Internal investigations in Italy have become the preferred legal instrument for companies to identify and, when possible, prevent the commission of improper behaviours that can trigger liabilities for corporations. Specifically, Legislative Decree No. 231, adopted on 8 June 2001 (Decree 231), introduced corporate criminal liability as a consequence of the commission of a number of criminal offences, such as corruption, financial and corporate crimes as well as money laundering, by companies’ managers and employees.
Internal investigations are approached by companies either as a reaction to initiatives of Italian public prosecutors in order to gather elements useful for the defence within the criminal proceeding, or proactively and independently of the formal knowledge of a pending criminal investigation, as a consequence of anonymous letters, internal controls carried out by the compliance function and even news reports. Indeed, an early identification of possible misconduct is considered a crucial element of an effective compliance programme that, being able to prevent the commission of crimes, helps the company to avoid or mitigate corporate criminal liability according to the provisions of Decree 231.
Following the recent adoption by the Italian Parliament of the new legislation on whistleblowing, which provides for different measures to protect employees who report an offence within their organisation in both the private and in the public sector, internal investigations are expected to achieve a success even more extensive.
Companies that wish to conduct internal investigations in Italy need to pay attention to a number of legal issues such as legal privilege, data protection and employment law-related concerns and disclosure obligations, as well as to the protection of whistleblowers and management of their reports.
Conducting internal investigations in Italy
A company may decide to conduct an internal investigation for many reasons, such as having become aware of the risk of an upcoming proceeding for corporate criminal liability pursuant to Decree 231.
Internal investigations would typically entail several activities, including:
- the collection and analysis of the relevant documents available to the company;
- the completion of a forensic investigation;
- interviews with the ‘key people’ able to provide relevant information on the case, who may be employees or people external to the company; and
- the adoption of remedial actions.
The investigation plan can comprise also a self-assessment on the compliance programme of the company aimed at verifying its adequacy at preventing crimes.
In Italy, internal investigations should preferably be carried out by an external counsel, appointed for this specific purpose, with the formalities provided for ‘defensive investigations’ by the Italian Criminal Code of Procedure, so as to ensure that its findings enjoy the maximum protection available from a legal privilege perspective. Indeed, by doing so the findings of investigations remain in the exclusive availability of the defence counsel and the client, who can decide whether or not to disclose them to the public prosecutor.
Conducting an internal investigation in compliance with the provisions of the Italian Criminal Code of Procedure requires complying with certain formalities. Minutes of typical activities of the corporate investigations have to be drafted, such as in case of employees’ interviews. In greater detail, in the interview’s minutes, the questions asked and the answers given must be accurately indicated and the document has to be signed by the legal counsel and the interviewee as well as by any other person attending the interview. The interview’s minutes can also be drafted ‘in a summarised form’ if the interview is audio recorded.
The minutes should also include the initial warnings made to the interviewee before the start of the interview, in which the defence counsel of the company is called to explain his or her own role and for which reasons he or she is carrying out the defensive investigation. The interviewees must also be made aware of the fact that they are not obliged to answer but, if they decide to do so, they must tell the truth, otherwise they may commit a crime.
Interviewees, who may be company employees or other third parties, are not obliged to take part in interviews: the fact of not cooperating with the defensive investigations, however, may be relevant for the employees under a disciplinary standpoint on the basis of a general duty of cooperation with the employer or specific provisions set forth in a company’s policies.
Moreover, interviewees do not have the right to be assisted by an attorney during interviews, unless they have been charged with a criminal offence in the very same criminal proceeding for which the investigation is being made or in a connected or related criminal proceeding.
Legal professional privilege in Italy and its protection in the context of internal investigations
Legal professional privilege certainly plays a pivotal role within internal investigations, in light of the fact that the mere act of producing and circulating documents, if not dealt with correctly, may lead to a loss of privilege, resulting in documents being disclosed in subsequent proceedings involving the company concerned.
From a general standpoint, under Italian law, legal privilege protects the confidentiality of communications between lawyers and their clients if the following two cumulative requirements are met.
First of all, the information between the client and its lawyer must have been exchanged in relation to the direct exercise of the right of defence of the client.
Second, such information exchange must involve an independent and external lawyer, who must not be bound to the client by any employment relationship. As a consequence of this, communications between a client and its in-house lawyers do not attract legal privilege, as recently confirmed by Italian case law.
As to internal investigations, therefore, it is advisable that they are carried out by an external defence counsel appointed for the purpose.
Legal privilege is protected to a wider extent in the context of criminal proceedings and related internal investigations that the company may decide to carry out. Indeed, despite there being no particular restrictions on the documents that could be seized under Italian law, public prosecutors cannot carry out inspections and searches at the premises of the defence lawyer formally appointed, unless the latter is himself indicted. Moreover the documents and correspondence related to internal investigations and defence in criminal proceeding cannot be seized, unless these documents constitute the corpus delicti.
Legal privilege is terminated when the document ceases to be confidential. In this regard, loss of privilege is certainly a complex issue that needs to be addressed properly, particularly in the context of internal investigations.
Therefore, lawyers should put the maximum effort into ensuring that legal privilege is preserved by adopting a number of general measures, such as labelling written communications as ‘Privileged and Confidential’ (especially as regards the report that embodies the findings and recommendations of the investigation), restricting the circulation of privileged documents both outside and within the company (eg, by using a ‘restricted’ mailing list) and generally imposing a duty of confidentiality.
In this regard, it would be beneficial to have defence lawyers drafting a sort of ‘communication protocol’, both to avoid the risk of loss of privilege and to prevent the drafting of unnecessary written documents or communications that may not attract legal privilege.
Including a specific clause in the company’s internal policies and procedures regulating internal investigations, specifying that the latter are carried out in relation to the direct exercise of the right of defence of the company, may also be considered.
A difficult balance between information gathering and privacy-related concerns
In order to be able to conduct informed and effective internal investigations, it is certainly necessary to be aware of the potential conflicts between data privacy concerns and the need for gathering information that implies the processing of employees’ personal data.
According to the Italian data protection regime, which will be enhanced by the entry into force of the General Data Protection Regulation (GDPR), envisaged for 25 May 2018, personal data shall be processed lawfully, fairly and in a transparent manner, as well as collected for specified, explicit and legitimate purposes.
In addition, in compliance with the principle of data minimisation, it shall be ensured that employees’ personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Therefore, personal data shall be gathered in accordance with the ‘theme’ of internal investigations and, as a consequence of this, it would be opportune in selecting relevant employees’ emails to be reviewed by means of keywords related to the subject of the investigation. Moreover, when collecting documents and information useful for internal investigation, it would be advisable, where possible, to separate from the start the irrelevant personal data of the individuals involved from the data to be actually used within the investigation, in order to reduce the risk of any privacy violations and to facilitate the recovery of data useful for the investigation.
Even though, in very general terms, for data processing purposes it is necessary to obtain the consent of individuals whose information and data needs to be collected, with particular regard to defensive investigations and the need to defend legal claims before any judicial authority, only specific information in connection with data processing is required.
In compliance with the guidelines adopted by the Italian Privacy Authority in 2007 in relation to the use of emails and the internet in the employment context, companies should also adopt specific internal guidelines, to be approved by trade unions and publicised internally, in order to enable the employer to carry out controls on employees’ internet files and emails. Indeed, the guidelines shall include a specific clause, by means of which employees would be made aware of the fact that the employer may execute controls on employees’ internet files and emails during internal investigations.
With specific regard to cross-border investigations, issues may arise in relation to the transfer of personal data in those countries that are deemed as not meeting certain minimum requirements in relation to data protection; in these circumstances specific contractual clauses or the so-called ‘Privacy Shield’ for data transfer in United States may need to be introduced.
Complying with data protection law is crucial even in light of the fines that may be imposed for the violations of GDPR provisions, which could be up to €20 million or up to 4 per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher. Unlawful data processing is also protected under criminal law and may well entail the impossibility to use the data illicitly gathered in the context of a subsequent judicial proceeding.
Employment law legal issues in relation to internal investigations
Internal investigations are also influenced by Italian employment law provisions, with particular regard to Law No. 300 dated 20 May 1970 (Workers’ Statute), which regulates the relationships between the employer or company and their employees.
Being the employment relationship inevitably imbalanced in favour of the employer, the Italian legislator tried to regulate thoroughly the scope and the limits of companies’ powers, in order to protect employees from any kind of abuse. Indeed, as a general rule, the Workers’ Statute explicitly prohibits any potential investigation, carried out by the employer, on employees’ personal views related to politics, religion, memberships of trade unions and personal life.
In addition the use of any kind of remote control systems in order to monitor the work of the employees, is possible only under specific circumstances, aiming at both ensuring the respect for the employees’ rights of dignity and privacy, and at simplifying potential controls that employers may decide to carry out.
In this regard, Italian case law found that the pieces of evidence obtained through remote controls can be used within criminal proceedings against the ‘controlled’ employee. Indeed, according to courts, the prohibitions or limitations set forth by the Statute apply only in the event that the employer wants to make sure that the employee is carefully executing his or her duties, whereas they should not apply whether remote controls were performed in order to avoid the commission of criminal offences by the employees.
In the context of internal investigations, interviews with employees should be conducted carefully to avoid raising any disciplinary challenge. Indeed, disciplinary proceedings against employees are specifically regulated by the law and require the observance of certain formalities, such as a written notice in which the alleged wrongdoings are properly detailed. Challenging a disciplinary violation in the context of interviews may entail the invalidity of the subsequent disciplinary proceedings.
The new Italian legislation on whistleblowing
The Italian Parliament recently adopted Law No. 179, dated 30 November 2017, which provides for several protection measures in favour of whistleblowers, both in the public and the private sectors.
Any form of retaliation or discrimination against the employees who decide to report an offence is prohibited and any measures of this kind (ie, such as discriminatory dismissal or demotion) adopted against whistleblowers must be considered null and void. In this regard, the burden of proof lies on the employer, who is obliged to demonstrate that the acts of discrimination or retaliation, if any, were adopted for reasons totally unrelated to the report made by the whistleblower.
The new whistleblowing related provisions for the private sector fit into the wider framework regarding corporate criminal liability pursuant to Decree 231, requiring legal entities to update their compliance programmes which must include, among others, the creation of different reporting channels able to protect the identity of the whistleblowers, as well as penalties imposed on whoever infringes the measures of protection of whistleblowers or, wilfully or negligently, makes groundless reporting.
In the event of the lack of updating of compliance programmes with the above-mentioned specific measures on whistleblowing, the compliance programmes cannot be deemed as adequate to prevent criminal offences, so not excluding or mitigating corporate criminal liability pursuant to Decree 231. The same negative effect would also be determined by the non-conduction of proper internal investigations as a consequence of whistleblowers’ reports.
Internal investigations and self-reporting cooperation
Italian law does not provide for an obligation on companies and defence counsels to report crimes that can be discovered during internal investigations to the competent authorities.
On the other hand, public officials have the duty to report criminal offences of which they become aware within their professional activities. Moreover, with particular regard to money laundering, specific sector regulations provide for the duty of certain individuals or entities (eg, financial intermediaries) to disclose suspicious transactions to the competent authorities.
With specific regard to the defence counsel, in addition to the possibility of not reporting any crimes he or she became aware of, it is also provided that he or she has the power not to disclose all the incriminating evidence against his or her clients.
Internal investigations also allow the appointed defence counsel to delegate his or her powers to his or her substitute attorneys, private detectives and consultants. This means that all the professionals involved in the internal investigations do not have the obligation to report any criminal offences that may result from their investigation activities to the public authorities.
It is therefore up to the company and the defence counsel to decide whether or not to disclose the findings of the investigation on a case-by-case basis. Notwithstanding, it has to be considered that self-reporting does not prevent the start of a criminal investigation in case of commission of crimes that the public prosecutor has an obligation to investigate (eg, bribery and corruption, money laundering, certain types of fraud).
In addition, even if mitigation effects are not specifically provided for by Italian law in the event of self-disclosure, cooperation with the authorities may be taken positively into account by the judge in the quantification of the penalty and may also result in the non-application or reduction of pretrial disqualifying sanctions pursuant to Decree 231.