Production of Information to the Authorities: The In-house Perspective
Although less common for SMEs, it is not unusual for large, particularly multinational, companies to find themselves weighing whether to voluntarily disclose information, or being compelled to disclose information to law enforcement or regulatory authorities. The variables to consider are many and nuanced. They include, without limitation, the potential impact on customers and the business, the nature and pervasiveness of the wrongdoing, and whether mandatory reporting obligations arise. This chapter considers some of the key legal and practical considerations implicated when a company produces information to the authorities.
12.2 Initial considerations
The company should as early as possible seek to establish:
- Its status in the inquiry – is it a suspect or witness? This is not always communicated or readily discernible because the authority, itself, might not have decided either way, or might not wish its view to be known in the early stages of an investigation. There may, however, be some clue in how the authority has gone about obtaining the information. For instance, in the United Kingdom, an SFO dawn raid on company premises implies that the SFO, and the courts, have reasonable grounds to believe, based on some assessment of facts, that it is impracticable to use less intrusive production order powers or doing so creates a risk of destruction of evidence. As such, unannounced raids tend to indicate, though not conclusively, that the company is a suspect.
- Are any of the company’s employees suspects, and do they pose any ongoing risks to the business? When employees are suspects, a company should ensure that data collection and any internal investigation is conducted without tipping off the implicated employees or ‘trampling over the crime scene’, while adhering to local data protection and labour law.
- Which authority is making the request, and is the request reasonable? Some authorities are more aggressive than others; this is worth factoring in when setting the response strategy. Equally important is determining whether there are multiple authorities involved. Requests from less familiar jurisdictions, where the independence of prosecutors and the judiciary might be less assured, pose additional questions: Is there a political or monetary motivation? Are employees at risk of arrest and imprisonment without adequate due process? And what are the rules of corporate liability, if any? A request for information should be carefully reviewed to ensure that it appears reasonable in terms of scope and the basis for the request, and should state the power under which the request was made.
12.3 Data collection and review
The company will at an early stage start to think about whether it has the responsive data and the appropriate process for collecting it. Data from digital devices to be produced to the authorities should be collected in a forensically sound way. At a high level, this means that the collection is carried out by skilled persons who can retrieve and preserve whole images of various types of devices in a manner that is repeatable with consistent results. It is vital to capture all relevant material, and having a systematic and methodical approach, which is clearly recorded, will help. The investigation support team should include someone with detailed knowledge of the company’s IT systems and structure and will be, preferably, experienced in data extractions.
A company is also likely to want to understand for itself what the collected data reveals. The data review is invariably the most time-consuming and costly part of the production exercise. It is therefore imperative to try to agree realistic deadlines with the authorities at the outset and to communicate promptly if any slippage is anticipated. Most authorities will want a written record, usually in the form of witness statements, of the methodology used in the data collection and imaging, the process and rationale behind any filtering of the data, and how the review was conducted and the instructions given to the reviewers.
A corporate can manage the costs incurred in a data collection and production exercise by: having an established panel of specialist law firms, which should yield discounted rates, but maintaining flexibility to go off-panel as individual case needs dictate; outsourcing the data collection and document review to professional service providers or even doing it in-house if there is the requisite capability, instead of the law firm doing it; ensuring that the document review is as focused as possible through appropriate filtering and, possibly, use of AI technology; setting a budget at the outset and sticking to it unless extensions are approved; and monitoring costs monthly to ensure the exercise remains within budget.
12.4 Principal concerns for corporates contemplating production
There are numerous, often competing, concerns when a company produces documents to the authorities. One obvious but important concern is the impact that the disclosed material might have on (1) the authority’s investigation, or even pre-investigation, and (2) the company’s status with the authority. Another concern is to identify and then to protect any intellectual property, trade secrets or proprietary information, or commercially sensitive information that might be contained, or decipherable, from the material to be disclosed. This concern will accentuate when the company is co-operating with several international and domestic authorities, or where multiple authorities have taken, or could take, an interest. The disclosed material could end up being shared between the various authorities, which could result in the limitations on use that the disclosed material can be put to in one jurisdiction not applying in another.
Special care must be taken at the start and throughout the investigation to have clear records of who is authorised on behalf of the company to instruct and receive advice from external lawyers, and is therefore the client. The purpose of any internal investigation is important also and should be recorded. Is it to obtain legal advice on the company’s position in relation to a law enforcement or regulatory authority’s interest? Is it to gather information for the purposes of a disclosure to the authorities? Or, is it to do with actual or contemplated litigation, or a combination of reasons?
In view of the requirement under English and Welsh law for adversarial litigation to be in reasonable contemplation for litigation privilege to be applicable, which will not ordinarily be the case at the beginning of an internal investigation, it is necessary to try to protect sensitive communications through legal advice privilege. However, legal advice privilege only applies to communications between the lawyer and the client, or through their respective agents. The client includes those individuals who have been authorised on behalf of the company to instruct lawyers and receive advice from them. Eminent commentators suggest that employees to be interviewed by lawyers in an internal investigation should be expressly authorised by the company to communicate with the lawyers to receive legal advice so that the interview may be protected by legal advice privilege. However, doing so would void aspects of the US Upjohn warning. This would bring into question whether such an interview is protected under US privilege principles. Suffice to say that legal privilege in internal investigations is a real minefield, and there are no easy answers to how to deal with the currently expanding differences between the US and UK approaches to legal privilege.
A company will also be keen to restrict the ability of third parties to use the information disclosed to the authorities in civil proceedings against the company. Such restrictions could be imposed by making clear at the time of production that the information is confidential and, when dealing with UK authorities, stated to be provided on a limited waiver of legal privilege or without prejudice privilege basis.
Federal courts in the United States, however, are reluctant to recognise selected waivers of privilege in relation to documents produced as part of an investigation or prosecution. The information may lose the protection of privilege and be subject to discovery by other parties.
Adherence to data protection principles is another important concern, especially when the information is being provided voluntarily and there is not the protection given by a document production order or subpoena, which usually overrides any local data protection rules. Since 25 May 2018, article 48 of the EU General Data Protection Regulation (GDPR) has restricted the ability of companies to transfer information out of the European Union to respond to orders or requests of foreign courts or authorities. Under the article, personal data can only be transferred outside the European Union to respond to, for example, law enforcement or regulatory subpoenas or production orders, or court orders for disclosure, through the mutual legal assistance treaty route or other provision of the GDPR. As the application of article 48 is yet to be examined by the courts, it is unclear whether voluntary disclosure to the authorities is covered.
12.5 Obtaining material from employees
There will often be a wide pool of employees, a few of whom might be ‘suspects’ or ‘targets’, who hold relevant information. It is important to first identify which, if any, of those employees should be notified of the data collection, bearing in mind the SFO cautioning against putting employees on notice and its desire to have the data collection undertaken with minimal risk of interference. Local law on data collection and the company’s own policies on data collection and the giving of notice or even obtaining the express consent of the employee to the collection will also need to be considered. The key is to weigh any risk of relevant information being destroyed, and displeasing the requesting authority, if notice of the data collection is given to employees against any specific local law requirements and internal data collection policies.
It is common for employees to have personal material on work devices. If there are no reasonable grounds to believe that giving notice of a data collection exercise to an employee creates a risk that data will be destroyed, the employee could be instructed to separate personal material from work material before the device is copied. The personal material would then be safe from inadvertent disclosure to the authorities. If this separation of personal data is not possible because, for instance, the collection needs to be covert, then the filtering and review before disclosure, if appropriate, should provide adequate safeguards against personal data being handed over.
Less common is work material being stored on personal devices. If that same material also exists on a work device or on the company’s servers, it can be collected from there rather than from the employee’s personal device. Clearly, it is not possible for a company to covertly extract data from an employee’s personal device but it may be possible to do so with the employee’s express consent. Such situations should be catered for in the contract of employment and company internal policies.
As a best practice, companies should guard against this thorny issue of commingling of personal and business information by instituting appropriately tailored policies. It may not, however, be reasonable to expect that a company device will never be used for some personal purposes but companies should provide written limitations on the kinds of use that are acceptable and permitted. In any event, the transfer of business data through personal devices or email accounts should always be prohibited.
12.6 Material held overseas
Because of the global nature of business, information that is required by a law enforcement or regulatory authority might be held by the company’s overseas subsidiaries – and in multiple locations at that.
When a company seeks to provide information it is not obliged to, in other words to make voluntary disclosure, it should assess whether this would expose it to potential claims of breaching the confidentiality or data protection rights of employees or third parties.
Despite a company’s desire to co-operate with a subpoena or production order, there may be significant legal hurdles, such as blocking statutes, preventing it from providing the material. There have been several US and UK court decisions that, applying the ‘law of the forum’ principle, ruled that the risk of prosecution for breaching an overseas blocking statute is not a reasonable ground for not complying with a court’s order for discovery. In those circumstances, the company’s lawyers must speak with the authority concerned, explain the issues and diplomatically suggest that the authority consider obtaining the information through the MLAT route or through police-to-police information exchange. A legitimate alternative is available if the information also exists independently in another jurisdiction, which does not have blocking statutes, provided it had been transferred there previously for valid business or legal purposes and not to get around the blocking statute.
12.7 Concluding remarks
As explained in Chapter 11, there are many good reasons why a company might wish to take a proactive approach and voluntarily provide information rather than waiting for a subpoena or production order. It could, for example, give the best opportunity for maximising co-operation credit. Indeed, the senior UK judge granting the Rolls-Royce DPA cited voluntary provision of material as one of the ways Rolls-Royce demonstrated ‘extraordinary’ co-operation. Depending on the facts of the case, in the authors’ view, there could be little to no loss of credit by asking for a production order rather than voluntarily disclosing provided (1) there is early dialogue with the authorities and (2) the issues are reported before the authority learns of them separately through another source.
In some circumstances a company might wish to think carefully about whether they need to demonstrate extraordinary levels of co-operation. One way to do so would be to waive legal privilege over certain class of documents to influence the company’s eligibility for the United States Department of Justice’s FCPA Corporate Enforcement Policy or a DPA. The joint CPS and SFO Guidance on Corporate Prosecutions explains that ‘genuinely proactive’ self-reporting is a public interest factor militating against the prosecution of a company. A voluntary waiver of privilege is relevant to determining whether a company has genuinely and proactively co-operated with the SFO or other authority, and consequently to the assessment of whether it is in the public interest to prosecute or to invite the company to DPA negotiations. The company might therefore wish to think carefully about which documents it believes are truly legally privileged and whether in fact to assert legal privilege over them.
1 Femi Thomas is global head of investigations and Tapan Debnath is senior legal counsel in Nokia Corporation’s ethics and compliance investigations department. The views expressed are the authors’ (or as otherwise attributed) and do not represent the views of Nokia Corporation.
2 While change of company personnel (and culture) is a desirable outcome in most cases involving serious wrongdoing, it will probably need to be considered after a thorough review of the issues.
3 Some companies have an in-sourced legal support function that handles, for example, initial review of contract terms, which can, with some training and guidance, be utilised to do the first document review in an internal investigation.
4 In United States v. Allen, 864 F.3d 63 (2d Cir. 2017), the US Court of Appeal overturned the convictions and indictments of two LIBOR traders because, among other things, the testimony given by the defendants to the UK FCA under compulsion was used against them in their trial, which was held to be an infringement of the defendants’ Fifth Amendments rights. This is an example of information given in one jurisdiction with statutory limitations on its use in that jurisdiction being used without limitation, initially at least, by another jurisdiction.
5 Three Rivers District Council and others v. Governor and Company of the Bank of England (No. 6)  1 AC 610, HL, para. 53 (per Lord Rogers).
6 Although the threshold for establishing that civil, as opposed to criminal, litigation is lower: The Director of the Serious Fraud Office v. Eurasian Natural Resources Corporation Limited  EWHC 1017 (QB), para. 159. The Chancellor of the High Court ruled in Bilta (UK) Ltd v. Royal Bank of Scotland Plc & Anor  EWHC 3535 that in the present case documents created in an internal regulatory investigation after a ‘watershed moment’ of HMRC writing to allege tax fraud was covered by legal professional privilege.
7 Property Alliance Group Ltd. v. Royal Bank of Scotland plc.  EWHC 1557 (Ch) without prejudice privilege applied to negotiations with the FCA with a view to arriving at a settlement. The without prejudice rule applies to exclude negotiations genuinely aimed at settlement from being given in evidence.
8 See In Re Columbia/HCA Healthcare Corp. Billing Practices Litig., 293 F.3d 289 (6th Cir. 2002)
9 See, for example, David J Kessler et al., ‘The Potential Impact of Article 48 of the The Sedona Conference Journal, volume 17, 2016, No. 2 on Cross Border Discovery From the United States’ in The Sedona Conference Journal, volume 17, 2016, No. 2.
10 Speech by Alun Milford, SFO General Counsel, Annual Employed Bar Conference, 26 March
2014, available at: https://www.sfo.gov.uk/2014/03/26/corporate-criminal-liability-deferred-
11 Such as, among others, the French, Swiss or Italian blocking statutes. Breach of the Swiss blocking statute has been prosecuted on several occasions, whereas breach of the French blocking statute has only been prosecuted once since inception in 1968. However, Sapin II has a provision for breach of the French blocking statute which leads some commentators to believe that it will be more readily enforced. In any event, article 48 of the GDPR has similar effect to blocking statutes across the EU.
12 For example, Secretary of State for Health and Others v Servier Laboratories and Others (Servier)  EWCA Civ 1234 and National Grid Electricity Transmissions PLC v ABB Limited and Others  EWHC 822 (Ch).
13 Rolls-Royce did not self-report but still received a DPA because of its ‘extraordinary’ co-operation. See Serious Fraud Offce v. Rolls-Royce PLC and another, Case No. U20170036 (2017), paras. 21-22.
14 The Corporate Enforcement Policy adapted and replaced the FCPA Pilot Program, https://www.justice.gov/criminal-fraud/corporate-enforcement-policy. The policy includes a presumption of a declination where the company voluntarily self-reports, fully co-operates with a DOJ investigation and makes timely and appropriate remediation.
15 Of course, the implications of full or selective waiver of privilege must be very carefully thought through.