Practice note: EU changes data privacy rules for company investigations

Investigations into allegations of bribery, corruption or misconduct in Europe just got a whole lot harder due to recent changes to the EU Data Privacy regime.

Traditionally, such investigations involved the collection of potentially relevant data on-site within the EU. Then it would invariably be shipped back to the U.S., where it could be processed, hosted, reviewed and, if necessary, produced for regulators.

The data transfer and processing could be done by any organization that had verified its safeguards to protect EU data from privacy violations via the Safe Harbor mechanism.

Well, that’s all changed.

This month, Privacy Regulators from 28 EU nations backed the European Court of Justice’s decision in the Max Schrems case that invalidated the Safe Harbor regime. That closed the legal pipeline by which data has flowed freely from the EU to the U.S. for the last 15 years.

The rationale for the court decision and the subsequent backing of the EU Data Protection Authorities is that the surveillance powers of the U.S. government are considered excessive and disproportionate, and can override the data protections for EU citizens under the Safe Harbor framework.

From a legal perspective, there is no clear path forward.

Trans-Atlantic lawyers, technologists, civil libertarians, government officials and politicians are wading into the quagmire to fight it out. However, a safe middle ground that effectively balances privacy alongside national security interests is not materializing fast enough. EU Data Protection Authorities are already prepared to bring enforcement actions early next year against EU-U.S. data transfers that were previously protected by the Safe Harbor framework but are now considered to potentially violate privacy rights of EU citizens.

What then are practical steps when conducting cross-border investigations or litigation? How can investigators and litigators access key data residing in the EU?

Here’s the most important and obvious strategy to adopt: If you can’t take the data out of the EU, then don’t take the data out of the EU. Leave it there. Don’t move it. Do your data projects on-site, in Europe.

Armed with the right software, it is possible to do the processing, analysis, review and production work within the country of origin, and then to ship a small subset of only those documents deemed relevant and not private back to the U.S.

It may sound daunting and impractical, and it’s certainly different from what we’re all used to. But it can be done, with excellent results.

There are software solutions that make all this possible. And there are consultants and service providers who would be delighted to help.

Jo Sherman is the founder and CEO of dispute and investigation software company EDT. She has degrees in law and computer science and extensive international experience in the application of technology to law. She was recently appointed to the Data Law Information Governance Board of Advisors for the Benjamin N. Cardozo School of Law in New York. She can be reached via her website or by email.


  1. The recent safe harbor decision brings into the spotlight an issue that has existed cross-border for a considerable time, but it is entirely possible to navigate a path between the conflicting demands of the USA & EU legal authorities, especially in the case of FCPA, Bribery, Corruption, Trade Violations as well as a host of other issues such as IP infringement and the like. Technology can certainly help but it is often the case that organisations have investment in software technology but lack the complex and thorough experience necessary to effectively use it to produce a suitable set of legally defensible documents or information, especially when under time pressures. We have been providing expertise to organisations as well as technology to assist them in time and data sensitive environments to support legal submissions in line with court directives and within conflicting legal environments for many years, successfully, thoroughly and to the satisfaction of some of the world's largest law firms, corporates and government organizations. Strong process, highly skilled and qualified people, best in class technology in a go-anywhere mobile model works very well indeed.

  2. Here’s something to consider in this approach. The closer the data is to the wrongdoers the easier it is for them to control it. Keeping everything in Europe makes it easier for the wrongdoers to suppress it, and to keep the facts from going up the corporate line. If the local bosses who authorize bribery or join in cartels can now keep a US-based compliance officer or board audit committee from learning the full facts of an investigation, it is hard to see what this does to protect anyone’s privacy. It does, however, help protect those engaged in high-level misconduct. We are underestimating the mischief that can be created by the power EU’s privacy bureaucrats are increasingly exercising. Cheers, Joe

  3. Interesting point Joe but remember that this isn't bureaucrat made law but judge made law. Whatever we think of the decision we have to investigate lawfully otherwise the guilty get free. Tom Fox and I did a podcast on this a day or so after the judgment from the SCCE conference if you're interested in more on this – I think it's on Tom's website at in the Safe Harbor section of our site with other resources including today's German decision (by bureaucrats not a court!)

  4. Here's a thing. Jurisprudentially we all agree the state prosecutors must get their evidence lawfully which means lawful investigations (including lawful access to data) or else convictions for FCPA or Bribery Act breaches should be overturned. Surely Jo Sherman's suggestion is the solution where non US based operations are being investigated by US investigators. However that only works where the organisation itself wishes to be under scrutiny. How about organisations such as FIFA (or the CIA?) where the organisation has difficulty in recognising a separation between those governing or managing the organisation and the organisation itself?
