1 / 34

May 2011

Resolving the Inherent Conflicts Between U.S. Investigations and European Data Privacy Laws. May 2011. Moderator. Mary Jacoby Mary Jacoby is an award-winning former reporter for the Wall Street Journal, Salon magazine, the St. Petersburg Times of Florida, the Chicago Tribune and Roll Call.

susane
Download Presentation

May 2011

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Resolving the Inherent Conflicts Between U.S. Investigations and European Data Privacy Laws May 2011

  2. Moderator Mary Jacoby Mary Jacoby is an award-winning former reporter for the Wall Street Journal, Salon magazine, the St. Petersburg Times of Florida, the Chicago Tribune and Roll Call. From 2005 to 2007 she reported from Brussels for the Wall Street Journal, where she covered European Union antitrust and regulatory issues, breaking numerous stories about investigations involving Intel, Microsoft Corp., Mastercard and other major companies. Her investigations have ranged from the influence of Russian oligarchs in Washington to terrorist financing and white-collar crime. Speaker: Mary Jacoby

  3. Agenda • Introduction of Presenters • Background • Cross-Border Data Transfers • Data Protection Laws Around the World • Increased Global Scrutiny • Common Scenarios • Cross-Border Data Transfers • Practical Guidance • Case Studies • Q&A

  4. Presenter • Joe Looby • Joe Looby is a senior managing director in the FTI Technology segment, delivering consulting expertise and advanced technology for investigations, antitrust and complex litigation matters, and is based in New York.  • He has provided expert testimony and consulting on economic and technology issues and appeared before regulatory agencies on diverse matters.  Mr. Looby has spoken and written extensively on litigation technology, electronic evidence and computer forensics.  • Mr. Looby is a contributing author and lecturer at the Sedona Conference, for projects including: Search & Retrieval Sciences; and, E-Discovery Quality Methods & Metrics. Joe has also participated in studies on search technology effectiveness, sponsored by the National Institute of Standards and Technology (NIST) and DOD Advanced Research and Development Activity (ARDA). • Joe has a B.A. in economics from Fordham University and a J.D. from Union University School of Law. He is a certified fraud examiner, a member of the Association of Certified Fraud Examiners and is licensed to practice law in New York and Connecticut. Speaker: Mary Jacoby

  5. Presenter • Veeral Gosalia • Veeral Gosalia is a senior managing director in the Electronic Evidence Consulting group of FTI’s Technology practice and is based in New York. Mr. Gosalia’s areas of expertise include data extraction, data analysis, computer forensics and e-discovery. He has assisted attorneys and corporations in understanding the issues surrounding electronic evidence, including the acquisition, analysis and production of data. • Mr. Gosalia has extensive computer forensics experience. He has assisted on matters related to the forensic acquisition and examination of computer systems, e-mail and various types of computer media. He has acquired several hundred computer images and coordinated seizure efforts across the world. • Additionally Mr. Gosalia has experience dealing with EU data privacy issues in regards to performing computer acquisitions and tape restorations. Select experience in this area includes serving as an expert witness and providing an expert report in matters related to evidence destruction and theft, spoliation and chain of custody issues.  • Prior to joining FTI, Mr. Gosalia worked at Deloitte & Touche in the Dispute Consulting Technology practice. There he assisted with the development of a national practice technology infrastructure. Speaker: Mary Jacoby

  6. Presenter • Craig Earnshaw • Craig Earnshaw is a managing director in the FTI Technology segment and is based in London.  Mr. Earnshaw is responsible for the management of the activities of the Electronic Evidence Consulting, Document Analytics and Data Processing sub-segments within the UK.   • Since 1997, he has worked solely in the electronic evidence field and during this time has amassed considerable experience in forensic computing, electronic disclosure, Internet investigations and electronic evidence.  In 2006, he founded FTI’s Technology Consulting segment in Europe. • Mr. Earnshaw has provided both written and oral expert evidence in the High Court in London, and has testified at depositions in the United h as employment tribunals and arbitrations.  • Prior to joining FTI, Craig was the head of the forensic computing practices at CRA International and Lee & Allen Consulting, which he founded in 1998. Mr. Earnshaw is a member of the British Computer Society and the Institute of Analysts and Programmers.  He holds a Bachelor of Science in Computer Science from the University of Durham. Speaker: Mary Jacoby

  7. Presenter • William Long • William Long is a counsel in the London office of Sidley Austin LLP. He advises international clients on a wide variety of data protection, privacy, information security, e-commerce and other regulatory matters. Mr. Long has experience with EU and international data protection and privacy projects particularly in the financial services and healthcare sectors advising on cross-border data transfer and other data protection issues including regulatory investigations. • Mr. Long was previously in-house counsel to one of the world’s largest international financial services groups as their e-Commerce counsel dealing with e-commerce, data protection and on-line financial services matters. Mr. Long  is on the DataGuidance Panel of data protection lawyers for the financial services sector and on the DataGuidance Panel for data protection lawyers for the life sciences sector. Mr. Long also writes extensively for a number of journals including Data Protection Law & Policy, Journal of Medical Research Law & Policy, Journal of Electronic Business Law, Journal of eCommerce Law and Policy and E-Finance & Payments Law & Policy. English Solicitor. • Memberships, Affiliations, Presentations & Articles • Previous Member of the Centre for European Policy Studies Working Group on eCommerce Regulation • Article “New International Guidelines on the Transfer of Personal Health Data” - Journal of Medical Research Law & Policy - Volume 4, Number 4 • Presenter at the Financial Technology Forum on privacy and data protection issues, Chicago • Article “Data Security breaches: the changing legal landscape” - E-Finance Law & Policy - October 2008 • Article “Data Security and payments: dynamic Phorm of development” - E-Finance Law & Policy - April 2009 Speaker: Mary Jacoby

  8. Survey Question Which of these is not a legitimate basis to permit the US cross-border discovery of personal data from EU employees? • Informed Consent • Standard Contractual Clauses • Binding Corporate Rules • Safe Harbor • DOJ Subpoena Speaker: Mary Jacoby

  9. Background Joe Looby Speakers: Mary Jacoby and Joe Looby

  10. Cross Border Data Transfers Right Paperwork, Right Technology & Right Approach Looking after personal information properly goes much wider than ensuring appropriate security.  It involves a comprehensive approach – usefully summarized as ‘data minimization’ – to thecollection, use, sharing, retention, and destruction of personal information.  This is what data protection is all about.  An important key is ensuring that there is clarity and accountability for getting it right in terms of the right paperwork, the right technology, and the right approach to raising the awareness and skills of staff.  These matters can rarely be left to a single department.  Accountability must therefore usually reside at, or near, the top of the organization.  Richard Thomas, UK Information Commissioner, January 2009.  From - Data Protection, by Peter Carey, Oxford Press. 2009. Speaker: Joe Looby

  11. Cross-Border Data Transfers: Consents In the United States, consent generally trumps all: A person need only give approval for the use of data. Routinely upon hiring, many U.S. employees are asked to consent and prospectively waive any and all rights to the e-mails and documents they create pursuant to employment and/or on employer-owned property. That’s not the case in the European Union, where a person’s consent cannot be given prospectively and where consent must be fully informed. E.U. citizens also have the right to revoke consent. As a result, the E.U. data privacy regulator (i.e., the E.U. Working Party) has indicated that consent is generally unworkable as a permissible basis to transfer such protected data to the United States. From - Discovering Europe: How to Navigate Europe’s Privacy Protections, National Law Journal, December 2010 Speaker: Joe Looby

  12. Data Protection Laws Around the World Speaker: Joe Looby

  13. Increased Global Regulatory Scrutiny NetherlandsInvestigated allegations that senior management had fraudulently inflated financial results and engaged in kickbacks and self-dealing. People’s Republic of China (PRC)Investigated payments and gift-giving business development practices in connection with a subsidiary conducting business. CanadaDirected investigation of alleged improper use of corporate funds. Europe Investigated illegal "grey market" distribution of video products. BelgiumInvestigated portfolio company's misappropriation of fund assets. ItalyConducted a due diligence investigation on business practices and integrity of potential acquisition targets. KoreaAllegations of violations of the Foreign Corrupt Practices Act involving an international division. France, Germany, Scotland, Englandand Ireland Investigated allegations of improper accounting for international construction equipment manufacturer. Japan FranceInvestigated allegations of improper accounting for finite insurance contracts. People’s Republic of China (PRC)Due diligence investigation focused on possible affiliations with Chinese security agencies. PhilippinesInvestigated claims of ownership related to gold and other assets “hidden” after WW II. MexicoInvestigated alleged "money laundering" violations of US and Mexican banking regulations at several Mexican bank branch offices. Brazil Reviewed allegations that country manager of U.S. corporation was receiving kickbacks from vendors. IndonesiaInvestigated violations of the Foreign Corrupt Practices Act involving a subsidiary of an oil field services company. Argentina and IndiaInvestigated possible improper manufacture and transhipmentof generic pharmaceuticals. Key: Red Highlight denotes Data Privacy and Protection Laws Speaker: Joe Looby

  14. FCPA Numbers and Fines on the Rise Source: Miller Chevalier, Winter Review 2010 Source: Gibson, Dunn & Crutcher, August 2010 “ More bad news for violators: paying the large SEC and DOJ fines does not necessarily end the company’s exposure. A more subtle, yet also potent penalty awaits companies after the onslaught of civil and criminal fines. Private actions by infuriated stockholders and businessmen have been filed with increasing frequency following exposure of a company’s fraudulent business practices. Source: The Foreign Corrupt Practices Act: Update 2010, by George Anthony "Tony" Smith, Esq., Weinberg Wheeler Hudgins Gunn & Dial LLC, June 15, 2010 ” Speaker: Joe Looby

  15. Common Scenarios Mergers and Acquisitions Regulatory Reviews Price Fixing Investigations Accounting Investigations Internal Investigations due to Employee Theft IP Theft Including Employees Starting Competing Ventures International Arbitration International Civil Litigation International Commercial Litigation Speaker: Joe Looby

  16. Legal Frameworks William Long Speaker: William Long

  17. EU Data Protection and Document Discovery • Catch 22 situation – disclosure obligations compete with EU data protection requirements and blocking statutes • Approach to document discovery varies between Member States particularly between common law countries such as the UK and civil law countries such as Germany • EU Member States have adopted the EU’s Data Protection Directive 95/46/EC but there are differences in interpretation and application in practice • Article 16 of the Treaty on the Functioning of the European Union (TFEU) establishes a right to data protection and incorporates directly in to EU law Article 8 of the Charter of Fundamental Rights of the EU • November 2006: Article 29 Working Party expressed and adopted its opinion on the SWIFT case - fundamental rights of citizens must be guaranteed Speaker: William Long

  18. EU Data Protection and Document Discovery • Consider blocking statutes such as in France (Aerospatiale/MAFF-Executive Life case) and in Switzerland where Penal Code prohibits certain types of information being disclosed to foreign authorities • Rules on privilege also vary between Member States. The Azko Nobel (2007) case confirmed principles in relation to privilege in the context of EU Commission investigations • In February 2009, the Article 29 Data Protection Working Party published Guidelines on pre-trial discovery for cross-border civil litigation (WP 158) • Requests for information may also be made through the Hague Convention on taking of evidence abroad in civil and commercial matters – but not all Member States are parties while some have filed reservations for discovery in relation to foreign legal proceedings • Transfers of evidence for criminal proceedings may be governed by bilateral agreements which can differ from state to state Speaker: William Long

  19. Article 29 Working Party Paper on Discovery • The Article 29 Data Protection Working Party Paper (WP 158) provides guidance to EU data controllers on data protection requirements as applied to discovery in civil litigation • Data Retention • Legitimacy of Processing • Consent • Compliance with a Legal Obligation • Pursuit of a Legitimate Interest • Proportionality • Notice to data subjects and rights of access, rectification and erasure • Data Security and Controls over External Service Providers • Transfers to third countries Speaker: William Long

  20. Article 29 Working Party Paper on Discovery • Processing of data for litigation purposes - justified when in the legitimate interests of the data controller but provided rights of the individual are not overridden • Individuals must be provided with fair processing information unless limited exceptions apply • A balancing test must be applied in considering the relevance of the personal data to the litigation and the consequences for the individual • Must act in a proportionate and fair way • determining if the information is relevant to the case • assessing the extent to which personal data is included • considering whether the personal data can be produced in a more anonymised or redacted form • perform filtering exercise locally Speaker: William Long

  21. Cross-Border Data Transfers • William Long Speaker: William Long

  22. Survey Question You are a US company with offices and employees in Europe, and discovery is required of the documents resident in the EU.  Is there a potential breach of European data privacy if those documents are collected and transferred to the US for review? • Yes • No Speaker: Mary Jacoby

  23. Cross Border Data Transfers • Articles 25 and 26 of the Data Protection Directive prohibit transfers to countries outside EEA that do not ensure an adequate level of protection • Possible means for dealing with data transfers outside the EEA include: • Consent – but consent must be informed and freely given • Model Contracts – EU’s standard clauses for the transfer of personal data between a data exporter and a data importer • US Safe Harbor – US company that subscribes to US Safe Harbor Scheme and data protection principles • Binding Corporate Rules – EU approved internal data protection rules which are binding on parties • Art 26(1)(d) – transfer necessary or legally required on important public interest grounds or for establishment, exercise or defence of legal claims • Art 29 Working Party have commented that where the transfer for litigation purposes is a single transfer of all relevant information then Article 26(1)(d) is a possible ground but other options should be considered • Hague Convention – compliance with a request under the Hague Convention does provide a formal basis for the transfer of personal data but some EU Member States have not signed the Convention or signed with reservations Speaker: William Long

  24. Practical Guidance William Long and Veeral Gosalia Speaker: William Long

  25. Article 29 Working Paper on Discovery:Steps to consider for EU data production Steps to consider with EU discovery exercises • Consider if there is a framework to compel co-operation with US discovery rules such as under the Hague Convention • Determine which Member State’s data protection laws apply • Consider Working Party guidelines during each phase: retention, disclosure, onward transfer, and secondary use • Develop data protection protocol and privacy log of information protected from disclosure • Provide clear and advance notice • Inform data subjects of data protection rights such as rights of access, rectification and erasure • Consider grounds for legitimate processing; apply balance of interests test • Consider measures to minimise information collection and dissemination, specify security and confidentiality procedures Speaker: William Long

  26. Article 29 Working Paper on Discovery:Steps to consider for EU data production Steps to consider with EU discovery exercises • Devise specific security measures and controls over third party service providers • Ensure active oversight role for data protection officers • Establish pre-transfer data review and filtering procedures including review of documents (with redaction and anonymisation) in the EU by trusted third party • Adopt restrictive data retention policies consistent with applicable law • Ensure data transfers are permitted under Article 25 and 26 of the Data Protection Directive and local law requirements • Check position with local counsel in each relevant Member State due to local law differences – for example need to make data protection filings with local DPA and consult with works council Speaker: William Long

  27. Practical Guidance Proportionality Assess the proportionality, quality and relevance of the data collected. Processing Use a qualified and trusted E.U. third party to process the data. Anonymizing Remove any personally identifiable information such as names and e-mail addresses, and consider using aliases such as Custodian One and Custodian Two. Filtering/MINIMIZATION Tested keywords should be applied to filter the documents on-site. Privacy Log When an employee withholds consent for a large volume of documents, and in any instance in which redaction or production otherwise may be infeasible. Redaction Remove personal data, but beware of blocking statutes! Protocols Before legally moving data out of the country, make sure protocols are in place. Speaker: Veeral Gosalia

  28. Survey Question If an EU employee’s employment agreement contains a certified signed consent form permitting cross-border discovery, can a law firm gather the employee’s documents and bring them to the US for processing, review and production? • Yes • No Speaker: Mary Jacoby

  29. Case Studies Veeral Gosalia and Craig Earnshaw Speaker: Veeral Gosalia

  30. Case Study: Financial Services - France • Specific challenges • Jurisdictional challenges to transferring personal data outside of France. • Complex IT infrastructure. • Company requires export of data to format for review locally in Paris to support a document review. • Company generally sensitive to data collection. • Background • Large French bank needing assistance in the support of a large-scale, international arbitration involving a financial dispute. • E-mail and electronic documents for six individuals needed to be collected, processed, keyword searched and exported for review by counsel based in Paris. • Solution • Mobile team performs data collections and data processing at local counsel’s offices in Paris. • Global collaboration with legal teams based in New York, London and Paris, including performing interviews and a targeted data collection of specific documents. • Deployed an “offline” mobile processing environment at local counsel’s offices. • Integrated solution into counsel's review workflow and current matter status. Speaker: Veeral Gosalia

  31. Case Study: Financial Services - Luxembourg • Background • Global law firm investigating the activities of a small number of individuals based in the UK and Luxemburg following the identification of a potentially incriminating document on a printer in the UK. • E-mail and electronic documents for five individuals needed to be preserved and reviewed to enable the investigators to uncover the actions of the individuals involved to enable appropriate actions to be taken. • Specific challenges • Jurisdictional challenges to transferring personal data outside of Luxemburg. • Requirement to identify and exclude potentially personal e-mail from review. • Need for the company to quickly assess the situation to enable appropriate action to be taken. • Solution • Mobile team deployed on-site to Luxembourg to preserve and prepare the electronic records and to review the situation and assist the legal team. • All document collection, processing and review took place within the clients premises to ensure that the company’s strict confidentiality requirements were met, and local jurisdictional data privacy needs were met. • As reviewers came across “hot” documents, they were able to immediately share findings with the investigative team in the “war room” to pursue new leads and find similar documents. • Many of the keys to unlocking the fraud were hidden in the details of complex financial spreadsheets and transactions, requiring expertise in forensic accounting and structured data. • Through the paper trail and investigation, developed a chronology of activities linking the key individuals to a series of fraudulent payments. Speaker: Craig Earnshaw

  32. Q&A Speaker: Mary Jacoby

  33. Additional Resources Joe LoobyJoe.looby@fticonsulting.comNew York Veeral GosaliaVeeral.gosalia@fticonsulting.comWashington, D.C. Craig EarnshawCraig.earnshaw@fticonsulting.comLondon William Longwlong@sidley.comLondon John Casanovajcasanova@sidley.comLondon T: +44 (0) 20 7360 3600 F: +44 (0) 20 7626 7937 www.sidley.com RAND Europe report on EU data privacy regulations and discovery available at www.ftitechnology.com. Speaker: Mary Jacoby

  34. Please Rate this Webinar To download the materials for this presentation or view it again in the archives please go to: http://www.mainjustice.com/webinars

More Related