Earlier this month, The Sedona Conference released a comprehensive report, five years in the making, that attempts to synthesize the best practices for companies, data protection agencies, and investigatory agencies in matters of cross-border data transfers in the context of internal and governmental investigations. The report culminates in eight principles aimed at encouraging companies to take certain precautions when handling personal data, while also encouraging intra-governmental cooperation to avoid placing multinational companies in the crossfire of potentially conflicting laws protecting the movement of personal data across borders.
The report is an offshoot of The Sedona Conference’s 2011 report on data protection in the context of discovery in US litigation. Like that report, this year’s report is intended to build consensus around the best practices for handling sensitive data—personal data in particular. The report notes that a major issue facing multinational corporations, particularly in light of increasingly tight regulations on personal data—especially following the implementation of the General Data Protection Regulation (GDPR)—is how to effectively collect, review, and produce relevant material in response to multiple contemporaneous document demands from government agencies all undertaking an investigation into the same underlying incident. To that end, the report lays out eight principles to provide guidance in this quickly evolving area of the law.
The report’s first principle encourages companies to be proactive about building internal frameworks to process and organize data ahead of time. The report notes that companies should be implementing concrete steps for archiving, organizing, and safeguarding employee data for quick access when the data is requested by an investigatory agency. For example, companies should consider separate policies for handling the data of a current employee versus handling the data of a former employee. Companies that operate in multiple jurisdictions also might be wise to develop jurisdiction-specific practices consistent with local laws.
The next principle is directed at government agencies charged with protecting personal data. In the context of data produced in the course of a lawful investigation, the report encourages data protection authorities to consider yielding to the interests of the investigating agency. Both the company under investigation and the investigating agency have a direct interest in weeding out criminal conduct, and agencies responsible for protecting personal data should be mindful of potentially impeding an otherwise successful investigation.
Third, the report encourages investigatory agencies to take stock of the impact of data privacy laws and to recognize the burdens such laws place on companies. Investigating authorities should recognize that asking a company to move personal data across borders triggers a host of compliance-related considerations. Investigating agencies should encourage, and potentially reward, companies that attempt to produce data in a timely manner while simultaneously trying to find solutions to the obstacles posed by data protection laws.
The next three principles relate to effective communication and information sharing. The report encourages early, frequent, and candid dialogue between the company and the investigatory agency about potential barriers to production. In particular, for investigations that could expand into different areas, companies should proactively communicate potential future data protection issues before the issues arise. The report also notes that direct data sharing among governmental agencies is rare, but should be encouraged to minimize the production burden on the company. As part of this, the report admonishes investigatory agencies to consider coordinating production requests to minimize conflicts.
Similarly, the report suggests that data protection authorities should sometimes yield to a sister country’s policy goal of conducting an unfettered investigation into criminal wrongdoing. While investigatory agencies should put reasonable bounds on the data sought, principles of comity compel countries to recognize and accommodate data requests.
Finally, the report encourages judges and investigatory agencies to evaluate a complying party’s conduct against a standard of good faith and reasonableness. Both investigatory agencies and data protection agencies should consider the competing compliance demands and should view an organization’s responsiveness in light of these challenges.
For both companies and governments, The Sedona Conference’s report provides a potential starting framework for preparing for and managing cross-border transfer of personal data. Undoubtedly, as investigations increase in complexity and as handling of personal data becomes more tightly regulated, companies will be faced with competing—and sometimes conflicting—demands. Proactively preparing policies for these issues will position companies to better manage these demands when they inevitably arise.