
Page 1: DATA PROTECTION IMPLICATIONS OF INTERNAL AND EXTERNAL · 2013-12-04 · DATA PROTECTION IMPLICATIONS OF INTERNAL AND EXTERNAL INVESTIGATIONS Presented By Ann Bevitt, Morrison & Foerster
DATA PROTECTION IMPLICATIONS OF INTERNAL

AND EXTERNAL INVESTIGATIONS

Presented By Ann Bevitt, Morrison & Foerster (UK) LLP and Monika Tomczak-Gorlikowska, Miller Canfield (Poland)

December 11, 2013

OVERVIEW

• Basic data protection rules and principles for investigations

• Dealing with internal investigations

• Dealing with external investigations:

– Data protection authorities

– Other regulators

• Focus on handling of employee data

THE BASIC RULES AND PRINCIPLES

• Emails and documents may contain personal data

• Any investigative activity involving personal data is processing, e.g.:

– Scanning and copying emails and documents

– Making a copy of the hard drive

– Reviewing and sorting emails and documents

• Remote access to emails and hard drives is a transfer

• There are limitations on processing personal data, e.g.:

– There must be a legal basis

– Transfers outside the EEA require an adequacy mechanism

– Access rights must be established

– Work email may be considered private

• Any disclosure or sharing of personal data with third parties is subject to limitations, e.g. a data processing agreement

OBLIGATIONS TOWARDS EMPLOYEES

• All employees must receive notice informing them about:

– Types of personal data collected

– Purpose(s) of collection

– Any disclosures or recipients

– Access and correction rights

– Other information relevant to the circumstances

• Secondary use/disclosure requires additional notice and legal basis

BASICS FOR INVESTIGATIONS

• Companies should have strategies to deal with investigations related to:

– internal breaches of policies and/or procedures; and

– external regulatory proceedings

• Investigations are often multi-jurisdictional, involving cross-border transfers of data, e.g. responding to discovery requests from foreign regulators:

– a U.S. entity that has control over a foreign affiliate’s documents cannot ignore discovery requests relating to such documents

BASICS FOR INVESTIGATIONS (CONTD.)

• Investigations may give rise to obligations towards:

– Individuals: notice; consent

– Regulators (other than those prompting the investigation): registration

– Other parties: consultation with works councils

INTERNAL INVESTIGATIONS

• Monitoring of employees’ electronic communications may help:

– detect breaches of policies and/or procedures

– prevent such breaches

• Approaches to employee monitoring vary across the EEA:

– Employees’ right to privacy at work must be balanced with other legitimate rights and interests of the employer

INTERNAL INVESTIGATIONS (CONTD.)

• WP29 Working Document (issued in 2002) on the surveillance of electronic communications in the workplace (WP55) permits monitoring provided:

– It is necessary and proportionate for the intended purposes

– The least intrusive methods are used

– All online communications in the workplace are subject to confidentiality protections

– Sensitive data are not collected

– Prior notice is provided (no further guidance is required to be delivered)

EMPLOYEE MONITORING – UNITED KINGDOM

• ICO Employment Practices Code and Supplementary Guidance

• Systematic v. occasional

• Impact assessment (N.B. adverse impact and alternatives)

• Notice required (unless, exceptionally, covert monitoring justified, e.g. criminal activity or equivalent malpractice) but not consent

• Access to data and subject access requests

• Retention of data

EMPLOYEE MONITORING - POLAND

• Monitoring is permitted subject to a number of conditions

• Prior employee notice is essential

• The monitoring may not lead to the extension of scope of employee data expressly limited by Polish regulations

• Must be necessary and proportionate for the intended purposes

• A variety of authorities and official bodies may request access to data by exercising their statutory rights

• The employee does not have a right of access to such demands

WHISTLEBLOWING HOTLINES

• Whistleblowing hotline as source of disclosure leading to internal investigation:

– Limit scope to SOX issues (other issues dealt with via other reporting channels)

– Further local limitations

– Notice required but not consent (as legitimate interests can be relied upon)

– Voluntary

– Not anonymous

– Works council consultation

– Confidentiality of whistleblower

INTERNAL INVESTIGATIONS: ENSURING PRIVACY COMPLIANCE

• Implement a comprehensive employee monitoring program:

– Consider local laws that may limit or regulate employee monitoring

– Give notice to employees that monitoring will occur and that they should not expect (full) privacy, even if accounts are password protected

– Identify what types of conduct are prohibited

– Conduct regular training and refresher courses on appropriate email and Internet usage in the workplace

– Obtain acknowledgment that an employee has received, understands, and will follow the requirements

– Consult with and get necessary approval from employee representatives (works councils)

INTERNAL INVESTIGATIONS: ENSURING PRIVACY COMPLIANCE (CONTD.)

• If personal data are to be transferred outside the EEA, put in place adequacy mechanism

• Handle personal data appropriately during course of investigation and after its conclusion

• Take into account obligations to complainant, alleged perpetrator, witnesses etc.

INTERNAL INVESTIGATIONS - CASE STUDY 1

• Following a disciplinary offence in 2012, a French-based affiliate of a U.S.-based company fired one of its employees

• It later turned out that the offence was related to an anti-corruption investigation launched by the U.S. parent

– The parent requested copies of all emails between the fired employee and all clients exchanged between 2002 and 2012

– Before the employee left, he erased all data files from his computer, but it was possible to extract the data from back-up discs

• Can the French affiliate comply with the parent’s request? Under what circumstances?

INTERNAL INVESTIGATIONS - CASE STUDY 2

• A U.S.-based company has launched an internal investigation following a whistleblowing report from a U.S.-based employee

• Similar allegations were made by employees in France

– The first phase of the investigation involves monitoring employees’ work computers in the U.S., Finland, France, and Germany in order to filter the data through keyword searches and review relevant records for purposes of the investigation

– External consultants and lawyers based in the UK and the U.S. copy and filter the data and review relevant records

– As the investigation unfolds, the U.S.-based company may need to share information with experts, law enforcement authorities, and regulatory authorities in the U.S.

• Discuss what compliance measures should be implemented

INTERNAL INVESTIGATIONS - CASE STUDY 3

• A multinational with an NYSE-listed parent and global presence receives an anonymous report in the U.S. on major price-fixing by affiliates in Spain, Japan, and the U.S.

• Management decides to conduct an internal investigation covering Germany, Spain, the UK, Japan, and the U.S.

• A London-based service provider is engaged to perform e-Discovery and a law firm to conduct the investigation

• Discuss compliance steps

EXTERNAL INVESTIGATIONS

• By data protection authorities: trends in number and scope:

– Continental EU: generally large investigative powers, with the possibility to “knock on the door” at any time; some regulators announce their arrival as a courtesy, some are required to do so

– Increased number of investigations in many European jurisdictions

– Trend towards co-ordination of international enforcement by DPAs (International Enforcement Coordination Working Group)

– Cf. UK: more limited powers, e.g. audit

EXTERNAL INVESTIGATIONS (CONTD.)

• By other regulators, e.g.:

– Financial supervision authorities, e.g. FCA in the UK

– Competition authorities

• Establishing a legal basis:

– Is the regulator regulating the EU entity or, e.g., the U.S. parent?

• Establishing an adequacy mechanism:

– Legal interests?

EXTERNAL INVESTIGATIONS – CASE STUDY

• A U.S. regulator requires a U.S.-based pharmaceutical company to provide clarifications on recent adverse event incidents reported outside the U.S.:

– 3-week deadline imposed for provision of the information

– Records required include information stored on servers located in Ireland, Romania, and Switzerland

– Time span for the records is the past 5 years

– EEA affiliates are required to provide immediate access to a third-party service provider engaged by the U.S. company

• What compliance steps should be undertaken to lawfully provide the requested information, and by whom?

LOOKING AHEAD

• Art. 82 of new Draft Regulation: employee investigations permitted only if related to employees’ criminal behavior – standards to be set by Member States

TOP 3 TAKE AWAYS

• Have the requisite policies and procedures e.g. Tech Use/Monitoring, whistleblowing hotline

• Check what additional steps may be required locally before taking action

• Don’t forget the basics (notice, legal basis, adequacy mechanism, data processing agreements, etc.)!

READING MATERIALS

• EU Data Protection Directive 1995/46/EC

– http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:1995:281:0031:0050:EN:PDF

• LIBE Compromise text of draft Regulation (unofficial version from Rapporteur)

– http://www.janalbrecht.eu/fileadmin/material/Dokumente/DPR-Regulation-inofficial-consolidated-LIBE.pdf

• Article 29 Working Party Working Document 55/2002 on the surveillance of electronic communications in the workplace

– http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2002/wp55_en.pdf

QUESTIONS?

Ann Bevitt

Partner

Morrison & Foerster (UK) LLP

CityPoint

1 Ropemaker Street

London

EC2Y 9AW

Tel: +44 20 7920 4041

Fax: +44 20 7496 8541

M: +44 7903 845 743

Email: [email protected]

Monika Tomczak-Górlikowska | adwokat (attorney-at-law)

Miller Canfield

ul. Batorego 28-32

81-366 Gdynia, Poland

T +48 58 782 00 50 | F +48 58 782 00 60 | Mobile +48 601 150 317

[email protected]
