Navigating issues in cross-border investigations

December 2021  |  SPECIAL REPORT: WHITE-COLLAR CRIME

Financier Worldwide Magazine

December 2021 Issue

It is beyond peradventure that financial crime constitutes a clear and present danger to financial stability in our global economy. In a world where financial crime knows no boundaries, various jurisdictions are attempting to tackle this scourge. As cross-border investigations become increasingly common, the ability to effectively deal with foreign regulators and other authorities has become essential for compliance and corporate executives.

Dealing with cross-border investigations has become increasingly complex and burdensome. As enforcement agencies are increasingly investigating financial crime, more than one foreign authority may want to assert jurisdiction over the misconduct under investigation. Risk of concurrent prosecutions in multiple jurisdictions is no longer theoretical. Whereas the double jeopardy rule – the protection against being tried twice for the same conduct – applies in various jurisdictions, it is certainly not consistently applicable in the cross-border context, depending on the jurisdiction and the laws regulating the impugned conduct. For example, in Canada, the Corruption of Foreign Public Officials Act states that a person who has been tried and dealt with outside Canada for an offence is deemed to have been so tried and dealt with in Canada.

The factors that lead authorities to choose whether to coordinate their efforts with their counterparts in another jurisdiction are inherently unpredictable due to obvious practical and political constraints. As a result, organisations facing multijurisdictional investigations should consider engaging with each foreign authority involved to mitigate the risks, to coordinate the effort and to consider whether a global resolution is possible.

Navigating through multijurisdictional investigations requires an extremely high level of awareness and astute legal reflexes since it implies multiple potential pitfalls. Certain privacy and constitutional issues could be at stake depending on the jurisdiction, the reputational risks and the legal consequences that could jeopardise the financial health of a business.

In this article, we address two of the foremost risks to consider: legal privilege and the transfer of data overseas.

For instance, an organisation that is the target of a cross-border investigation will likely receive regulatory or otherwise compulsory peremptory orders to disclose information. In doing so, it is critical for the organisation to consider potential issues that can arise relating to the retention of privilege over such materials, as well as compliance with overseas data protection laws. Navigating these risks can result in a legal and regulatory minefield, given that the laws of multiple jurisdictions may apply and be at odds with one another.

Protecting privilege

The scope of legal privilege is not a universal concept – what may be protected by the laws of privilege in one jurisdiction will not necessarily be protected in another. Where an organisation is faced with an information production request from a foreign authority, careful consideration should be given to whose rules of privilege apply.

Generally, in the context of attorney-client communications, the disclosure of materials to a third-party entity will typically implicate a waiver of privilege. This leads to the critical question of whether privileged materials disclosed to a foreign authority retain their privileged status. For example, if an investigator from the US Securities and Exchange Commission (SEC) formally requests the disclosure of information from a UK entity, which is protected by privilege under UK law, it is uncertain whether the acquiescence to such a request would constitute a waiver of privilege. Further, the answer may differ depending on whether the disclosure of information to the foreign authority was voluntary. To mitigate such uncertainty, it is advisable to include certain reservations before disclosing information, such that its disclosure to a foreign authority does not constitute a waiver of the privilege that shields it in its home jurisdiction. Further, it is best practice to expressly indicate that such a disclosure is being made under constraint and without waiving the self-incrimination principle, although these measures are certainly not foolproof.

Another point to consider is that some jurisdictions distinguish between external counsel and in-house counsel, in terms of privilege. For instance, in some continental European jurisdictions, as a rule, privilege may not extend to in-house counsel, given that the latter may not be considered sufficiently independent from their employers. As external lawyers are generally perceived as having greater independence compared to their in-house counterparts, investigations led by external counsel may lead to a greater likelihood of maintaining privilege, depending on the jurisdiction.

As a final precautionary point, the mere fact that an investigation is led by a lawyer, or that an investigation report is being prepared by a lawyer, does not automatically grant privilege to the work product stemming from the investigation, depending on the jurisdiction. While privilege will generally arise where a lawyer is investigating for the purposes of giving legal advice to their client, this may not be the case where a lawyer’s role in conducting the investigation is limited to a fact-finding function unrelated to the rendition of legal services. In such a case, it is doubtful that solicitor-client privilege will shield the investigation’s work product due to the mere fact that a lawyer was at the helm of such an investigation, although other types of privilege may apply. While recent cases in the UK and Canada have affirmed this line of reasoning, ultimately, the specific rules governing whether an investigation is privileged will be unique to the jurisdiction.

Transfer of data across borders

Where multiple jurisdictions are involved in an investigation, it is not uncommon for an organisation to be called upon to transfer data across national borders by a foreign authority or regulator. In such a case, it is critical for the organisation to consider the application of data protection and privacy laws in the jurisdictions involved, which may impose certain restrictions on the transfer of data across borders. As with privilege, what constitutes compliance with data protection requirements in the organisation’s home jurisdiction may not equate to compliance in the foreign investigative authority’s jurisdiction.

For instance, the General Data Protection Regulation (GDPR) imposes certain restrictions on the transfer and processing of data to a third country outside the EU for the purposes of disclosing materials to a foreign authority. Such obligations can be triggered where, for example, the SEC issues a subpoena to produce information on an EU entity registered on the New York Stock Exchange. In such a case, the targeted organisation may be placed in the unenviable position of having to simultaneously respect applicable data protection requirements, while also trying to comply with disclosure requests from a foreign authority.

Relatedly, certain jurisdictions restrict the cross-border transfer of data through the mechanism of a blocking statute. Put simply, such statutes prevent the disclosure of certain materials to foreign jurisdictions for the purpose of legal proceedings, barring the existence of a treaty or agreement between the jurisdictions providing for such a transfer. Therefore, where a blocking statute may apply, an organisation may find itself in the delicate position of, on the one hand, being compelled by a foreign authority to disclose information for the purpose of an investigation, and on the other, being prevented under penalty of law from transferring said information by the blocking statute.

An organisation can consider seeking an exemption from a restriction against the transfer of data from the relevant enforcement authority in the jurisdiction where the data is located. Alternatively, the organisation can seek to obtain the consent of concerned employees to circumvent data transfer restrictions and to comply with a foreign request for disclosure, where applicable.

In any event, an organisation should, at the very least, establish a dialogue with the relevant law enforcement authorities. An organisation’s decision of whether to disclose information to a foreign authority will necessarily be fact specific. For instance, whether the disclosure request is mandatory or voluntary, the level of coordination between the investigating authorities, and whether a data protection agreement exists between the jurisdictions involved are among the factors to consider.

Conclusion

Cross-border investigations are here to stay. As they become a fixture in the enforcement landscape, it is critical that companies consider how best to deal with the many complex issues that may arise when faced with parallel investigations. The various approaches to the laws governing privilege and data protection internationally underscore the importance of consulting local counsel in the jurisdictions involved and to engage with foreign authorities as early as possible in the process.

 

Stéphane Eljarrat is a partner and Frédéric Plamondon and Emily Lynch are associates at Osler, Hoskin & Harcourt LLP. Mr Eljarrat can be contacted on +1 (416) 862 6623 or by email: seljarrat@osler.com. Mr Plamondon can be contacted on +1 (514) 904 8109 or by email: fplamondon@osler.com. Ms Lynch can be contacted on +1 (514) 904 8164 or by email: elynch@osler.com.

© Financier Worldwide

BY

Stéphane Eljarrat, Frédéric Plamondon and Emily Lynch

Osler, Hoskin & Harcourt LLP

©2001-2024 Financier Worldwide Ltd. All rights reserved. Any statements expressed on this website are understood to be general opinions and should not be relied upon as legal, financial or any other form of professional advice. Opinions expressed do not necessarily represent the views of the authors’ current or previous employers, or clients. The publisher, authors and authors' firms are not responsible for any loss third parties may suffer in connection with information or materials presented on this website, or use of any such information or materials by any third parties.