A frantic call comes in. A company’s auditors have found that something is amiss. A whistleblower has come forward or an enforcement agency has come calling, and the company needs to launch an internal investigation. With the increase in enforcement of the Foreign Corrupt Practices Act (“FCPA”), tax fraud, and money laundering laws, internal investigations into serious corporate compliance issues have become commonplace for global companies with a presence in the United States.

One of the first issues that an investigation must address is the collection of information such as emails, text messages, documents, and spreadsheets. One critical question at this point is: how does one collect this information and bring it into the United States without violating non-U.S. privacy laws and other potential legal or regulatory impediments, such as blocking statutes?

The collection itself may not pose any technical or logistical issues. The company’s information technology (“IT”) department may be able to search the company’s servers for emails related to the conduct at issue. The IT department also may be able to collect the data itself, using software previously installed on company workstations that can extract data from laptops and the company network around the world. Alternatively, the company may have outsourced part or all of its IT infrastructure to a third-party service provider. Third-party providers may have similar capabilities but often present more complex legal issues: they may maintain servers in locations outside the jurisdictions where the data at issue were created or received, and may control those servers or applications remotely from yet another jurisdiction (e.g., India). If some information cannot be collected remotely, the company may be able to send outside counsel or other investigators into local offices to collect relevant data or documents. Outside counsel can also conduct on-site employee interviews.
But even if the data collection is technically possible, it may still present legal challenges. The legality of the collection depends on local privacy laws and related requirements in the various jurisdictions at issue. Before giving the green light to start an internal investigation, the company should identify the jurisdictions potentially at issue and review the local privacy requirements in those jurisdictions. This step is important because many countries have adopted local laws regarding privacy, data protection, wiretapping, bank secrecy, blocking, labor and employment, and other legal requirements (collectively, “Privacy Laws”) that apply to data and document collection. No company wants to violate the law in the course of a compliance investigation, particularly since violations of Privacy Laws can risk significant unintended consequences for the company and the investigation. For example, a Privacy Law violation might confer a private right of action upon the individuals concerned (regardless of whether they have committed the underlying violations), attract attention from data protection authorities, incur fines and injunctive relief, and create potential criminal liability for the company and participating individuals, such as corporate directors, officers, and managers.

This article provides a brief overview of the types of local Privacy Laws that may impact data and document collection in internal investigations involving non-U.S. jurisdictions, and outlines practical recommendations for how to address these regulatory risks.

Privacy and Data Protection

Many non-U.S. jurisdictions have comprehensive privacy and data protection laws that restrict the collection, handling, and transfer of any personally identifiable information about individuals (“Personal Data”).
Perhaps the most significant comprehensive privacy laws are established under the European Commission Directive on the Protection of Individuals With Respect to the Processing of Personal Data (95/46/EC) (“EC Directive”). Although a significant review of the EC Directive is underway, each of the EU member countries has implemented the EC Directive through national laws, and the EC Directive will generally apply in the context of internal investigations affecting employees, consultants, consumers, customer contacts, investors, suppliers, or other individuals in the local jurisdictions. For example, if a document or email contains the name of a local company employee, data about payments made or received by such employee, and the name of the third party payee or payor, then the document or email would contain regulated Personal Data about both the employee and the third party. The collection, use, and transfer of this Personal Data during the internal investigation would trigger a range of data protection requirements for the company. These requirements include obligations to: (i) ensure that there is a legitimate purpose to collect and use such data; (ii) provide a sufficient privacy notice to the affected individuals; (iii) obtain consent in some cases, particularly if the data is sensitive (which in some countries includes data about criminal behavior); (iv) maintain reasonable measures to protect the security and confidentiality of such data; (v) complete a filing with the local data protection authority describing the data collection and processing activities; and (vi) confirm that any international transfers of the Personal Data to the United States or other non-EU locations are properly subject to adequate protection. An internal investigation may be delayed or frustrated if the company has not already satisfied these requirements before the investigation begins. 
For example, waiting until the commencement of the internal investigation to provide a sufficient privacy notice to individuals suspected of wrongdoing could lead to concerns about the potential for the destruction of evidence. Some individuals also may refuse to provide consent for the collection of data. Furthermore, given that data protection authorities may have 60 days or more under statutory deadlines to review new filings and may in practice take even longer, the company could be left waiting for government approval before proceeding with the investigation. Additionally, data protection regimes in certain jurisdictions (e.g., Germany) often require consultation with data protection officers. These are employees of the company or external appointees who must report any data privacy violations by the company to the data protection authorities and, as a result, may have to be consulted as part of the collection process.

The international transfer of Personal Data can also cause headaches for those working on the investigation. Data collected during the course of an investigation is often consolidated for review in a single jurisdiction (e.g., the United States). The transfer of Personal Data from other jurisdictions can cause issues if the company has not already taken steps to address the international transfer of Personal Data. Some of these requirements may have already been addressed by the company’s existing global privacy compliance program, or may otherwise be managed on short timelines through practical compliance efforts. Similarly, the company may have addressed the additional complications that arise from outsourcing the maintenance of its IT infrastructure to a third-party service provider. Yet it is still important to consider all of these requirements and identify any potential issues as early as possible.

Wiretapping and Electronic Communications

Many non-U.S. jurisdictions also have wiretapping laws and other requirements that prohibit or restrict the interception, review, or recording of electronic, telephone, or other communications. For example, a portion of the German Telecommunications Act may protect employees’ private emails from review or transfer by the company without employee consent. Violations of this law constitute a crime, and the penalty may include up to five (5) years’ imprisonment. Similarly, the Federal Constitution of Brazil, which applies to companies and other private sector actors, establishes a right to privacy and the inviolability of electronic and other correspondence. The Brazilian Communications Interception Act establishes further requirements for the process of intercepting, reviewing, and recording such communications. Violations of this law carry both civil and criminal penalties. In order to address these requirements, the company may only be able to collect and review communications for which it has obtained the express consent of the employee or, at minimum, provided a sufficient privacy notice to the employee.

Bank Secrecy and Common Law Confidentiality

Industry-specific secrecy or confidentiality requirements may apply to particular data depending on the company, the nature of the data, and the jurisdictions at issue. For example, healthcare data, particularly patient data, may be subject to separate regulations and may have stricter confidentiality requirements. Another example is Greek bank secrecy law, which prohibits local bank operations from sharing certain customer data with any of their affiliated companies or other third parties (including parent companies). This prohibition generally cannot be waived even with express customer consent, and violations of this requirement give rise to criminal penalties. Other jurisdictions have statutory or common law bank secrecy or professional confidentiality obligations that may apply to data gathered in an investigation.
As part of the data collection process, the company may need to take steps to protect such data before it is transferred to the parent company or to any other recipient.

“Blocking” Statutes

Various jurisdictions have adopted “blocking” statutes specifically intended to restrict or prohibit investigations in or affecting the local territory. For example, the French Blocking Statute, subject to applicable treaties or international agreements, prohibits any person from (i) requesting, researching, or communicating, in writing, orally, or by any other means, (ii) documents and information relating to economic, commercial, industrial, financial, or technical matters, (iii) where this would lead to the establishment of evidence for foreign judicial or administrative proceedings (or is done as part of such proceedings). The terms and definitions in the French Blocking Statute must be considered carefully in the context of any investigation, as they may apply more broadly than anticipated. For example, if data are collected and exported as part of an internal investigation in cooperation with the U.S. government, or if data are otherwise shared on an ongoing basis with the U.S. government, the French Blocking Statute may apply.

Labor and Employment Law

If the company has works councils or trade unions, it may need to consult these entities before starting to gather information. The company also may need to address any special terms in collective bargaining or other agreements. In some countries, other specific requirements may apply. For example, in Spain, it may be necessary to allow an employee representative to be present when an employee’s hard drive is imaged or when the employee’s workstation is searched. Violations of labor and employment requirements can lead to fines, practical difficulties with the company’s workforce, and in some cases, criminal liability for company officers.
Additionally, in certain jurisdictions the company must collect documents in a particular manner in order to use them in court (e.g., in a contested termination proceeding). In Spain, the collection may need to be overseen by a notary for the documents to be used in court against an employee. Failure to collect data appropriately may lead to its inadmissibility in court, making it difficult to successfully terminate employees who have engaged in unlawful behavior.

Other Legal Requirements

Additional requirements may apply depending on the jurisdiction at issue. For example, the People’s Republic of China (“PRC”) has adopted various requirements including the Law on Keeping State Secrets and the Regulations of Administration on Secrecy of Computer Information Systems. These requirements may apply to the collection of data and documentation about senior government officials and may restrict the collection and transfer of such information to the United States or other jurisdictions. As with the other categories of Privacy Laws described above, violations of these requirements in the PRC may give rise to criminal liability for corporate officers.

Practical Recommendations

Although a variety of Privacy Laws apply to global internal investigations, companies can take several practical steps to assess and manage such risks. The starting point for the assessment is basic factual information about the investigation, such as the countries involved, and information about the company’s existing privacy compliance program. The company may find that some Privacy Law obligations have already been addressed through privacy notices issued to affected employees, provisions embedded in its agreements with third-party service providers, filings with data protection authorities, or pre-existing cross-border transfer solutions (e.g., data transfer agreements or Safe Harbor certification).
Other obligations may be deferred for a short period of time to avoid concerns about destruction of evidence. It also may be possible to implement remediation measures addressing certain remaining regulatory risks (e.g., by implementing inter-company data transfer agreements). Other solutions to specific issues may involve keeping certain data from the investigation in-country or redacting Personal Data prior to transfer. The specific solution will vary on a case-by-case basis, taking into account the jurisdictions, types of data, company operations, potential penalties, risk tolerance, and other factors at play. Perhaps the most important lesson, however, is that the best approach is for the company to conduct due diligence and get its “house in order” on global privacy issues before the need to conduct a global internal investigation arises.

By Brian Hengesbaugh and Amy de La Lama, Chicago, and Michael Egan, Washington, D.C. This article was first published in Baker & McKenzie’s Inside the FCPA: The Corruption and Compliance Quarterly.
