Navigating data privacy laws in multi-jurisdictional investigations

Our investigations team has published an article for Thomson Reuters Regulatory Intelligence looking at the impact of data privacy laws on investigations in Asia. This also summarises the potential impact of Europe’s GDPR and what else is on the horizon trans-nationally.

Introduction

Enhanced regulation around data use and the proliferation of online communication channels have created a perfect storm in the investigations context. Ensuring that relevant evidence is collected legally and transferred correctly has become increasingly complex as business and private channels collide through platforms like WeChat, WhatsApp and policies like BYOD.

Various laws limit how evidence can be collected and shared with others, including rules on data protection. In Asia, these obligations and rights are drawn from a patchwork of evolving regimes. The broad extra-territoriality of Europe’s GDPR, which came into force on 25 May 2018, adds an extra layer of compliance risk. Given most regulatory and enforcement authorities have formal powers to compel the production of information in investigations, ensuring compliance with applicable data laws whilst responding to regulatory requests is more challenging now than ever.

Data collection in investigations

Rules regulating data collection vary by jurisdiction and are becoming increasingly regulated. Since investigations in Asia almost always have multi-jurisdictional elements, companies must take a holistic approach to evidence gathering, having a bird eye view not only of the laws of the immediate jurisdiction where misconduct is uncovered, but those where relevant data and individuals are located. In addition, there is the possibility that foreign agencies including those in ‘long arm’ jurisdictions like the US or UK may commence their own investigations and expect to see evidence in due course. In such cases, a company may consider voluntarily providing documents in the context of self-reporting or to show co-operation. This is prevalent in the US and UK which have established DPA and leniency regimes. Data privacy laws pose particular issues in this respect.

Complying with data privacy laws

Data privacy laws protect personal data, being information capable of identifying a living person. Stricter standards apply to sensitive personal data like information on thoughts, beliefs, political opinions and health records. Laws in Asia vary from very strict to relatively light touch.

Regardless of the maturity of the jurisdiction, generally, individuals should be notified and provide their consent to how their personal data is used and disclosed (this is “processing” in the data protection context). Consent, express or implied, is generally required for processing and employees tend to sign broad consents as part of their employment terms to allow their employers to process personal data for various purposes. Individuals may also invoke certain rights in relation to their data. This includes access, correction and deletion rights in Asia, although the time frame for compliance with such requests varies by country. Finally, individuals in Asia can expect national laws to require processors to keep their data up to date and retain it only for the purpose and time period necessary to achieve their stated purposes.

Transfer of personal data in cross-border investigations

The extent to which Asian countries restrict transfers off-shore varies. Several limit transfers to countries which are deemed to adequately protect personal data, although guidance and lists are often lacking meaning that it is difficult in practice to comply. Instead, most multinational companies tend to factor this into the employee consents signed at the on boarding stage. If consents have not been signed, applicable data privacy legislation should be analysed to see whether there is an exemption allowing for the transfer of the data in question for the purposes of the investigation. Alternative legal rights to process the data sometimes apply, express consent or providing information to authorities conducting criminal investigations being common exemptions.

For example, these exemptions can operate to exempt transfers to international law enforcement agencies (eg the US Department of Justice) of employee data stored in Hong Kong. The same would not be true under Korean or Chinese data privacy laws, whose exemptions are far more limited and generally preclude transfer in the absence of express consent.

The impact of the GDPR

Europe’s GDPR came into force on 25 May 2018 and is of much broader application than its predecessor, the Data Protection Directive. The GDPR applies to anyone who collects personal data about EU citizens, wherever in the world it may be (with some exceptions).

Companies and organisations may only handle or process such data in a legitimate, fair and transparent way, informing data subjects about their processing activities and having an appropriate legal basis for processing (which may or may not be consent). Data transfers present a further compliance issue, as companies subject to the GDPR are required to ensure that personal data is protected and consents sought when that data is transferred to a third party.

The GDPR will be binding on organisations outside the EU if they process personal data:

• in the context of an establishment of a controller or a processor in the EU (whether through a branch or a subsidiary; the presence of a single representative may be sufficient). For MNCs operating in Asia, most will have a presence in multiple locations in the EU.
• relating to the offer of goods or services to individuals in the EU (eg via a website offering delivery to the EU).
• relating to the monitoring of the behaviour of individuals in the EU (eg by using cookies to track an individual's activity on the internet).

How does the GDPR apply to investigations?

The GDPR does not apply to processing “by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security” (article 2). This gives authorities the right to receive from third parties, typically the investigated company or other authorities, personal data in the context of regulatory criminal investigations. Whether the company is permitted to transfer the data is another question though and this will generally depend on consent of the subject. Under the GDPR, broad consents signed as part of employment contracts may not be sufficient.

Further, in internal investigations, article 2 would not apply. In these circumstances, a combination of processing conditions under the GDPR and local law exemptions and derogations (where applicable) in the relevant jurisdiction(s) must be reviewed to assess whether they permit transfer. This needs to be assessed on a case by case basis.

The GDPR confers broad rights on data subjects (article 8), including of access to the data and the right to be forgotten. In the context of non-EU investigations, it is likely that individuals investigated (whether they are EU nationals or not) would not acquire such rights simply by visiting the EU. Something more permanent is required, akin to residency to trigger such rights under the GDPR. This should provide some comfort to corporates: investigations cannot be derailed by data subject requests simply upon an individual travelling to the EU. Where an individual under investigation is an EU resident, however, it would be a different story, as they are EU data subjects for the purposes of the GDPR. These and many other issues will likely be tested in the coming years as the GDPR beds down. At present, enforcement against non-EU companies is unclear; from a practical perspective non-EU data processors are supposed to appoint an EU representative to aid enforcement.

Looking ahead

The GDPR is not the only EU law to keep an eye on in this area. In April 2018, an e-Evidence Initiative was published by the European Commission to help EU Member States access content data and metadata (e-evidence) across national borders. This will help law enforcement to obtain data for criminal investigations, and will enable institutions to get data directly from providers (even those outside the EU).

The initiative is in part inspired by the US’s Clarifying Lawful Overseas Use of Data (the CLOUD) Act, enacted in March 2018. This empowers federal law enforcement agencies like the FBI to compel US-based technology companies to provide requested data stored on servers regardless of where it is stored.

The EU's version comes in the form of a Regulation and a Directive. The Regulation would create two new legal instruments: a European Production Order and a European Preservation Order. The Directive would give law enforcement authorities across the EU to compel providers based outside the EU to produce data, potentially regardless of which entity in the provider’s corporate group has possession or custody over the data.

This could result in a significant expansion of Member State jurisdiction over digital data held by service providers located outside the EU. In the context of both the CLOUD Act and the e-Evidence initiative, it is very much a case of “watch this space”. What is clear, however, is that data regulation is set to increase yet further in the year to come.

Originally published by Thomson Reuters © Thomson Reuters