by Cleary Gottlieb Steen & Hamilton LLP
Many investigations, particularly those that are cross-border in nature, are likely to present data privacy issues, and managing these issues is frequently a key consideration in an investigation. By keeping data privacy laws in mind as soon as an investigation starts, an organization will avoid the risk that it has failed to satisfy certain requirements, thereby exposing itself to the possibility of a fine or sanction from a regulator. Below we walk through chronologically how an organization might incorporate data privacy considerations at each stage of an investigation:
Outset of the Investigation
- Having a basis to process data. Typically, at the start of an investigation (whether internal or regulatory), the organization being investigated needs to collect documents or materials that are relevant to the facts driving the investigation. These could include, among other things, employee emails or communications, personnel records, or other personal, employee-specific information. Any of these types of materials would constitute personal data that is protected by data privacy regimes, and which cannot be collected or used without a basis for doing so that satisfies the relevant regime. For instance, under the EU’s GDPR, the organization that is responsible for processing any such personal data must satisfy one of six legal bases for doing so.[1] Each jurisdiction has its own regulations outlining what circumstances, if any, merit the processing of personal data. Companies should therefore be familiar with the data privacy regimes they are subject to, and with what those regimes require for processing data, at the outset of an investigation, before any data is collected and before it is processed for a new purpose. In the context of a regulatory investigation, organizations should also be alert to the potential for tension between the data privacy regime of the relevant jurisdiction and the demands of the investigating regulator; while an EU jurisdiction might restrict the processing of personal data under the GDPR, the U.S. Department of Justice would expect an organization to explore all potential routes to respond to a request. Being aware of and navigating this potential for conflict from the outset of an investigation is crucial.
- Minimizing processed data. Once an organization has determined it has an acceptable basis for processing protected data, most data privacy regimes require an organization to nonetheless limit the extent of data processing. Essentially, organizations should aim only to process data that is necessary to achieve the goals identified for the purpose of the investigation or inquiry. So, before pulling any data that could be relevant to the investigation, the organization should have processes (already in place) to help identify the breadth and depth of data that is necessary. These processes will likely include consultations with in-house and external counsel to help identify the parameters of a regulatory request or the scope of an internal investigation.
- Limiting the purposes of processed data. In keeping with the requirement that there be a basis to process data under the relevant data privacy regime, an organization must also limit the purpose of processing that data—in other words, the means of processing the data must match the ends.[2] If an organization is processing data to produce to a regulator as part of a subpoena request, that data should be stored and processed for that purpose alone. Policies and controls should generally be in place before an investigation starts, to address limitations on which individuals or entities may have access to that data and for how long. (For example, if a regulator or law enforcement agency asks for a production of documents, an outside vendor processing that data may be required to destroy or return that data after the production.)
During the Investigation
- Notifying those whose data is processed. Some data privacy regimes, including the GDPR,[3] have transparency requirements, which mean that “data subjects,” or the individuals whose data is processed, have a right to be notified. This means that, as investigations proceed, organizations need to notify (to the extent required by the applicable data privacy law) those individuals whose data is being processed. As part of this, organizations need to be prepared to share and justify the basis on which the data is being processed, including where the data is being transferred to an outside country. There are exceptions to this rule that may often come up in the context of an investigation—for instance, sharing this information is prohibited in the context of anti-money laundering investigations under the GDPR.[4] Organizations therefore need to have tools or policies in place to analyze what the basis is for processing personal data, and whether that basis mandates disclosure to data subjects or falls within an exception to the disclosure requirement. Organizations should also have in place processes for handling any questions or concerns that a data subject might raise, and should allocate responsibility for handling such inquiries.
- Transferring data. Data privacy regimes regulate not only the processing of data but also its transfer, in particular outside of the relevant jurisdiction. By way of example, under the GDPR, transferring personal data across borders is permitted (provided that processing data in this way is otherwise justifiable) within the European Economic Area (“EEA”), but transfers outside of the EEA are only permitted if: (1) the European Commission has found that the relevant outside jurisdiction provides adequate data protection (i.e., protection that is substantially equivalent to the level offered in the EU),[5] (2) appropriate safeguards are in place,[6] or (3) a specific legal derogation under Article 49 of the GDPR is applicable.[7] These transfer restrictions affect where data is stored, reviewed, and ultimately transferred for production or other use, and should be considered carefully at the outset of an investigation.
During and After the Investigation
- Impact assessments. Some data privacy regimes, such as the GDPR, require organizations to carry out and maintain records of “impact assessments,” which track processing that is “likely to result in a high risk to the rights and freedoms of natural persons.”[8] These impact assessments should be an evolving process that is revisited throughout the course of an investigation. Data that did not seem noteworthy, or did not appear to jeopardize an individual’s rights, at the beginning of an investigation may pose a greater risk by the end of it. It is an organization’s responsibility to track that risk throughout the investigation.
Conclusion
Incorporating data privacy considerations into investigations requires proactive thinking before an investigation is underway. An organization should have policies already in place for all relevant data privacy regimes, both to enable an organization to meet the requirements for actually processing and transferring data, and to aid an organization in the logistics of doing so. These policies may include having pre-assigned teams ready to handle certain aspects of an investigation, such as a team whose role is to analyze what bases are legitimate for processing data, or a team whose function is to notify individuals whose data is processed, and to maintain relevant impact assessments for each of those individuals. Much time, effort, and expense can be saved in the long run if these steps are taken ahead of time.
Footnotes
[1] See Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), art. 6(1), 2016 O.J. (L 119) 1 (hereinafter “GDPR”).
[2] For an example, see GDPR art. 5(1)(b), which mandates that data be processed only for specific, explicit, and legitimate purposes, and may not be further processed in a way that is incompatible with those purposes.
[3] See GDPR arts. 12–14.
[4] See id. art. 14.5(b).
[5] Id. art. 45; Data Protection: Rules for the Protection of Personal Data Inside and Outside the EU, European Commission.
[6] GDPR art. 46.
[7] Id. art. 49.
[8] Id. art. 35.
Disclaimer
The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.