As internal, regulatory and criminal investigations become increasingly global, cross-border data protection and privacy issues are more critical than ever, especially given the tightening of data privacy laws worldwide.
Why data is crucial to investigations
Reviewing data is an essential part of most investigations. It often includes assessing large amounts of data to trace funds, gather evidence and detect crimes. Getting data protection and privacy issues right in investigations is crucial for companies to mitigate the risk of having the admissibility of evidence challenged or hefty fines being levied. Under the GDPR regime, for example, regulators have already imposed more than €1.29bn in fines for a range of issues.
Accordingly, data privacy and protection issues are integral to any investigation. With increasingly global ways of working, particularly the growth in remote working during the COVID-19 pandemic, much of the information to be reviewed in investigations may be available only in electronic form.
Reviewing electronic data is also important for detecting and preventing financial crime, which has spiked during the pandemic. Reviewing electronic data may be the only way to detect and gain information about how certain crimes occur, their scope and who may have been involved. For example, data review is integral to tracing the flow of funds and asset tracing in money laundering investigations. The deletion of large amounts of data can be a red flag if it occurs immediately after a data preservation notice is issued or an investigation commences.
Data analytics and AI-powered tools are proving invaluable in helping to identify real-time patterns of suspicious activity or transactions, and to find irregularities within historical data that can assist in investigations, as well as in the prevention of fraud and other misconduct within organisations.
Key considerations on collection, review and processing of data
Complexity in investigations can arise due to the international nature of business. While misconduct or a cyber incident may occur in one jurisdiction, the relevant data may be held, collected or reviewed in several other locations. With so many countries potentially involved, multi-jurisdictional legal requirements, as well as country-specific company policies and procedures for the processing, review and collection of data, need to be considered carefully at the beginning of any investigation. Additional care is needed given the inevitability that the collected data will contain personal and/or sensitive information, which brings further complexities including issues around the transfer of data.
In some jurisdictions, a regulator’s right to access data needs to be considered and balanced against confidentiality and legal privilege. Separately, in some Middle Eastern or North African countries, employee consent may be required before personal data can be collected, transferred, processed or reviewed. Further, in some jurisdictions, such employee consent can be withdrawn.
In the context of cybercrimes, organisations may have incident management or reporting obligations in the jurisdiction in which the incident occurred or where data is affected. In cybercrimes and other (potential) criminal or regulatory investigations, managing data in a secure manner that prevents tampering is crucial for evidence-based conclusions.
Data security laws can also restrict the transfer of data. For example, certain laws in China forbid, without prior approval, the transfer to foreign judicial or law enforcement agencies of personal data that is stored within China, creating an extra layer of complexity in China-related investigations. Similarly, cybercrime laws in certain Middle Eastern countries restrict the disclosure of electronic information relating to government entities.
Organisations must also consider telecommunications laws, which can present additional challenges when reviewing communications.
Overall, the data protection issues in any internal investigation or in response to any government agency review are not easy to navigate and raise important issues to consider at the planning stages of any investigation.
GDPR standards for data privacy and protection in investigations
Often the data in question is personal data, which engages relevant data protection laws, for example the GDPR. GDPR standards are an important reference given the GDPR is becoming the benchmark for data protection legal reform in different parts of the world.
Under the GDPR, there are five central aspects to ensuring that organisations are compliant when processing personal data during an investigation:
- Scoping and principles: Organisations should only collect the personal data that they need. Article 5 of the GDPR enshrines principles like data minimisation, storage limitation, and purpose limitation. To strike the right balance between successfully handling an investigation and protecting data subjects’ rights, organisations might, depending on the circumstances, consider redacting personal or sensitive data before disclosing it, as well as having a suitable process in place for destroying data at the appropriate time following an investigation.
- Lawful basis: Article 6 of the GDPR states that organisations must rely on a lawful basis to process personal data. Generally, organisations may not wish to rely on consent as the lawful basis, as obtaining it can slow down an investigation and may also reduce its chances of success. Instead, organisations can often argue that they are collecting the personal data for a legitimate interest because, in most cases, an investigation is of extremely high importance to the business. The most obvious benefits of an investigation, which represent legitimate interests, are to detect crimes, avoid fines and prevent reputational damage.
- Agreements: In many cases, organisations rely on the support of external service providers. These service providers act as instructed by the organisations and are therefore ‘processors’. In such cases, concluding data processing agreements is mandatory.
- Transparency: When processing personal data, the GDPR requires organisations to inform data subjects about the ways in which their data may be processed by way of a privacy notice, so it is important to check this has been done in advance.
- Documentation: To comply with the documentation obligations under the GDPR, organisations should record the measures they have taken during an investigation with regard to data and data privacy. This is important, as the risk of a potential audit from a supervisory authority is real, especially as data privacy is often used as a weapon by individuals who are the subject of an investigation and who may face disciplinary or other action.
Finding the balance between protecting individuals’ data and disclosing information to a regulator can be particularly hard when it comes to data subject access requests (DSARs). Under the GDPR, organisations are obliged to answer DSARs in a timely manner and to provide the requested information in an accessible format. Nevertheless, organisations need to assess whether it is appropriate to disclose the requested information in light of the investigation or whether an exemption or restriction, like confidentiality or legal privilege, may apply.
Data is crucial for the success of an investigation. When handled correctly, data can help organisations detect and prevent crimes, cooperate with the authorities, and serve as important evidence in investigations. Organisations should be prepared for investigations before they occur, eg by reviewing IT use policies and privacy notices. Throughout all phases of an investigation, the applicable legal framework in all relevant countries and the implications of data privacy laws must be considered to avoid the risk that the handling of the data in the context of an investigation becomes the subject of a complaint, or even of significant fines.
This is the fifth in our 2022 Global Enforcement Outlook blog series, which looks at key enforcement and investigations trends. All other blogs in the series will be made available here.