Many investigations are likely to present data privacy issues. For example, an employee’s personnel and disciplinary records are often collected from company databases for review. Corporate investigations also may seek the collection and use of data from employee-owned devices. This complicates matters from a data privacy compliance perspective, as the data that resides on such devices typically comprises both business- or work-related data, and the personal data of the employee (such as personal messages, emails, photographs, and even the employee’s credit card details). The resolution of such issues also takes on greater urgency in an investigation, where there are concerns that implicated individuals may destroy or hide electronic evidence.
The fragmented and varied Asia-Pacific regulatory landscape
The imperative to understand, navigate and comply with the relevant legal boundaries for the collection, use and disclosure of personal data is compounded by the fragmented regulatory landscape for data protection and privacy in the Asia-Pacific region. Unlike in the European Union, data protection and privacy laws vary considerably among countries in the Asia-Pacific region. Presently, countries such as Cambodia, Bangladesh, and Myanmar appear to lack formal data protection and privacy laws. At the other end of the spectrum, Japan and South Korea have developed robust data protection and privacy regimes that are akin to the European Union’s General Data Protection Regulation (GDPR). Further, data protection and privacy laws in the region continue to evolve. For example, India and Indonesia are in the process of enacting dedicated data protection and privacy legislation. Likewise, Singapore and South Korea are currently considering significant amendments to their data protection and privacy laws.
Breaches can carry serious consequences
Breaches of data protection and privacy laws in a number of Asia-Pacific jurisdictions can expose companies to fines and civil actions. In 2019, two Singapore health care companies were issued with significant monetary penalties for a data breach relating to patient data. Breaches of data protection and privacy laws in certain circumstances may even result in personal criminal liability for the company’s corporate officers, in countries such as China, South Korea, Thailand, Malaysia, and Singapore. In 2020, a South Korean travel company was not only fined for a data breach, but its privacy officer was held personally liable for the breach and also fined. Accordingly, incorporating the management of data privacy issues in the overall planning and strategy for investigations can help to minimize financial, legal and reputational risks.
Key considerations
Below are some key considerations for managing data privacy risks when conducting corporate investigations in the Asia-Pacific region.
(1) Obtain consent from the individual. Obtaining the consent of the individual whose personal data is being processed or used is generally recognized as a legal basis for collecting and using the personal data in many Asia-Pacific jurisdictions. Obtaining such consent in advance is preferable. Many companies obtain an employee’s written consent to collect and use their personal data for the purpose of an investigation by the company as part of the terms of the employee’s employment contract with the company. The terms of employment may also include adhering to applicable company policies, including policies that address and regulate the modes of communication that employees use to conduct business, including the use of electronic messaging apps such as WhatsApp, WeChat, Telegram and Line, on both personal devices and company-owned devices. In this regard, the United States’ Department of Justice (DOJ) issued a policy that called for companies to implement “appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms” that would otherwise hinder their ability to appropriately retain business records (see Reed Smith’s Update on FCPA Corporate Enforcement Policy).
Such consent from individuals may not always be forthcoming. First, where the device to be imaged is password-protected, the employee’s refusal to cooperate would hinder the investigation. This is an issue that confronts even regulators in the region. Earlier this year, the Hong Kong Securities and Futures Commission (SFC) had to apply to the Hong Kong High Court to direct certain individuals under investigation to disclose the passwords for their devices, after they refused and challenged the SFC’s right to obtain such disclosure. Second, even if an employee consents, data protection and privacy laws in the region typically allow for consent to be withdrawn with reasonable notice. Third, seeking consent may carry the risk of tipping off errant employees to destroy incriminating evidence that may be on their devices.
(2) Identify other legal bases for processing personal data. In situations where employee consent is not forthcoming, companies should consider whether there are other legal grounds for processing personal data. For instance, in Singapore, consent is not required for the collection of personal data where necessary for any “investigation,” and where it is reasonable to expect that seeking the consent of the individual would compromise the availability or accuracy of the personal data. Notably, Singapore regulators are also considering a “legitimate interests exception,” which could potentially cover the collection and use of personal data without consent, for purposes such as the detection or prevention of illegal activities.
(3) Understand the position under local law. It is ideal to have a coordinated global approach to processing personal data in an investigation context. However, given the growing proliferation of such laws and regulations in many Asia-Pacific countries, it is generally prudent to consult with experienced local counsel on the local law position and requirements. Certain types of personal data, such as data regarding an individual’s health, political affiliations, religious beliefs, and sexual orientation, are subject to more stringent data protection and privacy requirements in certain Asia-Pacific countries. In Malaysia, the processing of “sensitive personal data” is prohibited unless it is necessary for certain specified purposes and the individual has given their explicit consent. Similarly, in Japan, the processing of “special care-required personal information” requires the consent of the individual to be obtained in advance, except in limited circumstances. Additionally, in Singapore, companies are generally not permitted to collect, use or disclose various state-assigned identification numbers (such as passport numbers and national registration identification numbers), except in limited circumstances.
(4) Be alive to local sensitivities and cultures. It is equally important for counsel and the data forensics team to understand, and be attuned to, local attitudes toward data privacy when formulating a data processing and review strategy in an investigation. For instance, employees in certain Asia-Pacific jurisdictions often have a strong awareness of their privacy rights; they may complain to a local regulator if they believe that their data protection and privacy rights have been violated. Further, in a number of Asia-Pacific countries, employees who are requested to provide their data on mobile devices will be reluctant to cooperate unless clear instructions to do so have come from local management.
(5) Ensure the security of the data. The obligation to protect personal data that is in the company’s possession or control is found in the data protection and privacy laws of many Asia-Pacific countries. This obligation extends to taking reasonable efforts to ensure that the data processors can protect the data transferred to them from unauthorized access, copying, use or disclosure. These efforts would include appropriate due diligence of the data processors’ IT security measures, and imposing contractual obligations on the data processors to protect the data transferred to them. All collected electronic data should be encrypted and secured at the point of collection, in transit, and at its destination. If the company does not take reasonable efforts, and a data breach subsequently occurs on the data processor’s servers, the company may be held concurrently and/or vicariously liable for the breach. It may even expose the company to civil claims from the individuals whose personal data was leaked, in countries such as India, Thailand, Hong Kong and Singapore. Further, the loss of confidentiality from data breaches may adversely affect a company’s claims to privilege.
(6) Exercise proportionality. Data minimization obligations can be found in the data protection and privacy laws of a number of Asia-Pacific countries, such as Malaysia and Hong Kong. Other Asia-Pacific countries, such as Singapore, require companies to ensure that they process personal data for purposes that are considered reasonably appropriate in the circumstances. The collection and use of personal data for the investigation should therefore be proportionate, and not excessive, in relation to the purpose of the investigation. Regardless of such legal requirements, it is nevertheless good practice to collect and use only the data that is necessary to achieve the goals identified for the purpose of the investigation. This may be achieved by clearly establishing the scope or parameters of the investigation.
(7) Comply with data localization requirements and cross-border transfer restrictions. Certain Asia-Pacific countries, such as China, Japan, India and Singapore, impose conditions on the transfer of personal data outside their territory. For example, China’s Cybersecurity Law prohibits the transfer of personal data overseas by “Critical Information Infrastructure Operators” (“CIIOs”) unless required for business necessity and a security assessment has been conducted. Chinese law also prohibits the transfer of various types of information outside of China, such as “state secrets,” “population health information,” and “important data” gathered or produced by CIIOs. In Malaysia and Singapore, the transfer of personal data overseas is only permitted if informed consent is obtained or where the company ensures that the overseas recipient is legally obliged to protect the transferred data to a standard of protection comparable to that provided under the transferring country’s own law.
(8) Do not unnecessarily retain personal data. Data retention limitations are found in the data protection and privacy laws of a significant number of Asia-Pacific countries. Examples include South Korea, Hong Kong, Malaysia and Singapore. This generally obliges companies conducting investigations to ensure that they do not retain personal data collected for an investigation longer than reasonably necessary. This can be managed through the formulation and enforcement of appropriate corporate data retention policies.
Conclusion
As businesses become increasingly digitalized, the volume of data, including personal data, that is generated and processed is expected to exponentially increase. Given the diversity of data protection and privacy laws and the consequences of a breach of such laws, it would be sensible to have a sound strategy to manage data risks, and other potential implications arising from the collection and use of data, when conducting corporate investigations in the Asia-Pacific region.
Client Alert 2020-335