Global Investigations Review - The law and practice of international investigations

Data Privacy & Transfer in Investigations

Data Privacy & Transfer in Investigations

Regulators and enforcement authorities across the globe are continuing their focus on the activities of banks, corporations and their employees. Investigations are frequently cross-border and involve accessing information held in multiple jurisdictions. Successfully managing the risks arising from these investigations requires expertise across a number of areas and, as the enforcement of data privacy laws becomes a higher priority in multiple jurisdictions, those areas include data protection and privacy. Data protection considerations present growing challenges to clients in their planning and conduct of internal and government investigations as individuals and regulators become increasingly alert to how data is collected and used, more data is generated and stored electronically, and regulators and enforcement authorities make expansive requests for that information, often without regard for national boundaries.

Every jurisdiction has its own laws and regulations concerning the collection and review of data and what information may be transferred out of the country. In the EU, for example, the data protection landscape changed with the introduction of the General Data Protection Regulation (GDPR), which took effect on 25 May 2018.  Data protection issues may therefore arise under multiple applicable laws on an investigation, and at different phases during its course. 

Where an investigation requires the extraction of significant amounts of information from multiple jurisdictions by banks, corporations and/or third parties (eg, forensic accounts or consultants), it is likely that a large proportion of that information will include personal data (also known as personally identifiable information) of a client’s employees and clients (or individuals connected with those clients, such as their employees). The bank or corporation may wish to transfer that data between countries for the purposes of conducting review and analysis, or in order to meet requests or demands from authorities, or voluntarily to provide information to them in order to be cooperative. Any such actions require careful analysis. The conflict of laws presented by requests or demands for documents and other information by overseas authorities, in particular, is a significant problem for many banks or corporations. Data protection laws, bank confidentiality and “blocking statutes” in some jurisdictions, such as France, often put banks and corporations in a position where they are having to weigh competing risks that arise from conflicting legal or regulatory requirements.

There are, however, steps that can be taken to reduce or negate those risks in a given situation. For example, in order to limit or avoid data privacy or confidentiality issues, it may be possible to negotiate the scope of the request, pre-review the information disclosed, redact documents or take other steps to mitigate the risk. Each request should be considered on a case-by-case basis to determine whether, and to what extent, a company is able to comply, and to determine whether any particular steps can be taken lawfully to undertake the disclosure and transfer of the personal data.

Data protection should therefore be a key consideration for clients when planning, structuring and carrying out an investigation. The data protection and litigation teams at Allen & Overy have produced these guides to assist with identifying some of the issues that will need to be considered from a data protection perspective when managing complex domestic or cross-border investigations.  However, it should be noted that other laws, regulations, contractual requirements or voluntary codes may also restrict the disclosure of certain types of data. Further information on the restrictions and requirements affecting transfers of data from one jurisdiction to another can also be found on aosphere’s Rulefinder Cross Border Data Transfer (www.aosphere.com/aos/cbdt).

Finally, as noted above, the GDPR took effect on 25 May 2018. This new EU data protection framework contains some onerous obligations and sanctions for non-compliance of up to 4 per cent of annual worldwide turnover, including in relation to breach of cross-border transfer restrictions. This significant increase in fines may cause many banks and corporations to re-evaluate whether they are willing to risk breaching EU data protection law to accede to a request from a regulator or enforcement authority.