What will the new UK data privacy regulation look like?

GDPR vs Trump vs Brexit vs Privacy Shield
Practical tips for managing conflicts of law in a global investigation
GIR MODERATOR
Mary Jacoby
Consulting Editor
Global Investigations Review
(“GIR”)
Just Anti-Corruption
FORENSIC RISK ALLIANCE
Forensic Risk Alliance (“FRA”) is a global provider of Forensic Accounting, eDiscovery and Data Analytics solutions. FRA specializes in advising companies facing cross-border regulatory scrutiny.
YOUR FRA SPEAKERS
Frances McLeod, Founding Partner, Head of the firm’s US offices
Toby Duthie, Founding Partner, Head of the firm’s UK and European offices
Greg Mason, Founding Partner, Head of the firm’s IT division and eDiscovery team
FRANCES MCLEOD
Frances is a former investment banker and has been at the forefront
of data protection issues for the past 24 years. Frances is recognized
in Who’s Who Legal: Consulting Experts 2017 as a leading
professional in her field of practice.
Her experience dates back to the late 1990s, when she was responsible for the design and implementation of claim evaluation and administration systems for the US$1.3 billion Swiss Bank settlement.
[email protected]
+1 (401) 519 1438
Frances has since been deeply involved in FRA’s FCPA, tax and accounting
standards monitorship work and was the lead partner on one of FRA’s New
York Department of Financial Services bank monitorships.
She led the team providing technical advice to the Asia Pacific Group on money laundering under a mandate from the Asian Investment Bank, drawing on her knowledge of alternative banking systems and offshore havens, and has provided expert testimony in terrorism financing litigation. She led FRA’s UN Oil-for-Food investigation team, including an analysis of the function of the OFF escrow account managed from New York by a global bank.
In 2014, Frances and her team won Consulting Team of the Year at the
prestigious Women in Compliance Awards.
TOBY DUTHIE
Toby has more than 20 years’ experience in financial analysis,
complex financial modeling, investigations and compliance reviews.
Toby is recognized in Who’s Who Legal: Consulting Experts 2017 and Who’s
Who Legal: Investigations 2017 as a leading professional in his fields of
practice. One source describes him as, “first-rate” in multi-jurisdictional
investigations and government enforcement matters, with clients lauding his
expertise as “unsurpassed” and “tremendously impressive, he knows all there
is to know about FCPA enforcement”.
[email protected]
+44 (0)20 7269 7837
Toby has particular expertise in multi-jurisdictional investigations and anti-bribery and corruption compliance testing, and specializes in government enforcement matters in the UK and the US.
Toby has worked on a number of complex financial frauds and bribery
investigations which have involved disgorgement and fine calculation analysis
and modeling in a variety of jurisdictions with the most recent including the
Rolls-Royce £700m DOJ, SFO and Brazilian settlement.
Toby was instrumental in developing the firm’s white-collar and regulatory defense services across Europe and has been integral in resolving high-profile FCPA enforcement cases.
GREG MASON
Greg’s expertise lies in database architecture and programming,
software design, mass data analysis, data mining, and data forensics
for the purposes of investigations, disputes and litigation.
Greg is recognized in Who’s Who Legal: Consulting Experts 2017 and Who’s
Who Legal: Investigations 2017 as a leading professional in his fields of
practice. He is recommended for his “astute mind” on “complex problems”
and for “constructing solutions that fit clients’ needs”.
[email protected]
+1 (401) 519 1431
Greg has advised on a number of complex, cross-border regulatory investigations and litigations, designing eDiscovery solutions that comply with European data privacy laws. Greg also developed FRA’s mobile eDiscovery solution, one of the few able to support compliant cross-border data transfers: multiple terabytes of data can be processed in place, in accordance with data protection, commercial secrecy, state secrecy or banking secrecy laws.
Greg was the key technical analyst on a high-profile FCPA matter where he
analyzed a global oil services company’s internal financial database,
comprising over 21 million transactions made in over 25 countries, for
presentation to SEC investigators. Greg has served as an expert in multiple
cases for the US DOJ FATCA/Swiss Banks Program.
ROADMAP & DISCLAIMER
1. GEOPOLITICS OF DATA TRANSFER
2. KEY CONSIDERATIONS
3. PRACTICAL STEPS TO REMAIN COMPLIANT
4. QUESTIONS
The information in this webinar is not intended to provide legal advice. Should you require legal advice or have any questions, please contact the presenters.
THE GEOPOLITICS OF DATA TRANSFER
CURRENT REGULATORY ENVIRONMENT
> The last few years have seen significant developments in data privacy regulation, including:
> Invalidation of the US-EU Safe Harbor framework
> Introduction of the EU-US Privacy Shield and Swiss-US Privacy Shield
> Approval of the General Data Protection Regulation
> UK data privacy post-Brexit, an unknown
> Election of Donald Trump to the US Presidency
> China’s Cybersecurity Law, which took effect on June 1, 2017, posing security and cost concerns for foreign companies
> With the advance of, and reliance on, technology to conduct cross-border business, there will be no relaxation in data protection laws
> Regulatory investigations and related processes frequently span several years, so strategic decisions made today around data transfers will have important ramifications down the line
US-EU SAFE HARBOUR
> In 1995 the EU adopted the Data Protection Directive (95/46/EC), which prohibited the transfer of personal data to non-EU countries that do not ensure an ‘adequate’ level of privacy protection
> To enable the free flow of data between Europe and the US despite that restriction, the US-EU Safe Harbour Framework was developed: US companies self-certified their adherence to a set of privacy principles, and the European Commission (“EC”) recognised that self-certification as adequate in 2000
> With the increasing internationalization of business and related data flows across borders, the EC recognized the lack of consistent safeguards around data privacy between member states and therefore proposed true consistency via the General Data Protection Regulation (“GDPR”)
US-EU SAFE HARBOUR CONTINUED…
> A year after the EC published its GDPR proposal in 2012, Edward Snowden leaked information about the extent of the NSA’s mass surveillance and data collection practices, and almost concurrently a complaint about Facebook’s transfers of European users’ data to the US was brought before the Irish data protection watchdog
> The resulting Schrems case led the Court of Justice of the European Union to review whether data protection in the US met the Directive’s ‘adequacy’ criteria
> That review led to the Safe Harbour Framework being invalidated in October 2015
> Corporates were left in a state of uncertainty around data protection and data transfer for months while an alternative mechanism was developed
EU-US AND SWISS-US PRIVACY SHIELD
> The result was the EU-US Privacy Shield, adopted in July 2016, with the Swiss-US Privacy Shield following in January 2017 (together, “Privacy Shield”)
> The intent of the Shield is to provide more accountability and oversight of data protection than Safe Harbour did
> Initial reactions to earlier drafts of the Shield were sceptical
> US and EU officials described the Shield as “a framework that protects privacy and creates certainty” that provides assurances that “any access to personal data for law enforcement or national security is limited to what is necessary and proportionate”
> The Shield has not yet been tested in court, however, and therefore remains exposed to legal challenge
THE TRUMP ADMINISTRATION
> Privacy Shield is in jeopardy: statements and actions of the Trump administration threaten the assurances on which it rests
> The EC is currently conducting an assessment of the agreement
> A Trump Executive Order (“EO”) of January 2017 directing agencies to ‘exclude persons who are not United States citizens…from the protections of the Privacy Act…’ runs directly counter to the spirit of the Privacy Shield
> The Shield also relies on the Judicial Redress Act, under which the Attorney General designates the countries whose citizens may seek redress in US courts; the designation of the EU and covered member states took effect in February 2017
> Imagine the scenario where the Attorney General, Jeff Sessions, decides at a later date to revoke some countries’ – or the EU’s – designations under the Judicial Redress Act
GDPR – APPLICABLE FROM MAY 25, 2018
> It preserves the core principles and the adequacy criteria of the Directive
And:
> Expands on certain issues
> Sets out fines and penalties
> Fines and penalties – unlike the Directive, the GDPR introduces a tiered penalty approach for breaches, with maximum fines far higher than before: up to 4% of annual worldwide turnover or EUR 20 million, whichever is higher
> Based on these changes, it is clear that the GDPR will introduce significant undertakings and potential risks for all parties affected, from data subjects, to oversight bodies, to corporations with a nexus to the EU
EXPANDED CRITERIA
> Expanded territorial reach – no longer limited to data controllers and processors established in the EU: those whose processing activities relate to offering goods or services to, or monitoring the behavior of, EU data subjects are covered and will generally need to appoint a representative within the EU
> Consent – a data subject’s consent to the processing of their personal data must be as easy to withdraw as it is to give
> International transfers risk awareness – the GDPR removes self-assessment of adequacy as a basis for transfer, and data subjects must now be adequately informed of the risks of transferring their data outside the EU
> Breach notification – data controllers must report personal data breaches to the competent supervisory authority, where feasible within 72 hours of becoming aware of them, giving reasons for any delay; breaches unlikely to result in a risk to individuals are exempt
WHAT ABOUT BREXIT?
> We can expect the UK to pass new data privacy laws of its own
What will the new UK data privacy regulation look like?
> We can only wait for a new UK-specific data privacy regulation to be introduced to find out
> We can, however, begin to imagine the risks
POSSIBLE POST-BREXIT RISKS
> Companies with operations in the UK may be particularly exposed to the uncertainties arising from the GDPR: the UK will still need to abide by the GDPR between May 2018 and the end of the Article 50 withdrawal period (expected by March 2019), regardless of the UK’s future data privacy intentions
> Consider how UK-US data transfers would be handled should the UK administration decide to diverge from the GDPR after Brexit. The US and the UK could create a unique environment for data transfers, but the obligations under the Regulation for UK businesses operating in Europe would remain
> A UK-US mechanism would be highly unlikely to satisfy those obligations. This scenario poses the very real risk for UK corporates that they end up with two conflicting data regimes within one organization
KEY CONSIDERATIONS
> The current lack of clarity on all of these factors creates uncertainty for corporations involved in cross-border litigation and investigations
> It leaves investors, management and stakeholders exposed to uneasy regulatory transitions, high costs and the risk of heavy fines
> For industry practitioners, and for companies involved in investigations or expecting regulatory probes or cross-border litigation, there is no single solution, but there are measures that can be taken in preparation to mitigate the risks
1. DATA MAPPING
> A clear data strategy is vital to any investigation where data may reside in several jurisdictions
Crucial considerations include knowing:
> What data is being considered
> The jurisdiction in which the data resides
> The applicable data privacy regulations
> What clearance is required, and from whom, before the data is collected, let alone transferred
> Companies will be most successful if they take a conservative approach to data transfers, as privacy failures may lead to sizeable liabilities
> Once data is transferred into the US it becomes subject to US discovery (“discoverable”)
2. COLLECTION AND PRESERVATION
> Before carrying out a data collection or preservation exercise, ensure that:
> The appropriate risk management tools have been engaged; and
> Steps have been taken to ensure compliance with the data privacy regulations of the jurisdiction in which the data is hosted
> We counsel, in general, collecting and preserving data in its jurisdiction of origin
3. TRAINING AND ESCALATION
> All personnel involved in investigations and data transfers should have
up-to-date training on data transfer protocols and jurisdictional data privacy
regulations
> They should also be trained to properly document the considerations and
safeguards, throughout the investigation, for any data transfer
> Escalation protocols should be in place to ensure demonstrable
consideration and consultation in relation to data transfer, especially for
jurisdictions with data privacy regulations that are more challenging to address
> Identifying and engaging the appropriate counsel in each jurisdiction as well
as data identification, processing and transfer experts with extensive cross
border experience to assist internal stakeholders is a necessity
4. DATA TRANSFER STRATEGY
> Develop with your advisors a data transfer strategy that takes into
consideration the nature of the data, its origin, data privacy and other data
related constraints (banking secrecy, commercial and state secrecy etc.), and
security
> Weigh the risks of using untested or controversial data transfer mechanisms
> Involve data privacy and transfer experts from the outset in any cross-jurisdictional investigation
> From the data identification and location exercise, to the treatment of data
in a manner compliant with applicable data privacy laws, to the mechanism
employed, if appropriate, for data transfer, advice and execution by the right
experts will be critical to success
PRACTICAL STEPS
> Think carefully about data management in the interim, as fines for non-compliance are severe
> Be cautious – travellers to the US should travel with a blank laptop and/or ensure that confidential or privileged documents are not on their person
> Local data centres and mobile eDiscovery technology – until data regulation is confirmed, transferring data across the Atlantic remains a challenging and complex legal procedure
> Predictive coding – reduces the volume of documents, and therefore of personal data, that has to be reviewed or transferred, which supports the ‘privacy by design’ requirement
> Avoid transferring personal data altogether
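The last two points, keeping personal data out of the transfer and building privacy into the processing, are the ones on this deck that an eDiscovery engineer can implement directly. The Python script below is an added example, not FRA tooling and not code from the original webinar. It takes a constructed extract from an EU-hosted accounting system, drops the fields the review does not need, replaces the remaining personal-data fields with keyed HMAC-SHA256 pseudonyms, and provides a pre-transfer check that fails if any raw personal value survives in the export set. The field names, sample records and the key are invented for illustration; in practice the key would be held by the data owner in the origin jurisdiction (for example in a local key store) and would never travel with the export.

```python
import hashlib
import hmac

# Constructed sample extract (invented names, e-mails and addresses) from an
# EU-hosted accounting system that a US-based review team wants to see.
SOURCE_RECORDS = [
    {"txn_id": "T-1001", "employee": "Anna Schmidt", "email": "anna.schmidt@example.de",
     "home_address": "Musterstr. 1, Berlin", "vendor": "Vendor A GmbH",
     "amount": 12500.00, "country": "DE"},
    {"txn_id": "T-1002", "employee": "Anna Schmidt", "email": "anna.schmidt@example.de",
     "home_address": "Musterstr. 1, Berlin", "vendor": "Vendor B SARL",
     "amount": 980.50, "country": "FR"},
    {"txn_id": "T-1003", "employee": "Paul Martin", "email": "paul.martin@example.fr",
     "home_address": "Rue Exemple 2, Lyon", "vendor": "Vendor A GmbH",
     "amount": 47000.00, "country": "FR"},
]

# Hypothetical policy for this review: the fields the analysis actually needs
# (everything else is dropped), and which of those are personal data that may
# only cross the border as keyed tokens.
REQUIRED_FIELDS = ("txn_id", "employee", "vendor", "amount", "country")
PERSONAL_FIELDS = ("employee", "email", "home_address")


def _token(key: bytes, field: str, value: str) -> str:
    """Keyed pseudonym: HMAC-SHA256 over field name plus value, truncated to 20 hex
    characters. Binding the field name means equal values in different fields do
    not share a token, and without the key nobody can regenerate or reverse it
    (an unkeyed hash of a name or e-mail would be trivially guessable)."""
    mac = hmac.new(key, f"{field}\x00{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:20]


def prepare_for_export(records, key):
    """Return (export_set, lookup). The export set keeps only REQUIRED_FIELDS, with
    personal fields tokenised; lookup maps token -> original value and must stay
    in the origin jurisdiction together with the key."""
    exported, lookup = [], {}
    for rec in records:
        out = {}
        for name in REQUIRED_FIELDS:
            if name not in rec:
                continue  # tolerate ragged extracts rather than failing the run
            if name in PERSONAL_FIELDS:
                tok = _token(key, name, str(rec[name]))
                lookup[tok] = rec[name]
                out[name] = tok
            else:
                out[name] = rec[name]
        exported.append(out)
    return exported, lookup


def contains_raw_personal_data(exported, source):
    """Pre-transfer gate: True if any original personal value appears anywhere in
    the export set, including in a field that was supposed to be dropped."""
    raw_values = {str(rec[f]) for rec in source for f in PERSONAL_FIELDS if f in rec}
    return any(str(v) in raw_values for rec in exported for v in rec.values())


def reidentify(exported, lookup):
    """Origin-side only: map tokens back to people using the retained lookup."""
    return [{k: (lookup.get(v, v) if isinstance(v, str) else v) for k, v in rec.items()}
            for rec in exported]


if __name__ == "__main__":
    # Hypothetical key; in practice fetched from a key store in the origin jurisdiction.
    key = b"origin-side-secret-never-exported"
    export, lookup = prepare_for_export(SOURCE_RECORDS, key)
    if contains_raw_personal_data(export, SOURCE_RECORDS):
        raise SystemExit("refusing to transfer: raw personal data present")
    for row in export:
        print(row)
```

The pseudonyms are deterministic under one key, so reviewers in the receiving jurisdiction can still group transactions by employee or join the extract to other sets tokenised with the same key, but only the key holder at origin can map a token back to a person; the lookup table that prepare_for_export returns is the re-identification record and stays behind with the key. contains_raw_personal_data is the check to run, and to record in the escalation file, before any transfer is approved.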
QUESTIONS
CONTACT INFORMATION
[email protected]
+1 (401) 519 1438
[email protected]
+44 (0)20 7269 7837
[email protected]
+1 (401) 519 1431
www.forensicrisk.com
A downloadable version of this webinar, along with these slides, will be emailed to you in the next few days. It will also be accessible on the GIR website.
ABOUT FRA
18+ years of service
> Credentials in all major jurisdictions and emerging
markets
> Fielded multi-disciplinary teams and handled data in
75+ countries
eDiscovery and data transfer
> Fully mobile eDiscovery solution
> Installed on-site independently worldwide
> Fully isolated to prevent cyber risks
120+ professionals
> Multi-national and multi-lingual
> Former SEC, SFO and FBI enforcement specialists
and forensic accountants including CPAs, CAs and
CFEs; Data transfer and cyber security experts
> Worked on 5 of the top 15 FCPA settlements of the last decade, all of which involved complex data transfer issues
> Processed over 100TB of data in 2016 alone
> Deployed over 20 mobile solutions
> Retained on 7 compliance monitorships (DOJ/SEC; NYDFS; PCAOB)