It’s all about the data – regulatory barriers to cross-border investigations
The final 2024 issue of the Dutch journal Compliance, Ethics & Sustainability features an article by FRA about cross-border data challenges and how they impact investigations. Looking at examples, the authors explore issues around accessing, preserving and transmitting data across borders, and offer suggestions on how to manage these challenges.
Mentioned in this article:
- Data Privacy Regulations and Challenges in the US, EU, China and Switzerland
- Laws relating to data localisation and cloud services
- Cross-border data transfers and handling of Personal Identifiable Information (PII)
- Technical challenges in data collection and storage
The full journal can be found here.
With the continued rise of multinational corporations straddling the world, the increase in global compliance requirements, and the continued backdrop of multi-jurisdictional oversight, it is no surprise that there have been a number of high profile cross-border investigations hitting the headlines, including the Wirecard, Tuna Bond and Alstom matters. This article will look at some of the largest and most complex global matters and discuss whether some of the most difficult barriers preventing a successful outcome centre around the demands involved with accessing, preserving and transmitting the evidential data across borders. The article examines some of the issues and suggests how they are best addressed and managed.
1. Introduction
It has often been quoted that there are over 80,000 transnational corporations in the world. Together they form a vast network of people, goods, services and data travelling across international boundaries and, equally significantly, between different jurisdictions. Once distance and language barriers have been overcome, international trade can of course be extremely lucrative; however, when disputes, civil or criminal litigation, regulatory breaches or other proceedings occur, this very same global context can make simple matters much more complex.
The US Foreign Corrupt Practices Act of 1977 is considered to be one of the most “powerful and effective transnational anticorruption laws in the world”. Its global reach has triggered over 750 enforcement actions by the US Department of Justice and the Securities and Exchange Commission since it came into force. Along with the UK Bribery Act 2010 and the 2016 French Sapin II anti-corruption law, which both also have extraterritorial reach, corporations and individuals working in international commerce all have an increased potential to become involved in cross-border investigations. With billion-dollar fines, long prison sentences and exclusion from lucrative tendering opportunities at stake, these investigations take on primary importance and must be conducted to a professionally high standard.
Investigations, however, are not all about bribery and corruption. The regulatory landscape has become more complex and continues to grow. New regulations for sustainability and the environment, along with recent privacy legislation, mean that organisations have more opportunities to breach the rules, either knowingly or inadvertently. The more multinational an organisation is, the more likely its investigation will be cross-border, with all that that brings. Whatever the trigger, cross-border investigations pose unique challenges. Differences in laws and regulatory frameworks often require local knowledge and understanding. In some circumstances there may also be direct conflict between the expectations of national and international law enforcement. One of the main issues is the movement of information across the border itself and, in particular, personally identifiable information (PII). Whilst this involves all personal data, including paper records and electronic documents, the vast majority of material will likely be computer files either on corporate or personal devices.
2. Data Privacy Regulations and Challenges
Data privacy is a fundamental aspect of today’s legal landscape. Around the world, countries have established laws and regulations concerning data privacy and data rights, which can create challenges or even conflicts when conducting international investigations. As a result, and perhaps unsurprisingly, the need for cross-border data sharing in investigations often clashes with strict data protection regulations, making it difficult for forensic investigators to access critical information; and all the time, enforcement agencies continue to monitor a corporate’s efforts to obtain the information necessary to undertake the investigation.
Two major regulations that shape this landscape are the EU General Data Protection Regulation (GDPR) and the U.S. Clarifying Lawful Overseas Use of Data Act (CLOUD Act) both of which have far-reaching implications for data handling during international investigations. The GDPR imposes strict rules on data being transferred out of the EU. Often businesses are required to obtain explicit consent from individuals, or they must meet specific legal criteria before they can export personal data across external borders. The CLOUD Act allows U.S. law enforcement agencies to access data held by U.S. companies, even if that data is stored outside the United States. While this supports U.S. investigative needs, it can clash with data protection regulations in other jurisdictions.
In addition to these regulations, many countries have enacted data localisation laws, which require that certain data be stored on servers within their national borders (see recent steps taken by China and Russia). These laws create further challenges for investigators seeking to access data that is geographically dispersed, creating a complex legal environment where investigators must navigate both legal and technical hurdles to collect and store data for international investigations.
2.1. EU Legislation
Since coming into effect on May 25, 2018, the GDPR has provided comprehensive guidance on data protection in the EU, governing how personal data is collected, processed, and stored. The primary objective of the GDPR is to delineate individual data privacy rights and establish consistent legal standards among EU member states. Building on the Data Protection Directive 95/46/EC, the GDPR expands the scope of data privacy regulation to apply uniformly across EU member states, imposing strict requirements regarding user rights, individual consent, entity accountability, and enforcement mechanisms. The GDPR prioritises individuals’ data rights, focusing on their rights to access, rectify, erase, restrict, transfer, and control the use of their personal data. Overall, the GDPR represents a significant milestone in EU privacy protections, outlining both individual rights and organisational accountability within modern data systems.
When it comes to international data usage, the GDPR applies to all entities that process the data of EU residents, not only EU-based organisations. For non-EU organisations, if they are based in countries meeting the adequacy standards outlined by the EU, such as the UK, Switzerland, and Japan, there are no additional requirements to access personal data from the EU. The U.S. and EU have worked together on the EU-U.S. Data Privacy Framework to establish adequacy and shared regulatory standards.
2.2. U.S. Legislation
Enacted on March 23, 2018, the CLOUD Act establishes a framework for U.S. law enforcement to access data stored overseas by American companies. At its core, the CLOUD Act allows U.S. authorities to issue warrants for data held by U.S. companies, regardless of physical location, and is designed to streamline the process of accessing relevant information held abroad. Its central purpose, therefore, is to clarify and enhance the ability of law enforcement agencies to obtain electronic evidence necessary for investigations while also addressing international data privacy concerns. Importantly, the CLOUD Act includes provisions for individuals’ data privacy protections, namely transparency requirements, protections for civil liberties, and remediation mechanisms. It also maintains standards for international information sharing that focus on privacy protection and alignment with local data privacy laws in other jurisdictions. Through these measures, the CLOUD Act aims to facilitate lawful data access for investigations while still reinforcing its commitments to data privacy in a rapidly evolving digital landscape.
Other central data privacy laws in the U.S. include the Freedom of Information Act (FOIA) and the U.S. PATRIOT Act. First enacted in 1966, FOIA was designed to provide the American public with the right to request access to records from any federal agency, thereby promoting government transparency. These information requests can include individuals’ personal records and data controlled by the U.S. federal government. However, FOIA also provides protections and exemptions, including safeguards for the privacy of sensitive personal information. In contrast, the PATRIOT Act of October 2001 was designed to increase government surveillance for counterterrorism by providing law enforcement with additional data access. This includes allowing the US Federal Bureau of Investigation (FBI) to conduct searches without prior notification and issuing national security letters (NSLs) to obtain information from companies without a warrant. The PATRIOT Act enhances access to U.S. citizen and company data, irrespective of the data’s physical storage jurisdiction.
From an American perspective, the CLOUD Act and the PATRIOT Act both create and ease tensions in international investigations. While the PATRIOT Act’s access is limited to law enforcement investigations, its extraterritorial reach in international investigations has caused diplomatic tensions when local data privacy protections contradict PATRIOT Act requests. The CLOUD Act, conversely, is designed to facilitate data sharing between countries with similar legal frameworks. It empowers the U.S. to enter into Mutual Legal Assistance Treaties (MLATs) with foreign governments to share data more efficiently. It also restates its protection of data privacy rights and civil liberties.
2.3. Chinese Cybersecurity Law and Russian data localisation laws
The Chinese Cybersecurity Law came into effect on June 1, 2017, and was designed to address cybersecurity and personal data protection concerns in China. The law outlines several key rights and data protections, including the requirement for user consent for data collection and processing, clear communication of the purpose of data collection, and individuals’ rights to access, correct, and delete their personal data. Additionally, it stipulates that personal data generated within China must be stored on domestic servers. This data localisation requirement is similar to that found in Russian law, which mandates that all personal data must remain on domestic servers. Clearly, sanctions considerations following Russia’s invasion of Ukraine will also add a layer of complexity for investigations involving Russian companies or individuals, wherever they are situated.
2.4. Swiss new Federal Act on Data Protection (nFADP)
In 2020, Switzerland passed a law in order to improve the processing of personal data, supplementing its 2009 and 2019 laws. The nFADP, which came into effect in September 2023, largely aligns with the EU GDPR requirements, so that companies already fulfilling those requirements will need only limited adjustments in order to comply.
Additionally, Switzerland has strong bank secrecy regulations, with severe penalties for breaching them, that have to be complied with during cross-border investigations. These regulations, in particular, forbid the transfer of client identifying information pertaining to bank customers outside of Switzerland.
2.5. French Blocking Statute: its implications for cross-border investigations
The French Blocking Statute, originally enacted in 1968, aims to protect French citizens and entities from foreign legal demands that could require the disclosure of data stored in France. Under the statute, the transfer of data to foreign jurisdictions is prohibited unless the request aligns with France’s national interests or is based on an applicable international treaty. In such cases, MLATs may be utilised to facilitate data transfer in compliance with the statute. This legal framework presents a significant challenge in cross-border investigations, as it can obstruct the execution of foreign subpoenas and legal requests, which are often central to international inquiries. As a result, investigators must carefully navigate these restrictions to ensure compliance with both French law and the demands of foreign jurisdictions.
3. Data localisation and cloud services
Data localisation laws are emerging across the globe and in many major jurisdictions. While these laws can take different forms, they generally require that certain types of data be stored within domestic borders. To transfer information outside of these jurisdictions, organisations must comply with a series of specific standards and adhere to strict regulatory requirements. With data localisation laws, one central question always arises: how will data be collected, processed, and stored throughout the course of an investigation? This requirement prompts further questions about how organisations can manage and safeguard cross-border data flows while complying with local regulations throughout international investigations. Non-compliance with data localisation laws can expose companies to serious legal risks, making data storage a fundamental consideration of cross-border investigations.
When these laws apply, data storage must, quite simply, remain within the jurisdiction for the duration of the investigation. While this requirement may seem straightforward, international investigations often involve legal and forensic firms that are not local to the jurisdiction where the data is initially stored, and investigators must therefore first determine how the data will be stored locally during the identification stage of the case. Organisations operating internationally face increased operational complexity, as they must establish local data storage facilities or partner with local providers to comply with data localisation laws. This may require significant investment in infrastructure. When data is stored across multiple jurisdictions, investigators must also consider the potential conflicts between local data localisation laws and international legal obligations, which can create significant barriers to data access and cross-border cooperation.
One of the areas where these laws create particularly complex challenges is in the adoption of cloud storage, which has become increasingly prevalent in international investigations because of its relatively low cost. Some eDiscovery software service providers encourage clients to use cloud services by offering cloud-only tools and applications. Although cloud storage can significantly reduce costs, improve performance, and allow access to new technologies, it also complicates the issue of data storage localisation, forcing organisations to ensure that any cloud storage options under consideration are localised to the required jurisdiction. To comply with data localisation laws, providers offering cloud data storage must have data centres within specific jurisdictions and offer clients the ability to choose where their data is stored. Forensic investigators must navigate both the technological and legal complexities to ensure that data remains compliant with local regulations while still benefiting from the operational advantages of cloud storage.
Not only do storage providers need to manage the best use of multiple locations, but they also need to ensure that their clients fully understand exactly where their data is and where it has been already. For example, a recent FRA client who was undertaking an investigation in the Middle East asked for their data to be stored entirely on-site to maintain jurisdiction during handling and review. In response, we planned to deploy a standalone server as a mobile solution to host their data locally. However, upon being engaged to preserve the data, we discovered that the client was primarily using Office 365, which relies on Microsoft Azure cloud servers. The data had originally been hosted in the European Union and because of this fact we were able to advise the client to use a cheaper, secure cloud eDiscovery platform that also leveraged Microsoft Azure’s cloud infrastructure.
4. Cross-Border data transfers and handling of Personal Identifiable Information (PII)
When it comes to cross-border data transfers, a fundamental aspect of international investigations, these legal statutes can present significant roadblocks and complications in initiating the collection process. As regulations may diverge or conflict, investigators must navigate a complex web of laws at domestic, regional, and international levels. For example, data localisation laws may apply to only certain portions of the dataset, and the broader data universe may, in fact, contain multiple subsets that cannot be stored together due to differing jurisdictional requirements. These standards are often inconsistent, meaning each jurisdiction’s requirements are unique and must be addressed individually. Organisations must comply both with data transfer laws and binding corporate rules to ensure the data is managed legally and forensically. These sensitivities do not just apply to the actual raw data but will also apply to the project reporting during an investigation. This will come into focus should any PII be contained in the project reports. All data localisation laws will apply to this data too.
Investigators managing data transfers across borders must also understand the specific added requirements that govern these transfers, such as Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). SCCs, issued by the European Commission, provide pre-approved model contractual clauses for transferring personal data to third countries outside the European Union. These clauses may vary depending on the roles of the originating European company, the receiving company, and the destination country. However, all SCCs require prior agreement and strict adherence to their terms.
BCRs are internal policies adopted by multinational companies for transferring personal data between group entities in compliance with the GDPR. These policies facilitate internal transfers while ensuring consistent data protection standards across all jurisdictions in which the group operates. They must be approved by a supervisory authority, outline basic data protection principles, and establish an overarching standard for the multinational company’s operations. By using these mechanisms, alongside supplementary measures and regular monitoring, organisations can mitigate the risks of non-compliance and build trust with customers and regulators.
Whilst cultural differences will have affected how laws have developed in different jurisdictions, they can also affect the behaviour of those directly involved in investigations. In a recent FRA matter, a high-profile sports enterprise was involved in a patent litigation case that included data from the U.S., Switzerland, and France. The French executives involved in the case were reluctant to have their emails stored outside their offices until they had been fully screened. As a result, in-house data storage was specifically required for the French data, with separate off-site hosting for the data from the U.S. and Switzerland. Once the data had been initially reviewed and cleared for external storage, it was moved to a larger workspace for further review. Meeting the cultural expectations and legal requirements of the case demanded a complex technical workflow and expertise in data transfer.
5. Technical challenges in cross-border data collection and storage
Beyond the legal complexities of navigating overlapping international data requirements, the technological challenges in cross-border investigations can present significant hurdles. These challenges are most evident during the early, most technical stages of data review. First, data is collected, during which eDiscovery firms employ various tools and techniques to ensure that the data is forensically preserved. Once the collection is complete, the data is processed and stored to facilitate review by legal teams and, if necessary, production. Throughout this process, eDiscovery teams must continue to ensure that local data privacy standards are maintained. Effective coordination between legal and technical teams is critical for ensuring compliance and streamlining the investigation process.
5.1. Collection
During the data collection phase, clients and legal teams must address several key considerations. The first priority is determining the location of the collection. While on-site data collection was once the standard, remote collection has become increasingly common in the past five years. The COVID-19 travel restrictions accelerated the adoption of off-site collection technologies, enabling eDiscovery teams to expand their international coverage while significantly reducing travel costs. Once the collection location is determined, teams must assess the existing data storage setup and address any potential hardware challenges. Collection teams can use a variety of tools designed for specific data types, including PC computers, hard drives, app communications, and mobile devices. eDiscovery teams must then select the most appropriate tool for each collection, which may involve navigating jurisdictional restrictions on the use of certain tools. Additional sensitivities may apply due to local cultural norms or internal company policies. For example, senior executives may prefer their data to be handled separately or with heightened sensitivity to protect key information. To address these concerns and meet client needs, additional steps must be taken during the collection process.
5.2. Processing
After the collection phase, forensic copies of the data are preserved, then processed so that usable versions of the data can be provided for review. During the processing and early case assessment phase, the data is evaluated so that the dataset can be streamlined. One of the most effective ways to do this is to deduplicate the data set. Duplicated data is commonplace within corporate organisations (for example, the same email residing in the mailboxes of multiple employees) and deduplication is the process whereby exact copies of a document are identified and only one version is retained for review. However, deduplication can present challenges when managing large volumes of data, as it requires careful management to avoid inadvertently discarding critical information. For large investigations, stripping out identical documents can significantly save on storage and review costs. Cross-border investigations throw up a particular complication, as the comparisons need to be made between documents which may be sitting in several jurisdictions. This can be achieved by turning each document into a unique anonymised code, a “cryptographic hash”, and comparing the hashes. If the hashes are the same, the underlying documents are the same and one document can then be discarded from the review set, while of course retaining its metadata. Since the hashes are anonymised and encrypted, they can be safely transmitted across borders without breaching any data privacy legislation.
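The cross-border deduplication described above, as an added example that is not FRA’s code or any eDiscovery product: each jurisdiction fingerprints its own documents with SHA-256, only the fingerprints plus custodian metadata leave the jurisdiction, and the merged manifests yield one retained copy per unique document with the metadata of every discarded copy attached to it. The sample documents, ids, custodians and shared key are constructed; the keyed (HMAC) option is this example’s addition and goes beyond what the article describes.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Document:
    """A collected document as it sits inside one jurisdiction (content never leaves)."""
    doc_id: str
    jurisdiction: str
    custodian: str
    content: bytes


@dataclass
class Cluster:
    """One unique document across all jurisdictions, plus the metadata of every copy."""
    retained: str                                   # doc_id of the single copy kept for review
    duplicates: List[str] = field(default_factory=list)    # doc_ids dropped from the review set
    custodians: List[str] = field(default_factory=list)    # metadata preserved from every copy
    jurisdictions: List[str] = field(default_factory=list)


def document_hash(content: bytes, key: Optional[bytes] = None) -> str:
    """Fingerprint a document. Plain SHA-256 reveals nothing of the content, but anyone
    holding the manifest can hash a document they already possess and check whether it
    was collected. With a key shared only between the comparing parties (HMAC-SHA-256),
    that check is no longer possible for outsiders."""
    if key is None:
        return hashlib.sha256(content).hexdigest()
    return hmac.new(key, content, hashlib.sha256).hexdigest()


def build_manifest(docs: List[Document], key: Optional[bytes] = None) -> List[dict]:
    """Run inside the jurisdiction: only fingerprints and metadata are exported."""
    return [
        {"doc_id": d.doc_id, "jurisdiction": d.jurisdiction,
         "custodian": d.custodian, "fingerprint": document_hash(d.content, key)}
        for d in docs
    ]


def deduplicate(manifests: List[List[dict]]) -> Dict[str, Cluster]:
    """Merge manifests from several jurisdictions. The first copy (by doc_id, so the
    result is deterministic) is retained; later copies are dropped from the review
    set but their custodian and jurisdiction are attached to the retained copy."""
    clusters: Dict[str, Cluster] = {}
    entries = sorted((e for m in manifests for e in m), key=lambda e: e["doc_id"])
    for entry in entries:
        cluster = clusters.get(entry["fingerprint"])
        if cluster is None:
            cluster = clusters[entry["fingerprint"]] = Cluster(retained=entry["doc_id"])
        else:
            cluster.duplicates.append(entry["doc_id"])
        if entry["custodian"] not in cluster.custodians:
            cluster.custodians.append(entry["custodian"])
        if entry["jurisdiction"] not in cluster.jurisdictions:
            cluster.jurisdictions.append(entry["jurisdiction"])
    return clusters


def review_set(clusters: Dict[str, Cluster]) -> List[str]:
    """The doc_ids that actually go to reviewers."""
    return sorted(c.retained for c in clusters.values())


# Constructed sample: one email held by custodians in three jurisdictions, one unique
# French note, and a near-duplicate (same email with a trailing signature) that an
# exact hash deliberately does NOT collapse; that is the "careful management" caveat.
EMAIL = b"From: cfo@example.test\r\nSubject: Q3 forecast\r\n\r\nAttached as discussed."
CONSTRUCTED = {
    "FR": [Document("FR-001", "FR", "a.dupont", EMAIL),
           Document("FR-002", "FR", "a.dupont", b"Note interne: reunion lundi.")],
    "US": [Document("US-001", "US", "b.smith", EMAIL),
           Document("US-002", "US", "b.smith", EMAIL + b"\r\nSent from my phone")],
    "CH": [Document("CH-001", "CH", "c.meier", EMAIL)],
}
SHARED_KEY = b"constructed-demo-key-only"   # assumption: agreed out of band by the parties


def run_demo(key: Optional[bytes] = SHARED_KEY) -> Dict[str, Cluster]:
    manifests = [build_manifest(docs, key) for docs in CONSTRUCTED.values()]
    return deduplicate(manifests)


if __name__ == "__main__":
    for fp, c in run_demo().items():
        print(fp[:12], c.retained, "dups:", c.duplicates, "custodians:", c.custodians)
```

Exact hashing only finds byte-identical copies; the near-duplicate in the sample shows why processing teams normalise emails (headers, signatures) before hashing if they want those collapsed as well.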
Analytics tools can further assist in streamlining the dataset, particularly in cross-border investigations. For example, in a case based in Dubai, documents were in both English and Arabic, or a combination of the two languages. The legal team planned to use a team fluent in both Arabic and English, as well as a more cost-effective team fluent only in English, to conduct the review. To assess whether this approach was suitable, and to gain an overview of the dataset, the eDiscovery team employed a language identification tool to determine the size of the dataset in each language. If necessary, machine translation could have been implemented to assist English-only reviewers in understanding the full dataset. By leveraging these tools, teams can optimise both the efficiency and accuracy of the review process.
5.3. Storage and review
Once the data is available in the review platform, it becomes the responsibility of both the review team and legal counsel to ensure compliance with data access laws, while facilitating an efficient review process. Given that multiple parties often need access to the data, implementing robust security measures from the outset is essential in cross-border investigations. For instance, an investigation involving a large defence contractor based in France and multiple law firms from different countries required careful coordination. Ensuring that the data was handled in a forensically sound manner, in compliance with data privacy laws, and with each firm’s specific access needs, necessitated the deployment of multi-layered and complex security protocols. Secure access was granted to different stakeholders, while still ensuring compliance with jurisdictional data privacy laws. By using robust security measures with tailored access controls, we were able to mitigate the risk of non-compliance and maintain the integrity of the investigation process.
5.4. Data volumes and AI
As many investigators will attest, a large volume of data can be one of the greatest challenges to a successful investigation and can significantly increase costs. A particularly time-consuming and costly aspect of civil and criminal litigation, the basis of many investigations, is disclosure. This is the process whereby each side must provide to the other details of the relevant documents they hold. It requires examination of the data being held to find evidence which either supports or undermines the case. If the data set is very large, this can be a correspondingly difficult exercise. Historically, teams of reviewers would be tasked with reading each document and deciding upon its relevance. More recently, machine learning (AI) is being harnessed for this purpose, which significantly reduces costs. One instance of this, Continuous Active Learning (CAL), was recently deployed by our team on an investigation involving the review of over 500 million documents.
6. “I’m Sorry Dave, I’m Afraid I Can’t Do That.”
Finding the relatively small amount of evidence that is ultimately relied upon in a large cross-border investigation is difficult because of all the complexities mentioned above. Huge investigations, with different international players, often come with competing objectives, a problem which is likely only to increase over time as we become more globalised and regulation increases. Organisations will need to be better prepared with regard to data governance, both to prevent the incidents that lead to investigations and to respond to them when they do occur. It may become a defining competitive factor, but companies often resist investment in proactive data governance until they have to, and it may take a few high-profile breaches, fines and sentences before it becomes a higher spending priority. The locking down of computer use and the decreasing acceptance of off-channel communications will restrict individuals’ flexibility but increase a corporate’s regulatory compliance and assist in future complex cross-border investigations when they occur. The use of increased monitoring and compliance-approved AI to aid decision making across an organisation might be one solution, but it will certainly bring us closer to the words spoken by HAL in Kubrick’s classic.