Looking Before You Leap in International Investigations

International investigations are now commonplace for many white-collar criminal defense lawyers and, very often, following the facts means putting “boots on the ground” in a number of exotic and far-flung locales. In many (if not most) cases, these investigations will implicate foreign data privacy regimes, both entrenched and emerging.'

Historically, the risk of enforcement under these laws has proven to be largely theoretical. Consequently, data privacy has often been dismissed as a dry topic of legal discourse, with little impact for practitioners. Recent developments call this perception into question, particularly as U.S. regulators have more aggressively demanded that companies produce documents protected by data privacy regimes. A stark example of this is the Securities and Exchange Commission's (SEC or Commission) recent action against the Chinese subsidiaries of the “Big Four” accounting firms, for their refusal to produce documents ' including audit work papers pertaining to U.S.-listed Chinese companies ' because production would violate China's state secrets regulations.

With the SEC digging in its heels, data privacy restrictions proliferating, and foreign jurisdictions taking a tougher stance on local enforcement, it appears that U.S. lawyers are now stuck between a rock and a hard place, with foreign regulators on one side and their domestic counterparts at the SEC on the other. However, as is often the case, the situation is not as dire as it first appears. While international investigations are invariably more complicated in this new era of data privacy, with careful planning and several practical, proactive steps, lawyers can successfully navigate the new reality.

Prelude: Understand the Current State of Play

The increased need to deal effectively with foreign data privacy restrictions is driven by two developments: 1) the global uptick in enforcement and 2) U.S. regulators' increasing opposition ' as shown by the SEC's Big Four enforcement action ' to foreign data privacy regimes that limit compliance with document requests.

Global Uptick in Enforcement

While data privacy laws have long been on the books in many foreign countries, enforcement was largely non-existent. Not surprisingly, given the tension between the intrusiveness of U.S.-style investigations and the privacy rights of foreign citizens ' foreign data privacy enforcement activity has largely paralleled the global surge in anti-corruption enforcement, with foreign governments aggressively asserting data privacy or “state secrets” restrictions to avoid unwelcome exposure. Accordingly, U.S. lawyers conducting international investigations (and their clients) face increasing risk that violations of foreign data privacy regulations may have harsh consequences, up to and including the prospect of criminal sanctions.

The SEC's Big Four Enforcement Action

For years, U.S. government agencies have bristled at the barriers presented to international investigations by foreign data privacy regimes. Traditionally, these matters have been resolved through government-to-government negotiation, absolving companies of production obligations. However, foreign governments are not always receptive to these requests and, in those instances, companies have been left to choose between rejecting the U.S. government's information demands or producing requested documents in apparent disregard of foreign data privacy restrictions. Historically, low enforcement risk in foreign jurisdictions weighed in favor of production.

This conflict between U.S. policy and foreign data privacy regimes came to a head in May 2011, when the SEC issued a document subpoena to the Shanghai subsidiary of global accounting firm Deloitte Touche Tohmatsu CPA Ltd. (D&T Shanghai), in connection with the Commission's accounting fraud investigation of the firm's client. Among the requested documents were D&T Shanghai's work papers from its audit of the client. After no documents were produced, the Commission filed a subpoena enforcement action in U.S. District Court in Washington, DC, in September 2011. That matter was resolved in late January of this year, following government-to-government cooperation between the SEC and the China Securities Regulatory Commission (CSRC) in 2013 ' cooperation that resulted in some file sharing with the SEC.

However, the story does not end with this government-to-government solution. Rather, in the interim between filing and resolution, the Commission filed a broader enforcement action relating to similar issues in gaining access to documents from China. That action ' filed against D&T Shanghai, the Chinese affiliates of the other “Big Four” accounting firms (Ernst & Young; KPMG; and PwC), as well as a fifth firm, BDO China Dahua Co. ' signals a broader SEC policy stance that foreign data privacy restrictions cannot be used as a shield by U.S.-listed foreign companies. While many predicted the firms would get the legal equivalent of a scolding, without any prospective, real-world repercussions, the presiding Administrative Law Judge levied a six-month ban against the entities auditing U.S.-listed companies, a decision with far-reaching implications for U.S.-listed foreign companies.'

The financial market implications flowing from the decision are a separate concern not addressed in this paper, and the Big Four affiliates have indicated they intend to appeal; however, resolution of that action may take years. So, where does the decision leave lawyers conducting international investigations in the interim? While there are many ways to approach the data privacy quagmire, in next month's issue we will give you tips for navigating this complex world without finding yourself in a bind like the Big Four.

Laurence A. Urgenson Chairman of this newsletter's Board of Editors,'was a partner at Kirkland & Ellis LLP, at the time of this writing. He is now with Mayer Brown. Matthew J. Alexander ([email protected]) and Jamie A. Schafer'([email protected]), Associate Editors of this newsletter, are associates with Kirkland & Ellis.

International investigations are now commonplace for many white-collar criminal defense lawyers and, very often, following the facts means putting “boots on the ground” in a number of exotic and far-flung locales. In many (if not most) cases, these investigations will implicate foreign data privacy regimes, both entrenched and emerging.'

Historically, the risk of enforcement under these laws has proven to be largely theoretical. Consequently, data privacy has often been dismissed as a dry topic of legal discourse, with little impact for practitioners. Recent developments call this perception into question, particularly as U.S. regulators have more aggressively demanded that companies produce documents protected by data privacy regimes. A stark example of this is the Securities and Exchange Commission's (SEC or Commission) recent action against the Chinese subsidiaries of the “Big Four” accounting firms, for their refusal to produce documents ' including audit work papers pertaining to U.S.-listed Chinese companies ' because production would violate China's state secrets regulations.

With the SEC digging in its heels, data privacy restrictions proliferating, and foreign jurisdictions taking a tougher stance on local enforcement, it appears that U.S. lawyers are now stuck between a rock and a hard place, with foreign regulators on one side and their domestic counterparts at the SEC on the other. However, as is often the case, the situation is not as dire as it first appears. While international investigations are invariably more complicated in this new era of data privacy, with careful planning and several practical, proactive steps, lawyers can successfully navigate the new reality.

Prelude: Understand the Current State of Play

The increased need to deal effectively with foreign data privacy restrictions is driven by two developments: 1) the global uptick in enforcement and 2) U.S. regulators' increasing opposition ' as shown by the SEC's Big Four enforcement action ' to foreign data privacy regimes that limit compliance with document requests.

Global Uptick in Enforcement

While data privacy laws have long been on the books in many foreign countries, enforcement was largely non-existent. Not surprisingly, given the tension between the intrusiveness of U.S.-style investigations and the privacy rights of foreign citizens ' foreign data privacy enforcement activity has largely paralleled the global surge in anti-corruption enforcement, with foreign governments aggressively asserting data privacy or “state secrets” restrictions to avoid unwelcome exposure. Accordingly, U.S. lawyers conducting international investigations (and their clients) face increasing risk that violations of foreign data privacy regulations may have harsh consequences, up to and including the prospect of criminal sanctions.

The SEC's Big Four Enforcement Action

For years, U.S. government agencies have bristled at the barriers presented to international investigations by foreign data privacy regimes. Traditionally, these matters have been resolved through government-to-government negotiation, absolving companies of production obligations. However, foreign governments are not always receptive to these requests and, in those instances, companies have been left to choose between rejecting the U.S. government's information demands or producing requested documents in apparent disregard of foreign data privacy restrictions. Historically, low enforcement risk in foreign jurisdictions weighed in favor of production.

This conflict between U.S. policy and foreign data privacy regimes came to a head in May 2011, when the SEC issued a document subpoena to the Shanghai subsidiary of global accounting firm Deloitte Touche Tohmatsu CPA Ltd. (D&T Shanghai), in connection with the Commission's accounting fraud investigation of the firm's client. Among the requested documents were D&T Shanghai's work papers from its audit of the client. After no documents were produced, the Commission filed a subpoena enforcement action in U.S. District Court in Washington, DC, in September 2011. That matter was resolved in late January of this year, following government-to-government cooperation between the SEC and the China Securities Regulatory Commission (CSRC) in 2013 ' cooperation that resulted in some file sharing with the SEC.

However, the story does not end with this government-to-government solution. Rather, in the interim between filing and resolution, the Commission filed a broader enforcement action relating to similar issues in gaining access to documents from China. That action ' filed against D&T Shanghai, the Chinese affiliates of the other “Big Four” accounting firms (Ernst & Young; KPMG; and PwC), as well as a fifth firm, BDO China Dahua Co. ' signals a broader SEC policy stance that foreign data privacy restrictions cannot be used as a shield by U.S.-listed foreign companies. While many predicted the firms would get the legal equivalent of a scolding, without any prospective, real-world repercussions, the presiding Administrative Law Judge levied a six-month ban against the entities auditing U.S.-listed companies, a decision with far-reaching implications for U.S.-listed foreign companies.'

The financial market implications flowing from the decision are a separate concern not addressed in this paper, and the Big Four affiliates have indicated they intend to appeal; however, resolution of that action may take years. So, where does the decision leave lawyers conducting international investigations in the interim? While there are many ways to approach the data privacy quagmire, in next month's issue we will give you tips for navigating this complex world without finding yourself in a bind like the Big Four.

Laurence A. Urgenson Chairman of this newsletter's Board of Editors,'was a partner at Kirkland & Ellis LLP, at the time of this writing. He is now with Mayer Brown. Matthew J. Alexander ([email protected]) and Jamie A. Schafer'([email protected]), Associate Editors of this newsletter, are associates with Kirkland & Ellis.