FTI Technology QuickPitch

Resolving the Inherent Conflicts
Between U.S. Investigations and
European Data Privacy Laws
May, 2011
Moderator
Mary Jacoby
Mary Jacoby is an award-winning
former reporter for the Wall Street
Journal, Salon magazine, the St.
Petersburg Times of Florida, the
Chicago Tribune and Roll Call.
From 2005 to 2007 she reported from
Brussels for the Wall Street Journal,
where she covered European Union
antitrust and regulatory issues,
breaking numerous stories about
investigations involving Intel, Microsoft
Corp., Mastercard and other major
companies.
Her investigations have ranged from
the influence of Russian oligarchs in
Washington to terrorist financing and
white-collar crime.
Agenda
• Introduction of Presenters
• Background
• Cross-Border Data Transfers
• Data Protection Laws Around the World
• Increased Global Scrutiny
• Common Scenarios
• Cross-Border Data Transfers
• Practical Guidance
• Case Studies
• Q&A
Presenter
Joe Looby
Joe Looby is a senior managing
director in the FTI Technology
segment.
He has provided expert testimony and
consulting on economic and technology
issues and appeared before regulatory
agencies on diverse matters.
Joe has also participated in studies on
search technology effectiveness,
sponsored by the National Institute of
Standards and Technology (NIST) and
DOD Advanced Research and
Development Activity (ARDA).
Presenter
Veeral Gosalia
Veeral Gosalia is a managing director
in the Electronic Evidence Consulting
group of FTI’s Technology practice.
Mr. Gosalia’s areas of expertise include
data extraction, data analysis,
computer forensics and e-discovery.
Mr. Gosalia has extensive computer
forensics experience. He has assisted
on matters related to the forensic
acquisition and examination of
computer systems, e-mail and various
types of computer media.
Additionally, Mr. Gosalia has experience
with EU data privacy issues arising
in computer acquisitions and tape
restorations.
Presenter
Craig Earnshaw
Craig Earnshaw is a managing director
in the FTI Technology segment.
Since 1997, he has worked solely in
the electronic evidence field and during
this time has amassed considerable
experience in forensic computing,
electronic disclosure, Internet
investigations and electronic evidence.
Mr. Earnshaw has provided both
written and oral expert evidence in the
High Court in London, and has testified
at depositions in the United States, as
well as submitting written expert
evidence into other forums such as
employment tribunals and arbitrations.
Presenter
William Long
William Long is a counsel in the
London office of Sidley Austin LLP.
He advises international clients on a
wide variety of data protection, privacy,
information security, e-commerce,
payments and other regulatory matters.
Mr. Long has experience with EU and
international data protection and
privacy projects particularly in the
financial services and healthcare
sectors advising on cross-border data
transfer and other data protection
issues.
Mr. Long is a regular speaker on data
protection and privacy matters.
Survey Question
Which of these is not a legitimate basis to permit the US
cross-border discovery of personal data from EU
employees?
a. Informed Consent
b. Standard Contractual Clauses
c. Binding Corporate Rules
d. Safe Harbor
e. DOJ Subpoena
Background
Joe Looby, FTI
Cross Border Data Transfers
Right Paperwork, Right Technology & Right Approach
Looking after personal information properly goes much wider than ensuring appropriate
security. It involves a comprehensive approach – usefully summarized as ‘data
minimization’ – to the collection, use, sharing, retention, and destruction of personal
information. This is what data protection is all about. An important key is ensuring that
there is clarity and accountability for getting it right in terms of the right paperwork, the
right technology, and the right approach to raising the awareness and skills of
staff. These matters can rarely be left to a single department. Accountability must
therefore usually reside at, or near, the top of the organization.
Richard Thomas, UK Information Commissioner, January 2009.
From: Data Protection, by Peter Carey, Oxford University Press, 2009.
Cross-Border Data Transfers: Consents
In the United States, consent generally trumps all: A person need only give approval for
the use of data. Routinely upon hiring, many U.S. employees are asked to consent and
prospectively waive any and all rights to the e-mails and documents they create
pursuant to employment and/or on employer-owned property. That’s not the case in the
European Union, where a person’s consent cannot be given prospectively and where
consent must be fully informed. E.U. citizens also have the right to revoke consent. As a
result, the E.U. data privacy regulator (i.e., the E.U. Working Party) has indicated
that consent is generally unworkable as a permissible basis to transfer such
protected data to the United States.
From: Discovering Europe: How to Navigate Europe’s Privacy Protections, National Law Journal, December 2010.
Data Protection Laws Around the World
Increased Global Regulatory Scrutiny
[Figure: world map of example investigations. Countries labelled on the map: Netherlands; People’s Republic of China (PRC); Canada; Korea; Indonesia; Belgium; Europe (Italy; France, Germany, Scotland, England and Ireland); Japan; Philippines; Mexico; Brazil; Argentina and India. The red highlighting is not reproduced in text. Investigations noted on the map:]
• Investigated payments and gift-giving business development practices in connection with a subsidiary conducting business.
• Directed investigation of alleged improper use of corporate funds.
• Allegations of violations of the Foreign Corrupt Practices Act involving an international division.
• Due diligence investigation focused on possible affiliations with Chinese security agencies.
• Investigated illegal "grey market" distribution of video products.
• Investigated portfolio company's misappropriation of fund assets.
• Investigated allegations of improper accounting for an international construction equipment manufacturer.
• Investigated claims of ownership related to gold and other assets “hidden” after WW II.
• Conducted a due diligence investigation on business practices and integrity of potential acquisition targets.
• Investigated allegations that senior management had fraudulently inflated financial results and engaged in kickbacks and self-dealing.
• Investigated allegations of improper accounting for finite insurance contracts.
• Investigated alleged "money laundering" violations of US and Mexican banking regulations at several Mexican bank branch offices.
• Investigated violations of the Foreign Corrupt Practices Act involving a subsidiary of an oil field services company.
• Reviewed allegations that the country manager of a U.S. corporation was receiving kickbacks from vendors.
• Investigated possible improper manufacture and transhipment of generic pharmaceuticals.
Key: Red Highlight denotes Data Privacy and Protection Laws
FCPA Numbers and Fines on the Rise
[Figure: two charts. "Number of FCPA Enforcement Actions", DOJ and SEC, by year 2004 to 2010 (scale 0 to 60). "Average Corporate Penalty (DOJ & SEC) 1977-2009", by period 1977-1981, 1982-1986, 1987-1991, 1992-1996, 1997-2001, 2002-2006 and 2007-2009 (scale $0 to $60,000,000). Bar values are not recoverable from the text.]
Sources: Miller Chevalier, Winter Review 2010; Gibson, Dunn & Crutcher, August 2010
“More bad news for violators: paying the large SEC and DOJ fines does not necessarily end the company’s
exposure. A more subtle, yet also potent penalty awaits companies after the onslaught of civil and criminal
fines. Private actions by infuriated stockholders and businessmen have been filed with increasing
frequency following exposure of a company’s fraudulent business practices.”
Source: The Foreign Corrupt Practices Act: Update 2010, by George Anthony "Tony" Smith, Esq., Weinberg Wheeler Hudgins Gunn & Dial LLC, June 15, 2010
Common Scenarios
Mergers and Acquisitions
Regulatory Reviews
Price Fixing Investigations
Accounting Investigations
Internal Investigations due to Employee Theft
IP Theft Including Employees Starting Competing Ventures
International Arbitration
International Civil Litigation
International Commercial Litigation
Legal Frameworks
William Long, Sidley Austin LLP
EU Data Protection and Document
Discovery
• Catch 22 situation – disclosure obligations compete with EU data
protection requirements and blocking statutes
• Approach to document discovery varies between Member States
particularly between common law countries such as the UK and
civil law countries such as Germany
• EU Member States have adopted the EU’s Data Protection
Directive 95/46/EC but there are differences in interpretation and
application in practice
• Article 16 of the Treaty on the Functioning of the European Union
(TFEU) establishes a right to data protection and incorporates
directly into EU law Article 8 of the Charter of Fundamental
Rights of the EU
• November 2006: Article 29 Working Party expressed and adopted
its opinion on the SWIFT case - fundamental rights of citizens
must be guaranteed
EU Data Protection and Document
Discovery
• Consider blocking statutes such as in France (the Aerospatiale and
MAAF/Executive Life cases) and in Switzerland, where the Penal Code
prohibits certain types of information being disclosed to foreign
authorities
• Rules on privilege also vary between Member States. The Akzo
Nobel (2007) case confirmed principles in relation to privilege in
the context of EU Commission investigations
• In February 2009, the Article 29 Data Protection Working Party
published Guidelines on pre-trial discovery for cross-border civil
litigation (WP 158)
• Requests for information may also be made through the Hague
Convention on taking of evidence abroad in civil and commercial
matters – but not all Member States are parties while some have
filed reservations for discovery in relation to foreign legal
proceedings
• Transfers of evidence for criminal proceedings may be governed
by bilateral agreements which can differ from state to state
Article 29 Working Party Paper on
Discovery
• The Article 29 Data Protection Working Party Paper (WP 158)
provides guidance to EU data controllers on data protection
requirements as applied to discovery in civil litigation
• Data Retention
• Legitimacy of Processing
– Consent
– Compliance with a Legal Obligation
– Pursuit of a Legitimate Interest
• Proportionality
• Notice to data subjects and rights of access, rectification and
erasure
• Data Security and Controls over External Service Providers
• Transfers to third countries
Article 29 Working Party Paper on
Discovery
• Companies must consider the Guidelines in each phase of data
processing for litigation purposes
– Phase 1: Retention
– Phase 2: Disclosure
– Phase 3: Onward transfer
– Phase 4: Secondary use
• Personal data should only be kept for the period of time
necessary for the purposes for which it is collected
• Contrast with requirement to retain documents under local law
and regulatory requirements or possible future litigation
• Specific or imminent litigation - EU Commission accept data can
be retained until conclusion of proceedings
Article 29 Working Party Paper on
Discovery
• Processing of data for litigation purposes - justified when in the
legitimate interests of the data controller but provided rights of
the individual are not overridden
• Individuals must be provided with fair processing information
unless limited exceptions apply
• A balancing test must be applied in considering the relevance of
the personal data to the litigation and the consequences for the
individual
• Must act in a proportionate and fair way
– determining if the information is relevant to the case
– assessing the extent to which personal data is included
– considering whether the personal data can be produced in a
more anonymised or redacted form
– perform filtering exercise locally
Survey Question
You are a US company with offices and employees in
Europe, and discovery is required of the documents
resident in the EU. Is there a potential breach of
European data privacy if those documents are
collected and transferred to the US for review?
a. Yes
b. No
Cross-Border Data Transfers
Cross Border Data Transfers
• Article 25 of the Data Protection Directive prohibits transfers of
personal data to countries outside the EEA that do not ensure an
adequate level of protection; Article 26 sets out the derogations
• Possible means for dealing with data transfers outside the EEA include:
– Consent – but consent must be informed and freely given
– Model Contracts – the EU’s standard contractual clauses for the transfer
of personal data between a data exporter and a data importer
– US Safe Harbor – transfer to a US company that subscribes to the US
Safe Harbor scheme and its data protection principles
– Binding Corporate Rules – EU-approved internal data protection rules
which are binding on the parties
– Art 26(1)(d) – transfer necessary or legally required on important
public interest grounds or for the establishment, exercise or defence of
legal claims
• The Art 29 Working Party has commented that where the transfer for
litigation purposes is a single transfer of all relevant information,
Article 26(1)(d) is a possible ground, but other options should be
considered
• Hague Convention – compliance with a request under the Hague
Convention does provide a formal basis for the transfer of personal data,
but some EU Member States have not signed the Convention or have signed
with reservations
Practical Guidance
William Long, Sidley Austin LLP
Article 29 Working Paper on Discovery:
Steps to consider for EU data production
Steps to consider with EU discovery exercises
• Consider if there is a framework to compel co-operation with US
discovery rules such as under the Hague Convention
• Determine which Member State’s data protection laws apply
• Consider Working Party guidelines during each phase: retention,
disclosure, onward transfer, and secondary use
• Develop data protection protocol and privacy log of information
protected from disclosure
• Provide clear and advance notice
• Inform data subjects of data protection rights such as rights of
access, rectification and erasure
• Consider grounds for legitimate processing; apply balance of
interests test
• Consider measures to minimise information collection and
dissemination, specify security and confidentiality procedures
• Devise specific security measures and controls over third party
service providers
• Ensure active oversight role for data protection officers
• Establish pre-transfer data review and filtering procedures,
including review of documents (with redaction and anonymisation)
in the EU by a trusted third party
• Adopt restrictive data retention policies consistent with applicable
law
• Ensure data transfers are permitted under Article 25 and 26 of
the Data Protection Directive and local law requirements
• Check position with local counsel in each relevant Member State
due to local law differences – for example need to make data
protection filings with local DPA and consult with works council
Practical Guidance
Joe Looby, FTI Consulting
Practical Guidance
PROPORTIONALITY
Assess the proportionality, quality and relevance
of the data collected.
PRIVACY LOG
Keep a log of what is withheld from disclosure: when an
employee withholds consent for a large volume of documents,
and in any instance in which redaction or production
otherwise may be infeasible.
PROCESSING
Use a qualified and trusted E.U. third party to
process the data.
ANONYMIZING
Remove any personally identifiable information
such as names and e-mail addresses, and
consider using aliases such as Custodian One
and Custodian Two.
FILTERING/MINIMIZATION
Tested keywords should be applied to filter the
documents on-site.
REDACTION
Remove personal data, but beware of blocking
statutes!
PROTOCOLS
Before legally moving data out of the country, make
sure protocols are in place.
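The filtering, anonymising and privacy-log steps above, and the Working Party's "perform filtering exercise locally" point, are easier to reason about as one local pre-transfer pass. The script below is an added example, not code from the webinar or from FTI or Sidley: it applies a tested keyword list to a collected e-mail set on-site, replaces custodian names and addresses with Custodian One/Two aliases, redacts every other e-mail address, excludes mail that looks personal (the Luxembourg case's requirement), and writes a privacy log of what was withheld and why. The corpus, keyword list, names and the example.fr employer domain are constructed; the "no recipient at the employer's domain means potentially personal" heuristic is an assumption, not something the slides prescribe.

```python
"""Pre-transfer filtering, pseudonymisation and privacy logging for an EU
document set. Added example, not code from the FTI/Sidley webinar: it
models the slide's steps (tested keywords applied locally, personal data
replaced by aliases such as Custodian One, a privacy log of what was
withheld) plus the Luxembourg case's exclusion of potentially personal
e-mail. The corpus, keyword list, names and domains are constructed."""
import re
from collections import OrderedDict

# Constructed sample collection (nothing here is real).
CUSTODIAN_NAMES = {"alice.martin@example.fr": "Alice Martin",
                   "bob.dupont@example.fr": "Bob Dupont"}
SAMPLE_DOCS = [
    {"id": "D1", "custodian": "alice.martin@example.fr", "to": ["bob.dupont@example.fr"],
     "body": "Alice Martin here. Attached is the Q3 invoice reconciliation for the Paris contract."},
    {"id": "D2", "custodian": "alice.martin@example.fr", "to": ["family@personal.example"],
     "body": "Dinner on Sunday? Love, Alice"},
    {"id": "D3", "custodian": "bob.dupont@example.fr",
     "to": ["alice.martin@example.fr", "carol@vendor.example"],
     "body": "Bob Dupont: the kickback arrangement on the Paris contract must stay off the books."},
    {"id": "D4", "custodian": "bob.dupont@example.fr", "to": ["hr@example.fr"],
     "body": "Medical leave request for next week."},
]
KEYWORDS = ["invoice", "kickback", "Paris contract"]   # assumed list agreed with counsel
CORPORATE_DOMAIN = "example.fr"                         # assumed employer domain
NUMBER_WORDS = ["One", "Two", "Three", "Four", "Five", "Six"]
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def keyword_hits(text, keywords):
    """Case-insensitive whole-word/phrase match of the tested keyword list."""
    return [k for k in keywords if re.search(r"\b" + re.escape(k) + r"\b", text, re.I)]


def looks_personal(doc, corporate_domain):
    """Heuristic (an assumption, not from the slides): mail with no recipient at
    the employer's domain is treated as potentially personal and kept out of review."""
    return not any(addr.lower().endswith("@" + corporate_domain) for addr in doc["to"])


def build_alias_map(docs):
    """Custodian One, Custodian Two, ... assigned in order of first appearance.
    This map is the re-identification key and must stay with local counsel."""
    aliases = OrderedDict()
    for d in docs:
        if d["custodian"] not in aliases:
            aliases[d["custodian"]] = "Custodian " + NUMBER_WORDS[len(aliases)]
    return aliases


def pseudonymise(text, aliases, names):
    """Replace custodian addresses and names with their alias, then redact every
    remaining e-mail address (third parties, personal contacts). Returns (text, n)."""
    count = 0
    for addr, alias in aliases.items():
        for needle in (addr, names.get(addr, "")):
            if needle:
                text, n = re.subn(re.escape(needle), alias, text, flags=re.I)
                count += n
    text, n = EMAIL_RE.subn("[REDACTED-EMAIL]", text)
    return text, count + n


def prepare_for_transfer(docs, keywords, names, corporate_domain, consent_withheld=()):
    """Run the local filter. Returns (transfer_set, privacy_log, alias_map): only
    transfer_set leaves the EU; the log and the alias map are retained locally."""
    aliases = build_alias_map(docs)
    transfer, log = [], []
    for d in docs:
        if d["custodian"] in consent_withheld:
            log.append({"id": d["id"], "action": "withheld", "reason": "consent withheld"})
            continue
        if looks_personal(d, corporate_domain):
            log.append({"id": d["id"], "action": "withheld", "reason": "potentially personal e-mail"})
            continue
        hits = keyword_hits(d["body"], keywords)
        if not hits:
            log.append({"id": d["id"], "action": "withheld", "reason": "no keyword hit"})
            continue
        body, n_body = pseudonymise(d["body"], aliases, names)
        to_line, n_to = pseudonymise(", ".join(d["to"]), aliases, names)
        transfer.append({"id": d["id"], "custodian": aliases[d["custodian"]],
                         "to": to_line, "body": body, "keywords": hits})
        log.append({"id": d["id"], "action": "transferred", "redactions": n_body + n_to})
    return transfer, log, aliases


if __name__ == "__main__":
    out, log, key = prepare_for_transfer(SAMPLE_DOCS, KEYWORDS, CUSTODIAN_NAMES, CORPORATE_DOMAIN)
    for entry in log:
        print(entry)
    for doc in out:
        print(doc["id"], doc["custodian"], "->", doc["to"], "|", doc["body"])
```

Two design points matter for the privacy position. The alias map is returned separately from the transfer set so that the re-identification key never travels with the data; anyone reviewing in the US sees only Custodian One and Custodian Two. And the privacy log records a reason for every withheld item, which is what local counsel needs to show the DPA that the filtering was proportionate rather than arbitrary. A production pipeline would add fuzzy name matching, attachment handling and a reviewable audit trail, none of which this example attempts.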
Survey Question
If an EU employee’s employment agreement contains a
certified signed consent form permitting cross-border
discovery, can a law firm gather the employee’s documents
and bring them to the US for processing, review and
production?
a. Yes
b. No
Case Study France
Veeral Gosalia, FTI Consulting
Case Study: Financial Services - France
BACKGROUND
• Large French bank needing assistance in the
support of a large-scale, international arbitration
involving a financial dispute.
SPECIFIC CHALLENGES
• Jurisdictional challenges to transferring personal
data outside of France.
• E-mail and electronic documents for six
individuals needed to be collected, processed,
keyword searched and exported for review by
counsel based in Paris.
• Company requires export of data to format for
review locally in Paris to support a document
review.
• Complex IT infrastructure.
• Company generally sensitive to data collection.
SOLUTION
• Mobile team performs data collections and data processing at local counsel’s offices in Paris.
• Global collaboration with legal teams based in New York, London and Paris, including performing
interviews and a targeted data collection of specific documents.
• Deployed an “offline” mobile processing environment at local counsel’s offices.
• Integrated solution into counsel's review workflow and current matter status.
Case Study Luxembourg
Craig Earnshaw, FTI Consulting
Case Study: Financial Services - Luxembourg
BACKGROUND
• Global law firm investigating the activities of a small number
of individuals based in the UK and Luxembourg following the
identification of a potentially incriminating document on a
printer in the UK.
SPECIFIC CHALLENGES
• Jurisdictional challenges to transferring
personal data outside of Luxembourg.
• E-mail and electronic documents for five individuals needed to
be preserved and reviewed to enable the investigators to
uncover the actions of the individuals involved to enable
appropriate actions to be taken.
• Need for the company to quickly assess
the situation to enable appropriate action
to be taken.
• Requirement to identify and exclude
potentially personal e-mail from review.
SOLUTION
• Mobile team deployed on-site to Luxembourg to preserve and prepare the electronic records and to review the
situation and assist the legal team.
• All document collection, processing and review took place within the client’s premises to ensure that the
company’s strict confidentiality requirements were met, and local jurisdictional data privacy needs were met.
• As reviewers came across “hot” documents, they were able to immediately share findings with the investigative
team in the “war room” to pursue new leads and find similar documents.
• Many of the keys to unlocking the fraud were hidden in the details of complex financial spreadsheets and
transactions, requiring expertise in forensic accounting and structured data.
• Through the paper trail and investigation, developed a chronology of activities linking the key individuals to a
series of fraudulent payments.
Q&A
Moderated by Mary Jacoby, Main Justice
Additional Resources
Data Protection
Joe Looby
Joe.looby@fticonsulting.com
William Long
wlong@sidley.com
New York
Veeral Gosalia
Veeral.gosalia@fticonsulting.com
John Casanova
jcasanova@sidley.com
Washington, D.C.
Craig Earnshaw
Craig.earnshaw@fticonsulting.com
London
Sidley Austin LLP
Woolgate Exchange
25 Basinghall Street
London, EC2V 5HA
United Kingdom
T: +44 (0) 20 7360 3600
F: +44 (0) 20 7626 7937
www.sidley.com
RAND Europe report on EU data privacy
regulations and discovery available at
www.ftitechnology.com.