In the high-stakes world of sanctions investigations, where data privacy meets sanctions regimes, companies and practitioners must navigate both domestic and international legislation while ensuring compliance with regulatory agencies. In the complex landscape of sanctions investigations and the need to identify and collate documents that are relevant to the investigation, data protection plays a crucial role.
The initial phase of a sanctions investigation often involves fact finding in order to establish the complete picture of events that transpired, including the securing and review of documentary and electronic data, interviewing employees, and IT-forensic analysis. All of these activities must be conducted in accordance with standards and procedures generally accepted by regulators for sanctions investigations.
Naturally, depending on the nature of the investigation, this may include information that constitutes personal data, such as employee details and emails. Sanctions investigations often bring cross-border elements, where different jurisdictions with different privacy laws come into play. In this post, the Global Sanctions Investigation Group shares some thoughts based on recent experiences in the EU, United States, and China.
EU GDPR Impact
The European General Data Protection Regulation (“GDPR”), already six years into its implementation, sets a high standard for investigations. Companies — whether based in the EU or not — must be aware of its extraterritorial scope (applying not only to EU-established companies but also to those that offer goods or services to EU individuals).
The GDPR introduces a range of key obligations when collecting personal data related to investigations. Companies have to be transparent, minimise the use of personal data, and establish a legal basis for processing personal data. Recent experiences of the Global Sanctions Investigations Group in the EU show that data protection issues must be considered early in an investigation.
- EU and National Rules: In principle, individuals must be informed about the processing of their personal data in advance. However, it is difficult under the GDPR to justify the collection and use of personal data for such purposes in the context of sanctions investigations. Despite harmonization on the EU level, national legislation must also be taken into account. In our experience, companies need to assess beforehand which national exceptions may apply.
- Understanding Data Flows: The GDPR implements controls around the transfer of personal data outside of the EU/EEA. Does your company process personal data that someone outside the EU has access to? Do you intend to use service providers outside the EU or store personal data in a cloud service? These questions will be significant in cross-border investigations, including sanctions investigations, and the Global Sanctions Investigation Group’s experiences have demonstrated the importance of understanding internal IT infrastructure and data transfer flows.
- Data Minimization and Proportional Use: Sanctions investigations often involve sensitive information, including financial records and beneficiary details, and transfers of such data should be documented to demonstrate compliance with the GDPR. In this regard, stakeholders in a sanctions investigation should seek to ensure data minimization and proportional use.
Regulators in the EU can impose significant fines for breach of data privacy laws, so sanctions investigations need to keep these GDPR compliance issues in mind.
US Data Protection Considerations
While the United States does not have a single, comprehensive data protection law like the GDPR, there are still significant considerations for companies involved in sanctions investigations. This includes a patchwork of state privacy laws that may increase a company’s litigation risk if certain kinds of employee or customer data is mishandled as part of a sanctions investigation. Here are some key points to keep in mind:
- Sector-Specific Regulations: Data protection in the United States is often dictated by the specific industry or sector. For example, the Gramm-Leach-Bliley Act safeguards financial information, while the Health Insurance Portability and Accountability Act protects patient data. Companies involved in sanctions investigations must be aware of any relevant sector-specific regulations that might apply to the data they collect.
- Employee versus Customer Data: Different rules will apply to the collection and use of employee personal data versus customer data. With regard to employee data, it tends to matter significantly whether the information sought to be reviewed is on a company-owned or controlled device or a personal one. Understand these distinctions when conducting a sanctions investigation, and consult the details of applicable company policies that employees will have accepted as part of their employment.
- National Security Focus: The National Security Division (“NSD”) within the Department of Justice plays a crucial role in sanctions enforcement. The NSD prioritizes national security interests, which can sometimes create tension with individual data privacy concerns. Companies may be obligated to provide data to the NSD during an investigation, even if it contains personal information. However, a company usually must have a valid legal basis for doing so, such as a subpoena or warrant. Voluntary production of confidential data to the US Government may increase the risk of follow-on litigation by the subjects involved, especially if they are located outside the United States.
- Balancing Act: Balancing investigatory goals with individual privacy rights is a constant challenge in the United States. Companies should strive to collect and use only the minimum amount of personal data necessary for the investigation. They should also implement appropriate data security measures to protect this information. Companies must take special care when considering cross-border data transfers of confidential data. Consulting applicable company policies is a key first step.
By understanding these considerations and implementing appropriate safeguards, companies can navigate the challenges of US data privacy protections while undertaking sanctions investigations when necessary.
China Data Protection Law Impact
Since 2016, China has enacted a variety of data protection laws and regulations, including the Cybersecurity Law, the Personal Information Protection Law (“PIPL”), the Data Security Law (“DSL”), and subsequent implementation regulations. These impose stringent requirements on the processing of personal information and strict scrutiny over cross-border data transfers. These laws and regulations pose significant challenges for companies conducting or responding to cross-border sanctions investigations.
- Informed Consent Requirements: Similar to the GDPR, companies need to secure informed consent from data subjects when processing their personal information. While it is possible to rely upon a statutory consent exemption on the ground of human resources management, a standalone consent and a necessity test are required for cross-border transfers of personal information. In our experience, companies usually consider this issue from the beginning of the investigation and take proper risk-mitigating measures (e.g., well-drafted company policies, tailor-made consent forms).
- Heightened Scrutiny Risks with Sanctions Investigations: Chinese legislation also imposes various governmental formalities to scrutinize cross-border transfers of personal information, especially when such transfers concern large-scale or sensitive personal information. Aside from personal information protection, the cross-border transfer scrutiny has a focus on national security, where sensitive data such as important data or state secrets are subject to restrictions or even prohibitions on transfer outside China. In particular, sanctions investigations that may potentially lead to an adverse impact on the interests and rights of Chinese companies and individuals (e.g., being added to a sanctions list or being subject to penalties) are very likely to be subject to stringent scrutiny from the Chinese data protection law perspective. The various anti-foreign sanctions laws and regulations issued by Chinese government authorities add another layer of complexity to US or EU sanctions investigations.
- Approval Considerations: Both the PIPL and DSL prohibit any provision of personal information or data stored within China to foreign judicial or regulatory authorities without the approval from competent Chinese authorities. Yet it remains unclear as to when such an approval requirement may be triggered and how companies can secure such an approval. A case-by-case analysis of the data transfer path is usually advised. In any case, companies should exert caution and conduct risk assessments when dealing with data collection requests from foreign judicial or regulatory authorities.
The Chinese data protection legislation and enforcement landscape is evolving very quickly. It is critical for US or EU trade compliance teams to closely collaborate with the investigation team in China to navigate the complicated and fast-developing Chinese data protection regulatory regime.
Our Global Sanctions Investigation Group stands ready to help clients navigate these complex and evolving data-protection legal requirements that have a great impact on sanctions investigations.
View all posts in the “Navigating the Impending Global Sanctions Enforcement Storm” series.