A summary of FRA’s Webinar with Lexology, 10 September 2019
Since FRA’s inception 20 years ago, we have specialized in complex data transfer and privacy matters. From our first major engagement manoeuvring around Swiss banking privacy constraints to find Holocaust-era accounts, to our current work advising clients on data governance in a GDPR world, our experts have accumulated a wealth of first-hand experience managing regulatory and internal investigations in an evolving global environment of data regulation. In this recent webinar hosted by Lexology, FRA founding partners Frances McLeod and Greg Mason and director Doel Kar share their perspectives on the impact of recent trends on investigations, drawing on their practical experience helping clients build customised solutions.
Navigating Conflicting Laws and Regulations, both Present and Future
The past few years have seen various data protection regulations emerge, some of which conflict with each other in certain areas. It may be insufficient for a company to focus narrowly on meeting the standards of the EU GDPR or the US CLOUD Act if the business operates – or may one day operate – in jurisdictions where national laws (e.g. the China Cyber Security Law) and even state laws (e.g. the forthcoming California Consumer Privacy Act) must also be considered.
A multi-national company that wants to cooperate with an investigating authority in one place may fall foul of a different authority in the process, due to blocking statutes or industry-specific data restrictions. It is worth noting that enforcement agencies around the world are also grappling with the implementation of these emerging laws and regulations and may not be available to offer pre-emptive advice to the degree and urgency that a company might want.
Furthermore, companies of all sectors and sizes now rely heavily on technology. Cloud storage, user-generated data and remote working arrangements are a few examples of how business models depend on it, and such businesses should build strategies for managing the resulting complexity in data privacy and protection matters before an investigation arises.
For these reasons, building a completely compliant and future-proof strategy across multiple jurisdictions may be an unrealistic goal. Companies must strike a balance between respecting varying privacy regulations and being forthcoming with reporting requirements. The best starting point is to aim to develop a data governance plan that is largely compliant and defensible, documenting your decisions along the way, should they come into question further down the line.
Where do you start?
We advise our clients to adopt a multi-disciplinary approach when preparing their data management strategy – ideally well before an investigation arises. Choosing the right partners in designing this strategy will depend on factors such as the nature of the investigation, maturity of the company’s infrastructure and the jurisdictions involved. Our top priorities in guiding clients through this process are:
- Data mapping. A clear data strategy is vital to any company that has data that may reside in several jurisdictions. This is an area for collaboration between compliance and IT, possibly with the assistance of consultants who have expertise in this cross-over. The data mapping exercise can also serve as a risk assessment to help identify priority areas and resources.
- Collection and Preservation. A proper audit trail underpins a successful investigation at this stage. There may be sector-specific considerations as well. While some companies undertake this stage on their own for cost reasons, you need someone to validate that your process is forensically sound and will stand up under investigation.
- Training and Escalation. Protocols and processes must be defensible. We advise having appropriate counsel in each jurisdiction who understand the respective laws and regulations.
- Data Transfer Strategy. Consult and involve data privacy and transfer experts from the outset of any cross-jurisdictional investigation, and weigh the risks of using untested or controversial data transfer mechanisms. Our advice for minimizing the chance of breaching future data transfer laws is to err on the side of caution and keep data within its jurisdiction of origin as far as possible.
As end-users of data ourselves, FRA always has an eye on emerging technology that could help investigations. Our Mobile Discovery Solution equipped with air-gap technology, for example, has been an essential innovation in many of our customized solutions for multi-jurisdiction investigations. As for the next generation of revolutionizing artificial intelligence tools, they will have to be calibrated with the expertise of people who understand best practice and stay abreast of the latest legal requirements and developments.
FRA Case Study
One of our most complex and innovative client solutions was designed before GDPR came into effect and has managed to satisfy various state secrecy laws, data privacy laws, national defence and intellectual property concerns.
FRA is also undertaking a monitorship of a European company in which we developed different “data rooms” in order to be GDPR compliant: one in the EU (where data is only available for review locally, with strict access rights and an automated audit trail), and another to which the company can move the documents necessary for reporting to the foreign investigating authority after redacting any personally identifiable information. Our approach has been validated by the relevant enforcement agencies.
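The two-room pattern in the case study can be modelled in a few lines of code. The following is an added illustration, not FRA’s own tooling or the monitorship’s actual system: an EU room that only serves documents to named local reviewers and records every access attempt, and a transfer room that only ever receives copies from which PII has been redacted, with the redaction counts written to the audit trail so the decision can be defended later. The reviewer names, document IDs, sample document and PII patterns are constructed for the example; a real redaction set would be agreed with privacy counsel for the jurisdictions involved.

```python
import re
from collections import Counter

# Constructed PII patterns for the example (email, IBAN, international phone).
PII_PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "IBAN": re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b"),
    "PHONE": re.compile(r"\+\d{1,3}[\s-]?\d(?:[\s-]?\d){7,12}"),
}


class EURoom:
    """Data stays here. Reads are limited to named reviewers and every
    attempt, allowed or denied, is appended to the audit trail."""

    def __init__(self, reviewers):
        self.reviewers = set(reviewers)
        self.docs = {}
        self.audit = []  # (action, actor, doc_id, outcome)

    def store(self, doc_id, text):
        self.docs[doc_id] = text
        self.audit.append(("store", "system", doc_id, "ok"))

    def read(self, who, doc_id):
        ok = who in self.reviewers and doc_id in self.docs
        self.audit.append(("read", who, doc_id, "ok" if ok else "denied"))
        if not ok:
            raise PermissionError(f"{who} is not permitted to read {doc_id}")
        return self.docs[doc_id]


def redact(text):
    """Replace each PII match with a typed placeholder; return (text, counts)."""
    counts = Counter()
    for label, pattern in PII_PATTERNS.items():
        text, n = pattern.subn(f"[REDACTED {label}]", text)
        counts[label] += n
    return text, dict(counts)


class TransferRoom:
    """Only ever receives redacted copies; the audit entry records what was removed."""

    def __init__(self):
        self.docs = {}
        self.audit = []  # (action, actor, doc_id, redaction counts)

    def receive(self, who, doc_id, redacted_text, counts):
        self.docs[doc_id] = redacted_text
        self.audit.append(("transfer", who, doc_id, counts))


def export_for_authority(eu_room, transfer_room, who, doc_id):
    """The only path from the EU room to the transfer room: an authorised
    read, redaction, a re-scan to confirm nothing survived, then deposit."""
    original = eu_room.read(who, doc_id)  # raises PermissionError if not authorised
    redacted, counts = redact(original)
    for pattern in PII_PATTERNS.values():
        if pattern.search(redacted):
            raise ValueError("PII survived redaction; transfer refused")
    transfer_room.receive(who, doc_id, redacted, counts)
    return redacted


# Constructed sample document (hypothetical names, numbers and IBAN).
SAMPLE_DOC = (
    "Payment instruction from anna.bauer@example.de on +44 20 7946 0000 to "
    "IBAN DE89 3704 0044 0532 0130 00, approved by the Munich office."
)


def demo():
    """Run one authorised export and one denied attempt; return the evidence."""
    eu = EURoom(reviewers={"local.reviewer"})
    transfer = TransferRoom()
    eu.store("DOC-001", SAMPLE_DOC)
    out = export_for_authority(eu, transfer, "local.reviewer", "DOC-001")
    try:
        export_for_authority(eu, transfer, "foreign.investigator", "DOC-001")
    except PermissionError:
        pass  # the denied attempt is still recorded in the EU room's trail
    return out, eu.audit, transfer.audit


if __name__ == "__main__":
    redacted, eu_trail, transfer_trail = demo()
    print(redacted)
    for entry in eu_trail + transfer_trail:
        print(entry)
```

The design choice worth noting is that the transfer room has no read path back to the EU room: the only way data reaches it is through `export_for_authority`, which checks authorisation, redacts, re-scans and logs in one step, so the audit trails of both rooms together document every decision made about each document.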