Foreign Corrupt Practices Act (FCPA), SEC investigations and other US civil litigation often span multiple countries, and personal data is frequently reviewed or transferred, particularly in e-mail searches. The French Data Protection Authority (the CNIL) earlier this year focused attention on the issue of data protection in the context of US civil litigation, issuing a warning memorandum on this subject.
There has been underlying concern for some time in France and other European countries that companies are being compelled to provide information to agencies of the US government and for purposes of US civil litigation in ways that contravene EU data protection legislation. The CNIL memorandum indicates that efforts to protect that legislation are now being stepped up. Appropriate cross-border data transfer mechanisms are being given more attention as a result.
The data gathering with which the CNIL is particularly concerned is copies of employees’ hard drives and copies of e-mail folders. Its memorandum reviewed scenarios in which such data may be required to be transferred to the US: "litigation holds" or "litigation freezes" – where information is gathered at or prior to the commencement of litigation, where litigation appears to be inevitable and routine data deletion is interrupted; pre-trial discovery; investigations by the DOJ or SEC; and requirements under US laws criminalizing document destruction for purposes of obstructing investigations.
Having set out the problem, the CNIL states that they, together with their European counterparts, are taking the discussion to the European level and to the "Article 29" Working Party, the body that coordinates European data protection authorities.
Data Principles in Responding to Government Investigations
This is not a new issue. In November 2006, an EU-US "High Level Contact Group" was formed for the purpose of discussing information sharing and privacy and personal data protection in government bodies and investigations. In May 2008, the Group produced a report identifying the common principles of an effective regime in the context of privacy and personal data protection. These principles are intended to be the minimum standards when processing personal data. The report focused exclusively on government agencies’ obligations during data transfers and recognized that further discussions would be required on the subject of consistency in private entities’ obligations during data transfers.
Still, it is instructive to consider the principles that the Group considered fundamental to EU privacy and data protection. These included that personal information:
- Should be processed for a specific, legitimate law enforcement purpose;
- Should be maintained with such accuracy, relevance, timeliness and completeness as is necessary for lawful processing;
- May only be processed to the extent that it is relevant and appropriate to accomplish the law enforcement purpose;
- Must be protected by all appropriate technical, security and organizational procedures to guard against loss, corruption, misuse, unauthorized access, etc.; and
- Revealing racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, health or sexual life may not be processed unless domestic law provides appropriate safeguards.
Personal Data Transfer in Investigations and Litigation
Particular consideration should be given to ensure the personal data gathered is necessary and relevant to a clear purpose – this would require employees’ hard drives and e-mail folders to be searched using specific search terms and the more limited relevant results being transferred to the US entity, rather than all of the data being gathered up wholesale and transferred en masse. This approach will reduce the amount of personal data that is being transferred.
There will inevitably be trade-offs as to which country’s compliance regime is better satisfied. In US civil litigation, adherence to EU data protection norms is possible and often can be effectively managed. In US government investigations, a good faith attempt at compliance with EU data protection and cross-border transfer vehicles should also be undertaken.
Companies carrying out multi-country investigations should identify each of the countries from which data is to be gathered and take local advice on the specific data collection and transfer requirements. This advice should also cover exceptions or "derogations" to various EU country data protection rules, i.e. those circumstances in which data gathering and transfer is permitted, for example, for "defense of rights." If it cannot be established that personal data has been excluded, it should be assumed that it is included, and appropriate protections then applied.
The best way to comply with the data transfer obligations, at least in the EU, is by way of agreements and an effective cross-border data transfer strategy: EU model clause data protection agreements, consents embedded in employment letters or other documents, and/or the US entity filing for Safe Harbor.
The CNIL has achieved its aim of bringing this issue into focus. As a result, it is likely that the relevant authorities in Europe will be scrutinizing US and cross-border litigation and investigations more closely to ensure compliance. Data protection is, therefore, an issue that should be at the forefront of planning an FCPA or other internal investigation.
Having an effective data protection strategy in place should enable organizations to avoid the tug-of-war between US and European obligations, not just in FCPA investigations, but in the context of cross-border litigation as a whole.