Navigating data protection issues in cross-border regulatory investigations
Regulators, courts and law enforcement authorities in the U.S. (and other jurisdictions around the globe) have developed an apparently insatiable appetite for access to data – including personal data – held by financial institutions.
Such data is often not held in the jurisdiction where the regulator is requesting it. Where this is the case, financial institutions that find themselves on the receiving end of regulatory requests are required to navigate a minefield of legal and practical data protection challenges.
Are governments tiring of the "long arm" of the U.S. authorities?
More recently, Governments (especially in the EU, but also in China and elsewhere) have expressed unease with what they perceive to be the "long arm" of the U.S. authorities in terms of requesting information held overseas. In response, some Governments are increasingly taking action to resist the exercise of extraterritorial jurisdiction by U.S. courts and law enforcement authorities.
This response has led, for example, to the proposed EU General Data Protection Regulation (in certain versions of its current draft form) specifically prohibiting the sharing of personal data with foreign authorities other than with the specific prior approval of a domestic data protection authority, punishable by potential fines of up to 5% of annual worldwide turnover.
The CJEU's decision in the high profile Schrems case (reported below) effectively means the "safe harbor" route is no longer a reliable option for data transfers to the U.S.
Enforcement risk relating to data protection
Compliance with a request received from a regulatory authority for personal data could potentially lead to a breach of EU data protection and other laws implemented by EU Member States. Firms can therefore find themselves "stuck between a rock and a hard place" when faced with such requests.
They must assess and weigh up the risks and sanctions they may face for breaching relevant data protection laws with the sanctions they may face as a result of failing to comply with a request received from a regulatory authority.
Microsoft is currently in the process of appealing a decision of a New York District Court, which held it in contempt for failing to comply with a demand that was served by federal agents on Microsoft's U.S. headquarters requiring it to hand over data about EU customers held on servers in Dublin, Ireland.
Practical recommendations: Steps to take on receipt of a regulatory request to minimise the data protection risks
The following practical steps may assist firms to navigate the range of data protection issues they face when receiving a regulatory request which includes personal data.
- Legal powers: Consider whether there is a binding legal obligation to respond to the request and, if so, to what extent. Regulators and law enforcement authorities will often request information where there is no legal power to compel disclosure of that information, or they will not follow the correct procedures to make a binding demand for information. It is important to examine the nature of the request, as it could determine whether or not a disclosure or transfer is within the scope of any consent given by the data subject or derogations. It may be appropriate to revert to ask the regulator or law enforcement authority to make a binding request.
- Seek further information: It is advisable to seek further information in writing from the requesting regulatory authority, to evaluate what the purpose of the request is. It is important to examine the purpose of the request, as it could determine whether or not a disclosure or transfer is within the scope of any consent given by the data subject or derogations under the European Data Protection Directive 95/46/EC.
- Negotiate the scope of the request: It may be advisable for the firm to attempt to negotiate the scope of the request, as in some cases regulators or law enforcement authorities will agree to narrow broadly defined requests to target specific information that is required for the purposes of their investigations. This will save cost and reduce risk, but needs to be balanced against the need to maintain a good relationship with the requesting regulators and law enforcement authorities.
- Data minimisation or anonymisation: Firms should always limit the data disclosed and transferred to that which is necessary for the purpose. This may involve undertaking an internal review process, possibly with the assistance of external advisors. If the requesting regulator or authority does not require personal data, it may be possible to redact certain personal or other sensitive information from documents before they are transferred and/or disclosed. If so, this will allow a company to reduce risk, although it will result in additional costs in connection with the review and redaction process.
- Consider obtaining consent and/or giving notice: In some cases, it will be possible to obtain a specific consent from individuals to undertake a particular disclosure and transfer of their personal data. Where this is possible, eg where the number of individuals is small and they are cooperative, this may be a useful additional means to legitimise the transfer and/or disclosure. However, equally, relying on consent as the only basis for legitimising transfers is not generally recommended.
- Data processing agreement: If transferring data to an affiliate or a third party as an interim measure, and that affiliate or third party will be acting as a data processor, it is necessary to put in place a data processing agreement, under which the data processor is required only to process data in accordance with the instructions of the company (as data controller), and to implement sufficient technical and organisational security measures to protect the personal data.
- Consider whether data may be transferred via a domestic authority: In certain cases, it may be possible to request that the requesting regulator requests data via a domestic regulator of the firm. This may be possible where the two regulators have entered into a memorandum of understanding or similar concerning international cooperation (eg such an agreement exists between the SEC and the FCA). Alternatively, foreign authorities can request that a domestic court compel the disclosure of documents pursuant to the Hague Convention, although this process is not often used in practice due to the obstacles to and expense of going through that process.