Production of Information to the Authorities: The In-house Perspective
This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight
12.1Introduction
Although less common for small and medium-sized enterprises, it is not unusual for large, particularly multinational, companies to find themselves weighing whether to voluntarily disclose information, or what to do when compelled to disclose information to law enforcement or regulatory authorities. The variables to consider are many and nuanced. They include, without limitation, the potential impact on customers and the business, the nature and pervasiveness of the wrongdoing, and whether mandatory reporting obligations arise. This chapter considers some of the key legal and practical considerations implicated when a company produces information to the authorities.
12.2Initial considerations
The company should as early as possible seek to establish:
- Its status in the inquiry – is it a suspect or witness? This is not always communicated or readily discernible because the authority, itself, might not have decided either way, or might not wish its view to be known in the early stages of an investigation. There may, however, be some clue in how the authority has gone about requesting or otherwise obtaining the information. For instance, in the United Kingdom, a dawn raid by the Serious Fraud Office (SFO) on company premises implies that the SFO, and the courts, have reasonable grounds to believe, based on some assessment of facts, that it is impracticable to use less intrusive production order powers or doing so creates a risk of destruction of evidence. As such, unannounced raids tend to indicate, though not conclusively, that the company is a suspect.[2]
- Are any of the company’s employees suspects, and do they pose any ongoing risks to the business?[3] When employees are suspects, a company should ensure that data collection and any internal investigation is conducted without tipping off the implicated employees or ‘trampling over the crime scene’, while adhering to local data protection and labour law.
- Which authority is making the request, and is the request reasonable? Some authorities are more aggressive than others; this is worth factoring in when setting the response strategy. Equally important is determining whether there are multiple authorities involved. Requests from less familiar jurisdictions, where the independence of prosecutors and the judiciary might be less assured, pose additional questions: Is there a political or monetary motivation? Are employees at risk of arrest and imprisonment without adequate due process? And what are the rules of corporate liability, if any? A request for information should be carefully reviewed to ensure that it appears reasonable in terms of scope and the basis for the request, and should state the power under which the request was made.
12.3Data collection and review
The company will at an early stage start to think about whether it has the responsive data and the appropriate process for preserving and collecting it. Data from digital devices to be produced to the authorities should be safeguarded from deletion or destruction and then collected in a forensically sound way. At a high level, this means that the collection is carried out by skilled persons who can retrieve and preserve whole images of various types of devices in a manner that is repeatable with consistent results, and that all steps taken are recorded and auditable. It is vital to capture all relevant material, and having a systematic and methodical approach will help. The investigation support team should include someone with detailed knowledge of the company’s IT systems and structure and will, preferably, be experienced in data extractions.
A company is also likely to want to understand for itself what the collected data reveals. The data review is invariably the most time-consuming and costly part of the production exercise. It is therefore imperative to try to agree realistic deadlines with the authorities at the outset and to communicate promptly if any slippage is anticipated. Most authorities will want a written record, usually in the form of witness statements, of the methodology used in the data collection and imaging, the process and rationale behind any filtering of the data, and how the review was conducted and the instructions given to the reviewers. This point is stated explicitly in the Corporate Co-operation Guidance published by the SFO on 6 August 2019 under the heading ‘Preserving and providing material’. The SFO Guidance emphasises the need to have an audit trail of the acquisition and handling of digital material and to take all steps to maintain the integrity of systems hosting such material over the life of an SFO investigation, which can run for many years.
A corporate can manage the costs incurred in a data collection and production exercise by: having an established panel of specialist law firms, which should yield discounted rates, but maintaining flexibility to go off-panel as individual case needs dictate; outsourcing the data collection and document review to professional service providers or even doing it in-house[4] if there is the requisite capability, instead of the law firm doing it; ensuring that the document review is as focused as possible through appropriate filtering and, possibly, use of AI technology; setting a budget at the outset and sticking to it unless extensions are approved; and monitoring costs on a monthly basis to ensure the exercise remains within budget.
12.4Principal concerns for corporates contemplating production
There are numerous, often competing, concerns when a company produces documents to the authorities. One obvious but important concern is the impact that the disclosed material might have on (1) the authority’s investigation, or even pre-investigation, and (2) the company’s status with the authority. Another concern is to identify and then to protect any intellectual property, trade secrets or proprietary information, or commercially sensitive information that might be contained in, or decipherable from, the material to be disclosed. This concern will accentuate when the company is co-operating with several international and domestic authorities, or where multiple authorities have taken, or could take, an interest. The disclosed material could end up being shared between the various authorities, which could result in the limitations on use that the disclosed material can be put to in one jurisdiction not applying in another. As a result, the disclosing party cannot necessarily ensure that the limitations on use – which applied in the jurisdiction in which the material had been disclosed – will be enforced in a separate jurisdiction in which the material is now available.[5]
Special care must be taken at the start and throughout the investigation to have clear records of who is authorised on behalf of the company to instruct and receive advice from external lawyers, and is therefore the client. The purpose of any internal investigation is important also and should be recorded. Is the purpose to obtain legal advice on the company’s position in relation to a law enforcement or regulatory authority’s interest? Is it to gather information to disclose to the authorities? Or is it to do with actual or contemplated litigation, or a combination of reasons?
At the time of writing the previous edition of this chapter, the England and Wales High Court in SFO v. ENRC [6] had ruled that a criminal investigation by the SFO does not necessarily equate to adversarial litigation being in reasonable contemplation, which is of course the test for litigation privilege to be applicable.[7] This made the applicability of legal privilege in internal investigations in the United Kingdom, when the authorities were in an investigatory and not in a prosecution phase, quite difficult and widened the transatlantic divide in the approach to legal privilege. However, in September 2018, the Court of Appeal overturned the High Court’s ruling and lowered the bar for legal privilege to be available.[8] Although the key question of whether adversarial litigation is in reasonable contemplation is very fact-specific, it will be a little less difficult for corporates to successfully argue that litigation privilege applies to certain parts of its internal investigation, including over employee and third-party interviews and material generated by forensic accountants.
While the question of who is the ‘client’ remains narrowly construed, namely those who have been authorised by the company to instruct and receive advice from lawyers, the Court of Appeal in SFO v. ENRC expressed a non-binding view that the law in this area could be reviewed and updated. For now, it remains more difficult to apply legal advice privilege to the fact-gathering part of an internal investigation.
A company will also be keen to restrict the ability of third parties to use the information disclosed to the authorities in civil proceedings against the company. Such restrictions could be imposed during the course of negotiations or discussions aimed at resolving, avoiding or reducing the scope of litigation by making clear at the time of production that the information is confidential and, when dealing with UK authorities, stated to be provided on a limited waiver of legal privilege or without-prejudice privilege basis.[9] A company contemplating this approach should keep in mind that it loses control over material that has been disclosed to authorities. The material might, for example, via court orders for disclosure, end up in the hands of litigants, regardless of attempts to prevent it. Second, the attempt to make the disclosure of material without prejudice to privilege could clash with the authority’s expectation of a co-operating entity and negatively affect the chances of non-prosecution. This is particularly the case in view of the 2018 judicial review in which the court criticised the SFO and re-emphasised the SFO’s obligation to proactively seek to obtain material that might help the case of individual defendants or undermine the prosecution’s case, even if that means testing and challenging a company’s assertion of privilege over the product of an internal investigation.[10]
Federal courts in the United States are, however, reluctant to recognise selected waivers of privilege in relation to documents produced as part of an investigation or prosecution.[11] The information may lose the protection of privilege and be subject to discovery by other parties.
Adherence to data protection principles is another important concern, especially when the information is being provided voluntarily and there is not the protection given by a document production order or subpoena, which usually overrides any local data protection rules. Since 25 May 2018, Article 48 of the EU General Data Protection Regulation (GDPR) has restricted the ability of companies to transfer information out of the European Union in order to respond to orders or requests of foreign courts or authorities. Under this Article, personal data can only be transferred outside the European Union to respond to law enforcement or regulatory subpoenas or production orders, or court orders for disclosure, through the mutual legal assistance treaty route or other provisions of the GDPR. As the application of Article 48 is yet to be examined by the courts, it is unclear whether voluntary disclosure to the authorities is caught by the Article.[12]
12.5Obtaining material from employees
There will often be a wide pool of employees, a few of whom might be ‘suspects’ or ‘targets’, who hold relevant information. It is important to first identify which, if any, of those employees should be notified of the data collection, bearing in mind the SFO cautioning against putting employees on notice and its desire to have the data collection undertaken with minimal risk of interference.[13] The Corporate Co-operation Guidance states that the SFO should be consulted before interviewing employees (or taking any HR action). When collecting data from employees, the corporation should be mindful of local laws and the company’s policies on data collection, as well the potential need to give notice or obtain consent from the employee. The key is to weigh any risk of relevant information being destroyed, and displeasing the requesting authority, if notice of the data collection is given to employees against any specific local law requirements and internal data collection policies.
It is common for employees to have personal material on work devices. If there are no reasonable grounds to believe that giving notice of a data collection exercise to an employee creates a risk that data will be destroyed, the employee could be instructed to separate personal material from work material before the device is copied. The personal material would then be safe from inadvertent disclosure to the authorities. If this separation of personal data is not possible because, for instance, the collection needs to be covert, then filtering and review before disclosure, if appropriate, should provide adequate safeguards against personal data being handed over.
A less common problem is where work material has been stored on personal devices. If that same material also exists on a work device or on the company’s servers, it can be collected from there rather than from the employee’s personal device. Clearly, it is not possible for a company to covertly extract data from an employee’s personal device but it may be possible to do so with the employee’s express consent. Such situations should be catered for in the contract of employment and the company’s internal policies.
As a best practice, companies should guard against this thorny issue of commingling of personal and business information by instituting appropriately tailored policies. It may not, however, be reasonable to expect that a company device will never be used for some personal purposes but companies should provide written limitations on the kinds of use that are acceptable and permitted. In any event, the transfer of business data through personal devices or email accounts should always be prohibited.
12.6Material held overseas
Because of the global nature of business, information that is required by a law enforcement or regulatory authority might be held by the company’s overseas subsidiaries – and in multiple locations at that.
When a company seeks to provide information voluntarily, it should assess whether this would expose it to potential claims of breaching the confidentiality or data protection rights of employees or third parties.
Despite a company’s desire to co-operate with a subpoena or production order, there may be significant legal hurdles, such as blocking statutes, preventing it from providing the material.[14] There have been several US and UK court decisions[15] that, applying the ‘law of the forum’ principle, ruled that the risk of prosecution for breaching an overseas blocking statute is not a reasonable ground for non-compliance with the court’s order for discovery. In those circumstances, the company’s lawyers must speak with the authority concerned, explain the issues and diplomatically suggest that the authority consider obtaining the information through the MLAT route or through police-to-police information exchange. It is vital for the company to support the process by having the material readily available, and using the contacts that the company’s external lawyers might have with prosecutors in the state where the material is held, to try to expedite matters. A legitimate alternative is available if the information also exists independently in another jurisdiction, which does not have blocking statutes, provided it had been transferred there previously for valid business or legal purposes and not to get around the blocking statute.
There have been recent important legislative developments in the United States and United Kingdom that seek to make it easier for law enforcement to access electronic data held overseas. The US Clarifying Lawful Overseas Use of Data Act (CLOUD Act) and the UK’s Crime (Overseas Production Orders) Act (COPO Act) 2019 allow the authorities to compel companies, without having to apply to a court, to hand over information even where the information is held overseas. The UK–US Bilateral Data Access Agreement, signed on 3 October 2019, will lead to prosecutors gaining these additional powers. These are the first acts of the kind and reflect the theme of increased cross-border co-operation. While the impact of the legislation remains to be seen, the acts clearly represent another point at which companies can be caught between conflicting laws, with blocking statutes and data privacy laws at the other side of the pincer seeking to limit companies’ ability to provide information. Companies should therefore be acutely aware of the potential for such conflicting obligations, and understand who controls their data (third parties may host or store data) and where it is stored. It is also prudent to develop plans of action for how to respond to an order to furnish evidence kept in a jurisdiction with laws prohibiting the transfer.
12.7Concluding remarks
As explained in Chapter 11, there are many good reasons why a company might wish to take a proactive approach and voluntarily provide information rather than waiting for a subpoena or production order. It could, for example, give the best opportunity for maximising co-operation credit. Indeed, the senior UK judge granting the Rolls-Royce deferred prosecution agreement (DPA) cited voluntary provision of material as one of the ways Rolls-Royce demonstrated ‘extraordinary’ co-operation. Depending on the facts of the case, in the authors’ view, there could be little to no loss of credit by asking for a production order rather than voluntarily disclosing – if this is appropriate to overcome data protection or other barriers – provided (1) there is early dialogue with the authorities and (2) the issues are reported before the authority learns of them separately through another source.[16]
In some circumstances a company might wish to think carefully about whether it needs to demonstrate extraordinary levels of co-operation. One way to do so would be to waive legal privilege over certain classes of documents to influence the company’s eligibility for the United States Department of Justice’s FCPA Corporate Enforcement Policy[17] or a DPA.[18] The joint Crown Prosecution Service and SFO Guidance on Corporate Prosecutions[19] explains that ‘genuinely proactive’ self-reporting is a public interest factor militating against the prosecution of a company. A voluntary waiver of privilege is relevant to determining whether a company has genuinely and proactively co-operated with the SFO or other authority, and consequently to the assessment of whether it is in the public interest to prosecute or to invite the company to DPA negotiations. The SFO Corporate Co-operation Guidance states that a failure to waive privilege and provide witness accounts will not allow the company to avail itself of the corresponding factor weighing against prosecution as found in the SFO and CPS Deferred Prosecution Agreements Code of Practice[20] (but will not be penalised by the SFO). The company might therefore wish to think carefully about which documents it believes are truly legally privileged and whether in fact to assert legal privilege over them.
As stated in opening this chapter, there are many and nuanced factors to consider when a company is required to produce information to the authorities. The key is to be well prepared in terms of knowing where information is stored; to have the relevant expertise, preferably internally, to gather relevant information quickly and forensically; to have an overall strategy and end game as early in the process as possible, but also keeping things under review; and to be able to rely on trusted advisers.
Footnotes
1 Femi Thomas is vice president and global head of business integrity at Nokia Corporation and Tapan Debnath is senior legal counsel in Nokia Corporation’s ethics and compliance department and compliance lead for Nokia Enterprise Business Group. The views expressed are the authors’ (or as otherwise attributed) and do not represent the views of Nokia Corporation.
2 On 6 August 2019, the SFO published its long-awaited Corporate Co-operation Guidance. At the end of the Guidance, a short passage explains that it may be necessary for the SFO to exercise powers of compulsion to obtain material from a co-operating company. This re-enforces that how the authority seeks material (whether by production order or dawn raid) can be illustrative only of the company’s status in the investigation and should not be taken as conclusive.
3 While change of company personnel (and culture) is a desirable outcome in most cases involving serious wrongdoing, it will probably need to be considered after a thorough review of the issues.
4 Some companies have an in-sourced legal support function that handles, for example, initial review of contract terms, which can, with some training and guidance, be used to do the first document review in an internal investigation.
5 In United States v. Allen, 864 F.3d 63 (2d Cir. 2017), the US Court of Appeal overturned the convictions and indictments of two LIBOR traders because, among other things, the testimony given by the defendants to the UK Financial Conduct Authority [FCA] under compulsion was used against them in their US criminal trial, which was held to be an infringement of the defendants’ Fifth Amendment rights. This is an example of information given in one jurisdiction (the United Kingdom), in which there were statutory limitations on use of the information, being used without limitation, initially at least, by another (the United States).
6 The Director of the Serious Fraud Office v. Eurasian Natural Resources Corporation Limited [2017] EWHC 1017 (QB), para. 159. The Chancellor of the High Court ruled in Bilta (UK) Ltd v. Royal Bank of Scotland Plc & Anor [2017] EWHC 3535 that, in the present case, documents created in an internal regulatory investigation after a ‘watershed moment’ of HMRC writing to allege tax fraud were covered by legal professional privilege.
7 Three Rivers District Council and others v. Governor and Company of the Bank of England (No. 6) [2005] 1 AC 610, HL, para. 53 (per Lord Rogers).
8 The Director of the Serious Fraud Office v. Eurasian Natural Resources Corporation Limited [2018] EWHC Civ 2006.
9 Property Alliance Group Ltd v. Royal Bank of Scotland plc [2015] EWHC 1557 (Ch) without prejudice privilege applied to negotiations with the FCA with a view to arriving at a settlement. The without prejudice rule applies to exclude negotiations genuinely aimed at settlement from being given in evidence.
10 See R (on the application of AL) v. Serious Fraud Office [2018] EWHC 856.
11 See In Re Columbia/HCA Healthcare Corp. Billing Practices Litig., 293 F.3d 289 (6th Cir. 2002).
12 See, for example, David J Kessler et al., ‘The Potential Impact of Article 48 of the The Sedona Conference Journal, volume 17, 2016, No. 2 on Cross Border Discovery From the United States’ in The Sedona Conference Journal, Volume 17, 2016, No. 2.
13 Speech by Alun Milford, SFO General Counsel, Annual Employed Bar Conference, 26 March
2014, available at https://www.sfo.gov.uk/2014/03/26/corporate-criminal-liability-deferred-prosecution-agreements/.
14 France, Switzerland, Italy and China are some of the countries that have blocking statutes. (See further, Vol. II chapters at question 60.) Breach of the Swiss blocking statute has been prosecuted on several occasions, whereas breach of the French blocking statute has, as far as is known, been prosecuted only once since its inception in 1968. However, Sapin II has a provision for penalising breach of the French blocking statute, which leads some commentators to believe that it will be more readily enforced. Further, Article 48 of the GDPR has similar effect to blocking statutes across the European Union. (See further, Vol. II chapters at question 60.)
15 For example, Secretary of State for Health and Others v Servier Laboratories and Others (Servier) [2013] EWCA Civ 1234 and National Grid Electricity Transmissions PLC v ABB Limited and Others [2013] EWHC 822 (Ch).
16 Rolls-Royce did not self-report but still received a deferred prosecution agreement because of its ‘extraordinary’ co-operation. See Serious Fraud Office v. Rolls-Royce PLC and another, Case No. U20170036 (2017), paras. 21, 22.
17 The Corporate Enforcement Policy adapted and replaced the FCPA Pilot Program – see https://www.justice.gov/criminal-fraud/corporate-enforcement-policy. The policy includes a presumption of a declination where the company voluntarily self-reports, fully co-operates with a DOJ investigation and makes timely and appropriate remediation.
18 Of course, the implications of full or selective waiver of privilege must be very carefully thought through.