with a published privacy policy.

    The HIPAA regulates the use and disclosure of protected health information, as well as the collection, use, maintenance or transmission of electronic protected health information.

  7. What are the principal obligations on data controllers to ensure the proper processing of personal data?

    As noted above, there is no concept of "data controllers" in the US. The individual laws and guidance for the relevant sector or activity will determine the principal obligations, as set out below.

    Under the GLBA, financial institutions must, among other things:

    • provide consumers with an initial notice of their privacy practices. The requirements for written notice of privacy practices will vary depending on whether a consumer or a customer is concerned (see question 2 for the distinction between these terms).  In particular, a customer should receive the privacy notice at the time the customer relationship is established, and at least annually thereafter;
    • unless an exception applies, inform consumers that they are able to opt-out where they do not wish their non-public personal information to be shared with such non-affiliated third parties, and provide a reasonable means and reasonable opportunity to opt-out of certain disclosures;
    • adhere to limitations in terms of the disclosure of non-public personal information of consumers to non-affiliated third parties; and
    • adhere to any regulatory requirements or guidance with respect to safeguarding non-public personal information of consumers, including creating and implementing a written plan to identify and control risks to consumer information and consumer information systems, and to properly dispose of consumer information.

    In terms of the FTC and the FTCA:

    • the FTC’s Behavioural Advertising Principles (which are voluntary but are generally considered by companies to constitute best practice) advise website operators to:
      • disclose their data collection practices related to online behavioural advertising (although there is no requirement under the FTCA for a company to have or disclose a privacy policy);
      • disclose that consumers are able to opt out (via an opt-out mechanism provided); and
      • obtain customers’ express consent before using sensitive customer data (which includes financial data, data regarding children, health information, geo-location data and social security numbers); and
    • under the FTCA (and in line with enforcement action taken by the FTC), companies should comply with their own privacy policies (if they have disclosed them), safeguard data they have collected, and refrain from retroactively amending their privacy policies unless data subjects are given a chance to opt out of the new privacy practices.

    Under the HIPAA, a covered entity must:

    • provide notice to data subjects of its privacy practices and of the data subject’s rights under the HIPAA;
    • generally obtain written, dated consent signed by the data subject and containing certain prescribed statements before disclosing data, although there are certain exceptions; and
    • comply with the following rules:
      • the privacy rule: covered entities should implement appropriate safeguards to protect the privacy of protected health information, and comply with the limits and conditions on the uses and disclosures that may be made of such information without patient authorisation;
      • the security rule: covered entities should implement appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information; and
      • the transactions rule: covered entities should comply with the uniform standards established for certain electronic transactions.

    DATA EXTRACTION BY THIRD PARTIES FOR DATA COLLECTION PURPOSES

  8. Before data extraction by third parties commences, should steps be taken to ascertain whether non-locally generated data was lawfully transferred to, or within, your jurisdiction in the first instance?

    While there are no specific steps required under individual laws and guidance (eg, the GLBA, FTCA or HIPAA), it is advisable to check that non-locally generated data was transferred to, or within, the US in compliance with relevant data protection laws and regulations. This may include ascertaining what data has been transferred to, or within, the US, the natural and/or legal persons to which that data relates, and whether the processing or transfer had a lawful basis.

    In this regard, we note that many jurisdictions outside the US have data privacy laws that limit the use of personal data and, importantly, the transfer of such data outside the jurisdiction. For example, the European Parliament approved Regulation (EU) 2016/679, known as the General Data Protection Regulation (the GDPR), on 14 April 2016, and the GDPR has applied since 25 May 2018. The GDPR (and data privacy laws generally) affects the transfer of personal data into the US and should be consulted in this regard.

    A framework data-sharing accord between the EU and the US (known as the Privacy Shield) has been deemed by the European Commission to provide adequate protection for the transfer of data under EU law. US-based persons can signify compliance with the Privacy Shield by self-certifying. The Privacy Shield’s companion legislation, the Judicial Redress Act, provides natural persons in certain "covered" countries with a private cause of action against US federal agencies that intentionally disclose their records without consent or refuse an individual’s request to amend his or her records.

  9. Are there additional requirements where third parties process the data on behalf of the entity to which data protection laws primarily apply?

    Under the GLBA, disclosure of non-public personal information to non-affiliated third parties that will process the data on behalf of the financial institution would likely be made under Exception 1. The GLBA permits disclosure of a consumer's non-public personal information by a financial institution to a non-affiliated third-party service provider without providing the consumer the right to opt out (under Exception 1) only in circumstances where all of the following conditions are met:

    • the disclosure is to a third party who will use the non-public personal information to perform services for the financial institution;
    • the financial institution provides the required initial notice to the consumer; and
    • the financial institution and the third party enter into a contractual agreement that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the financial institution disclosed the information to the third party. 

    Please see the response to question 2 for information about the applicable requirements if disclosure is made pursuant to Exceptions 2 or 3 rather than Exception 1.

    The FTC has issued a number of rules that limit the sharing and use of financial information and credit report information with a financial institution’s affiliates. However, the FTCA does not contain any additional requirements regarding disclosure to a non-affiliated entity.

    Under the HIPAA, covered entities may disclose protected health information to business associates if an agreement is put in place that restricts that business associate’s use of the data (to the same purposes as for the “covered entity”) and obliges it to safeguard the data from misuse and assist in compliance with certain of the covered entity’s duties.

  10. Is the consent of the data subject mandatory for the processing of personal data as part of an investigation? And how can consent be given by a data subject?

    Under the GLBA, consumers must be provided with the opportunity to opt out of certain disclosures of non-public personal information to third parties before the time that such information is initially disclosed. However, as noted in question 2, there are certain exceptions to this requirement. An opt-out notice is not required in certain circumstances, including those in which the information is disclosed (i) to protect against or prevent actual or potential fraud, or (ii) to comply with applicable legal requirements, such as the disclosure of information to regulators or law enforcement agencies or to comply with a properly authorised civil, criminal or regulatory investigation or subpoena or summons by federal, state or local authorities. See question 2 for more detail.

    The FTCA itself does not specifically address consent. However, as noted above, the FTC (in its Behavioural Advertising Principles) advises website operators to obtain express consent before using sensitive consumer data. Express consent will also be required where consumer data is to be used in materially different ways from the privacy policy applicable when the data was collected. Website operators should therefore check that the processing of consumer data as part of an investigation is covered by the relevant privacy policy and, if necessary, obtain express consent.

    Under the HIPAA, written, dated consent signed by the data subject and containing certain prescribed statements would be required before data is disclosed as part of an investigation (unless an exception applies).

  11. If not mandatory, should consent still be considered when planning and carrying out an investigation?

    As noted in question 10 above, consent may be a mandatory action in certain circumstances, depending on the sector and activity to which the investigation relates. However, in other circumstances, a person controlling protected data may be precluded even from notifying the subject of the protected data, for example, in the case of the prevention of fraud or violations of federal law. See, for example, 31 C.F.R. § 1026.320.

    That said, consent should be considered as an enabling action when planning an investigation (although obtaining consent to the processing of data may be practically challenging).

  12. Is it possible for data subjects to give their consent to such processing in advance?

    For the purposes of the GLBA, consumers and customers may choose not to opt out in advance, provided that the particular disclosure has been identified and the requisite opportunity to opt out provided. Particular disclosures may include notice that the financial institution will disclose the consumer’s information, including personal data, to comply with applicable legal requirements, such as the disclosure of information to regulators or law enforcement agencies or to comply with a properly authorised civil, criminal or regulatory investigation or subpoena or summons by federal, state or local authorities. Note, however, that consumers do not have the ability to opt out of such disclosures by the financial institution (see Exception 3).

    Given the nature of investigations, it may be unlikely that customers or consumers have been provided with the opportunity to opt out of disclosure in connection with the investigation in question.

    Consent provided pursuant to the FTC’s Behavioural Advertising Principles is unlikely to be able to be provided in advance, given that the use of such data as part of an investigation is likely to be materially different from the uses already set out in the relevant privacy policy.

    Given the nature of the consent required under the HIPAA (written, dated, signed by the data subject and containing certain prescribed statements), it is unlikely that data subjects could provide their consent in advance.

  13. What rights do data subjects have to access or verify their personal data, or to influence or resist the processing of their personal data, as part of an investigation?

    The GLBA does not generally permit consumers or customers access to data, although, as noted above, they are permitted to opt out of certain disclosures by the financial institution. Consumers and customers also do not have a right under the GLBA to request deletion of their data.

    In general, the FTCA does not permit data subjects to access their data. Data subjects also do not have a right under the FTCA to request deletion of their data.

    Under the HIPAA, a data subject is permitted to request access to and to correct his or her own protected health information where inaccurate (although the covered entity is not obliged to correct the data).

    TRANSFER FOR LEGAL REVIEW AND ANALYSIS

  14. How are law firms, and legal process outsourcing firms, generally characterised in your jurisdiction?

    Under the GLBA, financial institutions are permitted to disclose non-public personal information about consumers to non-affiliated third parties without giving consumers the option to opt out of such disclosure in certain circumstances (described above in response to question 2, Exception 1).

    The requirements for initial notice and for the opt-out notice (described above in response to question 2, Exception 3) do not apply to a financial institution’s disclosure of non-public personal information about consumers to its attorneys. Under the GLBA, unlike certain other service providers, attorneys and law firms are not required to enter into confidentiality or other agreements with their financial institution clients before receiving non-public personal information. However, under the GLBA, a law firm may disclose and use the non-public personal information it receives only as follows: 

    (i) the law firm may disclose the information to the financial institution’s affiliates;

    (ii) the law firm may disclose the information to its affiliates, but its affiliates may, in turn, disclose and use the information only to the extent that the law firm may disclose and use the information; and

    (iii) the law firm may disclose and use the information pursuant to an exception under the GLBA in the ordinary course of business to carry out the activity covered by the exception under which it received the information.

  15. Are there any additional requirements, beyond those specified above, that regulate the disclosure of data to third parties within your jurisdiction for the purpose of reviewing the content of documents, etc?

    See response to question 14.

  16. What rules regulate the transfer of data held in your jurisdiction to a third party in another country for the purpose of reviewing the content of documents, etc?

    There are currently no federal law provisions regulating the transfer of personal data from the US to another jurisdiction.

    TRANSFER TO REGULATORS OR ENFORCEMENT AUTHORITIES

  17. Under what circumstances is the transfer of personal data to regulators or enforcement authorities within your jurisdiction permissible?

    Many regulators and enforcement authorities have the power to compel the production of information, including protected data. There is generally no ability to resist the submission of responsive information on privacy grounds. Also, as noted in question 2, in certain circumstances a person controlling protected data, including personal data, is required to submit information voluntarily to the enforcement authority, for example, to prevent fraud or based on a suspected violation of federal law. See, for example, 12 C.F.R. § 208.62; 31 C.F.R. § 1026.320. Finally, as part of its general oversight role, the US Congress may be authorised to request non-public data directly from regulatory agencies.

    As described above in response to question 2, Exception 3 under the GLBA permits a financial institution to provide non-public personal information about consumers to regulators and law enforcement agencies, among others, without providing the consumers the ability to opt out of such disclosure.

    A person submitting information to a regulator or enforcement authority may request confidential treatment of the information under FOIA. See question 2. To the extent that the regulator or enforcement authority grants the request for confidential treatment, the information will not be made available to the public, at least during the pendency of the investigation.

  35. 18.

    Under what circumstances is the transfer of personal data held within your jurisdiction to regulators or enforcement authorities in another country permissible?

  36. To facilitate cross-border cooperation and information sharing, many US regulatory and enforcement authorities have entered into cooperative MOUs with their counterparts in other jurisdictions. For example, the SEC and CFTC are both signatories to the International Organization of Securities Commissions’ Enhanced Multilateral MOU Concerning Consultation and Cooperation and the Exchange of Information (IOSCO EMMOU). The IOSCO EMMOU is a multilateral enforcement cooperation arrangement among global securities and derivatives regulators which provides for the exchange of information related to the investigation of cross-border securities and derivatives violations, including manipulation, insider trading and customer fraud.

    The IOSCO EMMOU facilitates the sharing of information, including records of securities and derivatives transactions and bank, brokerage, and client identification records and the use of that information in civil and criminal proceedings. Drafted in 2019, the EMMOU broadened IOSCO’s 2002 MOU by expanding the information-sharing mechanisms to account for the growing importance of technology and the centrality of electronic data in financial investigations.

    In addition to multilateral MOUs, US regulators may be participants in bilateral MOUs with counterparts in other jurisdictions. The SEC and CFTC, for example, also have bilateral memoranda of understanding with numerous non-US counterparts to address specific regulatory and enforcement issues. As noted in question 2, the sharing of information among enforcement authorities is often contingent on the receiving agency being bound by the same limitations imposed on the sharing agency in connection with disclosure of the shared information to a third party.

    The provisions applying to cross-border data transfer generally (see question 16) also apply to the transfer of data to regulators and enforcement authorities outside of the US.

  37. 19.

    What are some recommended steps to take on receipt of a request from a regulator for disclosure of personal data?

  38. Confidential treatment should be expressly requested under FOIA for any personal data submitted to a US regulator (see question 2).

  39. 20.

    What are the sanctions and penalties for non-compliance with data protection laws?

  40. Companies that do not comply with applicable information security requirements can face enforcement of the relevant regulations by the regulator (see question 7) and, in certain cases, private litigants.

    The Cybersecurity Act of 2015 establishes a framework for companies to share cyber threat indicators and defensive measures with federal and private entities. Participation is voluntary, but sharing carried out in "good faith" in accordance with the Act's provisions benefits from a safe harbor from liability. To qualify, a company must, before sharing, remove any information that it knows at the time to be personal information of a specific individual and that is not directly related to a cyber security threat. A bad-faith or non-compliant sharing effort may create legal liability. In addition, every state now has some form of data breach notification law in place. The Electronic Communications Privacy Act and the Computer Fraud and Abuse Act also regulate the interception of electronic communications and unauthorised access to computers in the US, and each provides for criminal penalties as well as a private civil right of action.

    CONTINUING OBLIGATIONS ON ORIGINAL AND INTERVENING DATA CONTROLLERS

  41. 21.

    What are the continuing obligations on the original data controller that apply in an investigation?

  42. As noted in question 1, there is no unified federal law or regulatory regime governing data privacy in the US, and no general categorisation of entities as "data controllers" or "data processors". An entity's continuing obligations during an investigation therefore arise from the sectoral laws that apply to the category of data it holds (see question 1), and apply irrespective of how the entity would be characterised under a controller/processor model.

  43. 22.

    What are the continuing obligations on any intervening data controller that apply in an investigation?

  44. As noted in question 1, there is no unified federal law or regulatory regime governing data privacy in the US, and no general categorisation of entities as "data controllers" or "data processors". The same analysis applies to any intervening recipient of the data: its obligations derive from the sectoral laws applicable to the category of data it receives (for example, the GLBA limits on re-disclosure by a law firm described in question 14), not from its characterisation as a controller or processor.

    RELEVANT MATERIALS

  45. 23.

    Provide a list of relevant materials, including any decisions or guidance of the data protection authority in your jurisdiction regarding internal and external investigations, and transfers to regulators or enforcement authorities within and outside your jurisdiction.
