Strategic Considerations in Cross-Border Investigations
This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight
This chapter offers insight into how to navigate the modern complexities of cross-border securities investigations, in particular those involving the US Securities and Exchange Commission (SEC) and the US Department of Justice (DOJ). In contrast to purely domestic investigations, cross-border investigations may involve uncertainty as to whether information, documents and witnesses that reside outside an authority’s traditional territorial jurisdiction are nevertheless subject to the authority’s reach. While jurisdictional complexities, data privacy protections and incompatible legal systems may constrain cross-border efforts, recent multilateral and bilateral agreements may catalyse investigations. At the same time, the subject of a cross-border securities investigation must consider the dichotomies in information and access between it and its regulators. Careful cooperation and coordination with the SEC, the DOJ and foreign agencies is a crucial element in successfully resolving any cross-border securities investigation in a manner most favourable to clients.
Initial strategic considerations
To the extent that self-reporting is an option, the first strategic consideration in a cross-border matter involving securities laws is whether, when, to whom and how a company should report potential securities-related misconduct. Whether the misconduct is suspected or confirmed through an internal investigation, a company must weigh the potential benefits, risks, need and wisdom of self-reporting. The myriad considerations in this holistic inquiry include the ability to control the information flow to regulators, likelihood of cooperation credit and reduced penalties, reputational impact (such as influence on share prices) and costs of outside counsel. Different jurisdictions have different rules on announcing or publishing the identity of a suspect, target or defendant.
Critical to the calculus of whether and how to report to and cooperate with securities regulators is the increased cooperation and information sharing among enforcement governments. When dealing with a singular regulator in a single jurisdiction, a company may have a greater opportunity to influence the enforcement narrative to its benefit. Information that is shared in one jurisdiction may easily become known in another jurisdiction, potentially with different exposure for liability and without any required notice to the subject of investigation.[2]
Therefore, the subject of an investigation must assume that any information that is shared with one regulator will be known by every other relevant regulator across multiple jurisdictions. For example, US Deputy Attorney General Lisa Monaco announced in October 2021 that, among other ‘new actions’ being taken by the DOJ to strengthen its enforcement against corporate crime, prosecutors must consider ‘all misconduct by [a] corporation discovered during any prior domestic or foreign criminal, civil, or regulatory enforcement actions against it’ when making charging decisions, whether or not the ‘past misconduct is similar to the instant offense’.[3] From this assumption, the driving force behind self-reporting is determining which jurisdiction has the most onerous regulatory regime so that the subject is ahead of compliance with any self-disclosure requirements. For example, while the threshold for reporting regulatory breaches to the UK Financial Conduct Authority (FCA) or the UK Prudential Regulation Authority (PRA) is very low, a party must weigh the relative investigation burdens by foreign authorities.
At the same time, cross-border investigations may involve multiple regulators with different enforcement cultural nuances (beyond strict legal authority). A company must also take these local cultures into consideration, including the aggressiveness of enforcement and prosecution, differing treatment of witnesses, risk of heightened regulatory scrutiny across businesses and changing political pressures on enforcement. For example, in 2018, the DOJ announced a new ‘anti-piling on’ policy aimed to ‘discourage disproportionate enforcement of laws by multiple authorities’, recognising the increasing number of simultaneous investigations across numerous jurisdictions, potential inequity of cumulative prosecution and the need to credit companies (where appropriate) for penalties paid in other jurisdictions.[4] Under this policy, which is included in the US Attorneys’ Manual,[5] the DOJ considers the totality of fines and penalties imposed by all government agencies so as to avoid ‘piling on’ excessive punishment. On the other hand, in December 2020, a senior DOJ official warned companies against using the policy ‘offensively or tactically’ with the DOJ, undermining the potential to use the anti-piling-on policy to successfully defend against charges.[6] Further, given the attention paid to investigations into multinational corporations and high net worth individuals, regulators may compete with each other to secure the highest penalties from the investigation’s subject. All these dynamics must factor into a company’s decision to self-report and cooperate.
Basics of coordination among international regulators
Generally, a regulator’s direct ability to access evidence abroad (i.e., outside its jurisdiction) is limited.[7] However, regulators and securities authorities have a wide range of informal and formal tools for coordinating securities investigations, including mutual legal assistance treaties (MLATs), memoranda of understanding (MOUs) and specific agreements between countries in relation to particular subjects.[8] These tools can serve to manage constrictions such as confidentiality assurances, bank secrecy laws, dual criminality requirements or weak legal authority in a foreign counterparty to access information and data abroad. These coordination tools have only grown in recent years, and US authorities have signalled an intention to maximise reliance on domestic and international coordination. For example, US Attorney General Merrick Garland announced in March 2022 that the DOJ would be adding ‘force-multipliers’ to its prosecutors and agents, including ‘partnerships at every level of government and around the world’.[9]
Traditionally, MLATs were a common method through which the SEC and other US enforcement authorities enlisted the cooperation of foreign authorities during cross-border investigations. MLATs are bilateral agreements that authorise government attorneys to request and obtain evidence – physical, documentary and testimonial – located abroad. Outside the DOJ’s criminal investigations, the SEC is one of a few civil regulators in the United States to which MLATs are available. The US has signed MLATs with over 70 countries, including every Member State of the European Union.[10] However, the MLAT process has been widely criticised as being too slow for modern cross-border investigations, leading to more recent agreements and tools to accelerate and facilitate obtaining evidence abroad. Yet the MLAT process continues to be used in investigations and enforcement actions; recent attention has even been given to the risk of US prosecutors using MLAT requests to suspend statutes of limitation that would otherwise have expired.[11]
In 2002, the International Organization of Securities Commissions (IOSCO) formed a non-binding agreement – the Multilateral Memorandum of Understanding Concerning Consultation and Cooperation and the Exchange of Information (MMOU) – to standardise the protocol of information sharing among international securities regulators. The MMOU created incentives for jurisdictions to enact legislation enabling information sharing among international regulators, and more than 100 securities and derivatives regulators are now signatories to the MMOU (including the SEC and the US Commodity Futures Trading Commission (CFTC), the Hong Kong Securities and Futures Commission, the FCA and the Australian Securities and Investments Commission).[12] The result has been to ‘increas[e] and expedit[e] the SEC’s ability to obtain information from a growing number of jurisdictions worldwide’.[13]
Specifically, the MMOU provides for: (1) sharing information and documents held in regulators’ files; (2) obtaining information and documents regarding transactions in bank and brokerage accounts, including the beneficial owners of those accounts; and (3) taking or compelling a person’s statement or testimony.[14] The MMOU further provides that shared information may be used in administrative and civil proceedings, as well as provided to law enforcement. Prior to the MMOU, the SEC relied on bilateral MOUs for individual countries, which it negotiated directly with foreign regulators.[15] In light of the IOSCO MMOU, SEC staff now recommend the negotiation of a bilateral MOU only if a foreign securities authority is empowered to provide assistance beyond that required by the IOSCO MMOU, such as the ability to compel testimony or the gathering of internet service provider (ISP) and phone records.[16] However, the SEC still considers bilateral MOUs, where available, to be ‘crucial’ to its investigations and an ‘excellent supplement’ to the MMOU.[17]
For example, when the SEC sought discovery through various MOUs from 10 foreign regulators in civil litigation, the defendants objected that the requests for assistance issued to foreign regulators operated outside the supervision of any court, because ‘there d[id] not appear to be a mechanism for a foreign business entity to challenge the scope or propriety of a Request’.[18] In addition, the defendants claimed that the MOUs did not require them to be notified when the SEC issued a request or to be informed about what the request contained or what documents were obtained as a result of the request.[19] The court rejected the defendants’ challenge to the SEC’s use of the MOUs, noting that ‘the fact that this discovery tool is one-sided does not render it unlawful’ and that the SEC was acting within the scope of the MOU authority.[20]
As of 2019, the SEC (and the CFTC) is also a signatory to IOSCO’s 2016 Enhanced Multilateral Memorandum of Understanding (EMMOU), which specifically addresses information sharing among securities and derivatives regulators and enhances cross-border enforcement cooperation.[21] The EMMOU provides for new types of assistance for signatories, including: (1) compelling testimony under oath; (2) obtaining auditing information and other information relating to review of financial statements; (3) freezing or sequestering funds or assets; (4) obtaining subscriber identification records from telephone companies and ISPs; and (5) obtaining recordings of telephone conversations or other electronic communications maintained by regulated financial institutions.[22] Other signatories include securities authorities from Switzerland, the United Arab Emirates, the United Kingdom, Canada, Singapore, Korea and Hong Kong.[23]
In March 2018, the US Congress passed the Clarifying Lawful Overseas Use of Data Act (the CLOUD Act), in part to address delays associated with MLAT requests for electronic information (such as emails, texts or social media posts). The CLOUD Act authorised US law enforcement agencies to obtain data in the possession, custody or control of communications service providers (CSPs) subject to US jurisdiction, regardless of where in the world the data is physically stored. This provision resolved an ambiguity in a prior law by clarifying that even if a CSP subject to US jurisdiction stores data outside the United States, it must still produce that data to US enforcement authorities when served with a subpoena or warrant.
The CLOUD Act also contemplates the conclusion of bilateral agreements with certain ‘trusted foreign partners’ for law enforcement in both jurisdictions ‘to obtain direct access to . . . electronic evidence, wherever it happens to be located, in order to fight serious crime and terrorism’.[24] Among other things, these bilateral CLOUD Act agreements permit law enforcement in one jurisdiction to issue demands for production directly to CSPs in the target jurisdiction, without the courts in the target jurisdiction separately authorising these demands.[25] In 2019, the United Kingdom and the United States executed the first bilateral agreement pursuant to the CLOUD Act, which entered into force in October 2022.[26] In 2021, Australia and the United States executed the second agreement, which is currently under review by the legislatures of the two countries and is expected to enter into force by the end of 2022. The United States and Canada announced the beginning of negotiations for a bilateral agreement pursuant to the CLOUD Act in March 2022.[27]
As signatories to the IOSCO MMOU and the EMMOU, the SEC and CFTC are required to give overseas regulators the ‘fullest assistance permissible’. However, regulators may consider whether an overseas regulator has abused or overused its requests to the counterparty regulator and whether the demands of the overseas regulator have had a negative impact on the counterparty regulator’s own resources. Although the subject of a securities investigation cannot anticipate these dynamics, the potential for inter-authority tension, along with the ever-more-likely inter-agency cooperation, must factor into the subject’s strategic considerations.
Congress has also expanded the tools available to US regulators through the Anti-Money Laundering Act of 2020 (the AML Act), which was passed in January 2021 as part of the National Defense Authorization Act for Fiscal Year 2021. The AML Act includes some of the most extensive reforms to US anti-money laundering laws since the PATRIOT Act, including a significant expansion of the ability of the DOJ and the US Department of the Treasury (the Treasury) to obtain evidence from foreign financial institutions. Pursuant to Section 6308 of the AML Act, the DOJ and the Treasury may issue a subpoena to any foreign bank that maintains a correspondent account in the United States. Notably, they may request any records relating to the correspondent account, in addition to any records relating to ‘any account at the foreign bank, including records maintained outside of the United States’ if those records are the subject of any investigation involving a violation of US federal criminal law, in any civil asset forfeiture case, in any investigation conducted under the Bank Secrecy Act or in an investigation pursuant to 31 US Code Section 5318A.[28] While the foreign financial institution may petition for relief from the subpoena before a US court, Section 6308 states that the existence of a conflict with a provision of a foreign secrecy or confidentiality law cannot be the sole basis for quashing or modifying a subpoena.[29]
Of course, in addition to these formal channels, international regulators may also informally choose to share investigative strategies and information on an ad hoc basis. For example, overseas regulators may attend interviews conducted by the SEC or CFTC at the discretion of the US authority. As noted above, self-disclosed information from financial institutions is likely to be shared – very quickly – between regulators, both local and international. Potential subjects of securities investigations must also be aware of non-governmental organisations that enforce relevant rules: for example, the Egmont Group of Financial Intelligence Units consists of the financial intelligence units of 164 countries and provides a platform to exchange information.[30]
Importantly, many of these information gathering tools are available to government securities enforcement attorneys, during both investigations and legal actions – not to private parties defending against potential or actual charges of securities law violations. In the US, for example, even individual criminal defendants pursuing evidence and testimony abroad after charges have been filed must request that a court issue letters rogatory to foreign countries; courts lack the authority to order the government to exercise its MLAT powers to request evidence and testimony from foreign countries when the letters rogatory method proves ineffective.[31] Letters rogatory are less formal than MLAT requests, and compliance is left to the discretion of the courts in the requested country. Therefore, subjects in securities enforcement investigations (even more so than defendants in securities enforcement actions) face significant dichotomies in accessing evidence abroad that is not within their own control.
Management of evidence production to various international agencies
Responding to the SEC and other international securities regulators generally entails providing relevant, non-privileged information, including documentary and testimonial evidence. These responses range from complying with a subpoena or other compulsory process to the voluntary provision of information.[32] In practice, although there is little a company can do to resist complying with formal or compulsory requests without resorting to court proceedings, a company may negotiate with the relevant authority regarding the scope of documents responsive to the request, as well as the timing of production, to its benefit and as part of its holistic strategy.
A company’s strategy in managing a cross-border investigation becomes more complicated as it must manage responses to multiple authorities in different jurisdictions with differing areas of focus. Even in light of the increasing international cooperation among regulators, a company facing requests for formal disclosure may want to consider whether there is any strategic advantage to disclosing to one authority before another. At the same time, there are no restrictions in the United States regarding a firm sharing information about a domestic regulatory investigation with overseas authorities.
Within the US, if there are parallel investigations by the DOJ and the SEC, the SEC may expect a company to voluntarily produce evidence simultaneously to the DOJ so as to avoid necessitating the issuance of a grand jury subpoena by the DOJ, which is governed by grand jury secrecy requirements of Rule 6(e) of the Federal Rules of Criminal Procedure, and which would limit sharing of evidence with the SEC by DOJ prosecutors. Therefore, a US company should be prepared to make simultaneous productions as part of its cooperation.
In any event, a company must maintain the utmost organisation of identifying and processing information and documents, while both managing regulators’ expectations and maintaining a strategic, global view of the investigation. Importantly, evidence production also implicates questions of legal privilege (including choice-of-law) questions – discussed in detail in Chapter 4 – as well as data privacy issues, discussed below.
Protecting against breach of data privacy and other laws in one jurisdiction while satisfying expectations of cooperation in another
Although there are few grounds on which a company can object to a national regulator providing information to overseas regulators, one of these grounds is that local laws may restrict a company’s or the regulator’s ability to transfer individual data overseas. Previously, a cooperating company may have considered voluntarily handing over more data than specifically required to demonstrate its willingness to cooperate (and, perhaps, to secure time to further internally investigate potential misconduct). Business today is saturated with electronic data, causing friction for a company subject to a cross-border investigation between satisfying the expectations of cooperation with regulators in one jurisdiction, while complying with more restrictive data privacy laws in another. Some countries, including France and the United Kingdom, have instituted civil or criminal liability for violation of their data privacy laws through blocking statutes.[33]
Notably, there is no comprehensive data privacy law at the federal level in the United States, although several US states have implemented these laws on the state level,[34] and sectoral regimes exist at the federal level (e.g., the Financial Privacy Rule applicable to certain personal information collected by banks, insurance companies and other companies operating in the financial services sector under the Gramm–Leach–Bliley Act,[35] and the Privacy Rule applicable to certain health-related personal information collected by covered entities under the Health Insurance Portability and Accountability Act).[36] Other jurisdictions have more comprehensive regimes. For example, the EU General Data Protection Regulation (GDPR) (in effect since 25 May 2018) applies both within the EU and to data controllers and processors (as defined in the Regulation) outside the EU, and restricts transferring data to countries that do not have adequate privacy protections.[37]
The European Commission determines whether a country has adequate protection for EU data on a case-by-case basis; it has recognised that, for example, the United Kingdom, Japan, New Zealand and Switzerland provide adequate protection.[38] The United States is not among these jurisdictions. In July 2020, the Court of Justice of the European Union issued a decision in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (Schrems II ) in which it declared the EU–US Privacy Shield (one of the historical mechanisms for EU–US personal data transfer) invalid because the United States did not have adequate protections in place.[39] The Court also held that companies must verify, on a case-by-case basis, whether the laws in non-EU jurisdictions such as the United States ensure ‘adequate protection’ of personal data under EU law before transferring data subject to the GDPR to these jurisdictions.
Notwithstanding the above, Article 49 of the GDPR provides for a limited number of exceptions or ‘derogations’ for transfers to jurisdictions that have not been found to provide adequate protection, including a derogation for situations where ‘the transfer is necessary for important reasons of public interest’.[40] Significantly, the United Kingdom’s data protection authority has provided guidance that SEC-registered firms based in the United Kingdom can rely on the public interest derogation under the local data protections law to transfer records containing personal data to SEC staff during examinations.[41] Other potential solutions for companies seeking to comply with US disclosure obligations include redacting protected personal information before providing documents to authorities, though this may not be practical for high volumes of data.
Other jurisdictions have passed data privacy laws, including, but not limited to, Japan, Russia, India, Canada, the United Arab Emirates, Mexico, Taiwan and China.[42] Because of potentially applicable ‘blocking statutes’ regulating – and, in some instances, criminalising – the production of protected information for foreign legal proceedings, companies operating internationally may consider it necessary to initiate proceedings in the United States or in their home jurisdictions to determine their disclosure-related rights and obligations, before taking action in a regulatory investigation. While courts may cite comity and defer to foreign statutes limiting access to information, there is a risk that courts may find that the importance of the information, weighed with the relative interests of the requesting and resisting countries, compels production of the protected data. Similarly, the DOJ has indicated that it does not look favourably on what it considers overly broad assertions of data privacy laws as grounds for withholding what the DOJ considers to be relevant documents. As noted above, Section 6308 of the AML Act expressly states that conflicts with foreign laws requiring the secrecy or confidentiality of personal data cannot form the sole basis for a court to quash or modify a subpoena for foreign bank records under the statute.
Protecting jurisdictional defences in a country while responding to regulatory inquiries
Companies subject to cross-border investigations, even when cooperating with authorities, must not lose sight of jurisdictional defences to investigation and prosecution. For example, apart from bilateral agreements made pursuant to the CLOUD Act, there are no mechanisms that enable an overseas regulator to request information directly from firms in the United States. However, in the US, the DOJ and SEC can subpoena documents from corporate entities present in the US and are generally entitled to documents of related, overseas entities, where the documents are within the ‘possession, custody, or control’ of the US-based entity.[43]
However, the Federal Rules of Civil Procedure do not define ‘possession, custody, or control’ for purposes of obtaining the production of documents or electronically stored information (ESI), and federal circuits have not adopted a uniform approach. Some circuits apply a test that looks to whether the party has the ‘legal right’ to obtain the ESI[44] (or a variation of this test),[45] while others look to whether a party has the ‘practical ability’ to access or obtain the relevant ESI.[46] Counsel should be aware of the potentially applicable standards of ‘control’ for ESI and be prepared to assess the impact of the approach adopted in the relevant forum. For example, at least one court has noted that the method of cloud storage adopted by a company, and specifically the use of a ‘data trustee’ (an independent third party that controls access to data) and storage of data on a foreign server, may impact the ‘control’ analysis.[47]
Although US courts have required parent corporations to produce documents held by their foreign subsidiaries, the converse is not always true; a foreign subsidiary is generally not required to produce documents held by the US parent corporation. Yet this fact-specific test depends on the details of a subpoenaed entity’s corporate structure, business practices and method of electronic document storage. In the United Kingdom, the FCA and the PRA do not have express powers to require the production of information or documents where they are located in an overseas subsidiary, but firms are expected to take reasonable steps to ensure that group members provide regulators with the requested data where they are within the firm’s possession or control.
Another jurisdictional consideration for lawyers counselling in cross-border securities investigations is the location of individual defendants and witnesses: where the individual resides, or where any interview with regulators takes place, may affect the admissibility of the individual’s testimony and the individual’s exposure to civil and criminal liability, separate from any corporate exposure.[48] As an initial matter, it is important to try to clarify whether an individual is considered by the regulator to be a suspect or target or merely a witness. Counsel must also consider the risks and benefits of allowing individuals to be questioned by regulators voluntarily versus compelled under court order. Moreover, foreign nationals may be able to challenge the statutes under which they are prosecuted on extraterritoriality grounds, and foreign jurisdictions are able to push back against US law enforcement’s expansive jurisdictional approach.
In sum, despite the expanding reach of national regulators, international companies should not accept that cooperation in a cross-border investigation requires abandoning all jurisdictional defences.
Familiarisation with local regulatory rules, cultures and trends will assist in successfully navigating cross-border investigations into potential securities misconduct. A core strategic consideration in investigations spanning the globe is access and control of information and data. Cooperation and information sharing among regulators is likely only to increase. Taking a global view of enforcement of securities law will ensure that a subject can move towards the ultimate goal of finalising an investigation.
Footnotes
1 Scott S Balber is the managing partner and Christopher Boyd is an associate at Herbert Smith Freehills New York LLP.
2 See John D Buretta, Megan Y Lew and Courtney A Gans, ‘Co-operating with the Authorities: The US Perspective’, in Judith Seddon et al. (eds), The Practitioner’s Guide to Global Investigations, Volume I, ‘Global Investigations in the United Kingdom and the United States’ (Fourth edition, Global Investigations Review, 2020).
3 Deputy Attorney General Lisa O Monaco, US Department of Justice (DOJ), ‘Corporate Crime Advisory Group and Initial Revisions to Corporate Criminal Enforcement Policies’ (28 October 2021), www.justice.gov/dag/page/file/1445106/download (accessed 30 September 2022); DOJ, ‘Deputy Attorney General Lisa O. Monaco Gives Keynote Address at ABA’s 36th National Institute on White Collar Crime’ (28 October 2021), www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-gives-keynote-address-abas-36th-national-institute (accessed 30 September 2022).
4 DOJ, Policy on Coordination of Corporate Resolution Penalties (9 May 2018), www.justice.gov/opa/speech/file/1061186/download (accessed 6 September 2022).
5 DOJ, US Attorneys’ Manual § 1-12.100 (2018), www.justice.gov/jm/jm-1-12000-coordination-parallel-criminal-civil-regulatory-and-administrative-proceedings#1-12.100 (accessed 6 September 2022).
6 See Clara Hudson, ‘DOJ official warns against exploiting the anti-piling on policy’, Global Investigations Review (9 December 2020), www.globalinvestigationsreview.com/just-anti-corruption/enforcement/doj-official-warns-against-exploiting-the-anti-piling-policy (accessed 6 September 2022).
7 See Chapter 1 for the jurisdictional reach of relevant enforcement agencies.
8 See, generally, Evan Norris, ‘How Enforcement Authorities Interact’, Global Investigations Review (19 August 2019), www.globalinvestigationsreview.com/review/the-investigations-review-of-the-americas/2020/article/how-enforcement-authorities-interact (accessed 6 September 2022).
9 DOJ, ‘Attorney General Merrick B. Garland Delivers Remarks to the ABA Institute on White Collar Crime (3 March 2022), www.justice.gov/opa/speech/attorney-general-merrick-b-garland-delivers-remarks-aba-institute-white-collar-crime (accessed 6 September 2022).
10 Evan Norris and Morgan J Cohen, ‘How US Authorities Obtain Foreign Evidence in Cross-Border Investigations (13 October 2020), www.globalinvestigationsreview.com/review/the-investigations-review-of-the-americas/2021/article/how-us-authorities-obtain-foreign-evidence-in-cross-border-investigations (accessed 6 September 2022).
11 See Aruna Viswanatha and Dave Michaels, ‘Justice Department Accused of Abusing Process to Extend Statute of Limitations’, Wall Street Journal (2 February 2020), www.wsj.com/articles/justice-department-accused-of-abusing-process-to-extend-statute-of-limitations-11580657654 (accessed 6 September 2022).
12 US Securities and Exchange Commission (SEC), International Enforcement Assistance, www.sec.gov/about/offices/oia/oia_crossborder.shtml (accessed 6 September 2022).
13 ibid.
14 ibid.
15 See SEC, ‘Enforcement Manual’ (28 November 2017), at 71, www.sec.gov/divisions/enforce/enforcementmanual.pdf (accessed 6 September 2022).
16 SEC, ‘SEC’s Cooperative Arrangements with Foreign Regulators’, www.sec.gov/about/offices/oia/oia_coopfactsheet.htm (accessed 6 September 2022).
17 ibid.
18 See Sec. & Exch. Comm’n v. Ripple Labs, Inc., No. 20-CV-10832 (AT)(SN), 2021 WL 2069782 (S.D.N.Y. 19 May 2021).
19 ibid.
20 ibid.
21 ibid.; see the International Organization of Securities Commissions’s Enhanced Multilateral Memorandum of Understanding Concerning Consultation and the Exchange of Information (2016), Article 3(2), www.iosco.org/about/pdf/Text-of-the-EMMoU.pdf (accessed 6 September 2022).
22 SEC, ‘SEC’s Cooperative Arrangements with Foreign Regulators’, footnote 16.
23 Evan Norris and Morgan J Cohen, footnote 10.
24 DOJ, ‘Cloud Act Resources’ (17 August 2022), www.justice.gov/dag/cloudact (accessed 6 September 2022).
25 See, e.g., Agreement between the Government of the United States of America and the Government of the United Kingdom of Great Britain and Northern Ireland on Access to Electronic Data for the Purpose of Countering Serious Crime (3 October 2019), Article 5(5), www.justice.gov/dag/cloud-act-agreement-between-governments-us-united-kingdom-great-britain-and-northern-ireland (accessed 6 September 2022).
26 See DOJ, ‘Joint Statement by the United States and the United Kingdom on Data Access Agreement’ (21 July 2022), www.justice.gov/opa/pr/joint-statement-united-states-and-united-kingdom-data-access-agreement (accessed 6 September 2022).
27 See DOJ, ‘United States and Canada Welcome Negotiations of a CLOUD Act Agreement’ (22 March 2022), www.justice.gov/opa/pr/united-states-and-canada-welcome-negotiations-cloud-act-agreement (accessed 6 September 2022).
28 See the Anti-Money Laundering Act of 2020, § 6308(a), Division F of the William M (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, H.R. 6395, www.congress.gov/116/bills/hr6395/BILLS-116hr6395enr.pdf (accessed 6 September 2022).
29 ibid.
30 See Evan Norris and Morgan J Cohen, footnote 10.
31 United States v. McLellan, 959 F.3d 442, 471 (1st Cir. 2020).
32 The Securities Act, the Securities Exchange Act, the Investment Advisers Act and the Investment Company Act all permit the SEC to issue subpoenas in connection with an ongoing investigation of misconduct. See 17 C.F.R. § 11.4(a).
33 See French Penal Code Law 80-538 and the UK Protection of Trading Interests Act.
34 See the California Consumer Privacy Act, as amended by the California Privacy Rights Act (Cal. Civ. Code § 1798.100 et seq.), effective since 1 January 2020, with certain amendments coming into force on 1 January 2023; the Colorado Privacy Act (Colo. Rev. Stat. § 6-1-1301 et seq.), effective since 1 July 2023; the Connecticut Personal Data Privacy and Online Monitoring Act (2022 S.B. 6), effective from 1 July 2023; and the Virginia Consumer Data Protection Act (Va. Code Ann. §§ 59.1–575 et seq.), effective from 1 January 2023.
35 See Title V, Subtitle A of the Gramm–Leach–Bliley Act (15 U.S.C. § 6801 et seq.) (regulating the disclosure of ‘nonpublic personal information’ by covered financial institutions).
36 See Part C, Health Insurance Portability and Accountability Act (42 U.S.C. §§ 1320d and 1320d-1 to d-9) (regulating the disclosure of ‘individually identifiable health information’ by covered entities).
37 See Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, Official Journal of the European Union L 119 at 1-88 (4 May 2016).
38 See ‘Adequacy decisions: How the EU determines if a non-EU country has an adequate level of data protection’, European Commission, https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en (accessed 6 September 2021); ‘Data protection: Commission adopts adequacy decisions for the UK’, European Commission (28 June 2021), https://ec.europa.eu/commission/presscorner/detail/en/ip_21_3183 (accessed 6 September 2022).
39 See Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (Case C-311/18) EU:C:2020:559 (16 July 2020), https://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=9709819 (accessed 6 September 2022).
40 EU General Data Protection Regulation, Article 49.1(d).
41 Letter from the UK Information Commissioner’s Office to the SEC (11 September 2020), https://ico.org.uk/media/2619110/sec-letter-20200911.pdf (accessed 6 September 2022); see also SEC, Division of Examinations, ‘2021 Examination Priorities’ (2021), at 11, www.sec.gov/files/2021-exam-priorities.pdf (accessed 6 September 2022).
42 See Edward T Kang, Paul N Monnin and Daniel J Felz, ‘Multinational Aspects of SEC Investigations’, footnotes 59–66, SEC Compliance and Enforcement Answer Books (2020 edition), www.alston.com/-/media/files/insights/publications/2019/09/26751311seccomplianceanswerbook2020.pdf.
43 See Fed. R. Civ. P. 34(a); 45(a).
44 The ‘legal right’ test has been applied by courts in the Third, Fifth, Sixth, Seventh, Ninth, Tenth and Eleventh Circuits. See, generally, ‘The Sedona Conference Commentary on Rule 34 and Rule 45 “Possession, Custody, or Control”’, 17 Sedona Conf. J. 467 (2016), https://thesedonaconference.org/sites/default/files/publications/Commentary%20on%20Rule%2034%20and%20Rule%2045.17TSCJ467.pdf (accessed 6 September 2022).
45 Some circuits apply a variation of the ‘legal right’ test that has been termed the ‘legal right plus notification’ test. This includes situations where a party has the legal right to obtain the electronically stored information and additionally requires a party to notify its adversary if it is aware that a third party has responsive documents but the party itself does not have the legal right to obtain them. Courts in the First, Fourth, Sixth and Tenth Circuits have applied the ‘legal rights plus’ test.
46 The ‘practical ability’ test has been applied by courts in the Second, Fourth, Eighth, Tenth, Eleventh and District of Columbia Circuits.
47 In re Search of Info. Associated with [redacted]@gmail.com that is Stored at Premises Controlled by Google, Inc., No. 16-MJ-00757 (BAH), 2017 WL 3445634, at *17 n. 20 (D.D.C. 31 July 2017) (noting that ‘[t]he Court need not reach the question of whether this “data trustee” arrangement sufficiently undercuts Microsoft’s “control” over the electronic communications’); see also Paul M Schwartz, ‘Legal Access to the Global Cloud’, 118 Colum. L. Rev. 1681 (2018) (distinguishing the implications for ‘control’ analysis among ‘data shard’ clouds, ‘data localization’ clouds and ‘data trust’ clouds).
48 See Chapter 2 for unique considerations for representing individuals versus entities.