When most people think about privacy laws, what springs to mind are banks, insurance companies, and health care providers: businesses that move reams of data every day. However, since information, including personal information, is the stock-in-trade for every private investigator, privacy laws impact how private investigators operate, and the expansion of privacy laws affects how the investigator conducts her work and manages the information she obtains. Anyone engaging the services of private investigators should also be aware of how data privacy laws impact the way investigators work and under what circumstances investigators can obtain personal data.
Data Privacy — It’s a Trend
In recent years, many nations, including Brazil and China, have implemented or updated their data protection laws, while other countries, such as India, are in the process of implementing new regulations. Indeed, it has been estimated that by 2023, the personal data of some 65% of the world’s population will be covered by modern privacy laws, up from 10% in 2020. Businesses that collect personal information should not underestimate the impact these laws will have on their operations. In particular, this new regime will have tremendous significance for the private investigator, whose métier is collecting, analyzing, and reporting on what is frequently defined as “personal data.”
GDPR & the EU
While there are bound to be differences in the data privacy standards implemented around the world, the European Union’s General Data Protection Regulation (“GDPR”) is one of the most mature and widely applicable data privacy laws and the one institutions and investigators will look to first for guidance on data privacy procedures.
The overriding consideration under the GDPR, at least from a private investigator’s perspective, is the appropriate use of personal data. Under the GDPR, investigators and their clients need to determine if a “legitimate interest” exists for collecting and processing personal data, assuming that a data subject’s consent is not obtained. Legitimate interests can include collecting personal data to support litigation and detect or prevent fraud or crime. There can also be a legitimate interest to collect such information when it relates to corruption or fraud and could lead to disclosure to regulators. In addition, the GDPR may, under certain circumstances, permit the collection of personal data in conducting an internal investigation into wrongdoing.
An investigator with a legitimate interest for collecting and processing personal data then needs to consider if: (i) the firm has the proper structure and governance to collect, process, and transfer personal information between jurisdictions; (ii) personal data held by the firm is encrypted and adequately protected from theft or improper disclosure; (iii) notice is due the person whose data has been collected; and (iv) the firm has in place a process to promptly handle data subject access requests.
Data Privacy Is Now Coming to the United States
While data privacy regulation has traditionally been limited in the United States, efforts to enact a more stringent regime have gained momentum over the past few years, with a patchwork of laws being adopted in various states including California, Virginia, and Colorado. Some twenty states and the District of Columbia are considering enacting such laws and the federal government is looking to regulate data privacy nationally through a proposed statute called the American Data Privacy Protection Act (ADPPA). As of the date of this article, a vote on the bill is pending in the US House of Representatives.
The ADPPA differs from the GDPR in that it is primarily data-based, rather than use-based. Therefore, if the ADPPA is enacted as drafted, the preliminary question for an investigator will concern the data source rather than the use of that data by the investigator and the client.
The ADPPA seeks to regulate “covered data,” that is, any data that “identifies or is linked or reasonably linkable to an individual or a device that identifies or is linked or reasonably linkable to one or more individuals, including derived data and unique identifiers.” However, and most importantly for the private investigator, covered data does not include “publicly available information.” The statute defines “publicly available information” as information coming from sources that already form much of the basis of the investigator’s research, including: (a) government records; (b) widely distributed media, including Internet broadcasts; (c) websites and online services available to the public; and (d) disclosures made to the public required by law.
Since much of an investigator’s research encompasses publicly available records such as those from the media, the Internet, or government agencies (e.g., court records), the ADPPA, at least in its current proposed form, will likely have a limited impact on the investigator’s collection and use of these categories of information regarding individuals. However, an investigator should always be cautious about collecting and retaining such data, as investigations are often multi-national and frequently implicate subjects in other jurisdictions. Investigators who are cognizant of these strictures will find that data privacy laws such as the GDPR and the ADPPA will not prove an obstacle to conducting successful and legal investigations on behalf of their clients.