Ireland

This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight

General context, key principles and hot topics

1 Identify the highest-profile corporate investigation under way in your country, describing and commenting on its most noteworthy aspects.

The investigation into the Irish Bank Resolution Corporation by a Commission of Investigation remains the highest-profile current corporate investigation in Ireland. It is very significant as it is connected to the collapse and subsequent winding down of Anglo Irish Bank plc, a prominent Irish bank that collapsed in connection with the financial crash. The related trial of certain high-ranking banking executives concerning their conduct before the collapse was the longest criminal trial in the history of the state and resulted in penal sentences, which are rarely imposed in Irish business crime cases. This investigation is one of the most complex ever to have been carried out by the Garda National Economic Crime Bureau (GNECB) and concerns allegations of a €7.2 billion conspiracy to defraud. Taoiseach Michael Martin has recently said in Parliament that it is unclear whether this investigation will be concluded by the end of 2020.

It is important for both the subject matter under investigation and the procedural conduct of any similar investigation in the future. In that regard, the Commission of Investigation has published a number of interim reports that have highlighted difficulties in conducting this type of investigation in Ireland, such as duties of confidentiality, privilege and the constitutional rights of persons implicated in an investigation.

A draft order and terms of reference for a Commission of Investigation into the National Asset Management Agency (NAMA) were published by the Irish government and an interim report was published in September 2017. The terms of reference provide for an investigation into Project Eagle (the name given to NAMA’s Northern Ireland property loans portfolio), which it sold in April 2014 for about €1.6 billion. The Cooke Commission’s final report was initially due to be published in June 2019, but is now expected to be published by the end of December 2020. This was previously the subject of an inquiry in Northern Ireland, with the Northern Ireland Public Prosecution Service announcing in August 2020 that charges of fraud were being brought against two men involved in the Project Eagle transaction.

The Office of the Director of Corporate Enforcement (ODCE) launched high-profile investigations into both Independent News & Media plc (INM) and the Football Association of Ireland (FAI). In September 2018, the president of the High Court granted an application by the ODCE to appoint inspectors to INM and investigate whether there may have been alleged unlawful sharing of the company’s information. The first interim report of these inspectors was delivered to the High Court and subsequently to the ODCE in April 2019. The investigation into the FAI was commenced subsequent to its auditors filing a notice to the Companies Registration Office alleging breaches of the Companies Acts on the grounds that financial accounts were not properly maintained. If it is proved that there was a failure to keep proper accounting records, this would result in a breach of sections 281 to 285 of the Companies Act, and the potential conviction of individual board members, who could face a fine of up to €50,000 or imprisonment for up to five years, or both. The ODCE investigation is continuing and in January 2020, following a series of meetings with the ODCE, An Garda Síochána decided not to launch an investigation into the FAI and to leave the ODCE to continue its investigation.

There has been only a very limited number of applications to appoint inspectors by the High Court. The approach in relation to the INM investigation was the first brought under section 748 of the Companies Act 2014, which is a relatively new provision but one that is very similar to the legislation under which previous applications were made and which this provision has replaced. The judgment, therefore, provides guidance on the scope of the powers of the High Court. Significantly, the Court clarified that the actions of a director or chairman, even if acting outside his or her usual authority, will come within the meaning of conducting the ‘affairs of the company’ for the purposes of a section 748 application.

The High Court provided a useful analysis of the matters it will take into consideration in exercising its discretion under section 748, confirming that public interest in ensuring that proper standards of probity and good governance in companies are maintained is one of the primary matters that should be taken into account for any such application. The Court noted that public interest in the circumstances of this case was particularly engaged because of the nature of the company’s business, the position it occupies in the Irish media and its status as a public company.

The Court also held that another important factor in the exercise of its discretion is the existence, or potential existence, of other statutory investigations into the subject matter of an application. These types of investigations do not automatically preclude the appointment of inspectors and the Court will engage in an assessment of the adequacy of those investigations to deal with the issues raised in an application, taking into account matters such as the nature of the powers available to the statutory bodies in question, their power to publish a report, and the effect and status of such a report.

An interesting side aspect of the judgment is that it brings renewed focus to an issue that has been occupying headlines for quite some time; specifically, the role of the ODCE and its ability to carry out its enforcement functions effectually. As a result of the Anglo Irish Bank investigation and recent trials, the ODCE has found itself subject to scrutiny as a result of comments made by Judge John Aylmer regarding its investigative process. Against that backdrop, the government, in its Package on White Collar Crime announced in November 2017, committed to re-establish the ODCE as a new independent agency in an effort to enhance the state’s corporate law enforcement capacity. Under the General Scheme of the Companies (Corporate Enforcement Authority) Bill 2018, which was published in December 2018, it is proposed that the ODCE will be re-established in the form of a commission, known as the Corporate Enforcement Authority (CEA). The CEA will be established as an independent company law compliance and enforcement agency and will have greater powers than the ODCE. The CEA will operate independently of any government department to provide more independence in addressing company law breaches. The establishment of the CEA is regarded as a fundamental element of the government’s commitment to enhance Ireland’s ability to combat white-collar crime. However, since early 2019, it does not appear that further steps have been taken to enact this Bill.

During 2018, the government made some significant progress in implementing the proposals set out in the Measures to Enhance Ireland’s Corporate, Economic and Regulatory Framework. This included the enactment of the Criminal Justice (Corruption Offences Act) 2018, which commenced on 30 July 2018, and publication of the General Scheme of the Companies (Corporate Enforcement Authority) Bill 2018 in December 2018. In addition, the Minister for Justice and Equality appointed James Hamilton, former director of public prosecutions, to chair a review of Ireland’s anti-corruption and anti-fraud structures and procedures in criminal law enforcement. In March 2019, the review group issued a call for submissions on a number of issues under its terms of reference, the results of which have yet to be published as at October 2020.

2 Outline the legal framework for corporate liability in your country.

Corporations are separate legal entities and a company can be found liable for the criminal acts of its officers. Section 18(c) of the Interpretation Act 2005 provides that the term ‘person’ when used in legislation includes a corporate, unless otherwise specified. Companies can also be vicariously liable for the conduct of employees. When the doctrine of vicarious liability does not apply, the state of mind of an employee can be attributed to the company in circumstances in which the human agent is the ‘directing mind and will’ of the company, or when an individual’s conduct can be attributed to the company under the particular rule under construction. A company can also be guilty of a strict liability offence, which is an offence that does not require any natural person to have acted with a guilty mind, such as health and safety legislation infringements. Since its commencement on 30 July 2018, the Criminal Justice (Corruption Offences) Act 2018 also has created a strict liability offence for companies. Under section 18 of this Act, a corporate body can be guilty of a criminal offence if one of its officers, employees, agents, subsidiaries or persons purporting to act as such commits a corruption offence with the intention of obtaining or retaining business or an advantage for the company. The only defence under this section is for the corporate to show that it took all reasonable steps and exercised due diligence.

Specific corporate criminal offences are also prescribed by the Companies Act 2014. These offences include failing to keep adequate accounts, making a false or misleading statement to a statutory auditor, falsifying records, intentionally making a false statement and fraudulently altering a book or document. Conviction for these offences can lead to imprisonment of company officers, the imposition of fines, or both.

3 Which law enforcement authorities regulate corporations? How is jurisdiction between the authorities allocated? Do the authorities have policies or protocols relating to the prosecution of corporations?

An Garda Síochána (the national police force) is the primary body with responsibility for the investigation and prosecution of crime in Ireland, with a specialised wing for complex fraud-type offences (the GNECB). There are also a number of regulatory bodies with a separate specific remit to investigate and enforce corporate crime. These types of investigations are often carried out with the assistance of the police. The regulatory bodies include:

the ODCE, which monitors and prosecutes violations of company law;
the Office of the Revenue Commissioners, which is responsible for the collection, monitoring and enforcement of tax laws;
the Competition and Consumer Protection Commission (CCPC), which is responsible for competition law and consumer protection;
the Central Bank of Ireland (CBI), which regulates financial institutions;
the Health and Safety Authority, which enforces occupational health and safety law; and
the Data Protection Commission (DPC), which is responsible for data protection law.

In terms of prosecution, offences are divided between summary (minor) offences and indictable (serious) offences. In general, regulatory bodies, such as those listed above, are authorised to prosecute summary offences directly. The Office of the Director of Public Prosecutions (DPP) is the body responsible for the prosecution of criminal offences on indictment, or of summary offences outside the remit of regulatory bodies. The DPP has no investigative functions; the relevant investigating body prepares a file and submits it to the DPP for consideration. It is then solely at the discretion of the DPP as to whether a case will be taken.

4 What grounds must the authorities have to initiate an investigation? Is a certain threshold of suspicion necessary to trigger an investigation?

This will depend on the statutory basis for that investigation. For the most part, investigations are initiated on the basis of a complaint alleging that an offence has been committed. Some bodies (such as the Standards in Public Office Commission) can only initiate investigations following receipt of a complaint alleging that an offence has been committed, whereas others, such as the DPC, can also initiate investigations on their own initiative. Different bodies use different factors to consider whether to initiate an investigation into a specific matter. For example, the GNECB has stated that it will assess whether to investigate a complaint on the basis of factors such as the monetary loss involved, the international dimension of the complaint and the complexity of the issues of law or procedure that arise.

5 How can the lawfulness or scope of a notice or subpoena from an authority be challenged in your country?

The lawfulness or scope of a notice or subpoena from a law enforcement authority may be challenged in the Irish courts through judicial review proceedings. However, it may be possible to reach a compromise with the law enforcement agency on the scope of the notice. It may also be possible to obtain an interim injunction in certain circumstances preventing the exercise of the notice, subpoena or warrant, or preventing the authority from using information already obtained, unless and until the court determines that the validity of the instrument is valid and enforceable.

6 Does your country make use of co-operative agreements giving immunity or leniency to individuals who assist or co-operate with authorities?

Irish law does not recognise plea bargaining or co-operative agreements. The decision to prosecute is at the discretion of the DPP and the courts have discretion in imposing sentences within the statutory minimum and maximum periods.

7 What are the top priorities for your country’s law enforcement authorities?

Regulatory bodies typically publish their enforcement priorities annually. The CBI’s 2020 priorities include, among other things, strengthening consumer protection, outsourcing, protecting investors and market integrity, the behaviour and culture of regulated entities, money laundering and counter-terrorist financing compliance, while the DPC and the CBI have both stated that their current focus is on cybersecurity. The CBI has also published its Consumer Protection Outlook for 2020, the first since 2017, which clearly underlines the focus that the CBI is putting on consumer protection including in the context of tracker mortgage-related issues and borrowers in mortgage arrears.

As mentioned in question 1, the Irish government has a specific renewed focus on tackling white-collar crime. A key part of its efforts in this space was the introduction of the Criminal Justice (Corruption Offences) Act 2018, plans to establish the ODCE as an independent company law compliance and enforcement agency, and piloting a Joint-Agency Task Force to tackle white-collar crime. The government also intends to enact the Criminal Procedure Bill, the aim of which is to streamline criminal procedures to enhance the efficiency of criminal trials.

The CBI, in collaboration with the Dutch Central Bank, conducted an assessment of the behaviour and culture in five Irish retail banks; the findings of this review were published in July 2018. As part of these findings, the CBI has proposed the introduction of a new individual accountability framework, which would apply to banks and other regulated financial service providers. The framework includes conduct standards for regulated financial services providers and the staff working in them, a senior executive accountability regime, and enhancements to the existing fitness and probity, and enforcement processes. This is a top priority for the CBI and a consultation paper is expected imminently, with draft headings of the Bill expected to be published shortly thereafter.

In August 2020, the CBI was focused on the supervision of how the insurance industry is handling claims for business interruption resulting from the covid-19 pandemic. The CBI published a supervisory framework outlining its expectations of insurance firms when handling such claims, stating that when customers are entitled to claim, those claims should be processed and paid promptly and in full. Additionally, when cover is in dispute, the CBI has said that agreed test cases are to be taken and that it expects insurers to pay their own costs as well as the reasonable costs of the customers who engage in such litigation, regardless of the outcome. The CBI has said that the outcome of any test litigation should be acted on promptly by insurers to ensure that all affected customers obtain the benefit of the outcome. Finally, the CBI noted that in the course of carrying out its supervisory work, it would examine all possible options within its suite of powers and intervene when appropriate.

8 To what extent do law enforcement authorities in your jurisdiction place importance on a corporation having an effective compliance programme? What guidance exists (in the form of official guidance, speeches or case law) on what makes an effective compliance programme?

It is vital for corporations to be seen to have an effective regulatory compliance and corporate governance programme. Under section 225 of the Companies Act 2014, company directors are required to include in their annual report a statement to confirm (1) the company’s policies in respect of compliance by the company with its relevant obligations under company law and tax law, (2) the putting in place of appropriate structures designed to secure material compliance with these obligations, and (3) that a review of such structures has taken place during the previous financial year. Any failure to comply with all these requirements must be explained by the company directors in their annual statement. In addition, specific legislation imposes further obligations, such as the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), as discussed in questions 22 to 24. Under the GDPR, companies are required to establish a data protection compliance programme informed by GDPR principles, including the appointment of a data protection officer, providing training to employees and conducting internal data audits and compliance reviews.

The onus for ensuring that compliance programmes are in place falls on a company’s directors. In terms of what constitutes an effective compliance programme, section 225 of the Companies Act 2014 provides that the structures put in place ‘shall be regarded as being designed to secure material compliance’ if these structures ‘provide a reasonable assurance of compliance in all material respects with those obligations’.

The Department of Finance published information on its own corporate governance framework in October 2019. This publication contains some commentary on what constitutes an effective governance framework. It noted that good corporate governance ‘provides clarity in relation to authority and responsibility, it supports effective decision making and it identifies the assurance and accountability arrangements that exist within any organisation’.

The CBI’s Director of Asset Management and Investment Banking, Michael Hodson, remarked in a speech on 11 June 2019 that utilising the ‘three lines of defence’ structure is important to ensure that high standards of corporate governance are in place, and noted that a recent CBI review found that not all boards and senior management should demonstrate active consideration of their firm’s control framework. This model envisages the division of risk management into three lines of defence, namely functions that (1) own and manage risk, (2) oversee or specialise in risk management and compliance, and (3) provide independent assurance (i.e., an internal audit).

Cyber-related issues

9 Does your country regulate cybersecurity? Describe the approach of local law enforcement authorities to cybersecurity-related failings.

The European Union (Measures for a High Common Level of Security of Network and Information Systems) Regulations 2018, which were introduced in September 2018, impose requirements on operators of essential services (OESs) and digital service providers (DSPs) to manage the risks to the security of network and information systems. OESs include operators within specified sectors, including energy, transport, banking, financial market infrastructure, health and digital infrastructure. DSPs are those who provide digital services, including online marketplaces, online search engines and cloud computing services. There is a centralised computer security incident response team in the Department of Communications, Climate Action and the Environment, which both OESs and DSPs must notify if there are incidents that have a significant or substantial impact on these services. The CBI also takes enforcement action against any financial service provider whose failings in cybersecurity cause it to breach its regulatory requirements. For example, in July 2020, the CBI reprimanded and imposed a fine of €1.66 million on a credit institution for contravention of the European Communities (Markets in Financial Instruments) Regulations 2007 (the MiFID Regulations). The credit institution was found to have failed to report an incident of cyber-fraud to An Garda Síochána until prompted to do so and, on investigation the CBI found deficiencies in respect of the institution’s administrative procedures, internal controls and organisational arrangements designed to prevent cyber-fraud. The initial fine of €2.37 million was reduced in accordance with the CBI’s settlement discount scheme.

10 Does your country regulate cybercrime? What is the approach of law enforcement authorities in your country to cybercrime?

The Criminal Justice (Offences Relating to Information Systems) Act 2017 was the first Irish legislation to specifically address the issue of cybercrime. The Act created new dedicated cybercrime offences, including:

accessing or interfering with an information system without lawful authority;
interfering with data without lawful authority;
interfering with the transmission of data without lawful authority; and
use of a computer or data for the purpose of the commission of any of these offences.

The Criminal Justice (Theft and Fraud Offences) Act 2001 also provides that it is an offence to use a computer with the dishonest intention of causing a loss to another person.

An Garda Síochána has a specialist division – the Garda National Cyber Crime Bureau – that investigates and enforces cybercrime. Any prosecutions for cybercrime are managed by the DPP.

Cross-border issues and foreign authorities

11 Does local criminal law have general extraterritorial effect? To the extent that extraterritorial effect is limited to specific offences, give details.

In general, Ireland does not assert extraterritorial jurisdiction in respect of acts conducted outside the jurisdiction. However, extraterritorial jurisdiction is conferred by statute in respect of specific offences to varying degrees. For instance, section 4 of the Competition Act 2002 provides that it is an offence to be party to an anticompetitive agreement that has the effect of preventing, restricting or distorting competition in trade in goods or services within the state. Importantly, section 4 is not restricted to agreements made within Ireland.

Ireland is bound by the EU’s European Arrest Warrant Framework Decision, as implemented in Ireland by the European Arrest Warrant Act 2003, under which arrest and extradition is coordinated among EU Member States. Legal assistance can be requested and provided by Irish authorities to law enforcement in other jurisdictions under the Criminal Justice (Mutual Assistance) Acts 2008 and 2015. However, Ireland will only allow extradition in circumstances where (1) a person has been charged with an offence (i.e., not for the purpose of merely investigating a criminal offence), (2) the offence is not a political offence, and (3) the offence does not carry the death penalty.

Examples of specific offences for which Ireland exercises extraterritorial jurisdiction are as described below.

Corruption

The Criminal Justice (Corruption Offences) Act 2018 prohibits bribery offences occurring outside Ireland in two sets of circumstances: (1) if an Irish person or company does something outside Ireland that, if done within Ireland, would constitute an offence under the corruption legislation, that person is liable as if the offence had been committed in Ireland; and (2) if an offence under the corruption legislation takes place partly in Ireland and partly in a foreign jurisdiction, a person may be tried in Ireland for that offence. There is no requirement that the offending act should also be an offence in the foreign jurisdiction where the offending act took place. To date, there have been no prosecutions in Ireland under these extraterritorial provisions.

Money laundering

The Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (as amended) (the CJ(MLTF) Act) sets out specific circumstances in which an action can be taken for money laundering occurring outside Ireland. If an individual or a company engages in conduct in a foreign jurisdiction that would constitute a money laundering offence both under the CJ(MLTF) Act and in that foreign jurisdiction, they can be prosecuted in Ireland. This extraterritorial jurisdiction may only be exercised if the individual is an Irish citizen, ordinarily resident in the state, or the body corporate is established by the state or registered under the Companies Act 2014.

The Proceeds of Crime Acts

Under the Proceeds of Crime Act 2016 (the PCA Act), the Irish High Court can make orders depriving a defendant of assets that are merely suspected of being the proceeds of crime, regardless of whether the defendant has been convicted of a criminal offence. The standard of proof required to determine any question arising under the PCA Act is that applicable to civil proceedings. ‘Property’ in relation to the proceeds of crime is broadly defined and includes money and all other property, real or personal. ‘Proceeds of crime’ for the purposes of the PCA Act means any property obtained or received at any time by, or as a result of, or in connection with criminal conduct. The definition of ‘criminal conduct’ is such that foreign criminality is covered by the scope of the act where the proceeds are within the state. Therefore, the legislation has extraterritorial effect when (1) the criminal conduct occurred outside the state, but the respondent and the property are situated within the state, provided that the conduct constituting the offence is also an offence in the foreign state, (2) the respondent is situated within the state and the criminal conduct occurred outside the state and the property is located outside the state, or (3) the property is located within the state, the respondent is situated outside the state and the criminal conduct occurred outside the state, provided that the conduct constituting the offence is also an offence in the foreign jurisdiction.

12 Describe the principal challenges that arise in your country in cross-border investigations, and explain whether and how such challenges depend on the other countries involved.

Cross-border investigations, whether by law enforcement, regulators or internal investigations by companies, pose challenges in every jurisdiction for practical, political and legal reasons. For investigations by Irish regulators and law enforcement agencies, the foremost consideration will be whether there is an existing framework for co-operation between Ireland and the other jurisdiction or jurisdictions. The Criminal Justice (Mutual Assistance) Act 2008, as amended, is the primary piece of legislation governing mutual legal assistance between Ireland and other countries. The extent of available co-operation under mutual legal assistance procedures is dependent on the identity of the corresponding state, and the greatest level of co-operation is among other EU Member States. Co-operation with third countries (i.e., those outside the European Economic Area) is dependent on their ratification of relevant international agreements or the existence of a mutual assistance treaty agreed between them. Regulators and law enforcement can co-operate with their counterparts outside these formal procedures, and this will depend on the relationships between those bodies.

Investigations by regulators or law enforcement and by corporations can also encounter difficulties owing to different legal standards. For example, data protection laws in some countries can restrict the flow of information out of the country, and different levels of protection for private data may restrict the possibility of transfer between the jurisdictions. Further, different rules can apply to matters such as the application of privilege and the constitutional protections owed to persons under investigation.

13 Does double jeopardy, or a similar concept, apply to prevent a corporation from facing criminal exposure in your country after it resolves charges on the same core set of facts in another? Is there anything analogous in your jurisdiction to the ‘anti-piling on’ policy as exists in the United States (the Policy on Coordination of Corporate Resolution Penalties) to prevent multiple authorities seeking to penalise companies for the same conduct?

The long-established principle of double jeopardy applies in Ireland. A corporation cannot be prosecuted twice for the same or similar offences on the same facts following a legitimate acquittal or conviction by an Irish court or by a court of competent authority in a foreign jurisdiction. There must be identity between the foreign and domestic offences. It is possible for the same course of conduct in an international setting to give rise to multiple separate offences in different jurisdictions.

The fact that a corporation entered into a deferred prosecution agreement (DPA) in a different country is unlikely to prevent prosecution in Ireland, which does not provide for the use of DPAs, unless the DPA was viewed as being equivalent to an acquittal or conviction.

Typically, the principle does not apply until proceedings are concluded. However, under the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (as amended), no proceedings may be initiated in circumstances where an individual has been charged under that Act in the absence of consent from the DPP.

There is no anti-piling on policy in Ireland that prevents multiple enforcement authorities from taking action against an entity in relation to the same conduct.

14 Are ‘global’ settlements common in your country? What are the practical considerations?

It is possible for a domestic authority to reach a resolution as part of a coordinated approach with an overseas authority. However, if a party wishes to reach a settlement with authorities in another country or countries, it should be aware that such an agreement may not prevent Irish authorities from continuing to pursue a prosecution.

15 What bearing do the decisions of foreign authorities have on an investigation of the same matter in your country?

Investigations into similar matters in other jurisdictions are often the catalyst for investigations in Ireland. Irish authorities will usually try to co-operate with foreign investigation authorities, and the exchange of information through appropriate channels can aid an investigation greatly. Irish investigatory authorities will take notice of decisions made by foreign investigatory authorities, but the weight given to such a decision will vary depending on factors such as the similarity of the facts under investigation and the jurisdiction concerned. Ultimately, it will be a matter for the Irish authorities to determine whether and how to conduct their own investigations, and prosecutions and enforcement actions in other jurisdictions will at most be one of a number of factors considered.

Economic sanctions enforcement

16 Describe your country’s sanctions programme and any recent sanctions imposed by your jurisdiction.

Where sanctions are imposed at an international level, they are implemented at a national level. Therefore, individuals and companies operating in Ireland should be aware of the restrictions imposed under Irish law that implement international sanctions. As a Member State of both the United Nations and the European Union, Ireland is required to observe and enforce UN Security Council sanctions and EU restrictive measures. Each Member State is required to designate those of its competent authorities that are engaged with sanctions issues. In Ireland’s case, these are the Department of Foreign Affairs and Trade, the Department of Business, Enterprise and Innovation and the CBI. The competent Irish authorities are not responsible for designating sanctions against individuals or other states. The competent authorities enact legislation that enforces sanctions imposed by either the European Union or the United Nations. For example, the Department of Business, Enterprise and Innovation implements trade sanctions issued by the United Nations and the European Union, and the CBI handles all financial sanctions.

The CBI’s website includes up-to-date information on the most recent EU financial sanctions and UN targeted financial sanctions.

17 What is your country’s approach to sanctions enforcement? Has there been an increase in sanctions enforcement activity in recent years, for example?

As outlined in question 16, sanctions are implemented at a national level. The CBI is responsible for ensuring that regulated entities operating in the financial services sphere in Ireland comply with financial sanctions. Any regulated entity in Ireland could find itself subject to enforcement action in respect of policies and procedures around financial sanctions screening.

Sanctions enforcement activity has increased on account of the European Union being more proactive in imposing sanctions. For example, the emergence of ISIL as a terrorist threat, the sanctions imposed on Russia after the annexation of the Crimean peninsula and the continuing conflict in Syria have all resulted in increased sanctions activity, with which Irish companies are obliged to comply. Although several enforcement settlements issued by the CBI to date have related to anti-money laundering failures, there have been no settlements yet specifically related to failures concerning a firm’s financial sanctions screening process.

18 Do the authorities responsible for sanctions compliance and enforcement in your country co-operate with their counterparts in other countries for the purposes of enforcement?

Coordination and co-operation between competent authorities of each Member State is facilitated through the implementation of EU and domestic legal instruments. This ensures efficient national coordination and communication mechanisms between all relevant competent authorities.

19 Has your country enacted any blocking legislation in relation to the sanctions measures of third countries? Describe how such legislation operates.

As a member of the European Union, Ireland is subject to the EU Blocking Regulation, which was expanded in August 2018 to curtail the effects of the United States’ withdrawal from the Joint Comprehensive Plan of Action. The Blocking Regulation effectively nullifies the extraterritorial application of the US sanctions against Iran by prohibiting compliance with any sanctions imposed by the United States; preventing the enforcement of any judgment from a foreign court outside the European Union that gives effect to the sanctions; by requiring any EU person, natural or legal, to notify the European Commission of any effects that the sanctions may have on them; and by allowing any EU person to seek compensation caused by the application of the sanctions.

20 To the extent that your country has enacted any sanctions blocking legislation, how is compliance enforced by local authorities in practice?

The Irish courts implement certain aspects of the EU Blocking Regulation by not enforcing or recognising any judgments that may be made outside the European Union. Further, the courts will allow EU persons to seek compensation in the Irish court system for any adverse effects caused by the application of US sanctions.

Under SI 217/1997 (European Communities (Extraterritorial Application of Legislation Adopted By a Third Country) Regulations), failure to comply with the EU Blocking Regulation is an offence and may be punished by a fine or up to 12 months’ imprisonment.

Before an internal investigation

21 How do allegations of misconduct most often come to light in companies in your country?

Allegations of misconduct will often by raised by whistleblowers, who are protected by the Protected Disclosures Act 2014. Accordingly, great care must be taken not to violate these protections when allegations come to light in this way. Under the Central Bank Act (Supervision and Enforcement) Act 2013, there are specific whistleblower protections in relation to making disclosures to the CBI when breaches of financial services legislation may be in issue.

Thematic reviews are typically carried out by regulators. By the time an allegation of misconduct has arisen on a thematic review or as a result of any other regulatory oversight, the company may not be able to remedy the matter or otherwise prevent an investigation or enforcement action. For example, the CBI often bases its investigations on the Administrative Sanction Procedure under the Central Bank Act 1942 (as amended) on matters identified during thematic reviews.

When allegations arise through media reports, publicised litigation or other publicised external sources, there are more immediate public relations risks than when a matter arises internally. Companies should consider engaging a public relations agency if there are significant reputational risks attached to any allegation of misconduct.

There are specific legislative provisions that oblige persons to report information in relation to certain offences in certain circumstances. The Supreme Court upheld the enforceability of section 19 of the Criminal Justice Act 2011 in Sweeney v. Ireland [2019] IESC 39. If a company is a regulated entity, it may be required to make certain disclosures to its regulator, or indeed to self-report unintentional breaches or offences. Auditors have disclosure obligations, and misconduct coming to light during their engagement may trigger a reporting obligation.

There is political appetite to ensure Ireland remains an attractive location in which to do business. The introduction of the ‘corporate offence’ in the Criminal Justice (Corruption Offences) Act 2018 enables a corporate body to be held liable for the corrupt actions committed for its benefit by any director, manager, secretary, employee, agent or subsidiary. The single defence available to corporates for this offence is demonstrating that the company took ‘all reasonable steps and exercised all due diligence’ to avoid the offence being committed. Although there is no Irish guidance on the legislation yet, ‘reasonable steps’ could include ensuring measures are taken to promote and ensure a corporate culture of reporting suspicions or concerns in relation to corruption and that any suspicions or concerns are notified and, where appropriate, reported to the relevant authorities.

Information gathering

22 Does your country have a data protection regime?

Ireland’s data protection regime mainly comprises the GDPR and the Data Protection Acts 1988–2018 (the DP Acts). Within this regime, there are a number of duties on data controllers, including an obligation to process personal data (under the meaning of the GDPR and the DP Acts) fairly, for it to be kept up to date and secure.

Additionally, the Criminal Justice (Offences Relating to Information Systems) Act 2017 (enacted on 24 May 2017) gives effect to provisions of Directive 2013/40/EU on attacks against information systems. The Act introduced a number of criminal offences, including:

unauthorised access of information systems;
interference with information systems or with data on such systems;
interception of the transmission of data to or from information systems; and
the use of tools to facilitate the commission of these offences.

23 To the extent not dealt with above at question 9, how is the data protection regime enforced?

The DPC is responsible for monitoring the application of the DP Acts and the GDPR to protect the rights and freedoms of individuals in relation to processing.

The DPC has a number of investigative powers, including the power to conduct an audit, the power to compel individuals and companies to provide it with information and documentation, and the power to prohibit the transfer of personal data overseas.

Summary proceedings may be brought and prosecuted by the DPC. In relation to indictable offences, the DPC prepares a file and submits it to the DPP for consideration; it is then solely at the discretion of the DPP whether a case will be made in respect of a suspected offence.

24 Are there any data protection issues that cause particular concern in internal investigations in your country?

The GDPR and the DP Acts restrict the use and disclosure of an individual’s data in Ireland. There are exceptions to the protection given under the DP Acts, but there is no specific exemption when an internal investigation is being carried out. Therefore, all the rules and protections regarding personal data, as set out in the DP Acts, must be followed during an internal investigation. Traditionally, companies have relied on consent to support internal investigations; however, the DP Acts now require that consent be freely given to be valid. In the context of employment, there is an inherent imbalance of power between employee and employer. In addition, the GDPR requires that a data subject can withdraw his or her consent at any time. These factors make it difficult for employers, in the majority of circumstances, to rely on consent as a legal basis for processing data, albeit not impossible.

Companies should therefore seek an alternative lawful basis for processing in the context of internal investigations. The DP Acts allow for data to be processed if it is necessary for the purposes of legitimate interests pursued by the data controller, which can be the case for an internal investigation, but that needs to be balanced against the fundamental rights and freedoms and the legitimate interests of the data subject in question.

Organisations do have a legitimate interest in protecting their business, reputation, resources and equipment. However, Irish law recognises a broad ‘right to privacy’, which includes a right to privacy at work, and a person does not lose privacy and data protection rights simply by being an employee. Any limitation of an employee’s right to privacy should be proportionate to the likely damage to the employer’s legitimate interests.

If an employer seeks to use ‘legitimate interests’ as the basis for processing data, an employee as data subject will have a right to object to that processing of their data. This right is not absolute and may be overridden by the employer having ‘compelling reasons’ to process the data. The severity of the suspected offence will therefore affect the employer’s ability to satisfy this requirement. Companies should also ensure that this balancing exercise between the legitimate interests of the company and those of the employee be carried out prior to conducting the internal investigation, and information in respect of any such exercise should be made available to employees.

In any event, companies must inform their employees of the right to object and should draft an internal investigation policy reflecting this balance. Employees should be notified of the possibility that an investigation might take place and, in particular, the ways in which their personal data might be processed in the context of an investigation. For new employees, this information should be provided when they join the company. However, for existing employees, the provision of an updated internal investigation policy will be sufficient.

25 Does your country regulate or otherwise restrict the interception of employees’ communications? What are its features and how is the regime enforced?

Irish employers have the right to monitor employees’ communications. However, this is subject to the right to privacy that employees are afforded under both the Irish Constitution and the European Convention on Human Rights, as well as under data protection law. Any intrusion of an employee’s right to privacy must be proportionate to any likely damage caused to the employer’s legitimate interests.

When an employee wishes to enforce the right to privacy or believes that it has been infringed, he or she may do so by referring a dispute to the Workplace Relations Commission or by commencing proceedings in the courts. If the dispute involves an employee’s personal data, it may be possible to lodge a complaint with the DPC.

Dawn raids and search warrants

26 Are search warrants or dawn raids on companies a feature of law enforcement in your country? Describe any legal limitations on authorities executing search warrants or dawn raids, and what redress a company has if those limits are exceeded.

Search warrants and dawn raids are often used as part of investigations against companies, particularly by the CCPC and the ODCE. Both company premises and private homes of relevant persons can be searched on the basis of an appropriate warrant.

There are constitutional protections for persons subject to searches, particularly of private homes. Depending on the specific statute, a regulator or investigatory body would obtain a search warrant to enter a dwelling to conduct a search and to seize documents. There is a general requirement that there is some nexus between the investigation by the regulatory body of the offence in question and the dwelling in question. The body is only permitted to search the premises specified in the warrant and to seize items coming within the terms of the warrant.

Evidence seized outside the scope of a search warrant may, depending on the circumstances, be inadmissible at trial.

27 How can privileged material be lawfully protected from seizure during a dawn raid or in response to a search warrant in your country?

Privileged material is prima facie protected from examination by law enforcement or regulatory bodies. Specific statutes, such as the Companies Act 2014 and the Central Bank (Supervision and Enforcement) Act 2013, also provide for the protection of privileged information during investigations.

In practical terms, it can be difficult to determine during a seizure operation whether material is privileged, and sometimes the material will be isolated so that a claim of privilege can be assessed later.

The mechanism to assess whether privilege has been properly asserted will be dependent on the legislation under which the search warrant was granted. For example, the Competition and Consumer Protection Act 2014 provides a mechanism whereby material that is seized, and is claimed to be legally privileged, is retained and vetted by an independent assessor to determine whether privilege has been properly asserted.

28 Under what circumstances may an individual’s testimony be compelled in your country? What consequences flow from such compelled testimony? Are there any privileges that would prevent an individual or company from providing testimony?

The Irish Constitution recognises a right to silence and the privilege against self-incrimination. Arrested suspects are brought into police custody for questioning ‘under caution’. The suspects should be cautioned that they have the right to maintain silence and that anything they say may be used in evidence. However, the Criminal Justice Act 1984 (as amended) provides that, in the case of arrestable offences (i.e., those for which a person can be imprisoned for five years or more), inferences can be drawn at trial from an accused’s silence.

The right to silence can be abridged by statute, most often in the context of regulatory investigations, meaning that answers can be compelled. However, Irish courts have frequently held that statements given under statutory compulsion (such as in connection with a regulatory investigation attracting a civil penalty) cannot be used against that person in subsequent criminal proceedings, whereas voluntary statements can be.

Whistleblowing and employee rights

29 Describe the whistleblowing framework in your country. What financial incentive schemes exist for whistleblowers? What legal protections are in place for whistleblowers?

The Protected Disclosures Act 2014 (the 2014 Act) protects whistleblowers and provides for a tiered disclosure regime with a number of avenues open to whistleblowers. The 2014 Act encourages the vast majority of protected disclosures to be made to the employer in the first instance. However, other options are available if this is inappropriate or impossible.

There are no financial incentive schemes for whistleblowers.

When a worker makes a protected disclosure, the employer in question is prevented from dismissing or penalising the worker, taking an action for damages or an action arising under criminal law, or disclosing any information that might identify the person who made the disclosure. If the employer were to dismiss or penalise a worker wholly or mainly as a result of him or her making a protected disclosure, the worker could be awarded up to five years’ remuneration, re-engagement or reinstatement by the Workplace Relations Commission (the employment tribunal in Ireland). Further, the 2014 Act creates a cause of action in tort for the worker for detriment suffered as a result of making a protected disclosure. The definitions of ‘protected disclosure’, ‘relevant wrongdoing’ and ‘worker’ are quite broad, and care should be taken to consider whether the Act applies in every case of reported misconduct.

30 What rights does local employment law confer on employees whose conduct is within the scope of an investigation? Is there any distinction between officers and directors of the company for these purposes?

As a general matter, employees have a constitutional right to ‘fair procedures’ in any investigative or disciplinary process. This means that, among other things, an employee must be kept appraised of the investigation and must be permitted to participate in the investigation and make points in his or her defence. The extent and scope of fair procedures and natural justice that must be afforded during a workplace investigation depends on the actual nature of the investigation and the potential consequences thereof.

The rights do not differ for officers and directors who are employees.

31 Do employees’ rights under local employment law differ if a person is deemed to have engaged in misconduct? Are there disciplinary or other steps that a company must take when an employee is implicated or suspected of misconduct, such as suspension or in relation to compensation?

The rights outlined in question 30 apply in an investigation and disciplinary process when a person is implicated or suspected of having engaged in misconduct.

Prior to a finding of misconduct being made, an investigation and disciplinary process should be carried out.

The disciplinary process should, at a minimum, follow the Workplace Relations Commission’s Code of Practice on Disciplinary and Grievance Procedures, the employer’s own procedures and involve the basic principles set out below.

Advance written notice of any allegations, and any supporting documentation and witness statements, should be provided to the employee.
The employee should be invited, in writing, to an investigation meeting to discuss the allegations and to put forward his or her response.
The investigation should go no further than to determine whether there is a sufficient factual basis to warrant a matter being put to disciplinary hearing.
Suspension should only be imposed after full consideration of the necessity for it pending a full investigation of matters. It may be justified if it is to prevent repetition of the conduct complained of or interference with evidence; to protect individuals at risk from such conduct; to comply with any regulatory rule applicable to the individual or their role; or to protect the employer’s business and reputation. Suspension must be on full pay and benefits, and for no longer than is reasonably necessary.
Depending on the outcome of an investigation, the employee should be invited in writing to a disciplinary meeting to discuss the allegations and to put forward a response. Documents obtained during the investigation should be provided to the employee.
The employee should be allowed to be accompanied by a colleague or trade union representative at any meetings.
Any sanction must be proportionate and reasonable in the circumstances and should be confirmed in writing to the employee.
A right of appeal to someone not previously involved should be provided.
Unless the allegations are sufficient to constitute gross misconduct, the sanctions should progress from verbal warning to written warning to final written warning and then to dismissal. Summary dismissal will be permitted only when the circumstances genuinely constitute gross misconduct.

The following specific protections may arise in the context of conduct-related investigations and dismissals.

Unfair dismissal. In general, an employee with one year of continuous service may bring a claim for unfair dismissal. An employer cannot lawfully dismiss an employee unless substantial grounds exist to justify termination, such as the employee’s conduct. Regard will also be given to the reasonableness of the employer’s conduct and the extent of any failure to adhere to agreed procedures. A preliminary investigation is an essential precursor to a fair disciplinary process.
Discrimination. Irrespective of length of service, an employee may bring a claim for discriminatory dismissal or discrimination based on any one of the nine discriminatory grounds contrary to equality legislation (i.e., gender, civil status, family status, sexual orientation, religion, age, disability, race (including colour, nationality and ethnic or national origin) and membership of the traveller community).
Whistleblowing. See question 29.
Wrongful dismissal or High Court injunction. An employee can seek a High Court injunction to restrain an employer from implementing a dismissal if the decision is not implemented correctly. An injunction maintains the status quo pending the determination of an overarching breach of contract claim. A similar order may also be brought to restrain an investigation or disciplinary hearing before matters even reach the dismissal stage. A challenge may be based on corporate governance grounds, the fairness of the procedures adopted or failure to terminate the contract in accordance with its terms.

For dismissal for out-of-work misconduct to be deemed fair, there must be a genuine connection between the employee’s offence and his or her employment. The connection must be such that it leads to a breach of trust or causes reputational or other damage to the employer. In these circumstances, the employer should carry out its own internal investigation and disciplinary process (in accordance with the requirements set out above).

32 Can an employee be dismissed for refusing to participate in an internal investigation?

The extent to which an employer may take disciplinary action against an employee for failure to participate in an investigation, up to and including dismissal in accordance with its disciplinary procedure, will depend on the circumstances.

Commencing an internal investigation

33 Is it common practice in your country to prepare a document setting out terms of reference or investigatory scope before commencing an internal investigation? What issues would it cover?

There is no statutory requirement for such a document, but it would be considered general good practice. Depending on the circumstances, it may be useful to detail the purpose and scope of the investigation and to clarify the remit of the investigators’ role. Matters to cover might include:

the structure and methodology of the investigation;
a definition of the issues to be covered; and
details of any engagement with legal counsel and related matters concerning privileged material.

If the investigation concerns employees of the company, it should go no further than gathering the relevant information or evidence to determine whether or not there is a sufficient factual basis to put particular allegations at a formal disciplinary hearing. The investigation should be carried out in accordance with any relevant internal procedures and not reach any factual conclusions on the evidence or decide whether the allegations are proved.

34 If an issue comes to light prior to the authorities in your country becoming aware or engaged, what internal steps should a company take? Are there internal steps that a company is legally or ethically required to take?

Depending on the severity of the issue, it would usually be prudent for a business to carry out a certain level of enquiry and investigation. However, a company should take care in carrying out any investigations and in creating any reports, as it is possible that any such documents could be subject to disclosure in any subsequent legal proceedings. A company would not generally be obliged to voluntarily provide the results of such an investigation to the relevant authorities unless it is required under a court order, statute or as part of a self-report. A number of legislative provisions impose a positive obligation on persons (including businesses) to report wrongdoing in certain circumstances (see question 51).

It is also essential, of course, that any wrongdoing ceases as soon as the company becomes aware of it, and that remedial measures are taken where appropriate. Care should be taken to preserve evidence of the wrongdoing, as a failure to do so could result in accusations of destruction of evidence, which can itself be an offence under certain legislation, such as pursuant to section 793 of the Companies Act 2014.

35 What internal steps should a company in your country take if it receives a notice or subpoena from a law enforcement authority seeking the production or preservation of documents or data?

It is advisable to immediately implement a ‘document hold’ by suspending deletion policies and circulating document retention notices.

The company should review the request and consider the power under which it is exercised, and in particular if the request is voluntary or mandatory. There are risks associated with releasing documentation, particularly when it might contain confidential or personal information, without being lawfully compelled to do so. External legal advice may be required in this regard.

An inventory listing the materials falling within the notice should also be prepared. The material should then be assessed for privilege. Copies of anything provided to the investigation authority should be retained.

36 At what point must a company in your country publicly disclose the existence of an internal investigation or contact from a law enforcement authority?

Privately owned companies are not required to publicly disclose the existence of internal investigations or contact from law enforcement. There may, of course, be commercial reasons for doing so (or not doing so) in any particular case.

Under the Irish Listing Rules, publicly listed companies on the Irish Stock Exchange (Euronext Dublin) must, without delay, provide to Euronext Dublin any information that it considers appropriate to protect investors. Euronext Dublin may, at any time, require an issuer to publish such information within the time limits as it considers appropriate to protect investors or to ensure the smooth operation of the market.

37 How are internal investigations viewed by local enforcement bodies in your country?

Internal investigations are considered part of good corporate governance. However, companies operating in Ireland can be subject to certain reporting obligations in respect of certain offences and will therefore be required to notify matters to law enforcement or regulators in certain circumstances (see question 51).

The Irish High Court ruled in Mooney v. An Post [1998] 4 IR 288 that the acquittal of an employee of criminal charges does not preclude employers from considering whether an employee should be dismissed on the basis of the impugned conduct. However, if criminal prosecution precedes an internal investigation, in general, internal disciplinary procedures are suspended to respect the individual’s right to silence.

Attorney–client privilege

38 Can the attorney–client privilege be claimed over any aspects of internal investigations in your country? What steps should a company take in your country to protect the privilege or confidentiality of an internal investigation?

Any requirement to disclose documents obtained through an internal investigation to the Irish authorities is qualified by legal professional privilege. In Ireland, documentation, including electrical documentation and audio and visual records of communication, may attract legal professional privilege either in the form of legal advice privilege or litigation privilege. Legal advice privilege arises regarding confidential communications between a lawyer and a client that are created for the sole or dominant purpose of giving or seeking legal advice, even if there is no actual or potential litigation. Litigation privilege applies to communications between a lawyer and a client made in the context of contemplated or existing litigation or regulatory action and also covers communications with third parties, such as experts. Litigation privilege can be a broader form of privilege to assert in the context of an internal investigation, provided there is actual or contemplated litigation or regulatory action.

The main way to protect privilege is to involve lawyers in internal investigations at an early stage, although it should be noted that privilege cannot be created regarding existing documents after they have been created merely by involving lawyers. To ensure that existing privilege is not lost, it is important to limit the disclosure or sharing of materials to essential persons only. Legal advice should not be summarised or copied and shared by non-legal persons. If privileged materials need to be shared with third parties, it is important to ensure that appropriate confidentiality agreements are put in place to govern such disclosure and that, as far as possible, privilege is not inadvertently waived or lost.

39 Set out the key principles or elements of the attorney–client privilege in your country as it relates to corporations. Who is the holder of the privilege? Are there any differences when the client is an individual?

Legal professional privilege applies equally to individuals and companies and belongs to the client (see question 38). Under Irish law, the question of who is the client in a corporate context was considered in UCC v. ESB [2014] IEHC 135. In that case, it was held that if the client is a corporate body, it is necessary to consider whether the individual making the communication to the lawyer is a person engaged or employed to obtain or receive legal advice on behalf of the client.

40 Does the attorney–client privilege apply equally to in-house and external counsel in your country?

Both in-house and external counsel attract legal professional privilege when the criteria for legal professional privilege are met. In-house counsel must be acting in their capacity as legal adviser and not, say, as an officer of the company. However, the position with regard to in-house counsel in the context of certain external matters is not straightforward and advice should be sought as a result of the decision of the European Court of Justice in Akzo Nobel Chemicals Ltd and Akcros Chemicals Ltd v. Commission (Case C-550/07 P).

41 Does the attorney–client privilege apply equally to advice sought from foreign lawyers in relation to (internal or external) investigations in your country?

The position in Ireland is that, as far as legal professional privilege is concerned, the definition of ‘lawyer’ extends to foreign lawyers. There does not appear to be any question about this and it is generally accepted that foreign legal advice is privileged to the extent that it fits Irish legal rules on privilege.

For example, in Sports Direct International Plc v. Minor & ors [2015] IEHC 650, the High Court applied privilege to English legal advice without questioning whether it would apply.

42 To what extent is waiver of the attorney–client privilege regarded as a co-operative step in your country? Are there any contexts where privilege waiver is mandatory or required?

Asserting legal professional privilege is a legal right and the fact of its assertion should not be held against a party. However, if the materials regarding which legal professional privilege is being asserted are central to any enforcement investigation (such as a party defending certain conduct on the basis that it was taken following legal advice), it may appear unco-operative to refuse to disclose such material. In such a case, disclosure could, in fact, be in a party’s strategic interest. Any decision to waive privilege should be carefully considered as, once waived, legal professional privilege is lost. It is generally recommended that a waiver should be limited to those materials that are strictly necessary and should be made on a limited and specified basis; in other words, a general waiver of all legal professional privilege in respect of a particular matter is not advisable.

43 Does the concept of limited waiver of privilege exist as a concept in your jurisdiction? What is its scope?

It is possible to waive privilege on a limited basis. However, care should be taken as privilege can inadvertently be lost in such circumstances. The scope of the waiver should be clear, limited and in writing; furthermore, it is of utmost importance that confidentiality in the material should be maintained. Care should be taken when waiving privilege over documents that make reference to connected documents over which privilege is maintained. In Quinn v. Irish Bank Resolution Corporation [2018] IEHC 481, the High Court ruled that it would be ‘unfair if the plaintiffs were entitled to maintain privilege over . . . privileged documents which are connected or related to the same “transaction”, [or] the subject matter of disclosed privileged documents’.

44 If privilege has been waived on a limited basis in another country, can privilege be maintained in your own country?

If the waiver of privilege was appropriate, limited and restricted, it should not defeat the overall assertion of legal professional privilege. However, this will depend on the extent and nature of the waiver in each case.

45 Do common interest privileges exist as concepts in your country? What are the requirements and scope?

Common interest privilege does exist in Ireland. It is important that common interest privilege is expressly asserted and that the third party is aware of the necessity of preserving privilege in the materials received, such as by not disclosing it to any other persons outside the common interest circle.

46 Can privilege be claimed over the assistance given by third parties to lawyers?

Third-party communications are only protected against disclosure in the context of litigation privilege. Litigation privilege can be asserted regarding third-party communications where the dominant purpose of the communication is in anticipation of existing or contemplated litigation (which currently includes regulatory proceedings).

Witness interviews

47 Does your country permit the interviewing of witnesses as part of an internal investigation?

Witnesses can be interviewed in internal investigations and are often seen as an integral part of the fact-finding exercise of an investigation. However, the internal investigation would not be able to compel witnesses to attend, except to the extent that employees can be requested to co-operate in the context of their employment.

48 Can a company claim the attorney–client privilege over internal witness interviews or attorney reports?

Reports that contain legal analysis, advice or conclusions, or are prepared with the dominant purpose of preparing for, or in contemplation of or in connection with litigation or regulatory proceedings, can be protected by legal professional privilege.

49 When conducting a witness interview of an employee in your country, what legal or ethical requirements or guidance must be adhered to? Are there different requirements when interviewing third parties?

It can be important that witnesses are informed of the nature of the interview, whether they are implicated in any wrongdoing and, crucially, of any possible consequences for them of the investigation process to preserve the ability to take appropriate action, if necessary, following or as a result of the investigation. It is important to point out that any lawyers present are acting for the company and not for the employee, who may, in some cases, have his or her own legal representation.

Existing employees have a greater right to fair procedures as they are more likely to face the possibility of an adverse outcome, such as dismissal. However, it is best practice to accord equal, fair procedures to all interviewees.

50 How is an internal interview typically conducted in your country? Are documents put to the witness? May or must employees in your country have their own legal representation at the interview?

It is good practice to ensure that any documents of relevance to the witness are put to them. ‘Interview by ambush’ is contrary to fair procedures and open to challenge, particularly by employees.

Employees have no statutory right to legal representation at witness interviews. However, if the employee or witness is, or may become, the subject of the investigation, the employer should consider advising the employee or witness to have legal representation to minimise the risk of a later legal challenge to the investigation process. If the person requests permission to have legal representation, the company should assess each case separately. It is generally considered prudent to permit such representation, or not to proceed in the absence of such representation.

Reporting to the authorities

51 Are there circumstances under which reporting misconduct to law enforcement authorities is mandatory in your country?

A number of legislative provisions impose a positive obligation on persons (including businesses) to report wrongdoing in certain circumstances. Most significantly, section 19 of the Criminal Justice Act 2011 provides that a person is guilty of an offence if he or she fails to report information that he or she knows or believes might be of ‘material assistance’ in preventing the commission of, or securing the prosecution of another person in respect of, certain listed offences, including many corporate crimes. The disclosure must be made ‘as soon as practicable’, and a person who fails to disclose such information may be liable to a fine or imprisonment for up to five years, or both. However, the person considering making the report may need to make enquiries to be satisfied that a report is justified.

The Supreme Court case of Sweeney v. Ireland, Attorney General and Director of Public Prosecutions [2019] IESC 39 has important implications for section 19 of the Criminal Justice Act 2011.

In overturning the High Court decision, the Supreme Court upheld the constitutionality of section 9(1)(b) of the Offences Against the State (Amendment) Act 1998. This decision has implications for section 19 of the Criminal Justice Act 2011 (the 2011 Act), which provides that a person is guilty of an offence if he or she fails to report information that he or she knows or believes might be of material assistance in preventing the commission of, or securing the prosecution of, another person of certain listed offences, including many white-collar offences. The wording of section 19(1)(b) of the 2011 Act is identical to that of section 9(1)(b) of the 1998 Act except that the former applies to a ‘relevant offence’ and the latter applies to a ‘serious offence’. In finding that the provision was sufficiently certain, the Supreme Court held that the 1998 Act was clear in what it obliges witnesses to do – to disclose information pertaining to serious offences that they know will aid in the prosecution of such an offence. Although the Supreme Court noted that no comment has been made as to the constitutionality of similar provisions, such as section 19(1)(b) of the 2011 Act, it would appear to indicate that such reporting obligations would be likely to withstand a similar legal challenge.

Other mandatory reporting obligations include the duties of:

persons with a ‘pre-approved control function’ to report breaches of financial services legislation;
designated persons (auditors, financial institutions, solicitors) to report money laundering offences;
auditors to report a belief that an indictable offence has been committed;
auditors or persons preparing accounts to report theft and fraud offences; and
all persons to report any offence committed against a child.

52 In what circumstances might you advise a company to self-report to law enforcement even if it has no legal obligation to do so? In what circumstances would that advice to self-report extend to countries beyond your country?

A company might be advised to self-report, in Ireland or overseas, to mitigate the risk of prosecution or any potential sentence that may be imposed by a court. There are no express provisions for immunity or leniency in prosecution under Irish law, but self-reporting can be considered a mitigating factor in sentencing. The DPP does have discretion to grant immunity in certain circumstances. Some regulatory regimes, such as the CBI’s administrative sanction procedure, also consider self-reporting as a mitigating factor affecting the level of sanctions. The list of sanctioning factors set out in the CBI’s Administrative Sanctions Procedure (published in 2018) includes ‘how quickly, effectively and completely the regulated entity brought the contravention to the attention of the CBI or any other relevant regulatory body’.

The exception is the Cartel Immunity Programme operated by the CCPC, which allows a member of a cartel to apply for immunity in return for co-operating with the CCPC. Only the first member of a cartel to come forward can avail of the programme and must meet strict eligibility criteria.

In terms of extraterritorial self-reporting, an Irish company may self-report to authorities in other jurisdictions that have immunity or leniency programmes if the conduct in question could also be investigated or prosecuted by those authorities. For example, the European Commission runs a cartel immunity programme and an Irish company may self-report to the Commission to avail of this.

53 What are the practical steps you need to take to self-report to law enforcement in your country?

It is important that a company has considered its risks and, as far as possible, investigated the matter before making a report. A report can be made in writing, such as by letter to the appropriate authority, or by providing a written statement upon attending a Garda station. The form and content of the report will depend on the specific circumstances of the matter, including, for example, whether the company might be implicated, or whether there are other legal, commercial or reputational issues to be considered. Data deletion policies should be suspended and relevant materials retained in case they are subsequently required in the context of an investigation or legal or regulatory proceedings.

Responding to the authorities

54 In practice, how does a company in your country respond to a notice or subpoena from a law enforcement authority? Is it possible to enter into dialogue with the authorities to address their concerns before or even after charges are brought? How?

Dialogue may start with the authority once a notice has been received and analysed. For example, the company may wish to address concerns such as the scope of the request, the legal basis or the deadline for compliance. It is important that care is taken with these types of communications, as they can set the tone for engagement with the authority and may be relevant for any subsequent court challenge or dispute that may arise.

55 Are ongoing authority investigations subject to challenge before the courts?

Ongoing investigations may be subject to challenge in the courts, for example through an application for judicial review. It is also possible to seek injunctions, typically on an interim basis, to protect legal rights while the underlying challenge is resolved.

56 In the event that authorities in your country and one or more other countries issue separate notices or subpoenas regarding the same facts or allegations, how should the company approach this?

Each request should be treated separately as the legal basis for the request is likely to be different. A request that may appear to compel disclosure of documents may not, in fact, have legal effect if it is from outside the jurisdiction and the procedures for compelling cross-border information (such as the procedures under the Criminal Justice (Mutual Assistance) Act 2008, as amended (see question 58)) are not engaged. It is generally not advisable to release information, particularly personal data within the meaning of the DP Acts, in the absence of lawful compulsion. ‘Package disclosures’ are therefore usually unadvisable, as documents that one agency has a legal right to obtain may not be within the compulsory power of another agency. That said, when requests are made by different authorities, it is important to have a consistent approach with regard to how requests are treated and what arguments are made to authorities.

57 If a notice or subpoena from the authorities in your country seeks production of material relating to a particular matter that crosses borders, must the company search for, and produce material, in other countries to satisfy the request? What are the difficulties in that regard?

The appropriate response will depend on the nature of the request and the relationship between the company that is subject to the request and the entities holding the documents across borders. If the company in receipt of the request has the power to compel production, such as from a branch or subsidiary, it may be required to do so. However, generally, the entity to which the request is addressed will be the only body with an obligation to respond.

58 Does law enforcement in your country routinely share information or investigative materials with law enforcement in other countries? What framework is in place in your country for co-operation with foreign authorities?

Irish law enforcement and regulatory bodies are known to share information informally with equivalent bodies in different jurisdictions.

In terms of formal co-operation mechanisms, the Criminal Justice (Mutual Assistance) Act 2008 gives effect to 12 international agreements that establish the existing legislative framework for the provision of mutual legal assistance. The Criminal Justice (Mutual Assistance) (Amendment) Act 2015 gives effect to a further six international instruments not provided for by the 2008 Act. This has enhanced the already significant level of co-operation between Ireland and other EU Member States. Co-operation with third countries (those outside the European Economic Area) is dependent on their ratification of relevant international agreements or the existence of a mutual assistance treaty agreed between them.

The transposition of the EU Fourth Money Laundering Directive into Irish law has also led to further enhanced international co-operation, as the Directive requires information to be shared between competent national authorities, including the creation of a central register of beneficial owners of entities.

59 Do law enforcement authorities in your country have any confidentiality obligations in relation to information received during an investigation or onward disclosure and use of that information by third parties?

There is no generally applicable statutory obligation that creates an obligation on the police to keep information received during an investigation confidential.

Irish law does recognise a broad ‘right to privacy’, however, which is protected by the Irish Constitution, the EU Charter of Fundamental Rights and the European Convention on Human Rights. Further, data protection is regulated in Ireland primarily by the DP Acts. Irish data protection laws reflect EU data protection laws and protect the personal data of individuals from disclosure in certain circumstances. The police are subject to the same obligation under the DP Acts as all ‘data controllers’, within the meaning of the DP Acts, when processing personal data. There are exceptions to the rules set out in the DP Acts, including where the processing is required to investigate or prevent an offence.

The police may disclose information to law officers and other law enforcement agencies during an investigation or on the basis of the prevention and detection of offences, under mutual assistance agreements with Interpol Europe and other agencies that have a statutory investigative and enforcement role.

Whistleblowers are protected from identification by the Protected Disclosures Act 2014. Accordingly, great care must be taken not to violate these protections when an investigation involving whistleblower information is under way. However, the identity of whistleblowers can be disclosed to prevent a crime or to aid in the prosecution of a criminal offence.

60 How would you advise a company that has received a request from a law enforcement authority in your country seeking documents from another country, where production would violate the laws of that other country?

In such circumstances, it would usually be prudent to advise the company not to provide the documents. However, the company should ensure that it is not violating any laws in its own jurisdiction by doing so. The company should inform the requesting authority of the basis for the decision to refuse the request for documents.

61 Does your country have secrecy or blocking statutes? What related issues arise from compliance with a notice or subpoena?

Data protection is regulated in Ireland primarily by the DP Acts. Irish data protection laws reflect EU data protection laws and protect the personal data of individuals from disclosure in certain circumstances. The transfer of data outside Ireland is restricted, but there is no outright ‘block’ preventing all transfers. The main implication of Irish data protection law is that companies may be reluctant to release materials in the absence of a legal obligation.

As discussed in question 24, Irish law also recognises a broad right to privacy, which can restrict the disclosure of data even when the disclosure would comply with the DP Acts.

Further, care should be taken when releasing documents that relate to any type of contractual relationship, as there may be confidentiality terms in the contract or engagement terms that could be violated by the disclosure. A party should always be mindful that if it releases information without being compelled to do so, it is not protected from claims that it has breached Irish data protection legislation or breach of confidence claims.

62 What are the risks in voluntary production versus compelled production of material to authorities in your country? Is this material discoverable by third parties? Is there any confidentiality attached to productions to law enforcement in your country?

As outlined in questions 60 and 61, there are risks attached to voluntary production of documents, and it is generally not advised unless there are compelling reasons to do so. In particular, as noted in question 59, a company may be in breach of the DP Acts if it releases materials that contain personal data in the absence of lawful compulsion, and may also be in breach of confidence if it releases confidential material without being compelled to do so. There may also be other contractual consequences for a company releasing certain materials voluntarily. There is no automatic confidentiality attached to materials disclosed to law enforcement, unless restrictions have been agreed to that effect. Accordingly, material provided to authorities voluntarily may be shared with other authorities or used for purposes other than the initial basis of the request. Materials obtained on the basis of a compulsory power are subject to greater protections. However, once material is in the possession of an authority, there is nothing to prevent a third party from seeking the material, such as through a non-party discovery order.

Prosecution and penalties

63 What types of penalties may companies or their directors, officers or employees face for misconduct in your country?

Irish criminal legislation typically provides for monetary fines or terms of imprisonment for offences. Given the nature of corporate entities, the most common form of sanction is a fine. However, while less common, Irish legislation also provides for specific remedies, such as compensation orders and adverse publicity orders under health and safety legislation.

Common sanctions in the context of business crime are restriction and disqualification orders. Under section 839 of the Companies Act 2014, if a person has been convicted of an indictable offence in relation to a company, or convicted of an offence involving fraud or dishonesty, that person may not be appointed to, or act as, an auditor, director or other officer, receiver, liquidator or examiner, or be in any way, whether directly or indirectly, concerned or take part in the promotion, formation or management of any company for a period of five years by default, but potentially longer should the court see fit.

As discussed further under question 64, companies convicted of certain offences may be excluded from participation in public tenders for a specific period.

64 Where there is a risk of a corporate’s suspension, debarment or other restrictions on continuing business in your country, what options or restrictions apply to a corporate wanting to settle in another country?

The EU Public Sector Procurement Directive (2014/24/EU) was transposed into Irish law by the European Union (Award of Public Authority Contracts) Regulations 2016. Under these Regulations, companies must be excluded from public procurement for a specific period when they have been convicted of certain offences. The Regulations also provide for offences that carry discretionary debarment. These include offences under EU law, meaning that a company should take care when settling charges in another country, as doing so could, depending on the offence, trigger these exclusion rules.

The Regulations enable companies to recover eligibility to bid for public contracts by demonstrating evidence of ‘self-cleaning’, such as the payment of compensation to the victim, clarification of the facts and circumstances of the offence, co-operation with the investigating authority, and the implementation of appropriate measures to prevent further criminal offences or misconduct.

65 What do the authorities in your country take into account when fixing penalties?

Sentencing of corporate crimes is largely a function for the courts. There is no express provision under Irish law for immunity or leniency in prosecution. If a business is found guilty of an offence, a wide range of factors may be taken into account at the discretion of the court. Mitigating factors include whether the company ceased committing the criminal offence on detection or whether there were further infringements or complaints; whether remedial efforts to repair the damage caused were used by the company; the existence of a compliance programme; and whether the company itself reported the infringement before it was detected by the prosecuting authority. Additionally, in imposing any sentence, the court must comply with the principle of proportionality as set out in People (DPP) v. McCormack [2000] 4 IR 356.

Certain sanctions, such as those available to the CBI under the administrative sanction procedure or the CCPC in connection with cartels, can be expressed as a percentage of turnover. This allows the size of the entity to be considered when penalties are imposed.

Resolution and settlements short of trial

66 Are non-prosecution agreements or deferred prosecution agreements available in your jurisdiction for corporations?

Non-prosecution agreements (NPAs) and DPAs are not available in Ireland. There has been some consideration of these types of arrangements at policy level; for example, the Law Reform Commission (LRC) recommended in its Report on Regulatory Powers and Corporate Offences (published on 23 October 2018) that DPAs be introduced, based on the UK model, which are subject to court approval. In the United Kingdom, the court must be satisfied that (1) the terms of a DPA are fair and proportionate and (2) a DPA is in the interests of justice before it is approved. Although any recommendations of the LRC are not always followed or implemented, they are usually given serious consideration by the Irish government.

67 Does your jurisdiction provide for reporting restrictions or anonymity for corporates that have entered into non-prosecution agreements or deferred prosecution agreements until the conclusion of criminal proceedings in relation to connected individuals to ensure fairness in those proceedings?

NPAs and DPAs are not currently available in Ireland.

68 Prior to any settlement with a law enforcement authority in your country, what considerations should companies be aware of?

It is possible to enter into a settlement with some regulatory authorities in prescribed circumstances. For example, the CBI commonly uses settlements to resolve investigations brought under the Administrative Sanctions Procedure under the Central Bank Act 1942 (as amended) (in respect of civil sanctions only). In addition, pursuant to the Cartel Immunity Programme, a settlement may be achieved in specific circumstances.

Generally, any company considering entering into a settlement with a regulatory or enforcement authority should balance the seriousness of the charge, the scope of a conviction and the strength of the case against it, against the terms of the settlement, such as the quantum of any fine and whether there is publicity associated with the settlement. Care should be taken with regard to a settlement under the Cartel Immunity Programme to ensure that the stringent eligibility criteria are met before engaging with the CCPC.

69 To what extent do law enforcement authorities in your country use external corporate compliance monitors as an enforcement tool?

As DPAs and NPAs are not currently available in Ireland, the use of external corporate compliance monitors is not an enforcement tool used by Irish law enforcement authorities. In its Report on Regulatory Powers and Corporate Offences, the LRC has indicated that the detailed procedures concerning DPAs are best left to be determined in a Code of Practice to be developed by the DPP, comparable to the DPP’s Guidelines for Prosecutors and the DPP’s Guidelines for the Cartel Immunity Programme.

70 Are parallel private actions allowed? May private plaintiffs gain access to the authorities’ files?

A defendant may be subject to simultaneous civil and criminal proceedings arising out of the same set of circumstances. There is no obligation on the courts to adjourn the civil proceedings pending the completion of the criminal proceedings. However, civil proceedings are commonly adjourned pending the outcome of the criminal case. As there are different burdens of proof in civil and criminal matters, the outcome of civil and criminal proceedings will not necessarily be the same. It is also possible, although rare, for individuals to initiate private criminal prosecutions by issuing a summons pursuant to the Petty Sessions (Ireland) Act 1851 in certain limited circumstances.

Authorities are not obliged to disclose their files to such persons unless the particular file is generally open to the public or a court order has been obtained.

Publicity and reputational issues

71 Outline the law in your country surrounding publicity of criminal cases at the investigatory stage and once a case is before a court.

The Irish judiciary is extremely protective of the accused’s right to a fair trial and will prohibit or stay a trial if necessary. This sometimes occurs in respect of high-profile cases when the extent of publicity affects the ability of the defendant to have a fair jury trial. An example of this is the trial of a high-profile former chairman of Anglo Irish Bank, which was adjourned in October 2015, owing to concerns of adverse publicity surrounding the trial, and a new trial date scheduled for September 2016. In May 2017. the former chairman was acquitted on all charges following strong criticism by the Circuit Criminal Court of the investigation run by the ODCE.

Reports that undermine legal proceedings can amount to contempt of court. Further, any reporting that goes beyond a faithful account of the court proceedings could give rise to defamation claims.

Pursuant to the Data Protection Act 2018, new court rules have been introduced to allow access to documents on court files. Under these new rules, an accredited member of the press may access documents that are ‘opened’ in court (i.e., read out in court by a lawyer or by the judge) and those that are ‘deemed to have been opened’ at a hearing before the court (i.e., documents that the judge has read in chambers and does not require the parties to formally open in court).

72 What steps do you take to manage corporate communications in your country? Is it common for companies to use a public relations firm to manage a corporate crisis in your country?

In larger companies, corporate communications are generally managed by a team of marketing professionals, and it is common for companies to employ public relations companies when there is a risk of negative publicity.

73 How is publicity managed when there are ongoing related proceedings?

It is important that any public statements issued by a company do not potentially prejudice current criminal proceedings or investigations. Statements issued by a company in such circumstances should be brief, factual and approved by the company’s legal advisers. Care should also be taken that no comments are made that potentially identify any persons, as there could be a risk of defamation proceedings if the statement incorrectly implies that a person has committed any wrongdoing.

Duty to the market

74 Is disclosure to the market in circumstances where a settlement has been agreed but not yet made public mandatory?

As discussed in question 36, Euronext Dublin may require an issuer to publish information within such time limits as it considers appropriate to protect investors or to ensure the smooth operations of the market.

Anticipated developments

75 Do you expect to see any key regulatory or legislative changes emerge in the next year or so designed to address corporate misconduct?

Following the publication in November 2017 by the Irish government of its Measures to Enhance Ireland’s Corporate, Economic and Regulatory Framework, aimed at strengthening Ireland’s response to corporate misconduct, there have been a number of key legislative changes including:

the enactment of the Criminal Justice (Corruption Offences) Act 2018, which came into effect on 30 July 2018 and effectively repealed and replaced the seven existing Prevention of Corruption Acts 1889 to 2010 with a single statute; and
the publication in December 2018 of the General Scheme of the Companies (Corporate Enforcement Authority) Bill 2018. This Bill proposes that the ODCE will be re-established as an agency, in the form of a commission, which will be known as the Corporate Enforcement Authority.

As referenced in question 1, the Minister for Justice and Equality appointed James Hamilton, former DPP, to chair a review of Ireland’s anti-corruption and anti-fraud structures and procedures in criminal law enforcement in 2018. In March 2019, the review group issued a call for submissions on a number of issues under its terms of reference, which could result in further legislative changes being introduced. The deadline for submission was 19 April 2019 and the results have yet to be published online.

There have been legislative changes to reflect the realities of the corporate environment during and following the covid-19 pandemic. The Civil Law and Criminal Law (Miscellaneous Provisions) Act 2020 and the Companies (Miscellaneous Provisions) (Covid-19) Act 2020 both came into effect in August 2020. The former Act seeks to address technical legal issues caused by covid-19. Its provisions include the expansion of court powers to direct remote hearings, allowing for the electronic filing of court documents in civil proceedings, allowing business records to be used as evidence in civil proceedings, and widening the use of video technology in criminal proceedings.

Footnotes

^[1]Karen Reynolds is a partner and Ciara Dunny is a senior associate at Matheson.