January 19th, 2021 / Insight posted in Articles

Data privacy and investigations – what US firms need to know if they trade in the UK and EU

Falling foul of data privacy laws can cost US companies dearly in terms of finance and reputation. Between May 2018 and September 2019, US companies were collectively fined more than $417 million (€380 million) by EU data regulators.[1]

Under the EU’s General Data Privacy Regulation (GDPR), companies face fines of up to €20 million or 4% of group total global turnover of the preceding fiscal year, whichever is higher.

Making the situation even more challenging, the trade deal marking the UK’s withdrawal from the EU (effective from 1 January 2021) will have far reaching repercussions for companies based in the US whose operations rely on the free flow of personal data between the EU and the UK.

Data privacy

The transfer of personal data out of the EU is subject to the constraints of the GDPR. Following the UK’s departure from the EU, the UK could lose easy access to EU personal data unless the European Commission decides that the UK’s personal data regime provides a level of protection similar to that of the EU and grants the UK data adequacy status.

The new trade deal between the UK and the EU maintains the status quo until 30 April 2021, and a further extension to 30 June 2021 is possible. If an adequacy decision is not made, specific safeguards will need to be put in place between the EU data exporter and the UK data importer.

US companies that currently rely on the GDPR to allow the movement of personal data from the EU to the UK should consider developing standard contractual clauses or binding corporate rules now, so that they can move seamlessly to a new regime when the change comes, as it is likely to at some point.

Data subject to GDPR restrictions could include customer names, addresses, credit card details, HR or finance data – anything that can identify a person directly or indirectly.

Investigations

There is likely to be a huge increase in the number of investigations companies have to undertake as the economy recovers from the global Coronavirus pandemic. Controls designed for an office-working environment may not be suitable for remote working.

The rise in remote working as a response to Coronavirus is almost certainly going to see an uplift in data theft, fraud and other illegal activity. Whatever the driver, it will be vitally important for companies to ensure that when they are conducting forensic investigations, they keep an eye on their data privacy obligations.

US companies and their senior management could face an increase in fines and other sanctions from EU regulators and law enforcement in the coming years. US, UK and some EU legislation already allows companies to be prosecuted under corporate criminal liability offences. This means that a company can be liable when an employee commits a crime, especially if it has poor controls to prevent such activity.

In response to this, companies may find themselves having to conduct thorough investigations to demonstrate that any criminality undertaken by an employee was unsanctioned. As more countries develop this type of legislation, the likelihood of getting on the wrong side of it increases.

In addition, law enforcement will be looking to examine the behaviour of companies during the pandemic, with specific regard to criminal abuse of government assistance schemes. Proactive compliance exercises can help organisations ensure that they have not accidentally breached hastily crafted regulations.

In some situations, rather than having to respond to a knock on the door and hand their servers over to law enforcement, companies can conduct their own internal investigations and provide the results to the authorities. In all these scenarios, a forensic investigation will be necessary and data privacy issues should be at the forefront of any considerations.

With the development of the cloud, it is much more likely that evidence will exist outside initial jurisdictions and advice must be sought to ensure that data privacy laws are not breached. As the saying goes, “there is no such thing as the cloud, just other people’s servers”, so it is important to know which jurisdiction those servers are in.

Companies need to engage with forensic investigators who can help them avoid the pitfalls involved in balancing EU privacy legislation with their own investigations and global law enforcement requirements. A suspect’s email repository may be a rich cache of evidence detailing their transgression but it will almost certainly also contain personal and private data which must not be trawled through unnecessarily or transmitted to another country illegally.

How Moore Kingston Smith can help

Moore Kingston Smith has in-house teams dedicated to helping clients in all these complex areas. Our specialists cover the GDPR, data privacy during investigations, eDiscovery, forensic accounting, digital forensics and employment law.

We can assist with all the aspects of how personal data can be transferred legally between the EU and the UK now, and following any treaty changes.

We use technology to assist with data privacy in investigations, for example by setting up review platforms within a jurisdiction and keeping data in situ, or by deduplicating documents across different countries using hashing algorithms, so that only document hashes, not the documents themselves, are compared across borders. As well as addressing data transfer issues, technology can help make sure that some of the core principles of the GDPR are maintained. This includes purpose limitation and data minimisation (targeted acquisition of data); storage limitation (secure deletion at the end of a matter); and integrity and confidentiality (encryption).
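To illustrate the hash-based cross-border deduplication described above, here is an added example (not Moore Kingston Smith’s own tooling) in which each jurisdiction fingerprints its documents locally and only the SHA-256 digests are exchanged; the document sets, identifiers and contents are constructed for the example.

```python
import hashlib

# Constructed sample corpora: two emails held on servers in both jurisdictions,
# plus one document unique to each side (not real client data).
UK_DOCS = {
    "uk-001": b"Subject: Q3 invoices\nPlease find attached the Q3 invoices.\n",
    "uk-002": b"Subject: Travel\nBooking confirmation for Paris trip.\n",
    "uk-003": b"Subject: Payroll\nUK payroll run completed.\n",
}
EU_DOCS = {
    "eu-101": b"Subject: Q3 invoices\nPlease find attached the Q3 invoices.\n",
    "eu-102": b"Subject: Travel\nBooking confirmation for Paris trip.\n",
    "eu-103": b"Subject: Vendors\nNew vendor onboarding checklist.\n",
}


def fingerprint(content: bytes) -> str:
    """SHA-256 hex digest of a document; the digest, not the content, crosses the border."""
    return hashlib.sha256(content).hexdigest()


def local_index(documents: dict) -> dict:
    """Run inside the jurisdiction that holds the documents. Only the resulting
    {doc_id: digest} mapping is shared with the other side, never the bodies."""
    return {doc_id: fingerprint(body) for doc_id, body in documents.items()}


def cross_border_duplicates(home_index: dict, foreign_index: dict) -> dict:
    """Digests present in both indexes -> list of home doc ids carrying them.
    The comparison is on digests alone, so no foreign document is transferred."""
    foreign_digests = set(foreign_index.values())
    dupes = {}
    for doc_id, digest in home_index.items():
        if digest in foreign_digests:
            dupes.setdefault(digest, []).append(doc_id)
    return dupes


def unique_to(home_index: dict, foreign_index: dict) -> list:
    """Documents that exist only in the home jurisdiction and so must be
    reviewed there; everything else can be reviewed once, wherever it sits."""
    foreign_digests = set(foreign_index.values())
    return sorted(d for d, h in home_index.items() if h not in foreign_digests)


if __name__ == "__main__":
    uk, eu = local_index(UK_DOCS), local_index(EU_DOCS)
    print("held in both:", sorted(cross_border_duplicates(uk, eu).values()))
    print("review only in UK:", unique_to(uk, eu))
```

An exact digest only matches byte-identical copies, so in practice message text is normalised (headers and whitespace stripped) before hashing. Because the digest of a short, guessable document can be matched by brute force, the exchanged digest lists should themselves be handled as confidential.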

From a forensic investigation perspective, a lot may hinge on the rights that a company has over an individual’s data. However, considering this once an investigation has started is almost certainly too late. Ensuring that employment contracts allow access to data, for example through clauses permitting the monitoring of data for specific activity, will help future investigations succeed.

If you or any of your clients need advice on the GDPR, investigations or employment law, contact Edward Nkune at ENkune@mks.co.uk, who is responsible for Moore Kingston Smith’s eDiscovery and digital forensics service. Edward can then bring in the relevant experts for a more in-depth discussion.

[1] Source: U.S. International Trade Commission (USITC), September 2019 Trade Briefing.