Production of Information to the Authorities: The In-house Perspective
This is an Insight article, written by a selected partner as part of GIR's co-published content.
Although less common for small and medium-sized enterprises, it is not unusual for large, particularly multinational, companies to find themselves weighing whether to voluntarily disclose information, or what to do when compelled to disclose information to law enforcement or regulatory authorities. The variables to consider are many and nuanced. They include, without limitation, the potential impact on customers and the business, the nature and pervasiveness of the wrongdoing, and whether mandatory reporting obligations arise. This chapter considers some of the key legal and practical considerations implicated when a company produces information to the authorities.
12.2 Initial considerations
The company should seek as early as possible to establish:
- Its status in the inquiry – is it a suspect or witness? This is not always communicated or readily discernible because the authority, itself, might not have decided either way, or might not wish its view to be known in the early stages of an investigation. There may, however, be some clue in how the authority has gone about requesting or otherwise obtaining the information. For instance, in the United Kingdom, a dawn raid by the Serious Fraud Office (SFO) on company premises implies that the SFO, and the courts, have reasonable grounds to believe, based on some assessment of facts, that it is impracticable to use less intrusive production order powers or doing so creates a risk of destruction of evidence. As such, unannounced raids tend to indicate, though not conclusively, that the company is a suspect.2
- Are any of the company’s employees suspects, and do they pose any ongoing risks to the business?3 When employees are suspects, a company should ensure that data collection and any internal investigation is conducted without tipping off the implicated employees or ‘trampling over the crime scene’, while adhering to local data protection and labour law. Depending on the jurisdiction and the authority involved, the company may need to disclose to the investigating agency that it intends to seek information from company employees. This may help to avoid inadvertent and unwanted interference with the agency’s own activities.4
- Which authority is making the request, and is the request reasonable? Some authorities are more aggressive than others; this is worth factoring in when setting the response strategy. Equally important is determining whether there are multiple authorities involved. Requests from less familiar jurisdictions, where the independence of prosecutors and the judiciary might be less assured, pose additional questions: Is there a political or monetary motivation? Are employees at risk of arrest and imprisonment without adequate due process? And what are the rules of corporate liability, if any? A request for information should be carefully reviewed to ensure that it appears reasonable in terms of scope and the basis for the request, and that it states the power under which the request was made.
12.3 Data collection and review
The company will at an early stage start to think about whether it has the responsive data and the appropriate process for preserving and collecting it. Data from digital devices to be produced to the authorities should be safeguarded from deletion or destruction and then collected in a forensically sound way. At a high level, this means that the collection is carried out by skilled persons who can retrieve and preserve whole images of various types of devices in a manner that is repeatable with consistent results, and that all steps taken are recorded and auditable. It is vital to capture all relevant material, and having a systematic and methodical approach will help. The investigation support team should include someone with detailed knowledge of the company’s IT systems and structure and will, preferably, be experienced in data extractions.
A company is also likely to want to understand for itself what the collected data reveals. The data review is invariably the most time-consuming and costly part of the production exercise. It is therefore imperative to try to agree realistic deadlines with the authorities at the outset and to communicate promptly if any slippage is anticipated. Most authorities will want a written record, usually in the form of witness statements, of the methodology used in the data collection and imaging, the process and rationale behind any filtering of the data, and how the review was conducted and the instructions given to the reviewers. This point is stated explicitly in the Corporate Co-operation Guidance published by the SFO on 6 August 2019 under the heading ‘Preserving and providing material’. The SFO Guidance emphasises the need to have an audit trail of the acquisition and handling of digital material and to take all steps to maintain the integrity of systems hosting such material over the life of an SFO investigation, which can run for many years.
A corporate can manage the costs incurred in a data collection and production exercise by: having an established panel of specialist law firms, which should yield discounted rates, but maintaining flexibility to go off-panel as individual case needs dictate; outsourcing the data collection and document review to professional service providers or even doing it in-house5 if there is the requisite capability; ensuring that the document review is as focused as possible through appropriate filtering and, possibly, use of AI technology; setting a budget at the outset and sticking to it unless extensions are approved; and monitoring costs on a monthly basis to ensure the exercise remains within budget. In an about-face from the wave of outsourcing that predominated in the past decade or so, large corporates are increasingly building in-house e-discovery proficiencies. A well-resourced programme need not be burdensome, but will pay dividends at production time by sharply reducing some of the larger-ticket items in document production – data collection, processing and culling (coordinated, as necessary, jointly with outside counsel).
12.4 Principal concerns for corporates contemplating production
There are numerous, often competing, concerns when a company produces documents to the authorities. One obvious but important concern is the impact that the disclosed material might have on (1) the authority’s investigation, or even pre-investigation, and (2) the company’s status with the authority. Another concern is the ability to identify and protect any intellectual property, trade secrets or proprietary information, or commercially sensitive information that might be contained in, or decipherable from, the material to be disclosed. This concern is accentuated when the company is co-operating with authorities in a cross-border context, or where multiple authorities have taken, or could take, an interest. The disclosed material could end up being shared between the various authorities, which could result in disparate recognition or application across different jurisdictions of limitations on use (as provided under statute or as agreed with one authority). As a result, the disclosing party cannot necessarily ensure that the limitations on use – which applied in the jurisdiction in which the material had been disclosed – will be enforced in a separate jurisdiction in which the material is now available.6
Relatedly, the corporate will be interested in preserving protections afforded under the attorney-client privilege or its jurisdictional equivalents. Special care must be taken at the start and throughout the investigation to have clear records of who is authorised on behalf of the company to instruct and receive advice from external lawyers, and is therefore the client. The purpose of any internal investigation is important also and should be recorded. Is the purpose to obtain legal advice on the company’s position in relation to a law enforcement or regulatory authority’s interest? Is it to gather information to disclose to the authorities? Or is it to do with actual or contemplated litigation, or a combination of reasons?
With the Court of Appeal ruling in SFO v. ENRC,7 it is now easier for corporates to argue successfully that litigation privilege applies to certain parts of their internal investigations, including over employee and third-party interviews and material generated by forensic accountants. While the question of who is the ‘client’ remains narrowly construed, namely those who have been authorised by the company to instruct and receive advice from lawyers, the Court of Appeal expressed a non-binding view that the law in this area could be reviewed and updated.8 For now, it remains more difficult to apply legal advice privilege to the fact-gathering part of an internal investigation.
A company will also be keen to restrict the ability of third parties to use the information disclosed to the authorities in civil proceedings against the company. Such restrictions could be imposed during the course of negotiations or discussions aimed at resolving, avoiding or reducing the scope of litigation by making clear at the time of production that the information is confidential and, when dealing with UK authorities, stated to be provided on a limited waiver of legal privilege or without-prejudice privilege basis.9 A company contemplating this approach should keep in mind that it loses control over material that has been disclosed to authorities. The material might, for example, via court orders for disclosure, end up in the hands of litigants, regardless of attempts to prevent it. Second, the attempt to make the disclosure of material without prejudice to privilege could clash with the authority’s expectation of a co-operating entity and negatively affect the chances of non-prosecution. This is particularly the case in view of a 2018 judicial review in which the High Court criticised the SFO and re-emphasised the SFO’s obligation to proactively seek to obtain material that might help the case of individual defendants or undermine the prosecution’s case, even if that means testing and challenging a company’s assertion of privilege over the product of an internal investigation.10
Federal courts in the United States are reluctant, however, to recognise selective waivers of privilege in relation to documents produced as part of an investigation or prosecution.11 The information may lose the protection of privilege and be subject to discovery by other parties.
It is also noteworthy that legal privilege in most European countries is generally treated somewhat differently than it is in the United Kingdom and United States. France and Germany, for example, apply the doctrine of professional secrecy or confidentiality of communication between the client and his or her attorney. Lawyer–client communications are, pursuant to the doctrine, protected from disclosure to external parties, subject to the crime exception. The status of any material created by lawyers during an internal investigation will need to be carefully considered. This is especially so because material created by in-house counsel conducting an internal investigation that is not under the auspices of an external lawyer-led investigation is unlikely to attract the professional secrecy or confidentiality protection.
Adherence to data protection principles is another important concern, especially when the information is being provided to the authority voluntarily and there is consequently not the protection given by a document production order or subpoena, which usually overrides any local data protection rules. Since 25 May 2018, Article 48 of the EU General Data Protection Regulation (GDPR) has restricted the ability of companies to transfer information out of the European Union in order to respond to orders or requests of foreign courts or authorities. Under this Article, personal data can only be transferred outside the European Union to respond to law enforcement or regulatory subpoenas or production orders, or court orders for disclosure, through the mutual legal assistance treaty route or other provisions of the GDPR. As the application of Article 48 is yet to be examined by the courts, it is unclear whether voluntary disclosure to the authorities is caught by the Article.12
12.5 Obtaining material from employees
There will often be a wide pool of employees, a few of whom might be ‘suspects’ or ‘targets’, who hold relevant information. It is important to first identify which, if any, of those employees should be notified of the data collection, bearing in mind the SFO cautioning against putting employees on notice and its desire to have the data collection undertaken with minimal risk of interference.13 The Corporate Co-operation Guidance states that the SFO should be consulted before interviewing employees (or taking any HR action). When collecting data from employees, the corporation should be mindful of local laws and the company’s policies on data collection, as well as the potential need to give notice or obtain consent from the employee. The key is to weigh any risk of relevant information being destroyed, and displeasing the requesting authority, if notice of the data collection is given to employees against any specific local law requirements and internal data collection policies.
It is common for employees to have personal material on work devices. If there are no reasonable grounds to believe that giving notice of a data collection exercise to an employee creates a risk that data will be destroyed, the employee could be instructed to separate personal material from work material before the device is copied. The personal material would then be safe from inadvertent disclosure to the authorities. If this separation of personal data is not possible because, for instance, the collection needs to be covert, then filtering and review before disclosure, if appropriate, should provide adequate safeguards against personal data being handed over.
A growing trend is for work material to be stored on personal devices. The covid-19 pandemic has prompted an explosion in the number of people working from home, increasing the use of own devices, which many companies permit through BYOD (bring your own device) policies. If that same material also exists on a work device or on the company’s servers, it can be collected from there rather than from the employee’s personal device. Clearly, it is not permissible for a company to covertly extract data from an employee’s personal device but it may be possible to do so with the employee’s express consent. Such situations should be catered for in the contract of employment and the company’s internal policies.
Another effect of the pandemic is that working from home or hybrid working is becoming the norm. This may mean that employee-created paper notes and other hard-copy material that had previously been kept in office locations are now being stored at employees’ home addresses. It should be noted that employees’ country of work may have changed due to the pandemic. For instance, employees may have returned to their home country from their country of assignment during the pandemic. The movement of material stored on devices and elsewhere from one country to another may impede the company’s access to that material for specific purposes. For example, material transferred to France by an employee previously working in the United States may be caught by the Blocking Statute should the company require that material for US litigation or to produce to US authorities. Likewise, that material becomes more readily accessible to the French authorities if required for their inquiries. Companies will do well to map out such risks as they craft their remote working policies.
As a best practice, companies should guard against this thorny issue of commingling of personal and business information by instituting appropriately tailored policies. It may not, however, be reasonable to expect that a company device will never be used for some personal purposes but companies should provide written limitations on the kinds of use that are acceptable and permitted. In any event, the transfer of business data through personal devices or personal email accounts should always be governed by appropriate mobile phone and BYOD policies. The policies should require, by way of non-exhaustive examples, line manager approval; that only recommended devices be used; and that only a corporate subscription is permissible, which means that the device is linked to and can be controlled through the company’s systems.
The foregoing considerations are further complicated by the increasing popularity in corporate communications of social media platforms, such as WhatsApp, text messages and iMessage, whose messages are expensive and difficult – if not impossible – to recover once deleted. Companies increasingly must preserve (and produce) business communications made via ephemeral messaging apps (EMAs), which fall broadly into two categories: ‘popular social media’, WhatsApp and so forth; and business messaging platforms, such as Slack, Yammer and Workplace. The distinction between the two is important because popular social media platforms are more likely than the business platforms to hold more private than business data. The retrieval of business data co-mingled with ‘private’ data is much more complex and burdensome, especially in countries with strict data protection laws, if not generally impermissible without the employee’s express and freely given consent. Companies should continue to exercise vigilance over business use of EMAs – including business messaging platforms; provide centrally hosted and backed up messaging for business communications and sensible social media use policies; understand server data locations for each service (particularly those used by the business as opposed to those used by individual employees); and put in place data retention policies to ensure clarity around what sort of data is preserved and for how long. US and UK authorities expect companies to be able to retrieve EMAs in an investigation.
12.6 Material held overseas
Because of the global nature of business, information that is required by a law enforcement or regulatory authority might be held by the company’s overseas subsidiaries – and in multiple locations at that.
When a company seeks to provide information voluntarily, it should assess whether this would expose it to potential claims of breaching the confidentiality or data protection rights of employees or third parties.
Despite a company’s desire to co-operate with a subpoena or production order, there may be significant legal hurdles, such as blocking statutes, preventing it from providing the material.14 There have been several US and UK court decisions15 that, applying the ‘law of the forum’ principle, ruled that the risk of prosecution for breaching an overseas blocking statute is not a reasonable ground for non-compliance with the court’s order for discovery. In those circumstances, the company’s lawyers must speak with the authority concerned, explain the issues and diplomatically suggest that the authority consider obtaining the information through the MLAT route or through police-to-police information exchange. It is vital for the company to support the process by having the material readily available, and using the contacts that the company’s external lawyers might have with prosecutors in the state where the material is held, to try to expedite matters. A legitimate alternative is available if the information also exists independently in another jurisdiction, which does not have blocking statutes, provided it had been transferred there previously for valid business or legal purposes and not to get around the blocking statute.
There have been recent important legislative developments in the United States and United Kingdom that seek to make it easier for law enforcement to access electronic data held overseas. The US Clarifying Lawful Overseas Use of Data Act (CLOUD Act) and the UK’s Crime (Overseas Production Orders) Act (COPO Act) 2019 allow the authorities to compel companies, without having to apply to a court, to hand over information even where the information is held overseas. The UK–US Bilateral Data Access Agreement, signed on 3 October 2019, will lead to prosecutors gaining these additional powers.16 These are the first acts of the kind and reflect the theme of increased cross-border co-operation. While the impact of the legislation remains to be seen, the acts clearly represent another point at which companies can be caught between conflicting laws, with blocking statutes and data privacy laws at the other side of the pincer seeking to limit companies’ ability to provide information. Companies should therefore be acutely aware of the potential for such conflicting obligations, and understand who controls their data (third parties may host or store data) and where it is stored. It is also prudent to develop plans of action for how to respond to an order to furnish evidence kept in a jurisdiction with laws prohibiting the transfer.
The February 2021 decision of the UK Supreme Court in KBR v. SFO17 allowed an appeal against a High Court ruling which deemed that a non-UK registered company could be compelled under section 2 of the Criminal Justice Act 1987 to produce to the SFO material held overseas provided there was a sufficient connection between the company and the United Kingdom. In this case, KBR Inc, organised in the US, was issued with a section 2 notice for material held overseas in connection with an SFO investigation into KBR Inc’s UK subsidiary. The Supreme Court overturned the High Court decision on the basis that it had not been the intention of Parliament to give the SFO such extraterritorial powers, noting that Parliament had instead developed MLA to facilitate gathering of material held internationally.
12.7 Concluding remarks
As explained in Chapter 11, there are many good reasons why a company might wish to take a proactive approach and voluntarily provide information rather than waiting for a subpoena or production order. It could, for example, give the best opportunity for maximising co-operation credit. The senior English judge granting the Rolls-Royce deferred prosecution agreement (DPA) cited voluntary provision of material as one of the ways Rolls-Royce demonstrated ‘extraordinary’ co-operation. This was also highlighted as a key element of Airbus’s co-operation, which led to DPAs with the SFO and US Department of Justice and an equivalent convention judiciaire d’intérêt public (equivalent to a DPA) with France’s Parquet National Financier in January 2020.18
From a US perspective, the DOJ expressly encourages corporates to co-operate with its investigations. For example, the second edition of the DOJ and SEC Resource Guide to the US Foreign Corrupt Practices Act19 emphasises that corporates enjoy the most favourable treatment under the April 2020 Corporate Enforcement Policy by demonstrating full and timely co-operation, together with self-disclosure, a comprehensive internal investigation, willingness to pay disgorgement, and an enhanced and effective compliance programme.
Depending on the facts of the case, in the authors’ view, there could be little to no loss of credit by asking for a production order rather than voluntarily disclosing – if this is appropriate to overcome data protection or other barriers – provided (1) there is early dialogue with the authorities and (2) the issues are reported before the authority learns of them separately through another source.20
In some circumstances a company might wish to think carefully about whether it needs to demonstrate extraordinary levels of co-operation. One way to do so would be to waive legal privilege over certain classes of documents to influence the company’s eligibility for the United States Department of Justice’s FCPA Corporate Enforcement Policy21 or a DPA.22 The joint Crown Prosecution Service and SFO Guidance on Corporate Prosecutions23 explains that ‘genuinely proactive’ self-reporting is a public interest factor militating against the prosecution of a company. A voluntary waiver of privilege is relevant to determining whether a company has genuinely and proactively co-operated with the SFO or other authority, and consequently to the assessment of whether it is in the public interest to prosecute or to invite the company to DPA negotiations. The SFO Corporate Co-operation Guidance states that a failure to waive privilege and provide witness accounts will not allow the company to avail itself of the corresponding factor weighing against prosecution as found in the SFO and CPS Deferred Prosecution Agreements Code of Practice24 (but will not be penalised by the SFO). In France, Guidelines on the Implementation of the Convention Judiciaire d’Intérêt Public25 make clear that an assertion of legal privilege that is deemed by the prosecutor to be unjustified has an ‘unfavourable effect on the level of cooperation of the company’. The Guidelines do add, however, that the risks companies may face in other jurisdictions by waiving privilege will be taken into account. Considering current policy in the United States, United Kingdom and France, a company might wish to think carefully about which documents it believes are truly legally privileged and whether in fact to assert legal privilege over them.
As stated in opening this chapter, there are many and nuanced factors to consider when a company is required to produce information to the authorities. The key is to be well prepared in terms of knowing where information is stored; to have the relevant expertise, preferably internally, to gather relevant information quickly and forensically; to have an overall strategy and end game as early in the process as possible, but also keeping things under review; and to be able to rely on trusted advisers.
1 Femi Thomas is chief compliance officer at Booking.com, Tapan Debnath is head of integrity, regulatory affairs and data privacy – process automation at ABB, and Daniel Igra is legal counsel in Nokia Corporation’s ethics and compliance department. The views expressed are the authors’ (or as otherwise attributed) and do not represent the views of their employers.
2 On 6 August 2019, the SFO published its long-awaited Corporate Co-operation Guidance. At the end of the Guidance, a short passage explains that it may be necessary for the SFO to exercise powers of compulsion to obtain material from a co-operating company. This reinforces that how the authority seeks material (whether by production order or dawn raid) can be illustrative only of the company’s status in the investigation and should not be taken as conclusive.
3 While change of company personnel (and culture) is a desirable outcome in most cases involving serious wrongdoing, it will probably need to be considered after a thorough review of the issues.
4 Agencies such as the US Department of Justice (DOJ) and SFO have considerable powers to sanction non-compliance with requests for information. While such sanctions have been seldom used in the United Kingdom, the SFO did secure its first conviction after trial in January 2020 in relation to its ongoing ENRC investigation for failing to comply with a notice pursuant to s.2 of the Criminal Justice Act 1987.
5 Some companies have an in-sourced legal support function that handles, for example, initial review of contract terms, which can, with some training and guidance, be used to do the first document review in an internal investigation.
6 In United States v. Allen, 864 F.3d 63 (2d Cir. 2017), the US Court of Appeal overturned the convictions and indictments of two LIBOR traders because, among other things, the testimony given by the defendants to the UK Financial Conduct Authority (FCA) under compulsion was used against them in their US criminal trial, which was held to be an infringement of the defendants’ Fifth Amendment rights. This is an example of information given in one jurisdiction (the United Kingdom), in which there were statutory limitations on use of the information, being used without limitation, initially at least, by another (the United States).
7 The Director of the Serious Fraud Office v. Eurasian Natural Resources Corporation Limited  EWCA Civ 2006.
8 The Court of Appeal in Civil Aviation Authority v. R (on behalf of the application of Jet2.com Ltd)  EWCA Civ 35 also indicated that it does not believe that this principle should be the law, but that it remains the law, unless the Supreme Court intervenes.
9 Property Alliance Group Ltd v. Royal Bank of Scotland plc  EWHC 1557 (Ch): without prejudice privilege applied to negotiations with the FCA with a view to arriving at a settlement. The without prejudice rule applies to exclude negotiations genuinely aimed at settlement from being given in evidence.
10 See R (on the application of AL) v. Serious Fraud Office  EWHC 856.
11 See In Re Columbia/HCA Healthcare Corp. Billing Practices Litig., 293 F.3d 289 (6th Cir. 2002).
12 See, for example, David J Kessler et al., ‘The Potential Impact of Article 48 on Cross Border Discovery From the United States’ in The Sedona Conference Journal, Volume 17, 2016, No. 2.
13 Speech by Alun Milford, SFO General Counsel, Annual Employed Bar Conference, 26 March 2014, available at https://www.sfo.gov.uk/2014/03/26/corporate-criminal-liability-deferred-prosecution-agreements/.
14 France, Switzerland, Italy and China are some of the countries that have blocking statutes. Breach of the Swiss blocking statute has been prosecuted on several occasions, whereas breach of the French blocking statute has, as far as is known, been prosecuted only once since its inception in 1968. However, Sapin II has a provision for penalising breach of the French blocking statute, which leads some commentators to believe that it will be more readily enforced. Further, Article 48 of the EU General Data Protection Regulation has similar effect to blocking statutes across the European Union. (See, further, Vol. II chapters at question 61.)
15 For example, Secretary of State for Health and Others v Servier Laboratories and Others (Servier)  EWCA Civ 1234 and National Grid Electricity Transmissions PLC v ABB Limited and Others  EWHC 822 (Ch).
16 The Agreement came into force on 8 July 2020.
17 R (on the application of KBR, Inc) v Director of the Serious Fraud Office  UKSC 2
18 United States of America v. Airbus SE, Case No. 1:20-cr-00021, Convention Judiciaire Intérêt Public between the Parquet National Financier and Airbus SE  (PNF-16 159 000 839); Director of the Serious Fraud Office v. Airbus SE  Case No. U20200108.
19 Published on 2 July 2020.
20 Rolls-Royce did not self-report but still received a deferred prosecution agreement because of its ‘extraordinary’ co-operation. See Serious Fraud Office v. Rolls-Royce plc and another, Case No. U20170036 (2017), paras. 21, 22.
21 The Corporate Enforcement Policy adapted and replaced the FCPA Pilot Program – see https://www.justice.gov/criminal-fraud/corporate-enforcement-policy. The policy includes a presumption of a declination where the company voluntarily self-reports, fully co-operates with a DOJ investigation and makes timely and appropriate remediation.
22 Of course, the implications of full or selective waiver of privilege must be very carefully thought through.
23 Available at https://www.cps.gov.uk/legal-guidance/corporate-prosecutions.
24 Available at https://www.cps.gov.uk/sites/default/files/documents/publications/dpa_cop.pdf.
25 Available in English at https://www.agence-francaise-anticorruption.gouv.fr/files/files/EN_Lignes_directrices_CJIP_revAFA%20Final%20(002).pdf.