Forensics Journal - Stevenson University 2013 | Page 57

data to countries that lack adequate data protection laws (Bennett). Specifically, the Directive prohibits the transfer of personal data to a third country that does not “ensure an adequate level of protection” (Directive 95/46/EC, 57). The European Union has certified only a limited number of countries as providing adequate data protection, and the U.S. is not one of them (O’Brien). In the event that a data subject suffers damage as a result of the unlawful processing of data, the data subject is entitled to compensation from the offending person or company (Directive 95/46/EC, Article 23).

COMPLEX CROSS-BORDER INVESTIGATIONS

Conducting internal investigations of corruption and bribery on foreign soil is a very difficult undertaking. FCPA violations may have occurred over a period of years, involving employees, agents hired by American multinational corporations, and third parties. The volume of information that must be collected and examined is enormous. Relevant data may be found in several locations and in a variety of formats. To conduct thorough internal investigations, data must be collected from all locations if “even remotely related to the matter at hand” (Biegelman and Biegelman, 297).

WHAT IS PERSONAL DATA?

Documentation relevant to an FCPA investigation can involve a plethora of financial reports, business operations, and corporate maintenance records. It may be necessary to collect and analyze personnel files, as well as e-mail communications and attachments. Most corporate business information is stored and filed in electronic or digital format. To reduce costs, many corporations utilize third parties, such as cloud computing services, to store and process business data. Cloud computing services may host the company’s data on virtual servers located on continents other than where the subsidiary operation is located (Manning, 19).

The Directive defines personal data as, “any information that will identify a natural person by identification number, or physical, physiological, mental, economic, cultural and social identifiers and sexual orientation” (Directive 95/46/EC: Article 2(a)). This data includes the subject’s names, phone numbers and even addresses listed in telephone books (O’Brien). The processing of personal data is generally the handling of information, which involves the use of the personal data, its automatic retrieval, disclosure or transmission, as well as the blocking, dissemination or destruction of the personal data (Directive 95/46/EC: Article 2(b)).

The gathering of data pertinent to suspected FCPA violations includes the preservation of the electronic document’s underlying data, or metadata. The preservation of electronic data is paramount, particularly if commercial litigation is expected, or an investigation by the Department of Justice or the SEC ensues. When there is a question that an issue or incident may lead to commercial litigation, American multinational companies are bound under the Federal Rules of Procedure 37(a) to preserve relevant electronic data.

The stringent protection of the personal data of European Union citizens stands in stark contrast to U.S. laws, which provide weak protection of U.S. employees’ workplace privacy rights. In contrast with the Member countries of the European Union, it has become common practice for companies on American soil to monitor employee e-mail and voicemail communications stored on the companies’ internal communication systems. The “providers exception” of the Stored Communications Act permits an employer to access electronically stored information “as it sees fit” without violating employees’ privacy rights (Starr and Warren, 136).

Companies can also monitor employee phone calls if done for legitimate business purposes pursuant to the “ordinary course of business exception” of the Electronic Communications Privacy Act of 1986 (“ECPA”) (Starr and Warren, 134). Employees’ internet access, instant messaging and website postings may also be monitored (Starr and Warren, 137).

EUROPEAN UNION’S PROTECTION OF ITS CITIZENS’ PERSONAL DATA

Directive 9