When gathering documents and data from countries outside of the United States, investigators must consider the effect of other countries’ data privacy laws, which can restrict the ability to collect, transfer, and review data. These laws typically restrict the “processing” (e.g., collection and review) and “transfer” (e.g., transportation of documents outside the country or region of origin) of personal data. Most statutes take a very broad view of what constitutes “personal data” and can implicate almost any employee’s email files.
Examples of potentially relevant data privacy or similar legal restrictions include:
- The EU’s General Data Protection Regulation (GDPR);
- China’s state secrets law;
- bank secrecy laws;
- blocking statutes; and
- labor laws and workers’ unions agreements.