DATA PROTECTION IMPLICATIONS OF INTERNAL
AND EXTERNAL INVESTIGATIONS
Presented by Ann Bevitt, Morrison & Foerster (UK) LLP, and Monika Tomczak-Gorlikowska, Miller Canfield (Poland)
December 11, 2013
OVERVIEW
• Basic data protection rules and principles for investigations
• Dealing with internal investigations
• Dealing with external investigations:
– Data protection authorities
– Other regulators
• Focus on handling of employee data
BASIC DATA PROTECTION RULES AND PRINCIPLES FOR INVESTIGATIONS
THE BASIC RULES AND PRINCIPLES
• Emails and documents may contain personal data
• Any investigative activity involving personal data is processing, i.e.:
– Scanning and copying emails and documents
– Making a copy of the hard drive
– Reviewing and sorting emails and documents
– Remote access to emails and hard drives is a transfer
• There are limitations on processing personal data, e.g.:
– There must be a legal basis
– Transfers outside the EEA require an adequacy mechanism
– Access rights must be established
– Work email may be considered private
• Any disclosure or sharing of personal data with third parties is subject to limitations, e.g. the need for a data processing agreement
OBLIGATIONS TOWARDS EMPLOYEES
• All employees must receive notice informing them about:
– Types of personal data collected
– Purpose(s) of collection
– Any disclosures or recipients
– Access and correction rights
– Other information relevant to the circumstances
• Secondary use/disclosure requires additional notice and legal basis
BASICS FOR INVESTIGATIONS
• Companies should have strategies to deal with investigations related to:
– internal breaches of policies and/or procedures; and
– external regulatory proceedings
• Investigations are often multi-jurisdictional, involving cross-border transfers of data, e.g. when responding to discovery requests from foreign regulators: a U.S. entity that has control over a foreign affiliate’s documents cannot ignore discovery requests relating to such documents
BASICS FOR INVESTIGATIONS (CONTD.)
• Investigations may give rise to obligations towards:
– Individuals: notice; consent
– Regulators (other than those prompting the investigation): registration
– Other parties: consultation with works councils
INTERNAL INVESTIGATIONS
• Monitoring of employees’ electronic communications may help:
– detect breaches of policies and/or procedures
– prevent such breaches
• Approaches to employee monitoring vary across the EEA:
– Employees’ right to privacy at work must be balanced with other legitimate rights and interests of the employer
INTERNAL INVESTIGATIONS (CONTD.)
• WP29 Working Document (issued in 2002) on the surveillance of electronic communications in the workplace (WP55) permits monitoring provided:
– It is necessary and proportionate for the intended purposes
– The least intrusive methods are used
– All online communications in the workplace are subject to confidentiality protections
– Sensitive data are not collected
– Prior notice is provided (no further guidance is required to be delivered)
EMPLOYEE MONITORING – UNITED KINGDOM
• ICO Employment Practices Code and Supplementary Guidance
• Systematic v. occasional
• Impact assessment (N.B. adverse impact and alternatives)
• Notice required (unless, exceptionally, covert monitoring justified, e.g. criminal activity or equivalent malpractice) but not consent
• Access to data and subject access requests
• Retention of data
EMPLOYEE MONITORING - POLAND
• Monitoring is permitted subject to a number of conditions
• Prior employee notice is essential
• The monitoring may not lead to an extension of the scope of employee data expressly limited by Polish regulations
• Must be necessary and proportionate for the intended purposes
• A variety of authorities and official bodies may request access to data by exercising their statutory rights
• Employees do not have a right of access to such demands
WHISTLEBLOWING HOTLINES
• Whistleblowing hotline as source of disclosure leading to internal investigation:
– Limit scope to SOX issues (other issues dealt with via other reporting channels)
– Further local limitations
– Notice required but not consent (as legitimate interests can be relied upon)
– Voluntary
– Not anonymous
– Works council consultation
– Confidentiality of whistleblower
INTERNAL INVESTIGATIONS: ENSURING PRIVACY COMPLIANCE
• Implement a comprehensive employee monitoring program:
– Consider local laws that may limit or regulate employee monitoring
– Give notice to employees that monitoring will occur and that they should not expect (full) privacy, even if accounts are password protected
– Identify what types of conduct are prohibited
– Conduct regular training and refresher courses on appropriate email and Internet usage in the workplace
– Obtain acknowledgment that an employee has received, understands, and will follow the requirements
– Consult with and get necessary approval from employee representatives (works councils)
INTERNAL INVESTIGATIONS: ENSURING PRIVACY COMPLIANCE (CONTD.)
• If personal data are to be transferred outside the EEA, put in place adequacy mechanism
• Handle personal data appropriately during course of investigation and after its conclusion
• Take into account obligations to complainant, alleged perpetrator, witnesses etc.
INTERNAL INVESTIGATIONS - CASE STUDY 1
• Following a disciplinary offence in 2012, a French-based affiliate of a U.S.-based company fired one of its employees
• It later turned out that the offence was related to an anti-corruption investigation launched by the U.S. parent
– The parent requested copies of all emails between the fired employee and all clients exchanged between 2002 and 2012
– Before the employee left, he erased all data files from his computer, but it was possible to extract the data from back-up discs
• Can the French affiliate comply with the parent’s request? Under what circumstances?
INTERNAL INVESTIGATIONS - CASE STUDY 2
• A U.S.-based company has launched an internal investigation following a whistleblowing report from a U.S.-based employee
• Similar allegations were made by employees in France
– First phase of the investigation involves monitoring employees’ work computers in the U.S., Finland, France, and Germany in order to filter the data through keyword searches and review relevant records for purposes of the investigation
– External consultants and lawyers based in the UK and the U.S. copy and filter the data and review relevant records
– As the investigation unfolds, the U.S.-based company may need to share information with experts, law enforcement authorities, and regulatory authorities in the U.S.
• Discuss what compliance measures should be implemented
INTERNAL INVESTIGATIONS - CASE STUDY 3
• A multinational with an NYSE-listed parent and global presence receives an anonymous report in the U.S. on major price-fixing by affiliates in Spain, Japan, and the U.S.
• Management decides to conduct an internal investigation covering Germany, Spain, the UK, Japan, and the U.S.
• London-based service provider engaged to perform e-Discovery and law firm to conduct investigation
• Discuss compliance steps
EXTERNAL INVESTIGATIONS
• By data protection authorities: trends in number and scope:
– Continental EU:
Generally large investigative powers, possibility to “knock on the door” any time; some regulators announce their arrival by courtesy, some are required to do so
Increased number of investigations in many European jurisdictions
Trend for co-ordination of international enforcement by DPAs (International Enforcement Coordination Working Group)
– Cf. UK:
More limited powers, e.g. audit
EXTERNAL INVESTIGATIONS
• By other regulators, e.g.:
– Financial supervision authorities, e.g. FCA in UK
– Competition authorities
• Establishing a legal basis:
– Is the regulator regulating the EU entity or, e.g., the U.S. parent?
• Establishing an adequacy mechanism:
– Legal interests?
EXTERNAL INVESTIGATIONS – CASE STUDY
• U.S. regulator requires U.S.-based pharmaceutical company to provide clarifications on recent adverse event incidents reported outside the U.S.
– 3-week deadline imposed for provision of information
– Records required include information stored on servers located in Ireland, Romania, and Switzerland
– Time span for the records is the past 5 years
– EEA affiliates required to provide immediate access to third party service provider engaged by U.S. company
• What compliance steps should be undertaken to lawfully provide the requested information, and by whom?
LOOKING AHEAD
• Art. 82 of new Draft Regulation: employee investigations permitted only if related to employees’ criminal behavior – standards to be set by Member States
TOP 3 TAKE AWAYS
• Have the requisite policies and procedures e.g. Tech Use/Monitoring, whistleblowing hotline
• Check what additional steps may be required locally before taking action
• Don’t forget the basics (notice, legal basis, adequacy mechanism, data processing agreements, etc.)!
READING MATERIALS
• EU Data Protection Directive 1995/46/EC
– http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:1995:281:0031:0050:EN:PDF
• LIBE Compromise text of draft Regulation (unofficial version from Rapporteur)
– http://www.janalbrecht.eu/fileadmin/material/Dokumente/DPR-Regulation-inofficial-consolidated-LIBE.pdf
• Article 29 Working Party Working Document 55/2002 on the surveillance of electronic communications in the workplace
– http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2002/wp55_en.pdf
QUESTIONS?
Ann Bevitt
Partner
Morrison & Foerster (UK) LLP
CityPoint
1 Ropemaker Street
London
EC2Y 9AW
Tel: +44 20 7920 4041
Fax: +44 20 7496 8541
M: +44 7903 845 743
Email: [email protected]
Monika Tomczak-Górlikowska | adwokat
Miller Canfield
ul. Batorego 28-32
81-366 Gdynia, Poland
T +48 58 782 00 50 | F +48 58 782 00 60 | Mobile +48 601 150 317