Agents Of (Privacy) Shield

by Mark Rowe

After a period of uncertainty, there’s now a better understanding of how trans-Atlantic data transfer and data privacy laws will operate in a post-Safe Harbour world. Perhaps it’s optimistic to think so, but it seems almost certain that the proposed EU-US Privacy Shield will be approved by the European Commission’s Article 29 Working Party in the not too distant future, writes Toby Duthie, Partner at London-based consultancy Forensic Risk Alliance.

However, until this happens, there is no global, over-arching framework in place to allow the transfer of personal data belonging to EU citizens out of the region – and companies face the risk of potential fines and prosecutions if they do so. It is important for companies to take this into consideration in their day-to-day operations, but it’s particularly important for those involved in cross-border investigations or any business issued with an eDiscovery request from the Department of Justice (DoJ) in the USA.

To understand the impact of this decision upon corporate internal investigations, it is important to understand exactly what is “personal data” for the purposes of the protections provided by EU law. EU directive 95/46 defines personal data as any information relating to an identified or identifiable natural person. An identifiable natural person includes one who can be identified directly or indirectly. This covers identification by reference to specific physical, physiological, mental, economic, cultural or social factors. It is, by any measure, a broad and embracing concept intended to extend well beyond what would be regarded as personal information in an everyday context. The courts have attempted, on a number of occasions, to give guidance on the application of the test in the directive.

At this time, particular care will need to be taken when handling personal data in a cross-border investigation. We recommend that data collection, hosting, review and analysis are performed within the relevant country using tools that allow local review and segregation of data. For companies in Europe, this means ensuring that data is collected, processed and analysed in Europe and not transferred to the US. Clearly, this will provide peace of mind but will involve additional costs to ensure that the teams of forensic and legal specialists can be available in the relevant jurisdiction. Further considerations will also come into play in the event that the company wishes to self-report to the DoJ or provide documents containing personal data to the DoJ. It may be that the exception to the normal prohibition can be employed in these circumstances, allowing a company to transfer data where it is necessary to defend or establish its legal rights.

Once the relevant data has been segregated, however, several options are available to accommodate a potential cross-border information request. Coordinating with the country’s local data protection authority would ultimately be the best course of action in the first instance. They may recommend redacting any sensitive information on the segregated relevant data so that it can be transported out of the country, or suggest that the company can provide restricted access via the internet while ensuring the physical location of the data remains in the country.

It’s also worth conducting vendor due diligence to avoid vicarious third-party liability. Companies that are fined are often being held liable for the actions of their vendors – it is therefore important to employ vendors that comply with any relevant legislation, and have the capabilities to implement robust and secure in-country solutions. Experienced vendors will work at the outset with the company’s legal team to adopt the most appropriate approach to data transfers.

In a wider context, all companies operating in Europe need to re-examine where they are storing data that pertains to EU citizens and make sure they are adhering to local data protection laws in the first instance. This may mean relocating sensitive personal customer and employee data to EU based data centres, and even checking where the back-ups of that data are stored. This is because some EU-based data centres back up data onto servers outside of the EU, which potentially contravenes local data protection laws within EU member states.

The abandonment of Safe Harbour and confusion around the EU-US Privacy Shield while the mechanism is finalised only serve to demonstrate the importance of long-term and consistent observance and monitoring of local data protection laws and policies. FRA’s position has always been to treat local data protection and transfer laws as a priority and first point of reference for any business wishing to store or transfer sensitive customer or employee data. FRA maintains the position it has always held – that companies and their lawyers wanting to transfer data across borders from the EU or indeed elsewhere (as of January of last year 109 countries had data privacy legislation in place) must not take potentially false comfort from using Safe Harbour or indeed any future “privacy shields” as the mechanism for transfer. Ultimately, it is the national privacy regulators and European judges who are responsible for determining whether transfers could or should have been made (and whether they were done appropriately), not the US Department of Commerce or the Commission.

About Forensic Risk Alliance

Forensic Risk Alliance (FRA) is an international consultancy specialising in anti-corruption compliance testing, forensic accountancy, and supporting clients facing regulatory investigations and cross-border, multi-jurisdictional litigation. FRA provides multi-jurisdictional analysis in financial and electronic forensics. Visit www.forensicrisk.com.

© 2024 Professional Security Magazine. All rights reserved.