Data Privacy and Transfers in Cross-border Investigations
The proliferation and expansion of different data protection regimes in jurisdictions around the world is making cross-border investigations increasingly challenging.
In particular, Department of Justice (DOJ) investigations of multinational companies for violations of the Foreign Corrupt Practices Act (FCPA), rate manipulation, US sanctions or export-control violations, or other cross-border economic crimes often require counsel representing the target company to assemble and review information from a web of complex corporate structures in different jurisdictions that implicate overlapping and at times inconsistent data privacy laws. In the course of such investigations, the DOJ will commonly request information about employees of the subject company – or about third parties who have interacted with the subject company – that is housed in another jurisdiction. Moreover, the information requested may reside in emails sent or received by employees that work for affiliated entities in other countries. And, often, even when the subject company wishes to cooperate with the DOJ investigation, it may find itself constrained in its ability to divulge the requested information because of a non-US jurisdiction’s laws, including data protection laws, employment laws, and laws that protect the secrecy of correspondence.
DOJ leadership has acknowledged this development while at the same time conveying a degree of scepticism towards companies’ inability to disclose information on these grounds. In remarks given in March 2016, for example, the then-Assistant Attorney General in charge of the Criminal Division, Leslie Caldwell, noted that investigators were working to address ‘myriad foreign data privacy regulations’ in the course of investigating global white-collar criminal offences and suggested that in certain situations, ‘non-cooperative companies make invalid assertions about particular data privacy laws in an effort to shield themselves from our investigations.’1 In previous remarks, Caldwell had stated that the DOJ is ‘looking closely – with an ever more sceptical eye – to ensure’ that companies’ invocations of data privacy laws as obstacles to sharing information are ‘honest and not obstructionist.’2
Perhaps because of that scepticism, the DOJ has released guidance regarding cooperation in FCPA investigations – an area in which this issue commonly arises – which states that companies must specifically establish which data privacy laws actually prohibit transfers of requested information.3 And companies are expected to ‘work diligently to identify all available legal bases to provide’ the requested information wherever possible.4 (The DOJ has issued similar guidance in the context of export control and sanctions investigations.)5
In short, companies facing DOJ investigations cannot simply raise the spectre of ‘foreign data privacy laws’ to avoid requests to produce documents or other information – particularly if they wish to gain cooperation credit. At the same time, and as described below, many foreign laws do indeed impose onerous restrictions against the collection and transfer of personal information into the United States that must be analysed in connection with efforts to cooperate with a US investigation.
The proliferation of different data protection regimes
More than 100 countries around the world have data protection laws. Those laws all have common elements which require that individuals be afforded certain rights and that specific steps be taken before personal information can be collected and shared with third parties and outside of the country. Some core principles are as follows.
Individuals must be informed in advance about the types of personal information that a company will obtain, the ways in which a company will use that information, and to whom the company will disclose the information in order for the collection and use to be considered fair.
A basic principle under privacy laws is that the individual at issue has a choice about whether or not his or her personal information is collected, used and shared (unless there is another valid legal basis for processing the information, as discussed below). An individual can agree to the collection of his or her personal information and specific uses and disclosures of it, if the individual has been provided sufficient information and the consent is voluntary.
Limitations on sharing with third parties (including governments)
Having possession of personal information does not give a company licence to disclose the information to any third parties, or for any purposes, that it sees fit. The company can share the information with those recipients, and for those purposes, about which the individual has been informed, and it may need to execute a contract with the recipients to limit their use and further disclosure of the information.
Limitations on cross-border transfers
Privacy laws require special measures to transfer personal information outside the country’s borders to recipients located in other jurisdictions that are regarded as having weaker privacy protections; such measures may include the individual’s consent or an appropriate contract with the recipient.
European Union data privacy protections
The European Union and its member states impose strict data protection obligations through a number of mechanisms, the first and foremost of which is the General Data Protection Regulation (GDPR). The GDPR was adopted by the Council of the European Union and the European Parliament in 2016. As of 25 May 2018, it became enforceable and superseded the prior EU data protection framework that existed under the Data Protection Directive 95/46 (the Directive).6 Whereas member states needed to transpose the Directive into implementing national legislation, the GDPR, as an EU regulation as opposed to an EU directive, is directly applicable in all member states. Furthermore, the GDPR’s impact extends beyond Europe; article 3(2) of the GDPR provides for extra-territorial application to organisations that offer goods or services to individuals in the European Union or that monitor behaviour of individuals, where the behaviour takes place in the European Union. As a result, if a company located in the United States were to conduct an investigation of its own EU-based staff by means that monitored their behaviour, the US company could fall within the GDPR’s extraterritorial provisions and might need to comply with the GDPR in relation to the monitoring.
The GDPR is designed to extend a high level of protection for all ‘personal data,’ which is defined to mean:
any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of that natural person.
Article 13 of the GDPR specifies an extensive list of information that should be provided to individuals regarding processing of their personal information in accordance with the notice obligation. Another key obligation the GDPR imposes is the article 25 requirement to implement data protection by design and by default. For investigations, this may mean that the company, both at the time it determines how it will conduct investigations and at the time of an actual investigation, should consider the risks to individuals’ privacy and should institute appropriate technical and organisational measures to minimise the processing of personal data to that which is necessary for the purposes of the investigation and to otherwise protect the information. Additionally, the GDPR requires a ‘legal basis’ or good reason to collect, use or share personal information (which is generally referred to as ‘processing’ personal information). The following legal bases may potentially be used to justify an investigation:
• the processing is necessary for the company to comply with a legal obligation; this only refers to compliance with a European legal obligation and not to compliance with a US statute or regulation (but certain member states may allow for an obligation to comply with an order issued by a foreign court);
• the processing is necessary for the purposes of legitimate interests of the company or of a third party to whom the data is disclosed, except where the individual’s interest in his or her fundamental rights and freedoms overrides those interests;
• the processing is necessary to perform a contract to which the individual is party (eg, the employment contract); or
• the individual has unambiguously consented to the processing.7
An even higher threshold applies for processing certain types of personal data, including ‘special categories’ of personal data as well as personal data relating to criminal convictions and offences. Processing special categories of personal data – meaning data that reveals racial or ethnic origins, political opinions, religious or philosophical beliefs or trade union membership; genetic data; biometric data used for the purpose of uniquely identifying a natural person; data concerning health; and data concerning a natural person’s sex life or sexual orientation – is prohibited unless an exception applies. Under the GDPR, a company that processes these types of information for purposes of an investigation can do so:
• if the processing is necessary to carry out specific obligations on the company under an employment-related law of the European Union or member state or under a collective agreement with employees under the member state’s law;
• with the individual’s explicit consent;
• to establish, exercise or defend against a legal claim; or
• if the processing is necessary for purposes of a substantial public interest based in EU or member state law.8
Information relating to an individual’s criminal convictions and offences, which may include allegations of criminal activity, can only be processed when authorised by an EU or member state law.9 Additionally, if special category or criminal data will be processed on a large scale, the company must carry out a data protection impact assessment prior to the processing to evaluate the risk to the rights and freedoms of individuals and how those risks can be mitigated.10
Thus, if a company needs to do an email review and the matter involves sensitive data such as health information, the company may need to obtain explicit written consent from the individuals whose information is at issue, unless it is obligated to review this information under the employment law of the member state (which would be unlikely for a foreign company), or the review is necessary for a substantial public interest found in an EU or member state law, or the review is necessary to establish, exercise or defend a legal claim. The requirements to meet the condition of defending a legal claim may differ from one member state to another. For example, while one country may require there be an actual legal proceeding in which the EU affiliate that controls the data is named as a party, another may allow the company to process sensitive personal information as part of an investigation on the grounds of a legal claim that the company seeks to exercise or defend in the future. However, if the investigation entails an employee’s criminal acts, there might need to be an EU or member state law that authorises processing the information.
In addition to having to have a legal basis for each act of processing, the GDPR imposes restrictions against sharing personal information outside the European Union or the European Economic Area (EEA, the members of which adopt EU data protection laws). The European Commission (EC) has determined that a handful of countries provide ‘adequate’ levels of protection for personal data, which means data can be transferred to those countries without meeting additional conditions. But the United States has not been deemed to provide adequate protection to personal information. As such, organisations operating in an EEA country are constrained in their ability to transfer personal data into the United States (eg, by moving it to an affiliate or parent company that is based in the United States).
The GDPR sets out three circumstances in which personal data may be transferred outside of the EEA in the absence of an adequacy determination:
• a mechanism exists which provides ‘appropriate safeguards’ for the data;
• the data is transferred subject to a ‘derogation’ envisioned by the GDPR; or
• a judgment of a court or tribunal, or a decision of an administrative authority, in the destination country requires the transfer, and the judgment or decision is based on an international agreement between the destination country and the European Union or member state (eg, a mutual assistance treaty).
The GDPR provides that there are appropriate safeguards for transferring personal information from a European company to one in the United States under the following mechanisms, provided that individuals can enforce their data protection rights and have effective legal remedies for their breach:
• the US company has been certified to the US–EU Privacy Shield;
• the European company and the US company have entered into a form agreement containing standard contractual clauses that have been adopted by the EC, or adopted by a data protection authority and approved by the EC;
• a group of affiliated companies have agreed to be bound by an approved set of binding corporate rules (BCRs), which has been approved by the competent member state’s data protection authority;
• the European company has undertaken to adhere to a code of conduct (eg, one developed for a particular industry) approved by the competent data protection authority or by the EC, and the US company has made a binding and enforceable commitment to apply the appropriate safeguards provided by the code of conduct; or
• the European company has been certified pursuant to a data protection certification mechanism approved by a data protection authority or by the European Data Protection Board, and the US company has made a binding and enforceable commitment to apply the appropriate safeguards provided by the certification mechanism.11
Beyond the appropriate safeguards, the GDPR also allows transfers from an EEA organisation to a US company in the United States when one of the following derogations applies:
• the individual whom the data concerns has given his or her explicit consent, after having been informed of the risks;
• the transfer is necessary for the performance of a contract with, or concluded in the interests of, an individual, or for pre-contractual measures taken at the individual’s request;
• the transfer is necessary for important reasons of public interest, where the interest is recognised by EU or member state law; or
• the transfer is necessary to establish, exercise or defend a legal claim.12
Thus, companies either need to put in place a mechanism to share the information between an entity in the European Union and an affiliate in the United States or ensure that a derogation applies. In addition, a cross-border mechanism or derogation would be needed to share the information with the DOJ.
Additional development: UK data privacy restrictions in the shadow of Brexit
The United Kingdom is scheduled to leave the European Union at 11pm (GMT) on 29 March 2019. Accordingly, on 9 January 2018, the EC produced a ‘Notice to Stakeholders’ on the implications of the United Kingdom’s withdrawal (the Notice). The Notice serves as an official statement from the EC that post-Brexit, EU law – including the GDPR – will cease to apply to the United Kingdom and it will be considered a ‘third country’ (ie, one that is not a member of the European Union). A data transfer mechanism consequently will be necessary to facilitate data flows from the European Union to the United Kingdom, unless the United Kingdom is determined to provide an ‘adequate’ level of data protection.
For its part, the UK government has signalled that, as part of Brexit negotiations, it will be seeking an enhanced mechanism for UK–EU data transfers that builds on the ‘adequacy’ model. If adequacy status (or some enhanced status) were to be granted to the United Kingdom by the EC, this would allow the free flow of personal information from the European Union to the United Kingdom without the EU company having to implement any additional safeguards, or being subject to further legislative conditions. This is of course the ideal scenario for the United Kingdom, and will provide the smoothest transition for entities that rely on the flow of data between the European Union and the United Kingdom. However, there remain legal questions as to whether an adequacy decision could be granted before the United Kingdom leaves the European Union and if not, how soon thereafter.
The United Kingdom, meanwhile, has enacted the Data Protection Act 2018 (2018 Act), the main provisions of which took effect on 25 May 2018. The 2018 Act serves as a successor to the United Kingdom’s previous law, the Data Protection Act 1998. The 2018 Act is meant to be read alongside the GDPR. In addition, it regulates certain types of processing that fall within the United Kingdom’s national law rather than EU law. The 2018 Act also supplements certain provisions of the GDPR that anticipate possible further regulation under national laws. For example, the 2018 Act clarifies that special category personal data, as well as criminal conviction and offence information, may be processed under the ‘substantial public interest’ condition if necessary for:
• preventing or detecting unlawful acts;
• protecting the public against dishonesty;
• complying with or assisting others to comply with a regulatory requirement to take steps to establish whether a person has committed an unlawful act or been involved in improper conduct;
• preventing fraud;
• making disclosures related to suspicion of terrorist financing or money laundering;
• safeguarding children and individuals at risk;
• protecting the economic well-being of certain individuals; or
• purposes of insurance.13
The 2018 Act provides that personal data related to criminal convictions and offences may additionally be processed when the individual has consented, or if the processing is necessary in connection with a legal proceeding (including a prospective legal proceeding), to obtain legal advice, or to establish, exercise or defend a legal right.14
Data protection regimes in Asia, Latin America and Africa
There is so much focus on Europe that companies often forget about some of the obligations in Asia, Latin America and Africa. The number of jurisdictions in these regions that have data privacy laws continues to increase. Such laws tend to have a number of common elements, including with respect to notice, choice, data security, the right of the individual to access and correct personal information relating to him or her, and data integrity and retention. In general – consistent with privacy regimes throughout the world – these laws require that individuals be told what personal information is collected, why it is collected, and with whom it is shared. The laws also require consent mechanisms, though they vary by country. Some countries in the Asia-Pacific region, such as South Korea and Hong Kong, require affirmative opt-in consent for at least some uses of data, while in other countries, such as New Zealand, there is less of an emphasis on consent. In Latin America, all relevant privacy laws include choice requirements, though some countries, such as Colombia, have a much stronger emphasis on affirmative consent than others.
Much like other privacy regimes, these laws also require organisations that collect, use and disclose personal information to take reasonable precautions to protect that information from loss, misuse, unauthorised access, disclosure, alteration and destruction. With respect to access and correction rights, however, many countries in Asia either do not specify time frames for honouring access or correction requests, or provide a manageable time frame similar to those found in European countries. By contrast, many Latin American privacy laws impose very short time frames for responding to access and correction requests. Finally, these privacy laws generally require that organisations that collect personal information ensure that their records are accurate, complete and kept up to date for the purposes for which the information will be used, and also that they retain the personal information only for the period of time required to achieve the purpose of the processing.
With regard to cross-border transfers, a number of these countries restrict the transfer of personal information to countries that do not adequately protect personal information. In most cases in the Asia-Pacific region, however, data protection authorities have not provided guidance on what countries provide adequate protections; companies can mitigate uncertainty by implementing mechanisms such as contractual agreements to facilitate cross-border transfers without running afoul of these rules. By contrast, in the Latin American region, privacy laws rely more heavily on consent for cross-border transfers. In Africa and the Middle East, there are 19 countries, plus areas within the United Arab Emirates and Qatar, that have enacted comprehensive privacy laws, almost all of which include cross-border limitations. These laws do for the most part provide that a company can transfer data to another country if it is a contractual necessity (though not merely based on the legitimate interest of the company).
Beyond data protection regimes: employment and correspondence secrecy laws
Outside of the United States, several other types of laws may affect a company’s ability to conduct an internal investigation in a given jurisdiction, most notably employment laws and correspondence secrecy laws. As with data protection laws, these laws have nuances in their formulation and interpretation so that the operative rules differ from country to country.
Many countries have laws protecting the secrecy of correspondence. This right may be established by a country’s constitution or provided by the civil or criminal code or by telecommunications law. Such provisions guarantee the secrecy of closed correspondence and require consent of the parties to such a communication in order to access its contents. While originally envisioned to protect sealed letters, in many countries the secrecy of correspondence is held inviolable not only for written correspondence but also extends to telephone calls, emails and other electronic communications. Correspondence secrecy rules will typically become an issue if the company permits its employees to make incidental personal use of company computer systems. Where such personal use is allowed, there is potential for the company to access employees’ private communications in the course of collecting and reviewing emails and other documents for the investigation. As a result, the collection and review generally can proceed only with the employee’s informed consent, which may be withdrawn at any time.
Furthermore, employment laws in many countries regulate the manner and extent of control that an employer can exercise in relation to its workers. In the context of an internal investigation, a company is obligated, in some countries, to provide a specific notice to applicable employees to inform them about the pending investigation. This notice is in addition to any general privacy notice that the employer may have provided its employees. The specific notice must be provided to an employee under investigation informing him or her of the allegations or suspicions at issue and providing the employee an opportunity to address those allegations. Generally, the specific notice should be provided prior to any data collection, although some countries allow for delaying the notice until there is no longer a risk of the employee destroying evidence. Employment laws, in combination with data protection laws, also require a company to minimise the intrusion that an internal investigation has into employees’ private affairs. Thus, where private correspondence is encountered during document review, it should not be reviewed and should be disregarded, even if the employee has consented to the investigation accessing private correspondence. In some countries, it is recommended practice to give the employee the option to be present when his or her emails or other documents are being reviewed, so that the employee can indicate which ones are private in nature and should be discarded.
Additional development to watch: the CLOUD Act
In March 2018, Congress enacted the Clarifying Lawful Overseas Use of Data Act (the CLOUD Act). The legislation significantly alters the legal landscape for US businesses covered by the Stored Communications Act (SCA).15 It makes clear that the SCA provides a mechanism for the US government to request data that such companies store overseas. A second part of the legislation paves the way for US businesses covered by the SCA to be served with requests by certain non-US governments for data stored inside the United States. The impact of this second part of the law, however, will only become effective once the US government begins entering into executive agreements with other governments.
US government requests for information stored outside the United States
The crux of the first part of the CLOUD Act is a requirement that US companies served with court orders under the SCA turn over data to the US government no matter where the data is stored – so long as it is within the US company’s ‘possession, custody or control’. Prior to enactment of the CLOUD Act, the Supreme Court had heard arguments on this very issue in February 2018 in United States v Microsoft, in which Microsoft, supported by other technology companies, argued that the then-existing text of the SCA did not cover requests for the contents of communications stored outside the United States.16 The CLOUD Act rendered moot the question presented in Microsoft: it leaves no doubt that the SCA applies to data stored overseas by companies subject to jurisdiction in the United States.
At the same time, the CLOUD Act contains a provision that US technology companies strongly supported. It allows providers served with orders or subpoenas under the SCA to file a petition to modify or quash the order or subpoena if the provider reasonably believes that:
• the target of the request is not a US person and does not reside in the United States; and
• the required disclosure creates a material risk that the provider would violate the laws of another country with which the US government has an executive agreement (discussed in the next part below).
A court can quash the subpoena or order if it finds that both of these factors are met and that the overall interests of justice favour the provider’s challenge. The statute lists a number of considerations that must be taken into account in the interests-of-justice assessment, including considerations of international comity.
In assessing the impact of these changes, it is important to emphasise that the SCA does not apply to all types of businesses or all types of data. It applies to providers of ‘electronic communication services’ and ‘remote computing services’. Generally speaking, these terms include businesses that facilitate electronic communications by customers (eg, email or electronic messaging) and businesses that provide members of the public with computer storage services (eg, cloud computing services).17 These businesses are generally prohibited from disclosing the contents of communications to the government (or to anyone else) other than through the process set out in the SCA, which includes judicial review. For other types of businesses subject to US jurisdiction, the impact of this first part of the CLOUD Act will be more limited – as the records of such businesses could typically already be obtained by the US government through other means of legal process such as a grand jury subpoena.
Non-US government requests for information stored inside the United States
The CLOUD Act’s second part will allow the US government to enter into executive agreements with other countries that will permit US companies covered by the SCA and other provisions of the Electronic Communications Privacy Act to respond to those other countries’ requests for data. This aspect of the legislation resembles a proposal introduced by the Obama administration in 2016, which was designed to enable data-sharing between the United States and the United Kingdom. Under the SCA as it currently stands, a US company subject to the SCA that is served with a court order or other request for data by a foreign government is generally prohibited from complying. The CLOUD Act changes this by permitting these types of businesses to respond to requests from foreign governments that have entered into an executive agreement with the United States.18 For example, if an executive agreement between the United States and the United Kingdom is reached, a US company that is subject to the United Kingdom’s jurisdiction could be served with an order under the laws of the United Kingdom to produce customer data; if that data is stored in the United States, the company would be permitted to disclose it.
The CLOUD Act sets numerous parameters for these executive agreements, which will need to be approved on an individual basis by the Attorney General and the Secretary of State. Congress will also have 180 days in which it can vote to disapprove a new proposed executive agreement. Key requirements include the following:
• the other country’s laws must afford robust protections for privacy, civil liberties, and other human rights;
• the other country must adopt procedures to minimise the collection and dissemination of information provided under the agreement that concerns US persons;
• the agreement must prohibit the other country from intentionally targeting US persons or anyone else who is located in the United States; and
• the agreement must prohibit the other country from issuing orders for data at the behest of the US government or a third country.
Additionally, orders issued under these executive agreements must:
• be for the purpose of investigating or preventing serious crimes;
• target a specific person or identifier (such as an email account or phone number);
• be reasonably justified based on articulable and credible facts; and
• be subject to oversight or review by a court or other independent authority.
The introduction of an executive agreement regime will significantly reduce the hurdles for authorities in foreign countries seeking to compel production of documents and data located in the United States.
In light of the complex and often inconsistent data privacy frameworks that regulate multinational companies – along with the DOJ’s repeated scepticism toward generalised refusals to comply with a US investigation on data privacy grounds – it is imperative that those conducting cross-border investigations have a firm grasp of the specific requirements applicable to their circumstances. The landscape in both Europe and the United States has changed significantly over the past year in light of the GDPR and enactment of the CLOUD Act. These developments bear close monitoring not only by attorneys principally engaged in data privacy work but also by those who counsel clients regarding cross-border investigations.
1 ‘Assistant Attorney General Leslie R Caldwell Speaks at American Bar Association’s 30th Annual National Institute on White Collar Crime,’ 4 March 2016, www.justice.gov/opa/speech/assistant-attorney-general-leslie-r-caldwell-speaks-american-bar-association-s-30th.
2 ‘Remarks by Assistant Attorney General for the Criminal Division Leslie R Caldwell at the 22nd Annual Ethics and Compliance Conference,’ 1 October 2014, www.justice.gov/opa/speech/remarks-assistant-attorney-general-criminal-division-leslie-r-caldwell-22nd-annual-ethics.
5 US Dep’t of Justice, ‘Guidance Regarding Voluntary Self-Disclosures, Cooperation, and Remediation in Export Control and Sanctions Investigations involving Business Organizations’ at 6, 12 October 2016.
6 See Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), available at http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC.
7 GDPR article 6(1). Article 6 provides additional legal bases for processing personal information, but these are unlikely to be relevant to an investigation.
8 GDPR article 9. Article 9 also provides further conditions for processing special category personal information, but these are unlikely to be useful for an investigation. Beyond the conditions for processing sensitive personal data provided by the GDPR, member state data protection laws may specify additional grounds for collection and use of sensitive personal data, some of which may be relevant to investigations.
9 GDPR article 10.
10 GDPR article 35.
11 See GDPR article 46(2). Some of the transfer mechanisms on this list, including codes of conduct and data protection certification, are new under the GDPR and the relevant programmes have not yet been established.
12 GDPR article 49(1). Article 49 provides other derogations for cross-border transfer of personal data; however, they are generally unlikely to apply in the context of investigations.
13 2018 Act Section 10(1)–(6); Schedule 1, Part 2. Specific requirements apply with respect to each of these purposes. See Schedule 1 Parts 1–2 for further circumstances in which special category personal data can be processed.
14 2018 Act Section 10(5)–(6); Schedule 1, Part 3.
15 See 18 USC Sections 2701 et seq.
16 See David Newman, ‘In US v. Microsoft, a Decades-Old Law Leaves Few Good Options’, Wired (1 March 2018), https://www.wired.com/story/us-v-microsoft-supreme-court-oral-argument/.
17 See 18 USC Sections 2510(15), 2711(2).
18 Service providers would also be permitted to conduct live interceptions of communications – ie, wiretaps – pursuant to orders from foreign governments, subject to a set of additional requirements described in the legislation.