Getting One Step Ahead In Cross-Border Investigations With Targeted Data Privacy Planning

Cross-border criminal investigations are increasingly common and often give rise to data privacy issues. The European Union's General Data Protection Regulation (GDPR) is well known, but other countries are increasingly enacting similar laws. While these laws are not necessarily focused on business emails, documents, and communications, their breadth can affect internal investigations and a company's ability to cooperate with regulators.

This article summarizes recent updates from the U.S. Department of Justice (DOJ) on the interplay between data privacy laws and cooperation credit. It provides practical guidance so companies can best position themselves in front of U.S. regulators.

THE DOJ'S VIEWS OF DATA PRIVACY

The DOJ's written policies have taken a seemingly flexible approach to data privacy. For example, the U.S. Justice Manual states that, with respect to investigations under the Foreign Corrupt Practices Act (FCPA), if "a company claims that disclosure of overseas documents is prohibited due to data privacy, blocking statutes, or other reasons related to foreign law, the company bears the burden of establishing the prohibition. Moreover, a company should work diligently to identify all available legal bases to provide such documents." U.S. Justice Manual, Section 9-47.120(3)(b).

In practice, however, the DOJ has often taken a heightened view of what documents may be "prohibited" from production. The U.S. government has discouraged companies from relying on data privacy laws to resist disclosure. As former Assistant Attorney General Leslie R. Caldwell has noted, "foreign data privacy laws exist to protect individual privacy, not to shield companies that purport to be cooperating in criminal investigations." Companies can be between a rock and a hard place - wanting cooperation credit but without violating foreign data privacy laws.

In Oct. 2022, Deputy Attorney General Lisa Monaco released a new memorandum, known as the "Monaco Memo," announcing updates to the DOJ's corporate enforcement policies. The Monaco Memo focuses on steps a company can take to get cooperation credit.

The Monaco Memo made three important clarifications relating to data privacy. First, it clarified that the statements in the Justice Manual about data privacy apply not only to FCPA investigations, but also to "all corporations under investigation that are seeking to cooperate." If a company cannot cooperate, it must convince the prosecutor why it cannot proceed. Second, it is not enough simply to identify the restrictions on production arising from foreign data privacy laws. To get cooperation credit, companies must also identify "reasonable alternatives to provide the requested facts and evidence." Moreover, they must "work diligently to identify all available legal bases to preserve, collect, and produce such documents, data, and other evidence expeditiously." Third, not only will a company that uses data privacy laws to "shield misconduct inappropriately from detection" fail to get cooperation credit, but "an adverse inference as to the corporation's cooperation may be applicable if such a corporation subsequently fails to produce foreign evidence." These three clarifications enhance the actions a company may need to take in order to get cooperation credit.

PRACTICAL TIPS FOR COOPERATION CREDIT

Companies should think proactively about navigating data privacy issues in investigations. The DOJ values both the "quality and timeliness" of a Company's cooperation, so companies that cooperate too little or too late risk not receiving full, or any, credit.

Here are some practical tips on how companies can best position themselves to provide timely cooperation.

First, companies could reassess their electronic device policies. Data privacy protections become more complicated when a company has a "bring-your-own-device" policy. Employees' personal data can be commingled with business data, and employees may have more of a privacy interest as a result. Policies which explain that, by using a personal device, employees consent to review of that device during an investigation are not dispositive under many data privacy laws. Bring-your-own-device policies can also limit a company's ability to copy or back up data, which makes it difficult to comply with the DOJ requirement of identifying "reasonable alternatives to provide the requested facts and evidence."

Second, companies could assess where their servers are located. Servers in a country that does not have stringent data privacy laws could ease production to the DOJ. However, that ease of production needs to be balanced against potential downsides. For example, companies need to be careful to ensure that they would not be violating any local data privacy laws by housing servers in another country. Additionally, servers in another country might then be within the subpoena power of the U.S. or foreign governments, or accessible under Mutual Legal Assistance Treaties (MLATs).

Third, companies could work with local data privacy attorneys in countries where they have significant business and which are at a heightened risk of potential investigation. Local attorneys can help draft specific written consent forms which an employee can then be asked to sign in the event of an investigation. Such forms are particularly important in countries (a) where there is a stringent data privacy scheme (e.g., EU countries under the GDPR), (b) where the company conducts significant business with government entities, or (c) where there is a high corruption perception index (e.g., Russia, China, India, and Brazil). Many countries have statutory exceptions that allow disclosure if the company obtains specific written consent from the employee. In order to react quickly to a DOJ request, companies should know whether a consent form may be used and have a consent form that complies with local law already drafted.

Fourth, for the countries identified above, companies could work with foreign and domestic attorneys to consider whether, in response to a DOJ request, they can produce documents directly to a foreign regulator through an MLAT. The local regulator would then in turn disclose to the DOJ.

These are a few suggestions companies could consider to be proactive in their approach to data privacy. The key is having a plan for handling any such requests, at least in large markets or corruption hotspots where there may be a DOJ investigation. A company's preparation could go a long way in receiving full cooperation credit from the DOJ.