Dealing with personal data in cross-border compliance investigations
Companies already face a large number of legal challenges when processing personal data as part of compliance investigations within a single country. The legal requirements are especially strict if the case has cross-border aspects. This article points out the main risks and looks at possible ways of dealing with these.
If a company suspects that laws have been or are being violated, its management must conduct an internal investigation and is essentially free to choose how this is to be done. This “how” includes, in particular, the measures used by management to obtain the information it needs to investigate the suspicion and deal with the violation. In practice, this often includes conducting interviews and reviewing documents and records as well as e-mail and other electronic communication.
Data protection law, however, curbs a company’s free reign in this regard as it only permits the processing of personal data under certain conditions. And if the investigation requires cross-border data access, the company must negotiate a particularly complex network of legal requirements (including data protection regulations). Violations of data protection provisions can result in significant fines (up to EUR 20 million or 4% of the consolidated annual turnover) and claims for damages by the data subjects. In addition, data collected illegally may be inadmissible in a court case. If the violation becomes public, the company could suffer damage to its reputation, and in some areas data protection violations can even prevent the company from being awarded public contracts.
General data protection requirements for compliance investigations
Since 25 May 2018, the primary source of data protection law has been Regulation (EU) 2016/679 (General Data Protection Regulation – “GDPR”). This stipulates first and foremost that data processing must be lawful. It also lays down a number of organisational requirements.
Lawfulness of data processing as part of investigation
A – German – company may only process personal data for the purpose of an internal investigation if there is a legitimate interest in doing so that is not overridden by the conflicting confidentiality interests of the data subjects. If the investigation involves looking into a violation by a specific person, in particular an employee, there must also be a documented reason to believe that the employee has committed the violation in question (Article 6(1), letters (b), (f) GDPR; section 26 Federal Data Protection Act). Furthermore, the company must observe the processing principles, in particular the principle of data minimisation (Article 5 GDPR).
The company is generally deemed to have a legitimate interest if it has to safeguard its corporate interests by carrying out a comprehensive investigation into the alleged violation. For it is only when all the relevant facts are known that the company can make rational decisions on how to avoid or limit fines, defend against claims for damages or assert them itself, comply with regulatory (reporting) obligations, stop the violation or prevent similar violations, and communicate with the public. Companies must ensure that the confidentiality interests of the data subjects are taken into account by structuring the investigation in a way that complies with data protection requirements.
This also applies to passing on personal data within a corporate group and to third parties such as legal, PR or forensic advisors. It is only in the case of processors – service providers for specific technical processing operations such as data hosting, in particular – that a separate legal basis for data transfer is not required (the data processing contract is instead used as a basis, Article 28 GDPR).
A legally binding order issued by a European authority usually constitutes a legal basis for the disclosure of personal data (Article 6(1), letter (f) GDPR). In contrast, non-binding requests for cooperation and disclosure should be scrutinised with particular care. However, if it is common practice that such requests are promptly followed by binding requests, or if a lack of “willing cooperation” is punished by increased fines (or similar disadvantages), disclosure is often lawful on the basis of legitimate interests (Article 6(1), letter (f) GDPR).
As a rule, consent is not a suitable legal basis. Firstly, it can be withdrawn at any time (Article 7 GDPR). Although the withdrawal of consent does not affect the lawfulness of the processing before such consent was withdrawn, it does initially remove the legal basis for any future (further) processing. German data protection supervisory authorities take a critical view of the practice of “stacking” legal bases, especially having recourse to a legal basis after consent is withdrawn. Secondly, supervisory authorities question whether consent given by an employee in the context of a compliance investigation can be considered freely given. They argue that employees are under considerable pressure in such situations, which means that their consent is frequently involuntary and therefore has no legal effect.
In addition, the company must comply with organisational requirements:
- If, as described, data are passed on to other group companies or third parties, the companies involved may have to conclude specific data processing contracts (Articles 26, 28 GDPR).
- The data subjects must be informed about the data processing unless, exceptionally, the duty to provide information does not apply, e.g. on account of special confidentiality obligations or requirements.
- Right from the outset, the company must put measures in place to ensure that the data processed during the internal investigation can be securely stored and, if necessary, deleted. This also includes stipulating time limits for the storage and erasure of data or specific criteria that determine the life span of the data.
- A data protection impact assessment (Article 35 GDPR) may be required, especially if the company uses innovative technologies (e.g. artificial intelligence) to process particularly large amounts of data efficiently.
Data protection requirements for cross-border compliance investigations
In a cross-border investigation, the above requirements in terms of legal basis and organisational structure become more complicated. Companies also have to navigate a range of restrictions on the transfer of data.
Leeway in national regulations on employee data protection
The protection of employees’ personal data continues to be regulated by national law despite extensive harmonisation of data protection provisions via the GDPR. This means that the processing of employee data in different countries must be assessed using different standards, even within the EU. Companies usually find it extremely challenging to set up processes in the context of a cross-border investigation that comply with national law in all the (Member) states concerned.
The problem is exacerbated when the investigation also involves countries outside the EU that have adopted their own data protection laws. This now includes not only all the BRIC countries, but also countries such as Australia, Nigeria, Japan, South Korea, Canada and Switzerland.
It is in many cases not possible to choose the – particularly strict – data protection law of one country as the “gold standard” and then assume that the requirements in other countries will also be met. This is because international data protection regimes cannot easily be classified on a linear scale from lenient to strict, as they emphasise different aspects. As the example of consent shows, the panacea of one legal system is precisely not the remedy of choice in another.
Group-wide policies or works agreements are also factored into the assessment under data protection law via the principle of weighing of interests. This becomes relevant in particular when a European parent company imposes policies which make the requirements of the GDPR binding for all group companies.
In such cases, companies may no longer take advantage of more generous local processing powers without risk. It is usually difficult to explain to the authorities in the respective country why the company is processing less data to investigate a violation than it is legally entitled to just because it has to comply with an internal policy that is based on the requirements of what is, from the authority’s point of view, foreign law.
Restrictions on outbound transfer
European law imposes special restrictions on the transfer of personal data to third countries outside the EU and EEA, in order to ensure that personal data in the third country remain adequately protected.
This is deemed to be the case if the level of data protection in the third country has been officially recognised as adequate by the EU Commission (Article 45 GDPR) – however, such adequacy decisions have only been issued for a small number of countries (including the UK, Switzerland, Canada, Argentina and Japan, but not the U.S., India, Russia, China, Brazil, Turkey or Australia). In the absence of an adequacy decision for the respective country, additional safeguards must be provided, e.g. by concluding a data protection agreement based on the EU standard contractual clauses (Article 46 GDPR).
Authorities in third countries will not usually be willing to enter into standard contractual clauses with a European company, however. The company concerned must therefore check whether a data transfer is permissible based on one of the exceptions laid down in Article 49 GDPR, in particular for the establishment, exercise or defence of legal claims (Article 49(1), letter (e) GDPR). This exception is specifically aimed at the use of personal data in judicial proceedings (e.g. in a subpoena), but may also justify other types of disclosures (e.g. in the context of monitorships or antitrust proceedings).
So that they can demonstrate their efforts to comply with the GDPR, companies should generally only transfer personal data to authorities or courts to the extent that is absolutely necessary. This includes redacting irrelevant personal data (e.g. relating to persons not involved in the matter), if this is accepted by the authority or court concerned.
Restrictions on inbound transfer
The collection of personal data in third countries and the transfer of such data to the EU may also be subject to stringent legal restrictions. States such as Russia, China and Brazil have laid down strict requirements for the transfer of data abroad. In some cases, it is mandatory for at least a copy of the data to be kept in the country concerned.
Another aspect to be considered when disclosing personal data with a link to third countries is how this will affect the common law institution of legal privilege. The release of information may result in a loss of this “privilege” in the U.S. or UK, along with the associated protection against such information being handed over.
Companies should therefore start thinking about the challenges posed by a (cross-border) compliance investigation even if this seems merely a hypothetical problem. Steps to be taken include, in particular:
- drafting intra-group data protection agreements in such a way that exchanging information in compliance investigations is covered;
- developing processes and organisational structures relevant for compliance investigations taking into account data protection requirements (e.g. data minimisation, data localisation);
- acquiring and implementing IT systems that can meet both the practical requirements of a cross-border compliance investigation (e.g. cross-border legal hold) and data protection requirements (e.g. segmentation, data minimisation through electronic filtering); and
- drafting group policies, data protection agreements and works agreements in such a way that different national regulations can be taken into account.
If a compliance investigation is imminent, it is all the more important to consider the data protection requirements when planning and implementing the project. This is especially relevant when it comes to:
- the composition of the project team and the structuring of the cooperation between entities in different locations or at different corporate levels;
- a possible upcoming exchange of data with authorities, where consideration should be given to the handling of binding and non-binding requests for information right from the outset. If the company is to cooperate (voluntarily) with an authority (e.g. in the context of a leniency application or monitorship), it is also advisable, at an early stage, to manage expectations with regard to possible delays caused by data minimisation measures;
- the documentation of the internal investigation, which on the one hand should be as detailed as possible in order to be able to prove compliance with legal requirements to the data protection supervisory authority, and on the other must be carried out with due awareness of data subjects’ possible rights of inspection and access as well as the possibility of access by authorities;
- the fulfilment of duties to provide information and to ensure transparency, taking into account secrecy obligations and requirements;
- the involvement of employees holding the relevant positions in the company and group, e.g. compliance officer, data protection officer, human rights officer under the German Act on Corporate Due Diligence in Supply Chains, etc.; and
- the preparation of a budget and resource plan, in particular with regard to a review that may be layered for forensic and/or data protection reasons, relevant advisors and (local) counsel.
The legal challenges posed by the transfer of personal data in the context of internal investigations will become even more complex in the future as more and more countries – following the example of the GDPR – enshrine specific requirements for the lawful “export” of data across national borders in their laws.
Efforts by the EU, the UK and a number of other countries to create a safe space for the free exchange of data via mutual recognition of “adequate” levels of data protection are a step in the right direction, but are not progressing fast enough to raise high hopes. Moreover, such decisions on adequate levels of protection are regularly challenged in court and – as the European Court of Justice’s Schrems II ruling in summer 2020 showed – can suddenly be invalidated.
Meanwhile, more and more regulations – from the GDPR to the Whistleblower Directive and the German Money Laundering Act to the Supply Chains Act – are creating new requirements to be met by group-wide risk management systems. Parent companies of international groups are therefore less and less able to leave compliance tasks to their local subsidiaries alone. Cross-border compliance investigations will thus become increasingly the rule, and companies should take steps to ensure that they are as well prepared as possible – also when it comes to data protection.