Investigations into allegations of bribery, corruption or misconduct in Europe just got a whole lot harder due to recent changes to the EU Data Privacy regime.
Traditionally, such investigations involved the collection of potentially relevant data on-site within the EU. Then it would invariably be shipped back to the U.S., where it could be processed, hosted, reviewed and if necessary, produced for regulators.
The data transfer and processing could be done by any organization that had verified its safeguards to protect EU data from privacy violations via the Safe Harbor mechanism.
Well, that’s all changed.
This month, Privacy Regulators from 28 EU nations backed the European Court of Justice’s decision in the Max Schrems case that invalidated the Safe Harbor regime. That closed the legal pipeline by which data has flowed freely from the EU to the U.S. for the last 15 years.
The rationale for the court decision and the subsequent backing of the EU Data Protection Authorities is that the surveillance powers of the U.S. government are considered to be too excessive and disproportionate, and can override the data protections for EU citizens under the Safe Harbor framework.
From a legal perspective, there is no clear path forward.
Trans-Atlantic lawyers, technologists, civil libertarians, government officials and politicians are wading into the quagmire to fight it out. However, a safe middle ground that effectively balances privacy alongside national security interests is not materializing fast enough. EU Data Protection Authorities are already prepared to bring enforcement actions early next year against EU-U.S. data transfers that were previously protected by the Safe Harbor framework but are now considered to potentially violate privacy rights of EU citizens.
What then are practical steps when conducting cross-border investigations or litigation? How can investigators and litigators access key data residing in the EU?
Here’s the most important and obvious strategy to adopt: If you can’t take the data out of the EU, then don’t take the data out of the EU. Leave it there. Don’t move it. Do your data projects on-site, in Europe.
Armed with the right software, it is possible to do the processing, analysis, review and production work within the country of origin, and then to ship a small subset of only those documents deemed relevant and not private back to the U.S.
It may sound daunting and impractical, and it’s certainly different from what we’re all used to. But it can be done, with excellent results.
There are software solutions that make all this possible. And there are consultants and service providers who would be delighted to help.
Jo Sherman is the founder and CEO of dispute and investigation software company EDT. She has degrees in law and computer science and extensive international experience in the application of technology to law. She was recently appointed to the Data Law Information Governance Board of Advisors for the Benjamin N. Cardozo School of Law in New York. She can be reached via her website or by email.