GDPR and data protection issues in cross-border regulatory investigations
The EU General Data Protection Regulation (GDPR), which applies from 25 May 2018, has implications for the planning and conduct of cross-border regulatory investigations. Regulators, courts and law enforcement authorities in the U.S. and other jurisdictions have developed an apparently insatiable appetite for access to data – including personal data – held by financial institutions. Financial institutions that find themselves on the receiving end of requests are required to navigate a minefield of legal and practical challenges.
The “long arm” of the U.S. authorities
In recent years, governments (especially in the EU, but also in China and elsewhere) have expressed unease with what they perceive to be the “long arm” of the U.S. authorities in terms of requesting information held overseas. In response, action has been taken by governments and the private sector to resist the exercise of extraterritorial jurisdiction by U.S. courts and law enforcement authorities. For example, article 48 of the GDPR expressly addresses transfers of personal data to foreign authorities.
GDPR allows for much larger fines
The GDPR contains essentially the same toolkit in respect of international data transfers as current EU data protection law (the Data Protection Directive 95/46/EC). Although a proposed outright ban on transfers to foreign regulators without specific prior approval of a domestic data protection authority, which appeared in early drafts, has not survived in the adopted text of GDPR, the significant increase in fines may cause many to reevaluate whether they are willing to risk breaching data protection law in order to accede to a request from a regulator or law enforcement authority. Data protection authorities will be able to impose fines under GDPR for some infringements (including breach of requirements relating to international transfers) of up to the higher of 4% of annual worldwide turnover and EUR20 million.
International transfer to foreign court or regulator based on an international agreement
On the face of it, the GDPR requires that, without prejudice to any other grounds for cross-border transfers, any transfer or disclosure of personal data in response to a request from a court, tribunal or administrative authority of a non-EEA country must be based on an international agreement, such as a mutual legal assistance treaty (MLAT), between the requesting state and the EU or an EU Member State. This means that, in the absence of another legitimate basis for a cross-border transfer under GDPR, firms based in the EU should not transfer data to a third country for the purposes of law enforcement unless an MLAT or similar is in place with that third country under which the transfer would be made. However, GDPR maintains certain additional derogations which allow for transfers where there is a public interest and in connection with legal proceedings.
U.S. Privacy Shield may not work
The CJEU’s decision in the high profile Schrems case effectively meant that the “safe harbour” route was no longer a reliable option for data transfers to the U.S. Its replacement, the “Privacy Shield”, may face a similar fate before the CJEU as a result of a referral by the Irish High Court to the CJEU on 12 April 2018 asking whether the Privacy Shield does in fact mean that the U.S. ensures an adequate level of protection.
Enforcement risk relating to data protection
Compliance with a request received from a regulatory authority for personal data could potentially lead to a breach of EU data protection and other laws implemented by EU Member States, such as bank secrecy rules and “blocking statutes” in some jurisdictions (eg France). Firms can therefore find themselves “stuck between a rock and a hard place” when faced with such requests.
They must assess and weigh the risks and sanctions they may face for breaching relevant data protection laws against the sanctions they may face for failing to comply with a request received from an authority.
Historically, companies have generally been more fearful of the U.S. financial regulators than the data protection authorities in EU Member States, although there have been recent examples of companies attempting to resist demands from U.S. law enforcement agencies. Most notably, Microsoft (which has said it receives tens of thousands of requests for customer data each year) challenged the decision of a New York District Court, which held Microsoft in contempt for failing to comply with a demand that was served by federal agents on Microsoft’s U.S. headquarters requiring it to hand over customer data being held on servers in Dublin, Ireland. After an appellate court decision that the warrant did not apply to information held outside the United States, the U.S. government appealed this decision to the U.S. Supreme Court, before which the case was recently argued. On 17 April 2018, however, the Supreme Court officially dismissed the case in light of the newly passed U.S. CLOUD Act (discussed below), which has rendered the case moot.
U.S. CLOUD Act
The Microsoft case was based on unclear drafting in the U.S. Stored Communications Act (SCA), under which the original warrant was issued. To clarify this ambiguity, the U.S. Clarifying Lawful Overseas Use of Data Act (the CLOUD Act) was recently passed. The CLOUD Act amends the SCA expressly to require a provider to provide data within its “possession, custody, or control, regardless of whether [such data] is located within or outside the United States”. In the Microsoft case, the U.S. government has since obtained a new warrant pursuant to the CLOUD Act covering the same data requested in the original warrant. Both parties agreed that the new warrant replaced the original warrant. Therefore, no live dispute remained between the parties.
The CLOUD Act also allows the U.S. government to enter into bilateral executive agreements with other countries to expedite cross-border requests by one government for data stored in the other country. Theoretically, therefore, the U.S. and an EU Member State could enter into a bilateral agreement that allows each government broad access rights to data stored in the other country.
It will remain to be seen to what extent such agreements are reached and how they will ensure adequate protection for personal data.
Practical recommendations: Steps to take on receipt of a regulatory request to minimise data protection risks
The following practical steps may assist firms to navigate the range of data protection issues they face when receiving a regulatory request which includes personal data.
- Legal powers: Consider whether there is a binding legal obligation to respond to the request and, if so, to what extent. Regulators and law enforcement authorities will often request information where there is no legal power to compel disclosure of that information, or they will not follow the correct procedures to make a binding demand for information. It is important to examine the nature of the request, as it could determine whether or not a disclosure or transfer is within the scope of any consent given by the data subject or derogations under applicable EU data protection law. It may be appropriate to revert to ask the regulator or law enforcement authority to make a binding request.
- Seek further information: It is advisable to seek further information in writing from the requesting regulatory authority, to evaluate what the purpose of the request is. It is important to examine the purpose of the request, as it could determine whether or not a disclosure or transfer is within the scope of any consent given by the data subject or derogations under applicable EU data protection law.
- Negotiate the scope of the request: It may be advisable for the firm to attempt to negotiate the scope of the request, as in some cases regulators or law enforcement authorities will agree to narrow broadly defined requests to target specific information that is required for the purposes of their investigations. This will save cost and reduce risk, but needs to be balanced against the need to maintain a good relationship with the requesting regulators and law enforcement authorities.
- Data minimisation or anonymisation: Firms should always limit the data disclosed and transferred to that which is necessary for the purpose. This may involve undertaking an internal review process, possibly with the assistance of external advisers. If the requesting regulator or authority does not require personal data, it may be possible to redact certain personal or other sensitive information from documents before they are transferred and/or disclosed. If so, this will allow a company to reduce risk, although it will result in additional costs in connection with the review and redaction process. In particular, the wide definition of personal data means that redacting someone’s name is unlikely, of itself, to be sufficient to remove all personal data from any given document. It is highly likely that the individual can still be identified from other data and/or the context. Redaction therefore has a place but is neither a wholesale solution nor required in every instance.
- Consider obtaining consent and/or giving notice: In some cases, it will be possible to obtain a specific consent from individuals to undertake a particular disclosure and transfer of their personal data. Where this is possible (eg where the number of individuals is small and they are co-operative), it may be a useful additional means to legitimise the transfer and/or disclosure. However, under GDPR, consent must be freely given, specific, informed and unambiguous. Relying on consent as the only basis for legitimising transfers will therefore not generally be recommended, particularly as consent can be withdrawn at any time and must be as easy to withdraw as to give.
- Data processing agreement: If transferring data to an affiliate or a third party as an interim measure, and that affiliate or third party will be acting as a data processor, it is necessary to put in place a data processing agreement, under which the data processor is required only to process data in accordance with GDPR.
- Consider whether data may be transferred via a domestic authority: In certain cases, it may be possible to ask that the requesting regulator requests data via a domestic regulator of the firm. This may be possible where the two regulators have entered into a memorandum of understanding or similar concerning international cooperation (eg such an agreement exists between the SEC and the FCA). However, as a matter of public international law, a memorandum of understanding is not the same as an international agreement (unlike an MLAT). Such a channel may therefore not be valid for requests under GDPR, as discussed above. Alternatively, foreign authorities can request that a domestic court compel the disclosure of documents pursuant to the Hague Convention, although this process is not often used in practice due to the obstacles to and expense of going through that process.
- Consider whether data may be transferred via a mutual legal assistance treaty: It may be possible to request that the requesting court or regulator requests data via an MLAT or other international agreement. For example, in the Microsoft case, Microsoft argued that the U.S. government should have used the MLAT process to request the data stored on its servers in Ireland. However, most EU Member States do not have MLATs with the U.S., and the process is often criticised as being too slow and unwieldy for the needs of modern law enforcement. Where no MLAT exists, a transfer may nevertheless be lawful if it falls within the scope of any consent given by the data subject (although note the limitations on consent discussed under “Consider obtaining consent and/or giving notice” above) or derogations under applicable EU data protection law.
This article is part of the Allen & Overy Legal & Regulatory Risk Note, a quarterly publication. For more information please contact Karen Birch – email@example.com, or tel +44 20 3088 3710.