Companies that operate in more than one jurisdiction that are either carrying out an internal investigation or are subject to a criminal or regulatory investigation by U.S. law enforcement agencies will almost certainly need to consider the legality of trans-Atlantic data transfers.  Under European law, in particular, companies falling short in compliance with data protection laws could face fines of up to the higher of €20 million or 4% of annual global turnover.

With the introduction, in 2018, of the General Data Protection Regulation (“GDPR”) which generally prohibits (with some exceptions) the transfer of EU-based personal data outside of the European Economic Area (“EEA”) and other legislation, the overhaul of the EU data protection framework often leaves companies under investigation by U.S. law enforcement with tough decisions to make between complying with their obligations – or their wish – to meet U.S. prosecutors’ demands and abiding by relevant data protection laws.  In particular, some EU-based companies have found themselves at the receiving end of U.S. prosecutors’ requests or subpoenas for documents, in circumstances where compliance with them could potentially risk hefty domestic fines for breaching data protection laws.  There may also be other considerations to be borne in mind, such as relevant bank secrecy laws and common law rights to privacy, where a failure to comply with the relevant law could result in criminal sanctions including imprisonment.

Developments in U.S. and U.K. law, however, have introduced a framework for the legal cross-border transfer of data via cooperation between international authorities.  In addition to ensuring compliance with the GDPR and other privacy obligations in conducting data transfers,  U.S.- and U.K.-based communication service providers (“CSPs”)[1] should familiarize themselves with the recently signed U.K.-U.S. Bilateral Data Access Agreement (the “Agreement”).  The Agreement facilitates the objectives of the U.S. Clarifying Lawful Overseas Use of Data Act (the “CLOUD Act”) and the U.K. Crime (Overseas Production Orders) Act 2019 (the “COPOA”).  According to a communication by U.S. Attorney General William Barr to Congress earlier this year, the Agreement was scheduled to become effective on July 8, 2020, but there has been no official announcement from either the U.S. or U.K. governments on the status of the Agreement.  Indeed, earlier this month, the U.K. government anticipated that the Agreement would “come[] into use later this year[.]”  We discuss the implications of these developments and considerations for U.S.- and U.K.-based companies needing to transfer personal data[2] across the Atlantic to facilitate investigations.

GDPR implications for EU-U.S. data transfers

Given the extraterritorial reach of the GDPR, EU-based companies and U.S. companies processing EU-based individuals’ personal data are required to process and transfer EU personal data in accordance with the GDPR.  Generally, the GDPR restricts data transfers outside of the EEA unless certain exemptions apply; for example, that the EU personal data is afforded an equivalent level of protection abroad as it would within the EEA, the data subject has explicitly consented to the proposed transfer, the transfer is necessary for the performance of a contract between the data subject and the transferring party, or the transfer is necessary for important reasons of public interest.

For personal data to be transferred outside of the EEA in compliance with the GDPR, companies first need to consider whether the recipient of the data is based in a country for which the European Commission has passed an ‘adequacy decision’.  The European Commission considers that the legal frameworks of a small number of countries and territories provide an adequate level protection to the rights and freedoms of individuals’ personal data and, as a result, has passed full adequacy decisions.  However, in relation to the U.S., the European Commission considers the U.S. data protection framework to be only partially adequate and has not passed a full adequacy decision.  In circumstances where no other exemptions apply (which we consider below), therefore, the GDPR allows EU personal data to be transferred to only those U.S. companies that are certified by the EU-U.S. Privacy Shield framework.  Absent the Privacy Shield, the EU company will need to ensure that it implements appropriate safeguards, as listed in the GDPR, before transferring personal data to the U.S..

Absent the Privacy Shield, what other methods exist to permit the legal transfer of EEA personal data from the EU to the U.S.?

For data transfers within a multinational corporate group, the GDPR recognises Binding Corporate Rules (“BCRs”), which is an EEA-approved internal code of conduct and consist of GDPR-prescribed provisions, agreed between group companies, as providing an adequate level of protection.  Therefore, EU entities wishing to transfer EU personal data to their U.S. group companies as part of an internal investigation may legally do so in accordance with regulator-approved BCRs.

In any internal investigation, there are likely be additional relevant parties, whether based in the EU or the U.S., that require access to EU personal data.  These may include third-party due diligence and database providers, search agents and local counsel.  Companies wishing to transfer EU-based personal data to U.S.-based third parties involved in an internal investigation could consider entering into the European Commission’s pre-approved Standard Contractual Clauses (“SCCs”) with the U.S.-based recipient.  SCCs set out each party’s contractual obligations to ensure that the EU-based personal data is granted the same level of protection as under the GDPR, including by requiring the receiving party to implement appropriate technical and organizational security measures to protect personal data and prohibiting onward transfers to third parties without implementing appropriate safeguards.  Although SCCs are considered straightforward to implement within group entities, and since the inception of the GDPR, third parties have been open to entering into SCCs prior to transferring data, some third parties involved in internal investigations might be hesitant to implement SCCs.  Such entities may find the obligations to implement security measures too onerous or simply not wish for data subjects to be able to directly enforce their rights over their personal data against them or take legal action as a result of a GDPR breach.  Although SCCs are a common mechanism used to facilitate the legal transfer of personal data between companies, it is unclear whether they can be used to share EU-based personal data with U.S. authorities.

Other available exemptions under the GDPR

Absent an adequacy decision and appropriate safeguards, it is likely that the company transferring the EEA personal data to the U.S. for an investigation will need to rely on one of the limited exemptions available under the GDPR.  In the context of an investigation, the most relevant and applicable is likely to be where the transfer is “necessary for the establishment, exercise, or defence of legal claims”.[3]  Prior to the GDPR coming into force, a similar derogation was contained in the preceding data protection directive, albeit that it was narrowly interpreted and appeared to apply in limited circumstances.  Such circumstances included the existence of an active U.S. litigation brought by an individual who required their own personal data to be transferred for the purposes of the proceedings.

Guidance[4] published by the European Data Protection Board[5] (the “EDPB”) suggests that under the GDPR, the derogation for transfers “necessary for the establishment, exercise, or defence of legal claims” will be widely interpreted and apply to transfers in the context of criminal or administrative investigations concerning corruption, insider trading or anti-trust law in a third country for the “purpose of defending oneself or for obtaining a reduction or waiver of a fine legal foreseen”.  In order for this derogation to apply, however, there must be a “formal, legally defined process” and a close and substantial connection between the data and the legal claim.[6]  The EDPB Guidelines state that although a company may rely on this derogation more than once to transfer data to U.S. authorities, such transfers must be made outside the regular course of actions, for example, within arbitrary time intervals.  Therefore, the U.S. authorities’ mere interest in the data or a company’s obtaining of possible “good will” from the U.S. authorities are unlikely to be sufficient bases for transferring EU-based personal data to the U.S.[7]  Furthermore, companies may only rely on this derogation for “occasional” transfers of data and as such, an agreement with U.S. authorities during a long-term investigation to make regular, systematic and repeated data transfers may not meet the intended nature of this derogation as being an exception from

Against the above background, it is unlikely that a company will be able to rely on the “necessary for the establishment, exercise, or defence of legal claims” derogation when voluntarily self-disclosing to U.S. authorities.

Additionally, it is unclear whether a derogation to make a transfer “necessary for important reasons of public interest” will be a valid derogation to rely on during regulatory investigations.  The EDPB Guidelines specifically state that data transfers made pursuant to a request from a non-EEA authority for an investigation that serves a public interest of the non-EEA country which, in an abstract sense, also exists under EU or Member State law will not fall within the scope of this derogation.  Companies may only rely on this derogation where, under EU law or domestic Member State law, the intended transfer would be allowed for important public interest purposes, such as in the “spirit of reciprocity for international cooperation” pursuant to international agreement or convention that the EU or Member State is a party to.  Where the company finds an important public interest ground that would necessitate or legally require the transfer to be made, this may be a potential basis for the company to transfer EU-based personal data.

As a last resort, and where no other derogations apply, a company may consider if its “compelling legitimate interests”, not overridden by the interests or rights and freedoms of the data subject, necessitate the data transfer, and provided it satisfies the high threshold and numerous conditions imposed for reliance on this exemption.  The EDPB considers that a company may have a compelling legitimate interest if, for example, the data transfer is essential to protect the company from a “severe penalty which would seriously affect its business”.

Whichever exemption a company relies on to transfer data in accordance with the GDPR, it should be noted that the EDPB Guidelines require companies to only transfer EU-based personal data to the extent it is relevant and limited to what is necessary for the purposes for which it is being processed.  Therefore, companies should be mindful of the extent of personal data they intend to transfer.  Companies may also be expected to assess the possibility of anonymizing or pseudonymizing personal data before transfers.  Absent the viability of these options, companies should carefully consider redacting EU personal data before handing evidence over to U.S. authorities.

Additional considerations for CSPs

CSPs, including private entities that provide electronic communication services, social media companies, cloud storage providers and web hosts, have additional considerations when transferring EEA- based personal data to the U.S.  Specifically, CSPs should take note of recent developments in the U.S. and the U.K. which provide CSPs with a new legal framework to conduct cross-Atlantic data transfers pursuant to a U.S. government order.

Historically, when seeking evidence related to criminal investigations from U.K.-based CSPs, U.S. prosecutors have tended to rely on the long-established Mutual Legal Assistance Treaty (“MLAT”) with the U.K.  Likewise,  the U.S. Securities and Exchange Commission, which is able to levy civil penalties, has utilized its information sharing gateway with the U.K. Financial Conduct Authority to obtain information relevant to certain regulated entities.  These processes have proved cumbersome and have resulted in delays in investigations and prosecutions.

In March 2018, the U.S. enacted the CLOUD Act, which enables the U.S. government to enter into “executive agreements” with qualifying foreign governments.  The U.S. government and participating foreign governments will be able to issue orders for data directly to CSPs located in each country through normal domestic legal processes, thereby significantly streamlining the process for obtaining electronic evidence based abroad.  The CLOUD Act also clarifies that U.S. warrants issued to U.S.-based CSPs apply extraterritorially to data stored overseas, which is another way for the U.S. government to easily access data outside the U.S.

U.S. executive agreements with foreign governments are limited to “the prevention, detection, investigation, or prosecution of serious crime, including terrorism.”  “Serious crime” is not defined in the CLOUD Act, but rather is open to be defined in each executive agreement.

There are numerous other safeguards and limitations that must be built in to each executive agreement, including (1) assurances that the foreign government’s domestic law “affords robust substantive and procedural protections for privacy and civil liberties”, (2) requiring the foreign government to adopt “appropriate procedures to minimize the acquisition, retention, and dissemination of information concerning United States persons[,]” (3) restricting targets of the investigation, including a prohibition on targeting a U.S. person or a person located in the U.S., (4) requiring that orders “identify a specific person, account, or personal device, or any other specific identifier[,]” (5) requiring that orders be in compliance with the domestic law of the foreign government,  (6) requiring that orders “be based on requirements for a reasonable justification based on articulable and credible facts, particularity, legality, and severity regarding the conduct under investigation” and be subject to oversight or review “by a court, judge, magistrate, or other independent authority[,]” and (7) specifications for and limitations on the review, use, and dissemination of data obtained pursuant to an order.

Less than a year after the U.S. CLOUD Act was enacted, on February 12, 2019, the U.K. enacted the COPOA.  Similar to the CLOUD Act, the COPOA seeks to accelerate and simplify the process for obtaining electronic evidence based abroad for certain U.K. criminal investigations.  Pursuant to the COPOA, U.K. law enforcement authorities, including the Serious Fraud Office, HM Revenue and Customs, the Financial Conduct Authority and the police, can apply to access evidence based overseas which is potentially relevant to U.K. indictable offences that carry a potential sentence of at least three years’ imprisonment.  The process for accessing the evidence requires the relevant U.K. authority to, based on credible facts, apply to a U.K. Crown Court to obtain an Overseas Production Order (“OPO”).  If granted, the relevant U.K. authority can serve U.S. companies (in particular, CSPs) directly with the OPO to compel them to produce or grant access to electronic data of U.K. persons held in the U.S., usually within seven days.  This accelerates U.K. investigations as U.K. authorities do not need to rely on U.S. authorities’ involvement to access data.

Under the COPOA, any electronic data to which legal professional privilege applies and certain personal data (e.g., relating to an individual’s physical or mental health, or spiritual or welfare counselling) remains outside of the remit of an OPO.  CSPs are also exempt from complying with such orders where the granting of access to the electronic data would contravene local data protection laws.

The first U.S.-U.K. data sharing agreement

To facilitate the data sharing objectives of the COPOA and CLOUD Act, the U.K. and U.S. governments on October 3, 2019 entered into a Bilateral Data Access Agreement (the “Agreement”).  The Agreement gives powers to U.K. and U.S. law enforcement agencies to seek and obtain court orders from domestic courts against CSPs based abroad, such as an OPO in the U.K., and compel the relevant CSP to produce the requested evidence.  U.K. authorities cannot, however, target U.S. residents’ data, and vice versa.  State and local law enforcement agencies in the U.S. are included in the definition of “Issuing Parties” under the Agreement and can therefore issue orders to U.K. CSPs  Furthermore, the Agreement only applies to serious crimes, which is defined as “an offense that is punishable by a maximum term of imprisonment of at least three years.

The Agreement also contains the safeguards and limitations mandated in the CLOUD Act and COPOA as outlined above. Significantly, the Agreement provides the U.K. with veto power over the use of data in cases where the U.S. government seeks the death penalty, and the U.S. with veto power where the U.K. prosecution involves freedom of speech concerns.

The Agreement has the potential of transforming law enforcement’s evidence gathering abilities in criminal investigations.  CSPs are likely to have U.K. or U.S. authorities knocking on their doors to disclose potentially relevant evidence relating to third parties under investigation, even where the CSP is itself not connected to the criminal investigation or proceedings.

Importantly, the Agreement hopefully clarifies the perceived conflicts between the GDPR and provisions of the U.S. CLOUD Act as they apply to U.K. CSPs and the data of U.K. residents, especially as it acts as the legally binding and enforceable instrument to facilitate the personal data transfer to the U.S., and alleviates the concerns which multinational CSPs had of being stuck between a rock and a hard place.

The Agreement carves the way for other bilateral data access agreements, such as the proposed agreements between the U.S. and EU and the U.S. and Australia, and boost efficiency in international cooperation between prosecutors, limiting the need to rely on the lengthy MLAT process and yielding results more quickly.

Although CSPs now have a legal means to transfer relevant data for a criminal investigation, all other organisations will still need to rely on BCRs and SCCs for transfers as part of internal investigations and the formal, legally defined process to transfer data to the U.S. authorities.  Where there are no other means of accessing data based in the U.K., for example issuing a U.S. subpoena, court order, or other formal request for data, U.S. authorities will need to rely on the existing MLAT process to obtain information from non-CSP companies.

[1] For example, private entities that provide electronic communication services, social media companies, cloud storage providers, web hosts, etc.

[2] i.e., information, such as name, date of birth, national security number, location data, IP addresses, religion, criminal conviction and offences data, etc., relating to a living individual who can be identified directly from the information in question or indirectly by combining the information in question with other information.

[3] Article 49(1)(e) GDPR

[4] EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, adopted on 25 May 2018 (the “EDPB Guidelines”)

[5] The EDPB, formerly known as the Article 29 Working Party, is a coalition of representatives from EU and EEA Member States’ data protection authorities and is responsible for adopting guidelines for complying with the GDPR.

[6] Section 2.5, page 11, EDPB Guidelines

[7] Section 2.5, page 12, EDPB Guidelines