How will the GDPR impact international investigations?
GDPR: A Snapshot
The GDPR updates the EU’s 1995 framework data privacy law—which is outdated due to the technological advances that have occurred since the mid-1990s. The European Commission proposed the GDPR in 2012 to modernize the law and create greater harmonization across the EU. Harmonization is needed because the current law is implemented in 20 different ways across the union, which makes compliance challenging for multinational companies. Due to the law’s very broad territorial reach, it applies to companies both inside and outside the EU that collect and process personal data in connection with an EU establishment.
The GDPR is said to be the most heavily lobbied text in the history of the EU and was subject to many amendments during the multiyear legislative process. Eventually it was adopted in 2016, and organizations have been given two years to prepare for the approaching May 25th compliance.
Keep in mind, the GDPR is an update to a law, so various things remain broadly the same, including the scope of data to which the law applies, the core process and principles, and basic requirements, including telling people what you do with their data, establishing a legal basis for processing, and restrictions on transferring data outside of the EU.
EU law sets a wide-ranging definition of personal data, including obvious identifiers like names, addresses, and contact details. But it also includes less direct identifiers, including data that is pertinent to a corporate investigation, such as IP addresses. The definition has been updated and expanded under the GDPR. Data should only be processed for specific and defined purposes, and only stored for as long as companies need it. Companies must also tell people how their data is being used, and a legal basis for the processing must be established. The available legal grounds are largely the same as under the current law.
In regard to data transfers, EU data privacy law has restricted EU personal data from being transferred outside of the EU, and the GDPR does not change this. The popular options for transfers remain in place, namely the EU-U.S. Privacy Shield for transfers to the U.S., and model clauses.
What does GDPR change, and why should I care?
While many facets of the law remain the same, there are big changes to stay on top of:
- Penalties: The key reason data privacy is getting so much attention is the severe penalties. If an organization infringes on provisions of the GDPR, fines fall into two tiers: up to €10 million or 2% of the worldwide annual revenue of the prior financial year (whichever is higher), or up to €20 million or 4% of the worldwide annual revenue of the prior financial year (whichever is higher). However, regulators are unlikely to enforce these fines immediately.
- More power for authorities: Supervisory authorities have more power to monitor and enforce the new law, conduct investigations into compliance, order companies to provide information, and obtain access from companies to all personal data and other information the authority considers necessary to perform its tasks. Authorities have corrective powers to issue warnings and reprimands, and to suspend certain processing or data flows to recipients outside of the EU.
- Enhanced rights: Individuals have enhanced rights under the law. The political slogan for the GDPR is the “Right to be Forgotten”—a right for individuals to have personal data erased.
- Accountability rules: Another key shift is a focus on “accountability”—the idea that companies are meant to be able to self-regulate rather than report and register their activities to a regulator on an annual basis.
How will GDPR affect international investigations?
When it comes to the GDPR’s impact on international investigations, high penalties for violations are likely to lead to a different risk-balancing exercise. Companies can no longer hide behind foreign data privacy laws without an explanation. According to USAM guidelines, “A company should work diligently to identify all available legal bases to provide such documents.” While there may be blocking statutes and data privacy regulations that complicate a company’s ability to provide documentation to the U.S. Justice Department, the company is required to demonstrate why it cannot provide that documentation.
We’re also seeing a trend toward data minimization, with a rising concern that due to the right to be forgotten, companies may start saving less data, for shorter periods of time. This is significant, because it’s not uncommon for the government to learn about a violation long after it occurs. And if companies begin to adopt the view that they should keep less information, it could hamper investigations that take long periods of time to complete. Additionally, a company that appears to be engaging in spoliation raises red flags.
As the GDPR compliance deadline approaches, it is a critical time for international corporations to assess their data, conduct communication risk assessments, amend contracts with vendors, and understand their protocols so they can respond quickly and compliantly under the GDPR, and be in the best position to fully cooperate in government investigations.
For more information about this topic, listen to our webcast featuring FCPA and GDPR experts.
Samantha Green is the manager of thought leadership for Epiq, and an expert on all aspects of electronic discovery, data privacy, and cybersecurity, drawing on her more than 15 years of litigation and consulting experience. As a litigator, Green has taken a number of cases from pre-discovery through trial, and has handled a broad spectrum of cases, from government investigations (including FCPA and antitrust matters) to HSR second requests and commercial litigation matters.