How to manage complex cross-border internal investigations
US and European regulators take very different approaches to handling issues as diverse as whistle-blowing and data protection, making cross-border investigations into financial crime a challenge. By Jason Masimore, trial attorney and investigator, Kobre & Kim.
There are vast differences between how European countries and the US approach issues relating to white-collar criminal prosecution, for numerous cultural and legal reasons.
Among those differences:
- Whistleblowers in the US can reap eight-figure rewards; whistleblowers in European countries can face imprisonment and fines.
- US authorities aggressively and independently use non-prosecution agreements to cultivate co-operators; many European authorities are only beginning to use such agreements, often accompanied by heavy judicial oversight.
- US authorities rely on the results of internal investigations conducted by corporate counsel; many European authorities are more skeptical of those lawyers.
- US authorities are used to an “at will” employment environment, in which employees may be fired for any reason or no reason at all, provided it is not for one of a limited set of constitutionally impermissible reasons; by contrast, European labour laws are heavily employee-protective, making it difficult to terminate employees for not co-operating in internal investigations or engaging in malfeasance.
The most significant US/European difference within the scope of US cross-border investigations may only be an afterthought to a lawyer with a US mindset: the European notion of personal data protection.
Data protection differences
US employees enjoy no privacy when using corporate IT systems. Indeed, US laws typically only protect small subclasses of data not often relevant in cross-border investigations, such as private health records. By contrast, the EU aggressively protects individuals against the “collection,” “storage,” “consultation,” “use,” “transmission,” and “dissemination” of “any information relating to an identified or identifiable natural person”. Regulation (EU) No 2016/679, Art. 4(1) & (2) (27 Apr. 2016) (the “2016 Regulation”). Under the EU model, protection against these uses of personal data “is a fundamental right”. 2016 Regulation, cl. (1).
The broad, enforceable data protection rights that EU-based employees enjoy are unlike anything in the US. Subject to country-specific regulations, an EU-based company:
- must be “transparent” in its investigation, informing employees under investigation that a data file exists if there is no substantial risk that the employee might jeopardise the investigation (see Opinion 1/2006, Art. 29, Data Protection Working Party, 00195/06/EN WP117 (1 Feb. 2006))
- must provide employees, including the targets of its investigation, with access to the data collected and an opportunity to correct data that the employees regard as inaccurate, “including by means of providing a supplementary statement,” 2016 Regulation, Arts. 15 & 16
- must provide employees with the right to withhold consent concerning the processing of their data, see 2016 Regulation, Art. 7
- may only transfer data to the US pursuant to a complex privacy shield framework approved by the EU, which exceeds 100 pages, Commission Implementing Decision (EU) No 2016/1250 (12 Jul. 2016).
Data protection sensitivities
These data protection requirements are at odds with US-style investigations, which value unhindered secrecy and completeness. If an entirely domestic US company informed prosecutors that it held back in an internal investigation to protect privacy, the prosecutors would question the fullness of the company’s co-operation, increasing its risk of a large fine. However, a company’s failure to protect EU-based employees during an internal investigation – even in anticipation of a US-led cross-border investigation – can result in significant negative consequences, including a €20m fine, starting from May 2018. See EU General Data Protection Regulation, Art. 83 (Apr 8, 2016). Therefore, a company’s lawyers must assure US authorities that it conducted a full and unimpeded investigation while vigorously following the applicable EU privacy protection frameworks. Global companies and lawyers practicing in the cross-border defence space should consider the following:
- Prepare data processing procedures for internal investigations in advance.
- Follow local directives on appointing data processing controllers, and specifically define their responsibilities during investigations.
- Prepare contractual language governing data transfers to US lawyers and vendors, such as investigators and potential expert witnesses, ensuring compliance with local requirements.
- Implement a data hold as soon as situations risking US cross-border investigations arise, and promptly engage US-qualified counsel who understand data protection restrictions.
- Carefully limit the scope of the internal investigation to essential witnesses and materials. Scope limitation allows the company to avoid obtaining employee consent in advance of investigating, which makes the company appear more cooperative to US authorities. See 2016 Regulation, Art. 5(c).
- When dealing with less-sophisticated US authorities, explain data protection restrictions immediately and articulate a plan to conduct a full investigation within the applicable parameters. A company’s adherence to thoughtful procedures established prior to the crisis will increase its credibility.
- Obtain early buy-in on scope limitation from US authorities, when possible. Explaining the plan for conducting a full-scope investigation within the required parameters is an opportunity to build rapport with the authorities and demonstrate a cooperative stance.
- During the investigation, be aware of data processing rules and avoid creating additional protected data when possible, including within witness interview notes.
- Allow employee access and corrections to data as required, but notify US authorities in advance to maximise credibility and cooperation.
- Engage in joint defence communications with counsel for individuals; it may be in their interest to appear cooperative to US authorities by refraining from exercising data protection access rights in a manner that might be interpreted as impeding the company’s co-operation.