Managing Data Privacy Issues During a Regulatory Investigation

Jennifer Kennedy Park, Rahul Mukhi, Abbey Doyno

September 28, 2023

Issues surrounding data privacy and data security have been key areas of focus for regulators around the world. In the past few years, new data privacy regimes have been proposed or have come into force in the United States, including new laws in New York, Illinois, and California, and internationally, including in Brazil, China and elsewhere. 

Addressing data breach and internal governance concerns in response to these laws can be a complex undertaking as companies try to sort through areas of potential liability. One such area that is often overlooked is data privacy issues arising from regulatory investigations. During any government investigation, companies will often be required to produce documents to the investigating agency. Some of these documents may contain employee or consumer data, for example, thereby prompting the potential application of data privacy laws.

Data privacy regulations may conflict with a company’s other obligations during an investigation. For example, companies may be asked to disclose documents containing employee data in one jurisdiction, but at the same time, in another jurisdiction, there may be restrictions impeding access to, or the transfer of, that same data. Even when there is not a direct conflict, companies will feel pressure to move swiftly in responding to authorities while still needing to take deliberate measures to maintain data privacy.

Anticipating and addressing issues surrounding data privacy that arise during a regulatory investigation is increasingly important to include in a company’s broader crisis management strategy. These concerns are both global and local, from implementing company-wide employee privacy policies to considering jurisdiction-specific regulations. How a company manages data privacy issues, as part of its broader strategy when responding to regulatory investigations, can significantly affect the risks to the company. The following steps can help companies mitigate these risks:

1. Identify Where Data Is Collected

Companies should conduct a data mapping exercise to identify all relevant jurisdictions where personal data is collected, stored or processed. Working with legal counsel, companies should evaluate the legal grounds relied on for processing and transferring personal data to and from each jurisdiction the company operates in. 

Legal counsel should discuss requirements for personal data storage in each relevant jurisdiction. For example, companies operating across the United States and Europe may face challenges with data production to U.S. authorities when data has been collected in Europe. Companies must comply with the European Union’s General Data Protection Regulation (GDPR) when producing documents to U.S. authorities. The GDPR may require companies to redact any personal identifying information, such as email addresses, phone numbers or even names, from document productions. Some jurisdictions, including France and Switzerland, have additional “blocking statutes” prohibiting the transfer of any documents or information to foreign authorities that concern certain sensitive topics, such as security, economic interests or public policies. Practically speaking, companies should engage local counsel to formulate a strategy for responding to U.S. authorities while complying with other jurisdictions’ limitations on production. Strategies may include requesting permission from foreign data privacy authorities, redacting documents, or researching additional exceptions to disclosure prohibitions.

2. Convene a Response Team with Relevant Data Privacy Experience

Companies should create a standing team of key stakeholders to lead the company’s response to a corporate crisis, including one arising from a significant regulatory investigation. In addition to business personnel, public relations managers, legal counsel and others, companies should ensure that some members of the response team have data privacy experience. The response team will need to deal with data processing and production questions on short notice. Either with the support of a data privacy expert, or through the insights of a key in-house resource, the response team should be prepared to address these questions by drawing on their experience.

As part of advance planning, the response team should inform employees through privacy notices and internal policies that compliance with legal requirements and investigative processes are express purposes for collection of their data. Further, the response team should ensure that they have obtained the necessary approvals for employee data processing ahead of time to simplify the process at the outset of an investigation.

3. Maintain a Data Privacy Investigation Protocol

Companies should maintain and routinely update data privacy investigation and production protocols. When an investigation is initiated, the response team will need to move quickly and should have investigation and production protocols in place that include data privacy policies and practices. A written protocol is helpful for tracking requirements from different jurisdictions, aligning stakeholders on the scope of data collection, and making a record of steps taken in response to the investigation.

A data privacy protocol should outline what has been learned through the data mapping exercise, identify those responsible for collecting and transferring data, and provide detailed descriptions for how to identify data that is protected in relevant jurisdictions. The data privacy protocol should also link to e-discovery processes and templates and identify local counsel that can be consulted as needed. 

4. Properly Store and Review Employee Communications

In the United States, employers have the ability to monitor employees’ work communications. Employees generally consent to monitoring by their employers by signing an employee handbook or a company’s technology policy, although in most cases consent is not needed. Companies still must collect and store any employee communications in accordance with the regulations of relevant jurisdictions. Be mindful of recent guidance on the use of text and ephemeral messaging platforms when considering how data is stored.

During an investigation by a government agency, companies may be required to review and produce employee communications, particularly if personnel conduct is a cause of concern. Collection and storage of employee communications, regardless of which platform they may be on, will be under scrutiny and should be handled carefully.

5. Be Prepared to Discuss Data Privacy with Regulators Early in the Investigation

An investigating agency may have guidance regarding the scope and focus of its investigation. Scoping discussions with the relevant agency can help the company better understand what data sources and jurisdictions will be relevant throughout the investigation. Engaging in a dialogue at an early stage with the relevant authority regarding any anticipated limitations on gathering and transferring of data will help to address data protection concerns and communicate any anticipated obstacles in data production.

In discussions with relevant authorities, companies should be prepared to produce any policies that provide consumers and employees with notice and seek informed consent. Such policies may include data collection, use and disclosure policies, policies regarding proper channels for business communications, and any opt-out or exception policies the company may use.

----------

For additional practical guidance, Cleary Gottlieb’s Global Crisis Management Handbook outlines initial responses to global crises, provides advice on how to respond to requests for information from authorities, and provides crisis management plans. The Handbook is designed to be an introduction to the many legal and practical implications that frequently arise in crises involving large-scale corporate events or cross-border investigations.

Jennifer Kennedy Park is a partner at Cleary Gottlieb Steen & Hamilton LLP. Her practice focuses on white-collar defense, enforcement actions, crisis management, and complex disputes.

Rahul Mukhi is a partner at Cleary Gottlieb Steen & Hamilton LLP. His practice focuses on criminal, securities, and other enforcement and regulatory matters as well as complex commercial litigation.

Abbey Doyno is an associate at Cleary Gottlieb Steen & Hamilton LLP.