The Parameters of Privilege in Multi-Jurisdictional Investigations

Introduction

Legal professional privilege is a complicated but important issue in the context of corporate investigations in Asia. The concept of privilege is not universally recognised across the region and those countries where protection exists apply different tests.

As those involved in investigations know, it is rare for a corporate investigation to remain within the borders of a single country and under the investigation of a single regulator. Rather, the relevant behaviour, data and individuals will span a number of jurisdictions. It is often the case that regulators in long-arm jurisdictions, such as the United Kingdom and the United States, will also become involved. Regulators and authorities in those jurisdictions will be looking to apply their own rules of privilege.

Navigating the competing rules of privilege is further complicated by recent enhancements to privacy rules and the modernisation of working practices. It is no longer the case that an investigation will involve the simple extraction of data from within a company's server. With the use of social platforms (such as WeChat and WhatsApp) and bring your own device (BYOD) policies, the ownership of data and the ability to control its use have become significantly more complex. It is therefore not possible for lawyers and their clients to consider the issue of privilege in a vacuum. Dealing with privilege in investigations requires a holistic consideration of competing privilege rules, technological influences and the rise of personal data regulation.

This article briefly summarises privilege in Asia, as well as in the United States and the United Kingdom. It then explores some of the international trends impacting privilege and the use of data in investigations. Finally, it offers some practical tips to help corporates control privilege in investigations.

Approaches to privilege

Civil law jurisdictions

Civil law countries in Asia – such as China, Japan, Korea, Indonesia, Thailand and Vietnam – do not recognise privilege. These jurisdictions do, however, recognise that lawyers owe a duty of confidentiality over documents provided to them by their clients.

Confidentiality rights apply only to evidence in the possession of the lawyer and can be overridden by the authorities. In the absence of an express statutory or procedural provision, authorities are entitled to demand that the client grant access to confidential documents or communications and the client is required to supply the requested information in a prompt, full and accurate manner. As such, confidentiality rights are of limited assistance in enforcement actions.

This approach is reflected in civil law jurisdictions outside Asia. For example, in Germany, a raid by law enforcement authorities on US law firm Jones Day's Munich office, seizing documents concerning the Volkswagen emissions scandal, was held by the Federal Constitutional Court in July 2018 to be constitutional. Volkswagen and Jones Day's argument that the raid was illegal because privileged material was seized failed, even though Jones Day argued that this compromised its cooperation with US authorities, including the US Department of Justice.

Common law jurisdictions

Common law countries in Asia, including Hong Kong, Singapore, India and Malaysia, have retained the traditional common law concept of legal professional privilege. Others, such as the Philippines, that import both civil law and common law characteristics, recognise privilege in the same way. Companies under investigation in these jurisdictions may avail themselves of privilege and its protections, although it is important to note that privilege will not usually apply where documents are generated to further fraudulent or illegal acts.

Most jurisdictions apply rules of privilege that stem from English law, meaning the application of two heads of legal professional privilege: legal advice privilege and litigation privilege.

Legal advice privilege

Legal advice privilege applies to confidential communications between a lawyer and his or her client where the purpose of the communications is to seek or give legal advice.

There are differences in the scope of this privilege in Asia. For example, the Hong Kong position departs from the English law test in that it applies a 'dominant purpose' threshold to the purpose of the communication. What constitutes 'legal advice' has been widely defined as anything done by a lawyer (including foreign lawyers and in-house counsel acting in a legal capacity) within a relevant legal context.1 Hong Kong law also applies an expansive approach to who is the client.2 The result is that privilege protection is wider than it would be under English law.

Unlike Hong Kong, Singapore, for example, does not apply a dominant purpose test to legal advice privilege and it does not apply an expansive definition of 'client'. Therefore, legal advice privilege is more narrowly interpreted. However, Singapore's Court of Appeal has left open the possibility that a dominant purpose test could potentially apply to a third-party report prepared to enable the client to obtain legal advice.3 It is unclear whether this more expansive approach, focusing on purpose and encompassing documents created by third parties, would be applied if the issue were to come before the same court again.

Litigation privilege

Litigation privilege is wider than legal advice privilege. It covers confidential communications between a lawyer and his or her client, or a lawyer or client and a third party (such as a witness of fact, expert witness or consultant) where the dominant purpose is advising on, or obtaining evidence in relation to, actual or contemplated litigation. This would cover criminal investigations and most regulatory investigations, but not investigative inquiry tribunals.

To waive or not to waive?

Once privilege attaches to a document, a client can waive privilege over it, either expressly or impliedly. In investigations, a client may do this to cooperate with a regulator or law enforcement authority's request for documents. This is particularly relevant where leniency is granted for cooperation. Many regulators and authorities have formal policies to incentivise cooperation in exchange for leniency, including Deferred Prosecution Agreement procedures in the US, UK and (soon) Australia. Voluntarily providing significant relevant materials and the complete results of internal investigations (thereby waiving privilege in the process) is often seen as a central tenet to DPA and leniency programmes. Companies frequently request assurances from relevant authorities that disclosure to them does not waive privilege with regard to third parties.

This partial waiver doctrine can be risky. For example, in the US, some courts have observed the doctrine, while others have held that disclosure, even with written assurances of confidentiality and non-waiver, constitutes a waiver of privilege with regard to third parties.4

Of course, a right to provide documents and waive privilege assumes a right of control over them. With the proliferation of data, work devices and platforms, this is becoming an increasingly grey area because it is difficult to identify who controls the data. The increased use of informal exchange platforms (such as WeChat and WhatsApp) or even the use of devices owned by an employee through BYOD policies makes it more difficult to establish a company's right to obtain – let alone use – data created during the course of business. This is discussed in more detail below.

Long-arm jurisdictions: UK and US

Many multi-jurisdictional investigations will involve investigations by the authorities in the United Kingdom or United States applying their broad extraterritorial anti-bribery laws. It is therefore important to understand the rules of privilege as they apply in those jurisdictions. This is because the relevant authorities will apply those rules, and not the rules of the country where the document was created or the communication was made, in assessing any claim to privilege.

UK

As mentioned above, the two limbs of legal professional privilege are legal advice privilege and litigation privilege. For litigation privilege, a dominant purpose test is applied, while no such test exists for legal advice privilege. However, the latter covers a narrower range of communications. The term 'client' is narrowly defined in English law, including only individuals within a client entity who are authorised to obtain legal advice on that entity's behalf, as opposed to all employees. Accordingly, many documents prepared during the course of an investigation may not be protected by privilege.

Recent cases on privilege in investigations

The English courts have considered the issue of privilege in respect of documents created during investigations, in particular, notes created by lawyers of interviews with the client company's employees.

ENRC

The 2017 case of Serious Fraud Office (SFO) v Eurasian Natural Resources Corporation Ltd (ENRC) considered whether documents prepared during the course of an internal investigation were protected by privilege. The High Court5 found that such documents were not covered by litigation privilege, even though there was likely to be (and eventually was) a criminal investigation by the SFO into the company's alleged misconduct. The Court of Appeal reversed this finding in September 2018.6 It held that a criminal investigation could be considered litigation in this context. A criminal prosecution was contemplated by ENRC, and the SFO's relationship with the company was adversarial. As such, ENRC's internal investigation notes were protected by litigation privilege.

However, ENRC's alternative claim based on legal advice privilege failed at first instance and on appeal. Documents that comprised lawyers' notes of interviews with the employees were not privileged as there was no evidence that the interviewees were authorised to seek and receive legal advice on behalf of the client company. The Court of Appeal stated that it was bound by Three Rivers No. 5 and the very narrow interpretation of 'client'. It was in favour of departing from the rule, which prejudiced large companies, but concluded that this was a matter for the Supreme Court. The court also rejected an argument that the lawyers' notes were privileged on the basis that they were lawyers' working papers, endorsing previous decisions that lawyers' working papers are privileged only if they 'betray the trend of the legal advice'.

In light of this decision, information gathered or documents prepared during the course of an internal investigation, if prepared by a lawyer and where a criminal investigation is contemplated, should be protected by litigation privilege. Although the findings in this decision will have the most impact on investigations undertaken in England and Wales, it will also have an effect on how investigations are run in Asia and elsewhere across the globe.

US

Like other common law jurisdictions, privilege in the US attaches to communications relating to legal advice and documents prepared in anticipation of litigation. The US adopts a wide interpretation of 'client' and applies looser tests, such that privilege is recognised in a broader sense than in other jurisdictions. To claim legal advice privilege (attorney–client privilege), four basic elements must be present: (i) a client; (ii) a lawyer; (iii) a communication in aid of giving or seeking legal advice; and (iv) a reasonable and continuing expectation of confidentiality.7 Privileged investigation materials may include confidential interviews with company employees (subject to Upjohn procedures requiring attorneys to warn employees that privilege resides with the company and that the company may choose to waive this privilege).

'Work product doctrine' in the US protects documents prepared by the company or its representatives (eg, attorneys and specialists), in anticipation of litigation. Most documents created during an internal investigation by a company's counsel, or at counsel's direction, are considered attorney work product, including witness interview notes.

Motions8 have recently been filed in the US courts asserting that pure 'fact-finding' investigations by law firms should not attract privilege, but this has so far not garnered support. As such, internal investigation notes will be protected by privilege in the US (subject to the partial waiver issues with regard to authorities mentioned above) but not in the UK, unless litigation is anticipated. In a world where multiple international enforcement actions are common and communication sharing between authorities is increasing, companies are in a difficult position. This poses obvious issues in terms of the strategy a company should adopt to privilege, document production and cooperation.

International trends impacting privilege in investigations: data privacy

As stated above, once a document is protected by privilege, it is up to the client whether to maintain that privilege or waive it. However, the ownership of the data and the right to control its use (or indeed waive privilege) is impacted by the evolution of data privacy laws. This has restricted the rights of the employer company to collect, transfer and use personal data. It also makes it more difficult for data that is owned by the company, but that contains personal data, to be disclosed during the course of an investigation. Many companies employ BYOD policies whereby an employee can purchase and use his or her own device for work. This applies to both computers and phones, and further blurs the line between company data and employee data.

Some recent cases highlight these issues in the context of investigations. In Carpenter,9 the US Supreme Court, in a 5:4 decision, ruled that authorities accessing sensitive information from a cell phone via a third party, such as a wireless provider, requires a warrant. This has in turn been deployed in the high-profile FCPA investigation of Hong Kong former minister Patrick Ho in an attempt to limit information investigators could access from his cell phone. Ho's motion was dismissed in July 2018, but nevertheless highlights how personal data issues are being deployed strategically to resist disclosure in external investigations.

In the context of internal investigations, a company's collection and use of personal data from an employee during the course of an investigation recently caused trouble for the employer company. In China, as part of an internal investigation, China Auto Logistics collected data of its employees, which the employees subsequently reported to the police. A number of executives of the company resigned following the investigation and the company announced its securities would be delisted from the Nasdaq stock market on 1 August 2018.

The upshot is that data privacy laws must be borne in mind in the context of investigations and related privilege and disclosure assessments. We summarise below some of the issues to bear in mind in Asia, as well as in light of the EU's General Data Protection Regulation (GDPR).

Protection afforded by Asia's data privacy laws

Data privacy laws protect personal data, which is information capable of identifying a living person. Stricter standards apply to sensitive personal data, such as information on thoughts, beliefs, political opinions and health records. Laws in Asia vary from very strict (eg, South Korea and China) to relatively light-touch, relying instead on confidentiality laws or sector-specific regulations, usually in the banking industry. Regardless of the maturity of the jurisdiction, across the region, there are common themes to data privacy laws conferring on individuals rights that specific steps will be taken before their personal data is collected and shared with third parties.

Generally, individuals should be notified and provide their consent to how their personal data is used and disclosed (this is 'processing' in the data protection context). Consent, express or implied, is generally required for processing and employees tend to sign broad consents as part of their employment terms to allow their employers to process personal data for various purposes.

Particular issues in investigations

In the context of cross-border investigations, the extent to which Asian countries restrict transfers offshore (eg, to international law enforcement agencies, company subsidiaries or other third parties) varies. Several limit transfers to countries that are deemed to adequately protect personal data. For example, in July 2018, Japan and the EU Commission signed a reciprocal adequacy decision allowing the free flow of personal data between Japan and the EU. In the absence of such an agreement, most multinational companies factor transfer into the employee consents signed at the onboarding stage. If consents have not been signed, applicable data privacy legislation should be analysed to see whether there is an exemption allowing for the transfer of the data in question for the purposes of the investigation (providing information to authorities conducting criminal investigations being a common statutory exemption).

The impact of the GDPR

Europe's General Data Protection Regulation came into force on 25 May 2018 and seeks to tackle online transnational data and privacy issues through its extraterritorial application. By taking into account not only the location of data processing but also the location of individuals whose personal data is processed, it applies to anyone who collects personal data about EU citizens, wherever in the world it may be (with some exceptions). Companies and organisations may only handle or process such data in a legitimate, fair and transparent way, informing data subjects about their processing activities and having an appropriate legal basis for processing (which may or may not be consent).

Particular issues in investigations

In keeping with many other data privacy laws, the GDPR does not apply to processing 'by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security' (article 2). This gives authorities the right to receive from third parties, typically the investigated company or other authorities, personal data in the context of regulatory criminal investigations. This is, of course, subject to any claim to privilege, which could be waived. However, in internal investigations, article 2 would not apply. In these circumstances, a combination of processing conditions under the GDPR and local law exemptions and derogations (where applicable) in the relevant jurisdictions must be reviewed. This needs to be assessed on a case-by-case basis.

Summary

In light of the above, privilege rules and data privacy laws should always be assessed in the context of investigations. Either may limit the use and transfer of evidence.

Practical considerations in multi-jurisdictional investigations

Ultimately, whether documents prepared or collected for cross-border investigations are privileged or subject to data privacy laws will depend on where the investigation is conducted as well as the factual circumstances surrounding the creation of the document.

Once privilege attaches to a document, it is important to understand who controls the privilege and whether that data can be used. Deciding to waive privilege over a document in order to seek leniency is a hollow offer if the data cannot be provided because of data privacy restrictions.

Certain steps can be taken in light of the evolving case law and regulatory reforms to maintain the discretion over the use of data. These include:

• When considering how your company does business, it is important to manage the ownership and control of the company's data and documents both through policies and in practical application. This means controlling the exchange of data through social platforms (such as WeChat or WhatsApp) or through uncontrolled sources (such as BYOD). It will be of little comfort to a company that a certain document is privileged if it has no ability to maintain that privilege or waive it (if desired).

• As a general rule, documents containing sensitive information or advice should be limited to lawyer–client communications and not be distributed widely or outside the client corporate. They should never be sent on a social platform or by informal methods that might hand over practical control of the communication to another party. Any communications over which privilege will be claimed should be sent to a lawyer by the client, keeping in mind that the English position on who is the client is narrow. Indeed, determining who the client is differs from jurisdiction to jurisdiction but should generally be tightly defined, both to preserve privilege and to limit contagion or waiver issues.

• When considering whether to waive privilege over a document, either wholly or partially, it is important to establish who that privilege belongs to. In circumstances where the privilege belongs to more than one party, issues around the waiver of joint privilege and common interest privilege need to be considered. The improper waiver of privilege – or the improper use of personal data – can have serious implications.

Conclusion

The collection and use of data is becoming an increasingly difficult issue to navigate in Asia. While legal professional privilege can offer some protection in a number of jurisdictions in the region, there are still some jurisdictions that do not recognise privilege, and those that do apply their own rules. It is important that lawyers and corporates involved in cross-border investigations familiarise themselves not only with the rules of the jurisdiction in which the conduct occurred, but also the rules in other jurisdictions that may become relevant at a later point in time.

It is also critical that corporates think holistically about the use of privileged data. The global nature of investigations means that the use of data is fettered not only by privilege but also by the increasing regulation of personal data.

Notes

1 Citic Pacific Ltd v Secretary for Justice (No. 2) [2015] HKEC 1263.

2 The Hong Kong Court of Appeal in Citic Pacific Ltd v Secretary for Justice (No. 2) rejected the narrow interpretation of client adopted in England under Three Rivers District Council v Governor and Company of the Bank of England (No. 5) [2003] QB 1556 where only a small subset of (senior) individuals within an organisation qualified as the client for privilege purposes.

3 Skandinaviska Enskilda Banken AB (Publ), Singapore Branch v Asia Pacific Breweries (Singapore Pte Ltd) [2007] SGCA 9.

4 In June 2018, the United States Court of Appeals for the Fourth Circuit upheld a non-waiver agreement on behalf of Walmart in a privilege dispute with the Department of Justice. Given the facts of the case and the plain terms of the agreement, the court barred the US government from compelling an in-house lawyer to discuss the contents of the interview with a grand jury. However, at the same time, the court confirmed the view that, generally speaking, 'waiver of privilege as to the government results in waiver as to all other parties.' (In re Grand Jury 16-3817 (16-4), No. 17-4183, 2018 WL 3156935, 4th Cir 27 June 2018).

5 [2017] EWHC 1017 (QB).

6 [2018] EWCA Civ 2006.

7 Restatement (Third) of the Law: Law Governing Lawyers Sections 68-72 (2000).

8 Cicel (Beijing) Science & Technology Co Ltd v Misonix Inc, No. 1:17-cv-01642-ADS-SIL (15 June 2018 filing).

9 Carpenter v United States, No. 16-402, 585 US (22 June 2018).
