Privacy and Global Investigations

January 17, 2017

In 2017, we expect that regulators and authorities investigating misconduct will demonstrate increased sophistication in navigating the complex and disparate privacy and confidentiality regimes around the world.  The globalization of government enforcement actions and investigations, along with their increased frequency, means that regulators and authorities are now well-versed in the ground rules for obtaining the information they seek.  Being so well-versed means that these regulators and authorities have studied the relevant legal regimes, have heard a wide spectrum of differing opinions on the implications of such regimes and, particularly in matters in which cooperation is key, including cartel cases, are pushing companies to adopt the least conservative view of these laws.

We believe the uptick in global investigations by regulators and authorities targeting conduct outside of their jurisdictions will continue.  But, we think the trend towards increased cooperation between regulators and authorities from different jurisdictions may wane in the near term, potentially increasing the pressure on companies to provide foreign information to domestic authorities that may be increasingly less able to obtain it through international intergovernmental channels.

These issues highlight the critical need for companies to manage the process by which information is gathered, collected and communicated to respond to such investigations.

The Race to Charge

U.S. regulators and authorities—among others—remain focused on the foreign conduct of foreign-based companies, given the perception that targeting such companies creates a more even playing field for domestic companies.  Regulators and authorities are also increasingly focused on quickly identifying specific individual employees and entities involved in alleged misconduct in an effort to be the first to fine or bring charges.  How companies convey foreign information to domestic regulators and authorities will be critical to securing credit for cooperation but will present challenges to companies from confidentiality and privacy perspectives.

Multijurisdictional Cooperation, Multijurisdictional Discovery

Companies should strategize where to store and with whom to share data relevant to an investigation.   Regulators and governmental authorities are increasingly taking the view that any data within the scope of their investigation is fair game for them to collect or demand, regardless of where that data is stored and they are increasingly putting the onus on the company seeking cooperation credit to navigate confidentiality and privacy laws without the need for what is seen as burdensome intergovernmental assistance.  As a result, companies will face growing pressure to produce evidence concerning alleged misconduct on a voluntary basis.  A company’s ability to minimize its risks under data privacy laws can depend on how the data has been shared within the organization.  Regulators and authorities will look with a high degree of skepticism upon arguments that data transferred between jurisdictions for the company’s own purposes, for example to conduct an internal investigation, cannot be provided to the authorities and regulators in those same jurisdictions.  Thus, companies that find themselves subject to a multijurisdictional investigation should prepare for the requirements of the jurisdictions in which facts are investigated, as well as what facts such investigators seek.

Penalties on the Rise for Breach of EU Personal Data Protection Rules

A new EU personal data protection regulation will come into force on May 25, 2018, which will impose heavier burdens on companies.  Compared with the existing rules, the new regulation will continue to govern all processing of data relating to identifiable individuals but will, among other novelties, make it more difficult to obtain the consent from the relevant individuals as a valid ground to process their data, and add new obligations to proactively demonstrate compliance with the regulation.  At the same time, regulators and authorities in various jurisdictions investigating misconduct have  made it clear that the production of relevant information is a prerequisite to cooperation credit or leniency.  Such production will virtually always entail the review of documents including personal data.  In light of the new EU regime’s higher fines of up to four percent of a group’s annual, worldwide turnover and broadened geographic reach to cover non-EU companies that offer goods and services or monitor individuals in the region, companies will be incentivized to choose where they host and process personal data strategically, bearing in mind that their files and records may have to be produced as evidence in proceedings outside Europe.

Further, the recent repeal of the United States—EU Safe Harbor (which allowed the free transfer of personal data from the European Union to certain companies in the United States that agreed to submit themselves to high personal data processing standards) has left uncertainty regarding the available channels for transatlantic data transfers.  While mechanisms still exist for transferring personal data from the European Union to the United States, each of these has been demonstrated to have limitations (including the “Privacy Shield” scheme, which succeeded the Safe Harbor).  Thus, companies may need to re-assess the historical avenues through which data from Europe can be transmitted to U.S. regulators and authorities to comply with the new EU personal data regime.