Harry Cassin Publisher and Editor

Andy Spalding Senior Editor

Jessica Tillipman Senior Editor

Richard L. Cassin Editor at Large

Elizabeth K. Spahn Editor Emeritus 

Cody Worthington Contributing Editor

Julie DiMauro Contributing Editor

Thomas Fox Contributing Editor

Marc Alain Bohn Contributing Editor

Bill Waite Contributing Editor

Shruti J. Shah Contributing Editor

Russell A. Stamets Contributing Editor

Richard Bistrong Contributing Editor 

Eric Carlson Contributing Editor

Bill Steinman Contributing Editor

Aarti Maharaj Contributing Editor

FCPA Blog Daily News

« America's Newest Foggy Bottom | Main | Our Big Lesson »

EU/US Cross Border Data Discovery – Mission Impossible?

by Joe Looby

Complicated, yes, but impossible? No, according to a report just out from RAND Europe.

With the widely reported increase in FCPA enforcement by the U.S. DOJ and SEC, and a new U.K. Bribery Act taking effect in April of 2011, corporations are increasingly required to conduct anti-bribery due diligence and investigations across the globe. In many instances, this may require the collection of email and documents from one country and the review and production of such documents in another country.

However, EU data privacy laws often seem to be in direct conflict with U.S. regulatory requirements to produce documents for FCPA investigations. To comply with a DOJ request for documents from certain countries—say, Germany or Italy—a company cannot simply rely on “U.S. notions” of employee consent and then gather those documents and bring them to the U.S. for review and production to the DOJ.

For example, if an EU employee were to consent upon hiring to the employer’s unrestricted use of his or her email (a common practice in the U.S.) – a later transfer to the U.S. on this basis alone would violate EU data privacy. To further complicate matters, each EU country, and certain local jurisdictions within those countries, can implement their own data privacy rules differently.

The RAND Europe report, sponsored by FTI Technology, outlines options that can be considered by companies and counsel, and the report incorporates guidance from the European Directive’s Article 29 Working Party, the Sedona Conference, as well as national data privacy regulators and experts from five European countries (France, Germany, Spain, Switzerland and the United Kingdom).

Some of these recommendations include processing and redacting documents in country, use of a privacy log, or assigning a third party to adhere to the European legal framework. In addition, the report includes country-specific requirements for the five countries mentioned above.

The full report is available for download here.

Joe Looby is a senior managing director of FTI Technology and can be contacted here.

Reader Comments

There are no comments for this journal entry. To create a new comment, use the form below.

PostPost a New Comment

Enter your information below to add a new comment.

My response is on my own website »
Author Email (optional):
Author URL (optional):
All HTML will be escaped. Hyperlinks will be created for URLs automatically.