Privacy considerations can be complex and varied, but they are critical to the success of your investigation.
Data has cemented its place as a valuable commodity that can pose considerable risk to personal privacy if exploited unscrupulously. It is being created in ever-increasing volumes and detail, recording multiple aspects of our lives, from what we do at work to how we interact with the world around us. A steady stream of data-related scandals and controversies, from cyber breaches to data misuse, has brought privacy concerns to the fore and drawn attention to the need for data protection rules.
When it comes to corporate investigations, data is increasingly the primary source of evidence – whether it’s the messages on a mobile phone, the emails between key people, or records in databases and accounting systems – people lie, but data doesn’t. During an investigation a wide range of methods are used for preserving information from mobile phones, hard drives, databases and cloud services. Gathering the data so that it can be processed, searched and reviewed often involves cross-border data transfers, sometimes electronic and sometimes by carrying hard drives through customs checks at airports. For data-intensive investigations, it is imperative to understand, navigate and comply with the relevant legal boundaries.
The changing data landscape
The regulatory landscape has changed substantially in recent years. Data privacy, protection and residency laws are now widespread. They are also increasingly complex, and lawyers specialise in distinguishing what is permitted from what is not. One of the biggest hurdles that investigators and legal advisors face is how to navigate the byzantine set of rules that international regulators are adopting to keep up with advances in technology.
As well as the mounting volume of data protection legislation, a key problem is the level of variation between countries. In Control Risks’ RiskMap2019 forecast of political and security risk, inconsistent data regulation appeared in the Top Five Risks facing international business (appearing alongside escalating cyber security threats). This was partly due to the differing attitudes to data protection across regions – with China, the US and Europe taking very different approaches. We advised organisations to “brace for the challenge of collecting, storing and transferring data within and between these three domains against a backdrop of inconsistent enforcement”. Each of these domains has its own unique priorities and characteristics and understanding this is key to avoiding pitfalls that can scupper an investigation before it has begun.
The member states of the European Union (“EU”) were already highly regulated in relation to the data privacy rights of citizens; then the EU introduced even stronger measures through the EU General Data Protection Regulation (GDPR), which has been enforced since May 2018. The GDPR is a broad-ranging, extraterritorial regulation designed to give EU citizens more extensive control of their personal data. The most serious breaches can result in fines of up to 4% of annual global turnover or €20 million, whichever is greater.
Organisations must therefore have robust controls in place to secure the personal data of those citizens. Complicating things further, each EU member state has leeway to extend privacy protections beyond the baseline set in the GDPR. The UK government is expected to absorb GDPR into UK law at the point of leaving the EU. However, a no deal Brexit would complicate matters, and organisations should refer to guidance published by the UK Information Commissioner’s Office regarding data protection if there’s no Brexit deal.
Conversely, the US has no unified, overarching privacy regulation, and privacy rights have been granted through a patchwork of federal and state law and a growing body of case law. It is therefore important in an investigation in the US to determine how both federal and state law might apply, and whether there are any special considerations that limit the scope of the collection or analysis of the data.
China’s laws grant its citizens strong privacy rights and require businesses to protect a broadly defined set of personal data. In addition, the Chinese government has enacted localization regulations that require personal data and information about critical infrastructure to be stored in-country. The country’s state secrets laws extend to an expansive range of information, all of which should be subjected to a risk review when conducting an internal investigation.1 Additional Control Risks commentary about China’s cyber security and data protection approach can be found on our China page.
Outside these three key regulatory regimes, there are a wide variety of active and proposed data protection laws. Given the wealth of jurisdictions an investigator may operate in, it is likely that one or more of these will be encountered at some point in time. In Asia, for example, it is important for investigators to be aware of Vietnam’s Law on Cybersecurity (which went into effect on 1 January 2019), and South Korea’s Personal Information Protection Act (PIPA) and Network Act (the amendment of the latter coming into effect on 19 March 2019). In countries such as Russia and Switzerland, mistakes at the data collection stage can leave the client (and the individuals collecting the data) in conflict with local legislation, at risk of prosecution and render the data unusable.
What does this mean in practice for corporate investigations?
Privacy is of particular concern in investigations because of the need to capture and analyse electronic records that may be deeply personal and heavily regulated. It is not unusual to find an employee’s private emails, personal browsing history, tax returns, medical records, or legal communications on a work computer. The problem is more pronounced with mobile phones, partly because of issues of data ownership. Imagine the problems that arise when you consider the proportion of employees who use their own smartphone for work – 86% according to a survey of 3,500 mobile workers in 2015.2 You don’t own the device, so how can you show that you own the data?
Control Risks in action
Control Risks was engaged by a US law firm to assist an investigation that involved a European company’s subsidiaries in Africa. As a first step, we preserved the devices of employees based in Africa, and collected records relating to the subsidiaries from an accounting system in the EU. So where could we host all of this data, which needed to be reviewed in the US? This question is more complicated than it first appears. We had to answer the following questions:
- Did the accounting data contain personally identifiable information, and if so, did it relate to EU citizens? If personal data is present, transferring the data out of the EU would only be acceptable if the destination has equivalent data protection legislation. Even then, anonymisation and pseudonomisation procedures would need to be considered.
- Could the forensic copies of devices be transferred from Africa to Europe for analysis? This depends on the case: it may present less risk to retain data locally, rather than transfer it into jurisdictions with a different regulatory regime. Data localisation issues have created a need for data centres in multiple locations: in this particular investigation, our Relativity instances in Johannesburg and Frankfurt were both considered as potential locations.
- Can the documents be reviewed remotely from the US? Some clients ask us not to permit remote access of this kind, despite the existence of the EU-US Privacy Shield. Consideration should also be given to whether personal information on EU citizens could potentially be disclosed as part of US court proceedings. We recommend checking for sensitive information before documents are produced, ideally using analytics software to automate the detection process.
Business records from enterprise systems can be laced with protected data such as personal healthcare information, credit card records, and drivers’ license numbers. Other categories of data must be carefully handled during investigations to comply with laws other than data privacy and protection, e.g. financial data and data protected by state secret laws in Vietnam.
An in-depth discussion of data privacy law is well beyond the scope of this article. What follows are some tips related to common privacy issues that come up during corporate investigations.
Privacy is local – Check local privacy rules before starting, and make sure there are adequate controls in place. Engage local support when needed and consult with counsel familiar with local laws and regulations. It is highly recommended that the legal advice received is from counsel that is experienced in dealing with white-collar crime. The advice received will be pragmatic and will pre-empt and offer solutions to pitfalls that may emerge.
Get consent – In many jurisdictions it is helpful to an investigation if the employer has published policies that favourably lay out data ownership rights and employment contracts set out the employee’s consent to access personal data.3 Such consent can give an investigation’s team leeway to operate, but it’s not straightforward and legal advice may still be needed. In the EU, the GDPR has added to requirements around valid consent and in addition, courts in some EU member states have determined that an employee cannot freely give consent to a request from an employer or its counsel during an investigation.4 China’s data privacy and employment laws require that informed consent be obtained from the data subject/employee before data collection, processing and cross-border export occur, and the employee can revoke consent at any time. In addition, there is a requirement to ensure that the collection process is witnessed by an “authorised notary public” when there is a possibility that the data may be used in legal proceedings in a Chinese court. The most important takeaway is that investigators need to move in lockstep with lawyers in every jurisdiction, familiar or not.
Localising the review – After collection, be prepared to store, process and review digital evidence in its country of origin (or in a country that meets the adequacy requirements of local data protection legislation). In many countries, data must remain in-country until it has been reviewed and redacted for privacy. On some investigations we have deployed mobile review environments to client sites and conducted live document reviews without transferring any data from the client’s network. Some countries will allow you to export the data without redaction, as long as it is going to another country with adequate privacy protections. Bear in mind that many countries consider US data privacy protections inadequate and restrict US-bound data transfers. There are other considerations that may also drive the decision for localising a review, such as the need for nativelanguage reviewers or translators or consideration of national security laws. This topic has been covered by our colleague Allison Griffin in her article on data localisation in The FCPA Blog. 5
Culture matters – Clearly, as we have set out in this article, some parts of the world have a greater expectation of data privacy than others. A digital forensics team collecting electronic data needs to understand local jurisdictional requirements and attitudes toward privacy. For example, a notary may need to be present when collections are conducted in Spain or China. In many countries, employees surrendering their data will be reluctant to cooperate unless clear instructions have come through the local chain of command. They can be more apprehensive in countries where people fear the government.
Be judicious, use discretion – People can act rashly and be less forthcoming when they believe that embarrassing or damaging personal information will be exposed, even if they have done nothing wrong. If the subject of the collection is made aware that their data is being captured for review and expresses alarm, consider explaining the purpose of the investigation (to the extent appropriate) and the scope of the evidence sought. Find a way to let them know that the investigators are not interested in unrelated, potentially embarrassing information. If there are concerns that individuals may destroy or hide electronic evidence, it is imperative that data is collected quickly
Encryption, encryption, encryption – Nobody wants to become the target of a data breach investigation, including the investigator. All collected electronic evidence should be encrypted and secured at the point of collection, in transit, and at its destination – lost data can expose investigators, lawyers and clients to financial, legal and reputational risk, and the data subject to potential harm.
Know when to freeze – Stop your work, freeze and quarantine the data, and consult counsel if you run into illegal or highly protected information. This could include, for example, child pornography, documents affecting national security or another party’s privileged legal documents.
Data proliferation, and the rules and regulations that have followed, have turned corporate investigations into a data management minefield. As laws in this area grow increasingly complex, investigations teams need to understand what is permitted and what is not, and need an up-to-date assessment of the legal, political and cultural context. The technical capabilities of a digital forensics team must be augmented by sound legal strategy around data privacy and protection, particularly when approaching cross-border investigations.