Internal Investigations under Data Protection Legislation
Many countries have data privacy laws limiting the disclosure of personal information about their citizens. Although the laws are far from uniform around the world, the European Data Protection Directive (95/46/EC) is a leading guide.
These laws motivate corporations, multinationals in particular, to build controls into their record retention systems for e-mail, webmail and text/instant messaging.
The European Data Protection Directive generally instructs European countries to enact local privacy legislation to regulate personal information. That legislation can apply to e-mail and other electronically stored information (ESI). As a practical matter, the details of how local (non-US) privacy laws are implemented and enforced with respect to e-mail are a very complex topic. Some local laws can frustrate internal corporate investigations that might appear, to US-based managers for example, as routine and responsible. They can cause e-mails to be withheld from investigators.
One instance: in 2001 French courts held that a foreign-headquartered company violated the privacy rights of a French engineer when it inspected his e-mail records, stored on company computers. The records revealed he was wrongfully moonlighting on company time. (Doreen Carvajal, "The Workplace: When bosses spy on workers," International Herald Tribune, April 21, 2004.)
As corporations install appliances to store e-mail archives, they should consider whether to implement controls for compliance with local privacy statutes. The controls might include:
1. written policies calling for compliance with local law;
2. technical blocks to prevent unauthorized people or departments from accessing specific records, while granting access to those who have been authorized; and
3. alerts and audit trails to enable after-the-fact review of who accessed which records and when.
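As an added illustration of controls 2 and 3 (not code from the article or from Messaging Architects), the following Python sketch shows how an archive appliance can mediate every read of a stored message: each record is tagged with the jurisdiction of the mailbox owner, each actor holds an explicit grant for the jurisdictions they are authorized to review, every attempt is written to an append-only audit trail, and repeated denials are surfaced for alerting. The record identifiers, countries, actor names and grant table are constructed sample data; real deployments would persist the audit trail outside the reach of the actors being audited.

```python
# Added example (not from the article or Messaging Architects): a toy e-mail
# archive gate that enforces per-jurisdiction access grants and records an
# audit trail of every access attempt. Records, actors and grants are invented.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Record:
    record_id: str
    mailbox_country: str  # jurisdiction whose privacy law governs the mailbox
    subject: str


@dataclass(frozen=True)
class AuditEntry:
    timestamp: str
    actor: str
    record_id: str
    decision: str  # "GRANTED" or "DENIED"
    reason: str


class ArchiveGate:
    """Mediates every read of an archived message and logs the outcome."""

    def __init__(self, records: List[Record], grants: Dict[str, Set[str]]):
        self._records = {r.record_id: r for r in records}
        # grants maps an actor (person or department) to the set of
        # jurisdictions whose records that actor has been authorized to read
        self._grants = grants
        self._audit: List[AuditEntry] = []

    def read(self, actor: str, record_id: str) -> Optional[Record]:
        record = self._records.get(record_id)
        if record is None:
            self._log(actor, record_id, "DENIED", "no such record")
            return None
        if record.mailbox_country not in self._grants.get(actor, set()):
            self._log(actor, record_id, "DENIED",
                      f"no grant for jurisdiction {record.mailbox_country}")
            return None
        self._log(actor, record_id, "GRANTED", "authorized")
        return record

    def _log(self, actor: str, record_id: str, decision: str, reason: str) -> None:
        # Append-only: entries are never edited or removed by this class.
        self._audit.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), actor, record_id, decision, reason))

    def audit_trail(self) -> List[AuditEntry]:
        """Who accessed (or tried to access) which record, and when."""
        return list(self._audit)

    def repeated_denials(self, threshold: int = 2) -> Dict[str, int]:
        """Actors whose denied attempts reached the threshold; feed to alerting."""
        counts: Dict[str, int] = {}
        for e in self._audit:
            if e.decision == "DENIED":
                counts[e.actor] = counts.get(e.actor, 0) + 1
        return {a: n for a, n in counts.items() if n >= threshold}


def build_demo_gate() -> ArchiveGate:
    """Constructed sample archive: three messages, two authorized reviewers."""
    records = [
        Record("msg-001", "US", "Q3 travel expenses"),
        Record("msg-002", "FR", "Side project timesheet"),
        Record("msg-003", "DE", "Vendor contract draft"),
    ]
    grants = {
        "us_hr_investigator": {"US"},
        "fr_works_council_reviewer": {"FR"},
    }
    return ArchiveGate(records, grants)


if __name__ == "__main__":
    gate = build_demo_gate()
    gate.read("us_hr_investigator", "msg-001")  # granted: US mailbox
    gate.read("us_hr_investigator", "msg-002")  # denied: FR mailbox
    gate.read("us_hr_investigator", "msg-003")  # denied: DE mailbox
    for entry in gate.audit_trail():
        print(entry)
    print("alert:", gate.repeated_denials())
```

The design point is that authorization is decided per record by the jurisdiction attached to the mailbox, not by the requester's seniority, so a US-based investigator with a legitimate domestic mandate still cannot pull a French employee's messages without a separate, recorded grant; and because denials are logged alongside grants, after-the-fact review can see attempts as well as successes.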
Mr. Wright is a consultant to Messaging Architects, developer of sound processes for electronic mail record-keeping and investigation.