FRA founding partners Toby Duthie, Frances McLeod and Greg Mason joined GIR in a live webinar to discuss key considerations and practical tips for managing conflicts of law in a global investigation. The below is a report produced from the webinar.
Geopolitics of data transfer
In the last few years there have been some significant developments in data privacy regulation including repeal of Safe Harbor, introduction of the EU-US Privacy Shield and Swiss-US Privacy Shield, approval of the General Data Protection Regulation (GDPR), Brexit and the election of Donald Trump to the US Presidency. With the increasing reliance on technology to conduct cross-border business there will be no relaxation in data protection laws. Regulatory investigations frequently span several years so strategic decisions made today around data transfer will have important ramifications in the future.
In 1995, the European Commission (EC) issued a Directive, which prohibited the transfer of personal data to non-EU countries that do not provide an ‘adequate’ level of privacy protection. It was intended to provide a mechanism to enable the free transfer of data between Europe and the US. The US-EU Safe Harbor Framework was developed that essentially promised to protect EU citizens’ data if it is transferred by American companies to the US. But, with the increasing internationalization of business and related data flows across borders, the EC recognized the lack of consistent safeguards around data privacy and therefore proposed introducing true consistency with the General Data Protection Regulation (GDPR).
A year after the EC began to draft the GDPR in 2012, Edward Snowden copied and leaked information about the extent of the National Security Agency’s (NSA’s) mass surveillance and data collection practices, and almost concurrently an investigation into Facebook’s European privacy practices was launched by the Irish data protection watchdog. Edward Snowden’s revelations of mass surveillance on EU citizens made the need for reform even more pressing.
The European Court of Justice reviewed the ‘adequacy’ criteria of data protection in the US. In October 2015, the Court of Justice of the European Union (CJEU) declared the EU-US Safe Harbor framework invalid as a mechanism to legitimize transfers of personal data from the EU to the US. In July 2016 the EC deemed the EU-US Privacy Shield Framework adequate to enable data transfers under EU law. In January 2017 the Swiss Government announced the approval of the Swiss-US Privacy Shield Framework as a valid legal mechanism to comply with Swiss requirements when transferring personal data from Switzerland to the United States. The intent of the shield is to provide more accountability and oversight over data protection privacy. US and EU officials described the Shield as “a framework that protects privacy and creates certainty” and provides assurances that “any access to personal data for law enforcement or national security is limited to what is necessary and proportionate”. The Shield however remains untested in court and is therefore vulnerable to future legal challenges.
A recent executive order issued by President Trump could have significant implications for the data sharing agreement between the European Union and the United States. The new order excludes immigrants and foreigners in the US from the protections of the Privacy Act, which could leave millions of people unprotected.
GDPR will be in force from 25 May 2018. Unlike previous regulations, the GDPR introduced a tiered penalty approach for breaches. Organizations found in breach of the Regulation can expect administrative fines of up to 4% of annual global turnover or €20 million – whichever is greater. The GDPR aims primarily to give control back to citizens and residents over their personal data. Key changes introduced by the GDPR include:
- Expanded territorial reach – non-EU organizations that do business in the EU with EU data subjects’ personal data will need to comply with the regulation and will be required to appoint a representative within the EU
- Consent – a data subject’s consent to process their personal data is required to be as easily withdrawn as it is granted
- Breach notification – data controllers are required to report most data breaches to the new Data Protection Authority, where possible, within 72 hours of awareness, together with appropriate justification. Where the risk to individuals is high, then the data subjects must be notified
- International transfers risk awareness – although the GDPR removes self-assessment as a basis for transfer, data subjects are now required to be adequately informed of the risk of transferring data outside of the EU
Companies with operations in the UK may be particularly vulnerable to the uncertainties arising from the GDPR. The GDPR will come into force before the UK leaves the EU, and the government has confirmed that the Regulation will still apply. Should the UK administration decide to opt out of the GDPR following Brexit, the US and the UK could create a unique environment for data transfers, but the obligations under the Regulation for UK businesses operating in Europe would remain.
This lack of clarity creates uncertainty for corporations involved in cross-border litigation and investigations. It leaves investors, management and stakeholders susceptible to uneasy regulatory transitions, high costs and exposure to heavy fines. There is no single solution, but there are measures that can be taken in preparation to mitigate these risks.
- Data mapping – a clear data strategy is vital to any investigation where data may reside in several jurisdictions. Considerations include: what data is being considered, where the data resides, which data privacy regulations apply, and what clearance is required before data collection and transfer
- Collection and preservation – ensure appropriate risk management tools have been engaged and that steps have been taken to ensure compliance with data privacy regulations. We counsel collection and preservation of data in its jurisdiction of origin
- Training and escalation – all personnel involved in investigations and data transfers should have up-to-date training on data transfer protocols and jurisdictional data privacy regulations, and should be trained to properly document considerations and safeguards throughout. Escalation protocols should be in place, and the appropriate counsel should be identified and engaged in each jurisdiction
- Data transfer strategy – develop a data transfer strategy that takes into consideration the nature of the data, its origin, data privacy and other data-related constraints, and consult expert data privacy and transfer specialists in any investigation
Practical steps to remain compliant
Think carefully about data management as fines for non-compliance can be severe. Be cautious when travelling to the US and travel with a blank laptop and do not carry any confidential documents on you. Avoid transferring personal data altogether. Use local data centers as transferring data across the Atlantic is still a challenging and complex procedure. Predictive coding ensures compliance with the ‘privacy by design’ requirement.
Toby Duthie, Founding Partner
Frances McLeod, Founding Partner
Greg Mason, Founding Partner