Global Investigations Review - The law and practice of international investigations

Data Privacy & Transfer in Investigations

Overview - Forensic technology

You’ve been alerted by a whistleblower to a prospective fraud, but you want to confirm its validity before you report it to the authorities. Or you’ve learned some employees have been accused of bribing an official in a foreign country and the company is under investigation. As an organisation doing business in multiple international jurisdictions, conducting an internal investigation or responding to an external probe will require not only that you unearth the information necessary to mount your defence, but also that you gather, preserve, handle or transfer the data in accordance with stringent laws and regulations that can vary widely from nation to nation. Violations can result in harsh fines and penalties, sufficiently severe in some jurisdictions that they have taken down businesses and even resulted in jail sentences. Not just your evidence but also your process must be defensible.

Investigating or responding to investigations can be complicated and challenging. But with a robust process and the correct team of professionals, the daunting task of securing data for an investigation can be brought under control. 

Technology and data

An ever-increasing explosion of data volumes coupled with globalisation trends or remote working practices is probably the most significant challenge legal teams – internal and external – face when trying to understand the scope of a white-collar regulatory investigation or litigation matter that spans multiple jurisdictions.

Even moderate-sized organisations can end up storing significant amounts of data that run into multiple terabytes. Widespread adoption of cloud storage services has added to the complexity faced by those tasked with managing an investigation. Organisations that have adopted Microsoft Office 365, one of the most popular cloud platforms, are storing emails, spreadsheets, presentations and Word documents externally on Microsoft servers, sometimes in multiple jurisdictions. A 2016 report by the Institute of Directors (a UK professional body) found in a survey that 59 per cent of businesses interviewed were outsourcing data storage but that 43 per cent of those surveyed were not aware of where their data was stored.

Organic data growth can provide further challenges. Few organisations have information governance initiatives or plans in place to remove data that has passed its “sell by” date and should no longer be held within the company. This redundant data is a liability that can be very damaging to a company that finds itself under investigation. Most organisations focus on staying competitive and maintaining day-to-day operations, and could therefore be totally unprepared when the need arises to conduct an investigation or respond to litigation in a jurisdiction that imposes disclosure obligations.

Many employees hoard emails that are no longer required, often retaining years’ worth of data. Now multiply this practice by several hundred or even thousands of employees, and you can see how the data burden for a company quickly becomes enormous and even overwhelming. This problem is often exacerbated if the organisation has offices or staff in multiple jurisdictions, and is further complicated by national state, banking or commercial secrecy acts as well as local HR and data privacy laws. This becomes critical as individuals located in one country could be accessing or wanting to access data from another country. For investigators this can be a real headache, as the search can be likened to looking for the proverbial needle in the haystack.

Technology has dramatically and permanently changed how data is gathered and handled in investigations. Poor implementation of technology can cause problems with the disparity and variety of data in a corporate investigation, and inadequate data management processes can create the perfect storm of unwieldy data pots, but the advent of technology can also help to provide solutions for managing investigations. Companies that are presented with the challenge of advising on data governance, such as eDiscovery providers and law firms, are embracing technology to efficiently cut through terabytes of data. Artificial intelligence and its powerful data analytical algorithms are being employed effectively by eDiscovery companies and law firms, as well as by regulatory bodies, to support human investigators, allowing them to sift through millions of documents quickly. When executed correctly, it can reduce the investigation timeline by years and save millions in legal review fees.

Building an investigation team and the data gathering process

While technology is playing its part in shaping the future of investigations, it must be coupled with a practical and rigorous strategy based on project management fundamentals to ensure a defensible process for preserving, collecting, storing and transferring data.

The first and most fundamental piece in any investigation involves information governance, specifically identifying all the relevant information or data. This process involves a data mapping exercise, that is, determining all the locations where data relevant to the investigation resides and understanding the various sources and types of data. Typically, an investigation will require collection and analysis of both unstructured and structured data. Structured data refers to information residing inside complex applications, such as transactional and financial databases. Unstructured data consists of a broad variety of data, such as corporate email data and user-generated files that reside on file servers and end user devices including computers, laptops and mobile phones.

Unstructured data by its very nature is more challenging to deal with; however, it often underpins the direction of the investigation and leads to the discovery of critical evidence. For example, even obscure sources of data such as mobile phone geolocational coordinates can be used to prove or disprove a point. Additional sources of unstructured data can include shared server locations such as document repositories. SharePoint, for example, can store relevant data for an investigation as well as yield millions of documents. Other complex applications related to telephony and chat data are potential sources of vital data relevant to an investigation. One example is Bloomberg messaging, which was squarely in the sights of regulators during the Libor investigation cases. Indeed, regulators are increasingly taking more sophisticated approaches to analysing other forms of communication that typically reside on mobile devices, such as WhatsApp, Facebook Messenger or Snapchat, as well as standard text messaging. As such, a comprehensive data map is a key foundation for any thoroughly managed investigation. By identifying all potential data sources that could be in scope at the outset of an investigation, the organisation can help to avoid mission creep and eliminate unforeseen costs at a later stage.

Increasingly with cross-border investigations it is critical to understand the geographical location of custodial data sources. Once the investigation has commenced, the clock starts ticking and during the early stages of an investigation it is imperative to lock all data sources down as quickly as possible. With some enterprise server-based systems, such as email management systems (eg, Microsoft Exchange), built-in features such as document retention settings or litigation hold features can be used to lock down data. However, locking down data on end user systems such as computers or tablets is infinitely harder because the devices are often under the control of data custodians and are often not centrally backed up.

As the investigative process gathers pace, an investigation steering committee (ISC) should be assembled to maintain project governance and manage communications. The steering committee at a minimum should comprise a lawyer and an eDiscovery professional. On larger investigations the ISC is likely to include project managers, senior IT staff and senior management from within the organisation. The timing and content of communications relating to the investigation need to be carefully managed, since the very act of alerting the wider organisation to the investigation may provide ample opportunity for individuals under investigation to purge potentially relevant data. Therefore, the project steering committee should be advised on the full scope of the investigation at the earliest stage possible so it can act quickly and decisively. The ability to lock down data in good time will also come under scrutiny by any external regulators, and any inability to lock down data that has been proved to be deleted could be punished with financial sanctions.

There are a number of activities that can be employed to accurately map the data landscape in an organisation:

  • utilising IT asset lists, which indicate the number and type of user devices in circulation within an organisation;
  • generating IT-specific questionnaires and interviewing key IT staff about systems;
  • reviewing IT infrastructure diagrams to understand the server technology an organisation uses and where it could be geographically located; and
  • studying IT service management documentation such as data retention policies or IT handbooks that mandate how the company’s IT systems are used.

Such activities can deliver a robust data lockdown plan. 

When an organisation has a duty to preserve relevant information or data, a hold notice must be issued. This is an official notification to inform records custodians of their duty to preserve relevant information. When hold notices are issued, the investigation team must ensure they reach all intended departments. Case studies are rife with examples of how hold notices were not disseminated to the correct teams or individuals, allowing for ongoing overwriting of backup tapes or destruction of physical paper records, sometimes unwittingly destroyed according to company retention policies and schedules. These mistakes can be particularly damning and result in fines for data spoliation.

A custodian interview at the point of data collection can be an effective method to understand how custodians interact with company data. For example, do they store documents on their office computers? On a server? Do they use personal email accounts to send business communications? Do they exchange documents through services such as Dropbox? Do they use a home computer to do company work? Utilising a standard questionnaire at the time of interview can help to determine where their personal data resides so it can be identified and excluded from the investigation where local laws advocate custodians’ right to have personal data segregated.

Data preservation

Identifying data pertinent to an investigation is one thing; preserving it is yet another. The greatest risk of data spoliation is the data that is under the data custodian’s control and not managed by the company’s IT department, such as data stored on computers, tablets and other mobile devices. Here speed is of the essence. It is critical to create a plan to preserve end user data as quickly as possible and to capture it forensically before it can be ruined or disposed of. The data held on end user devices can often yield the most pertinent information, particularly if an organisation’s IT system policies are overly lax. For example, end users may use internet mail systems such as Gmail, or instant messaging tools such as Viber or WhatsApp, to communicate outside corporate systems. Securing pertinent end user data quickly is therefore vital.

When should data custodians be told of hold notices? Advance notice could provide time and leverage for purging documents, meaning the investigation could lose access to critical documents and the company could be held liable for data spoliation. On the other hand, failure to communicate a document retention notice to data custodians could mean that important documents or emails get routinely purged in the normal course of business.

Therefore, the timing for sending out hold notices needs to be carefully considered. In a large investigation with many data custodians and where the availability of technical data-collections personnel could be limited, the ISC will likely want to focus first on the data custodians they decide are most involved. Names on a custodian list should be ranked in order of importance, a particularly important procedure in multi-jurisdictional investigations where quite often the strategy involves immediately preserving the data then storing it in the jurisdiction.

Skilled forensic personnel should be used to ensure all data collection activities are performed in a forensic manner and fully documented with respective chain-of-custody information to ensure data provenance. The data should be encrypted in containers to ensure it cannot be compromised. The evidence should also be secured in tamper-proof evidence bags, then stored with a trusted intermediary either within the organisation, or in high-risk scenarios, with a trusted third party, such as a law firm or an eDiscovery provider, or in a bank security box.

Jurisdictional and data privacy issues

Once the relevant source data has been collected and secured, a decision needs to be made about the logistics of processing, hosting and reviewing the data. Increasingly, nations are seeking to protect the data held by organisations that operate within their borders. For example, the French Blocking Statute prevents the international transfer of data captured for the purpose of cross-border investigations. If there is doubt whether a transfer can be made from a jurisdiction, then data should be maintained and reviewed within country whenever possible. This is even more important if the data contains restricted content, such as state secret information, as the penalties for exporting restricted data across borders can be harsh, including imprisonment. 

For ordinary non-restricted data, mechanisms enabling the transfer of data across borders include:

  • Individual consent – where a data custodian provides their consent to transfer their data;
  • Binding corporate rules (BCRs) – which require completion of an application. Approved BCRs permit the flow of data among the defined corporate group;
  • Standard contractual clauses – SCCs are sets of contract clauses issued by the European Commission for purposes of establishing safeguards to allow for the transfer of personal data from the EU to non-EU countries;
  • Mutual Legal Assistance Treaty – an agreement between countries to share information; and
  • Privacy Shield – a framework to facilitate transfer of personal data from the EU and Switzerland to the US.

It is worth noting that strategic decisions regarding data made today in litigation or investigation may be called into question in the future, particularly in Europe, and how such decisions will be viewed by EU judges or data commissioners is unknown. Therefore, companies and their counsel collecting data in the EU should involve data privacy and transfer experts from the outset in any cross-jurisdictional investigations, as penalties for non-compliance could be severe.

Excluding private data

Culling personal or private data from the investigation involves first understanding where data custodians store their personal data. Once the locations have been identified, eDiscovery software tools can be used to segregate the private data, although there are nuances to the practice. For example, a file marked “personal” might contain material responsive to the investigation. Statistical tests must be performed to safeguard against a deliberate attempt by the data custodian to hide relevant data under personal folders; such tests could reveal a disproportionate amount of data sitting in a “private” file or folder. Investigation-specific keywords can be used to alert investigators to potentially relevant documents, and increasingly technology assisted review (TAR) algorithms can be used to assess so-called private locations for relevant data. A robust document review strategy that uses a combination of search terms, date ranges, data analytics and TAR algorithms can ensure only the most relevant data population is presented for review.
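One way to run the kind of statistical test described above, as an added example that is not part of the original article: it computes each custodian's share of data held in personal-marked locations, flags shares that are unusually high against the custodian population, and lists keyword hits in those locations. The inventory is constructed, the keyword list and path markers are hypothetical, and the modified z-score with a 3.5 cut-off is an assumed choice of test, since the article does not name one.

```python
import re
from collections import defaultdict
from statistics import median

# Assumption: a location counts as "personal" when its path contains one of these words.
PERSONAL = re.compile(r"(?<![a-z])(personal|private)(?![a-z])", re.IGNORECASE)
# Hypothetical investigation keywords; a real matter would use its agreed term list.
KEYWORDS = ("invoice", "commission")

# Constructed inventory for illustration: (custodian, path, size in bytes).
INVENTORY = [
    ("alice", "Documents/Projects/q3_forecast.xlsx", 9_800),
    ("alice", "Documents/Personal/holiday.jpg", 200),
    ("bob", "Documents/Contracts/msa.docx", 9_700),
    ("bob", "Documents/Private/gym.pdf", 300),
    ("carol", "Documents/Reports/audit.pdf", 9_600),
    ("carol", "Documents/Personal/recipes.docx", 400),
    ("dave", "Documents/Sales/pipeline.xlsx", 9_500),
    ("dave", "Documents/Personal/school_forms.pdf", 500),
    ("erin", "Documents/HR/policies.pdf", 9_700),
    ("erin", "Documents/Personal/tickets.pdf", 300),
    ("frank", "Documents/Sales/accounts.xlsx", 6_000),
    ("frank", "Documents/Personal/agent_commission_2017.xlsx", 3_500),
    ("frank", "Documents/Personal/photos.zip", 500),
]


def personal_shares(inventory):
    """Fraction of each custodian's bytes that sits in personal-marked locations."""
    total, personal = defaultdict(int), defaultdict(int)
    for custodian, path, size in inventory:
        total[custodian] += size
        if PERSONAL.search(path):
            personal[custodian] += size
    return {c: personal[c] / total[c] for c in total if total[c]}


def flag_outliers(shares, threshold=3.5):
    """Flag unusually high shares using a modified z-score (median and MAD)."""
    values = list(shares.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    flagged = {}
    for custodian, share in shares.items():
        dev = share - med
        if mad == 0:
            # More than half the population is identical: any excess stands out.
            score = float("inf") if dev > 0 else 0.0
        else:
            score = 0.6745 * dev / mad
        if score > threshold:  # one-sided: only disproportionately large shares
            flagged[custodian] = score
    return flagged


def keyword_hits(inventory, custodians):
    """Files in personal locations of the given custodians whose path has a keyword."""
    return [
        (c, path)
        for c, path, _ in inventory
        if c in custodians
        and PERSONAL.search(path)
        and any(k in path.lower() for k in KEYWORDS)
    ]


if __name__ == "__main__":
    flagged = flag_outliers(personal_shares(INVENTORY))
    print("Disproportionate personal share:", flagged)
    print("Keyword hits for review:", keyword_hits(INVENTORY, flagged))
```

A flag here is a prompt for closer review of that location under the agreed protocol, not a finding that data was hidden.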

Such a strategy is even more critical in “big data” investigations where the document population can exceed multiple millions of files. The principle of proportionality can be used where it can be argued that it is disproportionate and cost-prohibitive to look at all of the documents. However, before adopting a review strategy the ISC should consult with any regulatory body or opposing parties involved in the investigation to ensure agreement on the proposed strategy. Failure to do so can result in severe sanctions and increased costs to revise the review methodology.

GDPR: Europe’s next privacy safeguard

Despite the current rising tide of nationalism, there is no denying the increasing internationalisation of business and related data flows across borders. Recognising the lack of consistency among privacy safeguards in member states, in May 2018, the EC implemented the General Data Protection Regulation (GDPR). The GDPR requires organisations to diligently protect personal data and prove how they do it. It applies to any organisation in the world that stores or processes EU consumer data. To comply, organisations will need to educate themselves on multiple factors, including how the GDPR defines personal data, where that data is located in their systems, how it is used and who can access it. 

GDPR replaces Data Protection Directive 95/46/EC. While the replaced regulation is based on notification requirements, the GDPR focuses on accountability. This means an organisation’s data controller will have to implement technical and organisational measures as well as demonstrate compliance.

Some of the provisions of the GDPR that all firms gathering information internationally should be aware of:

• Expanded territorial reach

The new regulation is no longer limited to data controllers and processors within the EU. Instead, those whose processing activities relate to the provision of goods or services to, or monitoring the behaviour of, EU data subjects will require the appointment of a representative within the EU.

• Code of conduct

The GDPR endorses the use of compliance codes of conduct and certifications.

• Consent

A data subject’s consent to process their personal data is required to be as easily withdrawn as it is granted.

• International transfers risk awareness

Although the GDPR removes self-assessment as a basis for transfer, the consent derogation has undergone changes. Data subjects are required to be adequately informed of the risks to them of their data being transferred outside the EU.

• Breach notification

Data controllers are required to report most data breaches to the new Data Protection Authority, where possible, within 72 hours of awareness, together with appropriate justification. 

• Right to access

Individuals will have the right to access their personal data so they are aware of and can verify the lawfulness of the data processing.

• Right to be forgotten

Individuals will have the right to request the deletion or removal of personal data.

• Appointment of Data Protection Officers (DPOs)

DPO designation will be mandatory for controllers and processors whose core activities consist of processing operations.

• Fines and penalties

The GDPR introduces a tiered penalty approach for breaches, where fines for breaches are much higher than under previous regulations, up to 4 per cent of annual worldwide turnover or €20 million.

Based on the changes, it is clear that the GDPR introduces significant undertakings and potential risks for all parties affected. 2019 has already seen two major companies, British Airways and Marriott, face steep fines for data breaches in which millions of customers had their personal data stolen. This will no doubt give organisations some pause for thought, not only to make sure personal data is sufficiently secured but also to respond in mitigation to the level of fines imposed versus the severity of the data breach.

Europe is not alone in adopting new safeguards. China, for example, implemented new regulations in October 2016 requiring data collections to be performed by a minimum of two investigators and to be witnessed by a notary and filmed wherever possible. Further, in May 2018 the new National Standards on Information Security Technology – Personal Information Security Specification GB/T 35273-2017 was implemented. The laws represent a new standard for data protection handling, which complement and clarify various existing data protection laws. In almost all cases, the data is not allowed to leave the country. The penalties for violating China’s privacy laws can be onerous. According to a June 2015 report by the Guardian, an investigator on assignment by pharmaceutical firm GlaxoSmithKline and his wife were judged in violation of a Chinese statute and sentenced to jail, where he was held for more than two years.

“The couple, who were paraded on state television in handcuffs and orange prison vests, were charged with illegally purchasing information about Chinese citizens, including IDs and phone numbers,” the report noted.

A clear strategy

In light of the varied regulations and penalties, best practices involve first collecting and preserving the information according to local legislation and guidance, then considering how to interrogate the data. Have the data stored locally, encrypt it, then process and review the data in accordance with the relevant law(s). It is always preferable to work with the data in the country where it has been collected, and with a vendor in that country who can handle, process and host the data and make it available for in-country review either through their own data centre, an in-country cloud or a mobile eDiscovery platform.

Clearly, a data strategy is vital to any investigation where data could reside in multiple jurisdictions. Crucial considerations include knowing:

  • what data is being considered;
  • the jurisdiction where the data resides;
  • applicable data privacy regulations; and
  • what clearance is required and from whom prior to the data collection, let alone transfer. 

Finally, in light of the many and varied regulations and the onerous penalties for non-compliance, companies and their counsel conducting investigations that involve collecting data internationally should involve data privacy and transfer experts from the outset in any cross-jurisdictional investigations. It is also important to remain current with technology advances. Technology firms are continuing to push the envelope, with new innovations being rolled out all the time, many (or even most) of which result in huge volumes of data – often sensitive and/or personal data – being handled and stored. For example, Apple filed a patent for facial recognition software in 2013; this is one example of technology that is so new the law is yet to fully catch up with its implications. This data type is now making its way into corporate investigations, with a number of companies developing eDiscovery software programmes to bolt onto their current offerings. The significance of being able to capture and analyse data relating to a person’s face should not be underestimated. Indeed, facial recognition data captured at a distance by security cameras is already being used to track down football hooligans and to identify previously convicted shoplifters. The deployment of this software is somewhat evocative, particularly in now-democratic countries that have had a prior history of so-called state spying or state interrogation. In 2019, the first legal challenge to facial recognition took place in the UK. Therefore, it is probably best to consider at all times not just the law as it exists today but also how it may evolve over time as it seeks to catch up (or not) with technology. Further, there is no doubt the current evolution of technology will change the face of white-collar law enforcement and related investigations and litigation.