Navigating Cross Border Document Transfers in Investigations Privacy Considerations and Practical Tips 1
Key Perspectives Europe: privacy is a fundamental right The object of laws on processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy US: Privacy rights based on piecemeal legislation, case law and constitutional interpretation Property right (who owns the data)? By subject matter: HIPPA By subject: children 2
Directive vs. General Regulation Current law: Directive 95/46/EC implemented through country specific legislation Directive establishes a base-line Results in inconsistencies country by country Difference in interpretation by country DPAs Contemplated Regulation Would be binding Would create a single EU-wide framework May be even more restrictive because of the Snowden disclosures 3
Protected Data Any information related to an identified or identifiable natural person Identifiable means that a natural person can be identified, directly or indirectly, such as by an identification number or characteristics Would include name, address, email address, telephone numbers, etc. Corporations are not natural persons 4
Processing Personal Data Processed fairly Collected for specified, explicit and legitimate purposes Adequate, relevant and not excessive Accurate and kept up to date Not kept in a form that identifies a data subject any longer than necessary 5
Notice to Data Subjects Identity of the data controller and its representatives Purpose for which data will be processed Intended recipients Whether responding to the request is voluntary or obligatory Right to access and rectify their data 6
Processing Only in Limited Circumstances Unambiguous consent For compliance with a legal obligation to which the Data Controller is subject Processing is necessary for legitimate interests pursued by the Data Controller or the third parties to whom the data are disclosed except where such interests are overridden by the interests for fundamental rights of the Data Subject 7
Transfer to a Third Country Transfer may only be made to a nonmember state if that country ensures an adequate level of protection US does not qualify Safe harbor provisions Binding corporate rules Model contractual clauses 8
Sedona Conference WG6 Developed a set of best practices for addressing privacy considerations in the context of US discovery six principles Manage discovery by: Order acknowledging special safeguards Phase discovery to explore alternate sources Narrow scope Anonymize data Record compliance with legislation 9
Public Policy Considerations Differ in Investigations In litigation, weigh fundamental privacy rights against two differing systems of dispute resolution with same objective (fair resolution) In investigations, weigh regulatory considerations, potential for data controller criminal exposure due to acts of its employees, and corporate governance considerations Differences may be persuasive to a Data Protection Authority, but may drive interest in the underlying investigation 10
Compare/Contrast Litigation Notify and preserve narrowly then expand Staged One or more countries of origin to one destination country Investigation Preserve, collect broadly and process narrowly Avoid tipping targets Avoid spoliation Avoid cover-up Simultaneous Multiple countries of origin to multiple destination countries 11
Compare/Contrast Litigation One proceeding Timing set by court order or stipulation Investigation Potential for parallel proceedings in multiple countries Timing set by agency or other corporate considerations Often short 12
Compare/Contrast Litigation Subject to judicial supervision Parties can agree to scope limitations or court may order them Investigation Not automatically subject to judicial supervision Agency may use broadly worded requests and may (or not) negotiate 13
Compare/Contrast Litigation Protective orders common Parties bring discovery disputes to the court with modest down side risk Investigation Protection via agency statutory requirements Agencies seek enforcement from courts Generally given wide latitude Risk is creating rift with governing agency 14
Compare/Contrast Litigation Negotiating leverage equal Investigation Government may have more leverage Threat of sanctions Impact on cooperation credit Delay of deal until production completed 15
Compare/Contrast Litigation Private parties only No exercise of police powers to obtain data Investigation Government parties or agency involvement Civil or informal requests may be coupled with the use of police powers to obtain data Risk of different data sets before different agencies 16
Compare/Contrast Litigation Potential for tactical abuse Investigation Potential for tactical abuse by company Potential for tactical abuse by Data Subject 17
Compare/Contrast Litigation Potential for sanctions Investigation Potential for sanctions, penalties Potential for obstruction of justice charges 18
Consents and Notices Use for notification purposes even if the consents may not be effective to authorize processing Indicate the potential for sharing data with US agencies Special attention to purpose of collection May be valid with senior employees and in some countries Works councils 19
Additional Tips Unless an exception applies, enter into an appropriate contract incorporating the model clauses Pass model clauses through to your contractors Collect and process documents in the EU Transfer only the key relevant documents to the US to minimize risks and maximize defenses Anonymize where possible to further reduce risk 20
Other Countries: Complexity OECD Privacy Principles Asia Pacific Economic Cooperation Cross Border Privacy Enforcement (U.S., Canada, Taiwan, Mexico and Japan) Russia (requiring storage on servers physically located in Russia) China: Complex privacy rights vis-à-vis non-state entities China State Secrets Law: prohibits removal of state secrets from China 21
Other Issues Remember that privacy laws are only one set of considerations Blocking statutes Employment protections Understand requirements for termination for cause Benefit may be worth the risk of local employment litigation Emphasizes need for local counsel 22
Case Study Worldwide ( WW ), a US publicly traded company, sells nuclear fuel additives to power plants across the globe. It is one of only two companies that sell these additives. A WW employee recently anonymously notified WW s hotline that WW s employees in France have bribed to obtain government tenders in the Middle East and that US senior management were aware of the bribes. WW launches an internal investigation in the US, France and several countries in the Middle East. It discloses the investigation to the DOJ and SEC and in its securities filings. French anticorruption authorities become aware of the issue through press reports and execute a search warrant on WW s French offices. French prosecutors charge two WW France employees with corruption. When WW s primary competitor reads the press reports and reviews WW s securities disclosure, it sues WW for antitrust violations alleging bid rigging of tenders for WW s additives. The competitor serves discovery requests asking for all relevant documents including ESI in the US, France and the Middle East. 23