Many investigations are likely to present data privacy issues. For example, an employee’s personnel and disciplinary records are often collected from company databases for review. Corporate investigations may also seek the collection and use of data from employee-owned devices. This complicates matters from a data privacy compliance perspective, as the data that resides on such devices typically comprises both business- or work-related data and the personal data of the employee (such as personal messages, emails, photographs, and even the employee’s credit card details). The resolution of such issues also takes on greater urgency in an investigation where there are concerns that implicated individuals may destroy or hide electronic evidence.
The fragmented and varied Asia-Pacific regulatory landscape
The imperative to understand, navigate and comply with the relevant legal boundaries for the collection, use and disclosure of personal data is compounded by the fragmented regulatory landscape for data protection and privacy in the Asia-Pacific region. Unlike the European Union, data protection and privacy laws vary considerably among countries in the Asia-Pacific region. Presently, countries such as Cambodia, Bangladesh, and Myanmar appear to lack formal data protection and privacy laws. At the other end of the spectrum, Japan and South Korea have developed robust data protection and privacy regimes that are akin to the European Union’s General Data Protection Regulation (GDPR). Further, data protection and privacy laws in the region continue to evolve. For example, India and Indonesia are in the process of enacting dedicated data protection and privacy legislation. Likewise, Singapore and South Korea are currently considering significant amendments to their data protection and privacy laws.