Hypothetical:
A U.S. company with offices in EU member countries is conducting an internal investigation pursuant to an inquiry from the U.S. Department of Justice. The company needs to preserve corporate emails and computer files of an employee identified by the DOJ as a person of interest, but has been asked not to disclose the inquiry (and by extension, the collection) to the target employee.
Key Considerations:
- Does the company have an in-house privacy officer or legal counsel designated as a point person for GDPR issues? If so, this individual should be an early point of contact when considering any collection. They should be able to direct you to any applicable company policies or notices relevant to data collection and transfers, including intercompany agreements, as noted below. They can also advise if the company’s in-house IT team has sufficient experience with data preservation and collection to assist in the investigation, or if you should engage outside vendors.
- Does the company have an existing transfer mechanism, such as an intercompany agreement or model clauses, addressing the transfer of personal data from the EU to the U.S.? Under the GDPR, data transfers from EU member countries to the U.S. may be facilitated by existing intercompany agreements designed to satisfy the obligation of GDPR cross-border transfer rules. The company’s privacy officer or legal department should be consulted to determine what existing intercompany agreements are in place.
- Has the target employee previously received notice of corporate policies concerning the access and transfer of data pursuant to the GDPR? The notice should include the relevant provisions of Article 13 of the GDPR – e.g., a description of data subject rights; the identification of purposes for processing, including for regulatory-related purposes and internal compliance-related purposes; a statement that data may be transferred within the company group or to third parties, including government agencies, regulators and advisors; and a statement that transfers may occur to third countries, including those without adequacy decisions (namely, the U.S.). Ideally, the target employee would have previously received notice of company policies sufficient to satisfy transparency obligations under the GDPR with respect to data collection.
- Once collection has been approved, have steps been taken to minimize the volume of data transferred out of the GDPR member country? To the degree reasonably possible, the company should limit the processing of “personal data” (which under the GDPR may include work-related content) and the volume of data transferred out of the member country should be kept to a minimum. The company should consider using any resources available in-country for de-duplication or de-threading prior to transferring the data to the U.S. With respect to email and laptop files, company emails are often maintained on a central (often U.S.-based) server, and thus can be quickly accessed and downloaded once the company has confirmed that proper notice and intercompany agreements are in effect. By contrast, remote laptop collections often take significant time, and likely will not be finished until after server-side emails have been preserved. In order to minimize the volume of laptop data transferred out of the member country, the company could use in-country resources to de-duplicate laptop data against data already recovered from the email collection, and then transfer the de-duplicated data out of the country.