Companies are increasingly frustrated by privacy protection laws that vary from country to country. But the European Union’s new General Data Protection Regulation (GDPR), which becomes law on May 25, 2018, eliminates much of the confusion with a uniform code for all EU nations.
But with more severe restrictions and greater penalties for violations, the GDPR creates its own brand of frustration.
The eDiscovery required to get the information needed to respond to investigations is going to take on a great deal more complexity; fines for violating privacy regulations could run as high as four percent of an organization’s annual worldwide turnover or up to €20 million ($23.5 million).
While the United States has driven enforcement of anti-corruption and bribery laws since the 1998 expansion of the anti-bribery provisions of the Foreign Corrupt Practices Act, regulations on data privacy are far more restrictive overseas, increasing the challenges of transferring data for defending against allegations of corruption.
At least in part, history is at fault.
EU nations that have survived totalitarian regimes — Germany, Spain, Eastern European nations — are prone to be especially protective of individual privacy rights. The GDPR responds to those concerns, requiring organizations worldwide that store or process EU data — both data stored in the EU as well as “belonging” to EU nationals — to diligently protect personal information and prove how they do so, including how data is used, how it is stored and who has access.
Nations outside the EU are tightening data protection laws as well: There are a further 21 laws in other European countries or jurisdictions, and many others have enacted or are considering data protection legislation, such as Malaysia, Mexico, India, Peru, South Africa and even Qatar.
While there is no single solution to protect a company against violation of data privacy regulations around the world, international companies operating in a regulated environment should have a defined policy for responding to a regulatory subpoena.
As specialists on trans-jurisdictional data privacy and data transfer, we recommend:
- Develop and implement a clear data strategy.
- Map data before collecting it. Decide which data is in scope, identify the jurisdiction where it resides, and determine the privacy regulations that apply in that jurisdiction, what clearances are required and from which agency.
- Keep, process and review data in its jurisdiction of origin.
- Think strategically about what data you bring in and how you bring it in. Consider how this might be viewed by an EU judge in future years — both enforcement appetites around GDPR and the U.S.-EU Privacy Shield are as yet completely untested.
- Be conservative. The regulations are complex and can result in additional unintended consequences. For example, once data is transferred into the United States, it is generally discoverable for litigation purposes, in civil matters as well as by U.S. government agencies.
- Comply with the data policy of the jurisdiction and minimize what you transfer. Ensure you are preserving the rights of those whose data you are using and that they give informed consent — i.e., that they are informed of what you are collecting and why and agree to such collection, are given the right to exclude personal data and/or assured that such data will be culled prior to production, and are assured that the use of any data produced to regulators will be restricted to a specified purpose.
- In each jurisdiction engage counsel with data protection expertise.
- Use predictive coding software to avoid sharing personal data inadvertently — comfort can be obtained by the use of machine learning rather than human review to exclude personal data.
Brexit in the UK and the current inclination to relax privacy protections in the United States in the name of national security add uncertainty to the use and transfer of personal data from the EU and other jurisdictions with data privacy regulations in responding to anti-corruption investigations.
Still, organizations operating internationally should become GDPR-aware and, ultimately, compliant, to assure themselves the best line of defense and avoid the increasingly real risk of penalties associated with personal privacy law violations.
Frances McLeod is a founding partner of Forensic Risk Alliance (FRA). The firm supports a variety of compliance monitors, advises on trans-jurisdictional data privacy and data transfer issues, and has electronic discovery expertise that augments its forensic accounting and data analytics skills.