Investigation Process Issues

The following article was originally published in Law360 on July 29.

To address the issues surrounding the incidental seizure of privileged communications within a broader seizure of electronic data, the U.S. Department of Justice recently created a new Special Matters Unit within
the Fraud Section.

The unit will function as a specialized team to address

Companies that operate in more than one jurisdiction that are either carrying out an internal investigation or are subject to a criminal or regulatory investigation by U.S. law enforcement agencies will almost certainly need to consider the legality of trans-Atlantic data transfers.  Under European law, in particular, companies falling short in compliance with data protection laws could face fines of up to the higher of €20 million or 4% of annual global turnover.

With the introduction, in 2018, of the General Data Protection Regulation (“GDPR”) which generally prohibits (with some exceptions) the transfer of EU-based personal data outside of the European Economic Area (“EEA”) and other legislation, the overhaul of the EU data protection framework often leaves companies under investigation by U.S. law enforcement with tough decisions to make between complying with their obligations – or their wish – to meet U.S. prosecutors’ demands and abiding by relevant data protection laws.  In particular, some EU-based companies have found themselves at the receiving end of U.S. prosecutors’ requests or subpoenas for documents, in circumstances where compliance with them could potentially risk hefty domestic fines for breaching data protection laws.  There may also be other considerations to be borne in mind, such as relevant bank secrecy laws and common law rights to privacy, where a failure to comply with the relevant law could result in criminal sanctions including imprisonment.

Developments in U.S. and U.K. law, however, have introduced a framework for the legal cross-border transfer of data via cooperation between international authorities.  In addition to ensuring compliance with the GDPR and other privacy obligations in conducting data transfers,  U.S.- and U.K.-based communication service providers (“CSPs”)[1] should familiarize themselves with the recently signed U.K.-U.S. Bilateral Data Access Agreement (the “Agreement”).  The Agreement facilitates the objectives of the U.S. Clarifying Lawful Overseas Use of Data Act (the “CLOUD Act”) and the U.K. Crime (Overseas Production Orders) Act 2019 (the “COPOA”).  According to a communication by U.S. Attorney General William Barr to Congress earlier this year, the Agreement was scheduled to become effective on July 8, 2020, but there has been no official announcement from either the U.S. or U.K. governments on the status of the Agreement.  Indeed, earlier this month, the U.K. government anticipated that the Agreement would “come[] into use later this year[.]”  We discuss the implications of these developments and considerations for U.S.- and U.K.-based companies needing to transfer personal data[2] across the Atlantic to facilitate investigations.Continue Reading Data Transfer Considerations in Investigations

This third post in our parallel proceedings series discusses how to reconcile the conflicting requirements of making voluntary self-disclosures (VSDs) to multiple agencies. We listed the relevant agencies in our first post, all of whom may be interested in a VSD, depending on the potential violations. In our second post, we discussed how to structure an investigation that involves those agencies. While none of these agencies imposes an absolute requirement to voluntarily disclose a violation (with limited exceptions where disclosure is required), they all offer significant benefits for doing so.

Where more than one agency is involved, disclosure of violations to each of the relevant agencies should be done simultaneously, including the Department of Justice (DOJ) if there is or appears to be potential willfulness or intent. When making the decision to disclose, the company should also consider any potential violations in related subject areas (i.e., anti-money laundering, customs, or anti-bribery and corruption laws).Continue Reading US Export Controls and Economic Sanctions Investigations: The Perils of Parallel Proceedings (Part 3, Voluntary Disclosures)

Patrick Linehan, Zoe Osborne, Brittany Prelogar, Katherine Dubyak, and Jefferson Klocke co-authored an article titled “Considerations For Conducting Remote Internal Investigations” for Law360. The article, published April 3, discusses some of the legal and practical considerations in conducting remote investigations as the world grapples with containing the spread of COVID-19.

UK law enforcement is not immune to the unprecedented levels of business disruption caused by COVID-19. While not all agencies have published specific guidance on how they propose to operate and conduct enforcement investigations during this crisis (including, for example, Her Majesty’s Revenue & Customs, the Serious Fraud Office, and the National Crime Agency), a