Privacy Laws in Europe Affect How Investigators Document Cases

I attended a regional meeting of the Council of International Investigators (CII) this weekend in Bratislava. Although I’m not a member of CII, I attended because someone told me that private investigations are illegal in Slovakia (something that turned out not to be true), and the prospect of meeting other investigators in a place where our work is banned was too good to pass up. Besides, it was in Bratislava where I proposed to my wife five years ago, atop the tower above St. Michael’s Gate. It’s a familiar town, and it was a unique opportunity to learn something new about international investigations.

The meeting included private investigators from all over Europe, along with a handful from other places, such as Israel and India. The means of investigating are very different in different parts of the world, where privacy laws can be poles apart, and it was fascinating to hear other investigators explain how they gather information where they live.

In the European Union, all countries are required to have a data protection act that comports with the Data Protection Directorate issued in 1995. These data protection laws generally dictate that consumers must be notified and must give consent when their information is collected or transferred to a third party. Those parties must then hand over information they collect upon request of the consumer.

As European private investigators (like investigators everywhere) frequently gather information about individuals, they can often find themselves mired in the mud of data protection. This poses problems for these investigators, since not being able to maintain records of their cases, and being required to share information about their investigations with the subjects they’re investigating, is the antithesis of what a good investigation would normally entail in, say, the United States.

What I’ve found is that the investigative industries in different countries have worked out this apparent contradiction in unique ways. For example, Anne Styren, the owner of Profile Intelligence in Stockholm, explained how transparency was a tradition in Sweden. “The first Swedish Freedom of the Press constitutional law was written in 1791, and the principle of public access to official documents [the equivalent of the Freedom of Information Act in the United States] was included already at that time. The Data Act [passed in1973] and the Personal Data Act [1998] are in comparison very young.” Information about citizens is collected by the government, which makes this information available to anyone who asks for it. The available information can be highly personal data, including tax and income information, and even matters decided by a family court. “The only thing you need to know is where to call and who to ask,” said Anne.

The problem in Sweden, as Anne explained it to me, is “the conflict for investigators between the public access to official documents, such as court rulings or financial information, and the Personal Data Act, which stipulates rules for gathering, registration, and maintaining information about individuals.” The moment a private investigator puts information about an individual into a document or registry that is searchable, the investigator would immediately fall under the personal data protection regulations. Personupplysningslagen (PUL) is the applicable concept in Sweden that a person owns their own information. Such information is regulated by the Data Inspection Board.

As Profile Intelligence deals in investigations of businesses, Anne is not so concerned about running afoul of PUL as “there are situations where other laws allow collection and registration of personal information,” but other firms specializing in pre-employment screening have faced the wrath of the Data Inspection Board over this issue. Anne explained how, after a handful of investigative companies which specialized in background investigations came under investigation themselves in 2010 for violating PUL, two of them decided to challenge the authorities in court. ”The court ruled in 2011 in favor of the Data Inspection Board and ruled that the companies must comply with PUL and, for example, stop registration of court rulings and be more careful with personal financial matters.”

Complying with the law in Sweden when you’re doing investigations that focus on individuals essentially means not processing your findings in structured reports. Theoretically, a private investigator can hand-write his or her reports and then fax them to clients, but more typically an investigator will convey the information verbally to clients. Other companies have gotten around PUL by citing a publishing exception. In other words, you can gather certain information about individuals provided you are a “publisher.” If you publish your findings then the Freedom of the Press supersedes PUL, and what you essentially have is an investigative database sort of like the ones that exist in the United States.

The next day, while I was still imagining what private investigations would be like in the United States without investigative reports, I had lunch with Paddy Beiner, a gregarious former Kroll analyst from the United Kingdom who now works for CEE Consulting Group in Warsaw.

“Previously, the state had a monopoly on surveillance and investigations,” Paddy explained, so the Polish government, concerned about private investigators turning the tables on politicians, essentially banned record keeping. He explained to me how Poland’s private investigation licensing laws, which predate computers, prohibit companies from maintaining paper dossiers on subjects (in contrast to Sweden’s prohibition on keeping digital records).

However, there is one major exception to the requirement to destroy investigative records in Poland. “In a situation where it becomes clear that the target of our investigation is involved in a criminal case, we must immediately inform the prosecutor about our investigation, and we must keep any files and documents pertaining to our investigation for two years, during which period the court [or] prosecutor can demand to have access to them.”

Although companies are required to keep a “detective contract” for each case, none of the substantive information can be maintained, at least not on paper—unless it might relate to a government investigation. The contract requires clients to acknowledge whether they intend to use the information in a court of law or not. Records will only be admissible in court if clients acknowledge up front that they intend to use them for this purpose.

Understandably, not maintaining records sometimes causes problems for private investigators in Europe, who can, for example, find it difficult to discern if they have a conflict of interest without any records to check. “How can you determine if you have a conflict of interest if you don’t keep a record of who you’ve investigated?” quipped Paddy. He explained that it’s not only the subjects of investigations which might create conflicts, but also their business affiliations and other “ancillary targets.”

Obviously, the prospect of having to turn over your case files to the government is troublesome in itself, but that’s a topic I’ll address in a different article.

Besides conflicts and government meddling in private investigations, not maintaining investigation files is a significant disadvantage in our line of work. Paddy explained, “In the past your files were your selling point, especially when looking at really high-level, big players.” Companies that had been in business for fifty years could draw on those sources again and again.

This reminded me of something Anne told me the day before, that Sweden’s transparency laws—even despite the hoops that investigators have to jump through to convey information to clients—give companies who hire firms like Profile Intelligence a significant “competitive edge” in doing business in Sweden.

Information truly is valuable, and experience has shown that people will find a way to get it (and keep it) even when governments attempt to curtail the access and storage of information in the name of privacy.

After lunch, Paddy let me tag along on a site visit for a Foreign Corrupt Practices Act (FCPA) investigation he happened to be working on in Bratislava. The FCPA requires U.S. businesses operating overseas to undergo some degree of due diligence when doing business with foreign companies, and he had to determine if a company’s office was where they claimed it was. Site visits generally involve taking pictures of the building and any signage. They are almost invariably done in concert with a more thorough due diligence investigation that draws on records from many different sources.

We took a cab to the site location, and I tried to stay out of the way as Paddy took the required pictures. In some ways, investigations the world over are all the same. What’s principally different is how we obtain, share, and store the information we collect.

I’d argue that systems which disallow the documentation of investigations don’t actually protect people’s privacy as much as they create unnecessary hurdles for investigators to collect information ethically and accurately. Destroying investigative files, for example, increases the likelihood of conflicts, and information conveyed verbally is more likely to contain errors. Recall, for example, the mistaken rumor I heard about private investigations being banned in Slovakia.

As Anne put it, “Public information that is correct is more ethical.”

I’d add, a regulated private investigations industry, where the rules are clear and reasonable, is more likely to adhere to sound, ethical business practices, which is altogether better for everyone.

More by | Philip Becnel Philip Becnel , Law.com Contributor
LOAD MORE