
Data privacy in Investigations

  • Market Insight 14 December 2021
  • UK & Europe

  • Insurance & Reinsurance

Data privacy issues can be critical in investigations, particularly those involving multiple jurisdictions. Companies engaged in global activities, such as those in the maritime sector or international trade, are likely to be particularly sensitive to cross-border considerations when facing such enquiries.

In order to protect itself, an organisation involved in an investigation should consider the relevant data privacy laws at the outset of the investigation. There are various stages throughout an investigation where the issue of data privacy arises, particularly at the outset of an investigation when data (including personal data) may need to be collected, and during the investigation when personal data may need to be processed and often transferred to third parties (sometimes across borders). At all times, an organisation needs to be mindful of its potentially competing obligations and responsibilities to the individuals who are the subject of the personal data and the authority that has the conduct of the investigation. The eight ocean carriers (including CMA CGM, Hapag-Lloyd, MSC and ZIM) currently being investigated by the US Federal Maritime Commission over “congestion or related surcharges” following allegations that these were improper, should be paying close attention to their privacy obligations as well as their interactions with the Commission.

At the beginning of an investigation, an organisation will need to identify and collate documents that are relevant to the investigation. Depending on the nature of the investigation, this may include information and/or documents that constitute personal data, such as employee details and emails (and in some cases personal communications, photographs or banking details held on corporate devices or email accounts). Different jurisdictions have different privacy laws that apply in different ways and have different criteria that need to be satisfied in order for personal data to be processed lawfully and, therefore, all applicable jurisdictions will need to be identified and their privacy laws considered prior to the collection of any personal data.

Taking the European General Data Protection Regulation (GDPR), widely regarded as the benchmark for privacy laws, as an example, organisations located outside of the EU need to be aware of its extra-territorial scope when considering if and how it applies to them. The GDPR applies to organisations established in the EU as well as to organisations that are not established in the EU but that offer goods or services to individuals located within the EU or monitor their behaviour there. When collecting, in relation to an investigation, personal data to which the GDPR applies, the personal data must be collected lawfully, fairly and in a transparent manner. This means that individuals should, in most cases, be made aware that their personal data is being collected and used by an organisation, and there must be a legal basis set out in the GDPR or relevant national legislation that justifies the organisation’s processing of that personal data. From a practical perspective, it is often difficult to justify the collection and use of personal data as part of an investigation. For instance, where an organisation collects personal data in an unlawful way, by intercepting messages that should not be intercepted or by using private investigators who use deception to obtain information, the personal data collected cannot subsequently be held and used by that organisation in line with the GDPR.

Where a regulator requests an organisation, in relation to an investigation, to provide it with information that includes personal data, the organisation needs to be careful to ensure that complying with the request does not breach its obligations under relevant privacy laws, such as the GDPR. Any transfer of personal data to the authority must be justified with a legal basis and, where the authority is based outside of the EU, the transfer of the personal data outside of the jurisdiction needs to be separately justified under the GDPR. There are few lawful bases upon which personal data, particularly sensitive personal data such as health data, can be transferred outside of the jurisdiction, which means EU-based organisations involved in cross-border investigations often find themselves stuck in no-man’s land between the competing needs to fully co-operate with the regulator during an investigation and complying with their obligations under the GDPR.

We have used GDPR as the example in this article, but similar issues arise under many other jurisdictions’ privacy laws. Questions for organisations involved in an investigation to consider include:

  • Do we actually need to collect or transfer personal data in relation to the investigation, and if so, how can we make sure only the minimum amount of personal data needed is collected?
  • What adverse impact, if any, does the collection and use of the personal data in relation to the investigation have on the individuals concerned?
  • Are we legally obliged to provide the personal data to a regulator in relation to an investigation, and what are the risks we are running if we provide the data, in order to co-operate, but without a lawful basis to justify providing the personal data?
  • How will the regulator react if we refuse to provide the personal data requested or if we redact the more sensitive personal data – and what impact will that have on the investigation?

Most organisations understand that there can be serious consequences for not fully co-operating or engaging with the regulator during an investigation, so breaching privacy laws in order to co-operate with an investigation may seem the easiest course of action, but it is not always the right one. Data protection regulators can impose significant fines for breach of data privacy laws. Under the GDPR, for example, the maximum fine is the higher of EUR 20 million or 4% of annual global turnover, and regulators are increasingly turning their attention to data privacy breaches. To put it into perspective, the largest fine imposed for breach of data privacy under the GDPR (against Amazon in 2021) amounted to approximately USD 877 million.

In summary, global data privacy rules are varied, inconsistent, and complex, and the potential sanctions for breaching data privacy rules can be significant. In the context of regulatory investigations, an organisation can find itself in the unenviable position of having to comply with these rules while simultaneously being required to cooperate and be transparent with the regulator conducting the investigation. It is, therefore, crucial that organisations carefully consider the relevant jurisdictions involved in an investigation prior to any personal data being collected so that applicable advice can be taken and measures put in place to ensure, to the extent possible, that both data privacy and investigative duties are appropriately managed.

