We use cookies on our website. To learn more about cookies, how we use them on our site and how to change your cookie settings please view our Cookie Statement.
By continuing to use this site without changing your settings you consent to our use of cookies in accordance with our Cookie Statement.
May 2020
Insights/Private Investigators and the GDPR: Be Careful What You Ask For—You May Get It

Private Investigators and the GDPR: Be Careful What You Ask For—You May Get It

By Mark Califano

Two years after the implementation of the most ambitious privacy regime in history, data protection agencies remain woefully understaffed, with referrals growing and resources lagging far behind, according to a complaint filed recently with the European Commission. Yet, while they may not do all they should, data protection authorities apparently continue—somewhat inconsistently—to pursue the misdeeds of investigative firms. Further, some investigative subjects have begun to invoke the General Data Protection Regulation (“GDPR”) and related data protection laws to cudgel careless and often unscrupulous investigative firms that ignore these laws and misuse personal information.

Companies and counsel need to know the investigative firms they employ comply with, and can help them navigate, the strictures of the GDPR. The investigators must be legally and operationally structured to handle sensitive personal information appropriately, properly memorializing the information they gather and the purposes for which they gather it.

London, host to a dense concentration of investigative and intelligence firms, is also home to the UK Information Commissioner’s Office (“ICO”), one of Europe’s larger data protection enforcement staffs. The ICO first asserted jurisdiction over private investigators, an otherwise unregulated industry, in 2003. In Operation Motorman, the ICO prosecuted investigators for purchasing personal information contained in government computer systems from police and government employees. Since then, the ICO has sporadically pursued private investigators’ misdeeds. It secured its first convictions under the GDPR and the 2018 Data Protection Act (“DPA”) against an insurance adjuster and private investigators hired to illegally obtain the bank information of a claimant. Investigators behaving badly can be targets for ICO enforcement as can their clients.

The GDPR and the DPA require investigators, counsel, and clients to understand and document the legitimate purpose for obtaining and processing personal data. Further, the investigative firm must also be equipped to process that data in accordance with the GDPR. For example, the personal information of a subject may be collected for litigation or to detect or prevent crime or fraud. Clients may also have a legitimate interest in collecting personal information of subjects in order to investigate potential corrupt activity or fraud, particularly where discovery of such evidence could result in regulatory or other disclosures. Other legitimate bases recognized by the GDPR include: (i) investigating suspected wrongdoing in one’s business or the improper behavior of a competitor that could adversely affect one; (ii) conducting due diligence in connection with business transactions, including acquisitions, mergers, loans, or other investments; and (iii) investigating present or prospective employees, officers, or directors. These examples are not exhaustive. It is essential that the investigative firm has the experience and competence to help the client and counsel properly weigh the legitimate interest of the client in collecting personal information against the legitimate interest of the subject in keeping in the information private and to guide the investigation accordingly.

Determining whether an investigative firm can articulate a legitimate basis for collecting personal information is not the end of the inquiry. A prospective client also needs to consider if: (i) the investigative firm has the proper structure and governance to collect, process, and transfer personal information between jurisdictions; (ii) personal information held by the firm is encrypted and properly protected from theft or improper disclosure; (iii) there is a lawful basis to excuse notice to an individual when gathering personal information; and (iv) the firm has in place a process to promptly handle data subject access requests. Accordingly, counsel must be alive to these requirements and must assure himself that his investigators are as well. When an investigator cannot answer these questions in a satisfactory manner, look elsewhere.

Ignoring these requirements, reasoning you can get what you need without being caught or pursued by harried regulators, can risk significant legal exposure for counsel and the client. If a subject learns that a client, counsel, or an investigative firm is collecting and processing his personal information, he can file a data subject access request to obtain all the information collected and processed and an explanation of what it was used for and to whom it was provided. These requests can be made in almost any form, including orally, and must be answered promptly, within a month of receipt. Unless a lawful basis exists to exempt the investigator from responding, the investigation file and the use to which it has been put may have to be disclosed.

In 2016, after an undercover investigation went spectacularly awry, members of an anti–asbestos activist group sued an investigative firm and its operative, a former reality TV producer, for breach of confidences, misuse of confidential information, and data privacy violations. The investigative firm had hired the operative to pose as a documentary filmmaker seemingly sympathetic to the anti–asbestos group. The operative’s findings, obtained by frank deception, were then sent to the investigative firm and its client, an asbestos conglomerate. After the operative confided in him, the founder of advocacy group Global Witness urged the operative to come clean. When he refused, the investigative firm that employed him was sued for breach of confidence and of the UK Data Privacy Act of 1998.The firm and operative incurred significant legal fees and paid damages to the claimants to resolve the case. Since then, other claimants have pursued similar behavior by investigators by alleging harassment and invoking the GDPR and its implementing legislation, the DPA.

As investigators continue to engage in deception, misrepresentation, and other chicanery to obtain personal information, complaints and sanctions will increase. “Don’t ask, don’t tell” is not an option for clients or counsel when considering engaging an investigator. Counsel must understand the plans of, and methods used by, the investigators they hire. Those who believe certain questions are too silly to ask an investigator before he starts work may wind up standing next to that investigator in the dock.



We've got you covered


We get to the truth before it's too late


Why risk it?