Navigating Cross Border Document Transfers in Investigations. Privacy Considerations and Practical Tips


Key Perspectives
- Europe: privacy is a fundamental right
  - The object of laws on processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy
- US: Privacy rights based on piecemeal legislation, case law and constitutional interpretation
  - Property right (who owns the data)?
  - By subject matter: HIPAA
  - By subject: children

Directive vs. General Regulation
- Current law: Directive 95/46/EC implemented through country specific legislation
  - Directive establishes a base-line
  - Results in inconsistencies country by country
  - Difference in interpretation by country DPAs
- Contemplated Regulation
  - Would be binding
  - Would create a single EU-wide framework
  - May be even more restrictive because of the Snowden disclosures

Protected Data
- Any information related to an identified or identifiable natural person
- Identifiable means that a natural person can be identified, directly or indirectly, such as by an identification number or characteristics
- Would include name, address, email address, telephone numbers, etc.
- Corporations are not natural persons

Processing Personal Data
- Processed fairly
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and not excessive
- Accurate and kept up to date
- Not kept in a form that identifies a data subject any longer than necessary

Notice to Data Subjects
- Identity of the data controller and its representatives
- Purpose for which data will be processed
- Intended recipients
- Whether responding to the request is voluntary or obligatory
- Right to access and rectify their data

Processing Only in Limited Circumstances
- Unambiguous consent
- For compliance with a legal obligation to which the Data Controller is subject
- Processing is necessary for legitimate interests pursued by the Data Controller or the third parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights of the Data Subject

Transfer to a Third Country
- Transfer may only be made to a nonmember state if that country ensures an adequate level of protection
- US does not qualify
- Safe harbor provisions
- Binding corporate rules
- Model contractual clauses

Sedona Conference WG6
- Developed a set of best practices for addressing privacy considerations in the context of US discovery (six principles)
- Manage discovery by:
  - Order acknowledging special safeguards
  - Phase discovery to explore alternate sources
  - Narrow scope
  - Anonymize data
  - Record compliance with legislation

Public Policy Considerations Differ in Investigations
- In litigation, weigh fundamental privacy rights against two differing systems of dispute resolution with same objective (fair resolution)
- In investigations, weigh regulatory considerations, potential for data controller criminal exposure due to acts of its employees, and corporate governance considerations
- Differences may be persuasive to a Data Protection Authority, but may drive interest in the underlying investigation

Compare/Contrast
Litigation:
- Notify and preserve narrowly then expand
- Staged
- One or more countries of origin to one destination country
Investigation:
- Preserve, collect broadly and process narrowly
- Avoid tipping targets
- Avoid spoliation
- Avoid cover-up
- Simultaneous
- Multiple countries of origin to multiple destination countries

Compare/Contrast
Litigation:
- One proceeding
- Timing set by court order or stipulation
Investigation:
- Potential for parallel proceedings in multiple countries
- Timing set by agency or other corporate considerations
- Often short

Compare/Contrast
Litigation:
- Subject to judicial supervision
- Parties can agree to scope limitations or court may order them
Investigation:
- Not automatically subject to judicial supervision
- Agency may use broadly worded requests and may (or not) negotiate

Compare/Contrast
Litigation:
- Protective orders common
- Parties bring discovery disputes to the court with modest down side risk
Investigation:
- Protection via agency statutory requirements
- Agencies seek enforcement from courts
- Generally given wide latitude
- Risk is creating rift with governing agency

Compare/Contrast
Litigation:
- Negotiating leverage equal
Investigation:
- Government may have more leverage
- Threat of sanctions
- Impact on cooperation credit
- Delay of deal until production completed

Compare/Contrast
Litigation:
- Private parties only
- No exercise of police powers to obtain data
Investigation:
- Government parties or agency involvement
- Civil or informal requests may be coupled with the use of police powers to obtain data
- Risk of different data sets before different agencies

Compare/Contrast
Litigation:
- Potential for tactical abuse
Investigation:
- Potential for tactical abuse by company
- Potential for tactical abuse by Data Subject

Compare/Contrast
Litigation:
- Potential for sanctions
Investigation:
- Potential for sanctions, penalties
- Potential for obstruction of justice charges

Consents and Notices
- Use for notification purposes even if the consents may not be effective to authorize processing
- Indicate the potential for sharing data with US agencies
- Special attention to purpose of collection
- May be valid with senior employees and in some countries
- Works councils

Additional Tips
- Unless an exception applies, enter into an appropriate contract incorporating the model clauses
- Pass model clauses through to your contractors
- Collect and process documents in the EU
- Transfer only the key relevant documents to the US to minimize risks and maximize defenses
- Anonymize where possible to further reduce risk

Other Countries: Complexity
- OECD Privacy Principles
- Asia Pacific Economic Cooperation Cross Border Privacy Enforcement (U.S., Canada, Taiwan, Mexico and Japan)
- Russia (requiring storage on servers physically located in Russia)
- China: Complex privacy rights vis-à-vis non-state entities
- China State Secrets Law: prohibits removal of state secrets from China

Other Issues
- Remember that privacy laws are only one set of considerations
- Blocking statutes
- Employment protections
- Understand requirements for termination for cause
- Benefit may be worth the risk of local employment litigation
- Emphasizes need for local counsel

Case Study
Worldwide ("WW"), a US publicly traded company, sells nuclear fuel additives to power plants across the globe. It is one of only two companies that sell these additives. A WW employee recently anonymously notified WW's hotline that WW's employees in France have bribed to obtain government tenders in the Middle East and that US senior management were aware of the bribes. WW launches an internal investigation in the US, France and several countries in the Middle East. It discloses the investigation to the DOJ and SEC and in its securities filings. French anticorruption authorities become aware of the issue through press reports and execute a search warrant on WW's French offices. French prosecutors charge two WW France employees with corruption. When WW's primary competitor reads the press reports and reviews WW's securities disclosure, it sues WW for antitrust violations alleging bid rigging of tenders for WW's additives. The competitor serves discovery requests asking for all relevant documents including ESI in the US, France and the Middle East.