International Investigations

2. Plan for a (Future) Rainy Day

If a restrictive data privacy regime is in play and the client is a multinational corporation, counsel must plan at the outset for a potential divergence of interests between the U.S. parent corporation ' the entity obliged to produce documents in response to demands from regulators such as the SEC ' and its foreign subsidiary ' the entity most likely to be charged under the applicable local data privacy act if violations occur. While not a particularly pleasant discussion to have at the outset, the need for separate counsel should be considered at the earliest opportunity.

3. Know Your Client's Policies and (Prior) Practices

Become familiar with your client's IT policies in the relevant jurisdictions. The tendency may be to delegate this task, but resist the temptation. Just as importantly, validate whether policy and practice are aligned by assessing the data already within the grasp of regulators like the SEC. If the government is interested in information that may already have been transmitted to the United States or otherwise has been routinely transmitted by the company, you will not want those facts to come to light after you have refused to produce information on data privacy grounds. The circumstances of transmission may ultimately provide a proper basis for avoiding production, but you will want to lay out the facts and your interpretation of the data privacy law candidly, to avoid any appearance of bad faith.

4. Get a Local Law Opinion

When a matter involves document collection or review in a foreign jurisdiction, it is important to obtain an opinion from counsel familiar with local data privacy restrictions or consult with your client's in-house personnel who are knowledgeable about the data privacy laws and regulations that apply in each jurisdiction (if such personnel exist).

A prudent course is to obtain a written opinion from local counsel in each country/jurisdiction in which documents will be collected or reviewed. It is also important to note that these laws are evolving and new data privacy laws are being enacted regularly as international attention around these issues grows; thus, you should not rely blindly on prior local law opinions.

Establishing a good relationship with knowledgeable local counsel is important. As these laws are often complicated and enforcement decisions are not always transparent, it is critical to find experienced local counsel that can offer practical advice regarding changes that may affect your clients. Further, there can be important differences between the letter of data privacy laws and their interpretations by local regulators; and, as noted above, U.S. prosecutors and regulators ' while they generally acknowledge the restrictions of foreign data privacy regimes ' are often skeptical that U.S. lawyers will use the terms of paper regimes as a “shield” to prevent disclosure of information that companies do not want to produce. A credible opinion by reputable local counsel helps address this risk.

5. Make Your Client a Stakeholder, Rather than a Defendant

In other words, don't give up on traditional government-to-government solutions. The government has multiple tools at its disposal for government-to-government cooperation, such as mutual legal assistance treaties (MLATs), through which it can request the transmission of documents that may otherwise be subject to data privacy restrictions. These mechanisms are lengthy, cumbersome and may not yield results, particularly where the data sought may be sensitive for political reasons beyond data privacy concerns. Still, these mechanisms exist, in part, to protect private companies and citizens from being caught between conflicting government requirements across multiple jurisdictions.

Do not let the results of the Big Four matter discourage you from pressing U.S. authorities to seek a government-to-government solution. At the outset of any matter involving document production or even merely disclosure of information to the U.S. government, it is important to advise the government of any data privacy considerations that may be at play, to establish the merits of your concern and preempt later suggestions that you are attempting to shield information from disclosure.

6. Structure Your Investigation with Data Privacy in Mind

Experienced local counsel can provide not just a summary of the strict legal requirements under local data privacy laws, but also practical guidance as to how to navigate these complexities during an investigation. For example, in many circumstances, consent obtained from investigation targets may create a clear path for review and disclosure. Where this is not a practical solution, other avenues may exist to streamline the investigative process; for instance, some data privacy laws include exceptions allowing for review where credible evidence of a potential violation exists or the information has been screened by local counsel.

The location of collection, review and interviews must also be thoughtfully planned to avoid data privacy violations and reduce associated costs. For example, while transmitting documents to the United States is generally unacceptable under European-style data privacy laws, nearby Canada is often a “safe harbor.” Rather than flying teams overseas, review may be conducted just across the border, minimizing cost and allowing more ready access to information. Further, in certain cases, local counsel has advised that read-only review from terminals in the United States is permissible, where documents are stored on servers abroad and can be reviewed in the United States but not printed or downloaded. This allows for a large portion of the work to be completed from the United States, with travel reserved for interview preparation and more deep-dive reviews of culled documents.

Additionally, with respect to witness interviews, protected personal data can easily creep into interview notes. As such, with an eye toward data privacy, a protocol should be set up to review and redact any notes or work-product returning to the United States. Un-redacted notes can then sometimes be stored on-site in the country of the investigation or in another safe-harbor country, for easy access.

Finally, it may also be possible to report the results of an investigation to the U.S. government without including personal data. While this approach will not alleviate data privacy concerns arising from evidence collection and review, it can be a practical solution to avoid a subpoena that impacts data privacy restrictions and, therefore, it is one more example of the importance of addressing data privacy concerns in the earliest stages of an international investigation.

Conclusion

The Big Four decision (and the SEC's choice to pursue the action despite at least a partial government-to-government solution) ups the ante for U.S. lawyers conducting international investigations. Now, U.S. lawyers conducting investigations in jurisdictions with data privacy restrictions can no longer simply count on government-to-government cooperation to address these as-yet-unresolved conflicts of laws; rather, lawyers must actively plan to confront this legal conflict. Despite this tension, the landscape remains eminently navigable for strategic lawyers who make data privacy a standard part of every investigation's assessment, planning, and execution.

Laurence A. Urgenson (lurgenson @mayerbrown.com), Chairman of this newsletter's Board of Editors, is a partner at Mayer Brown, Washington, DC. Matthew J. Alexander ([email protected]), an Associate Editor of this newsletter, is also with Mayer Brown. Jamie A. Schafer is an associate with Kirkland & Ellis, LLP.

As we discussed in last month's newsletter, the limits on discovery of private information are often far greater in other countries than they are in the United States. Following are some steps that can be taken in order to avoid running afoul of these limitations.

1. Learn the Applicable Data Privacy Restrictions

The first step in any analysis is to identify the data privacy restrictions that apply to your investigation, before taking any affirmative steps. In this new era, it is vitally important that lawyers resist the understandable urge to obtain the evidence immediately, before they have a firm grasp on the data privacy regime(s) in play, as simple acts like leaving the country with your notes (or even the fact of investigating itself) may trigger a violation.

2. Plan for a (Future) Rainy Day

If a restrictive data privacy regime is in play and the client is a multinational corporation, counsel must plan at the outset for a potential divergence of interests between the U.S. parent corporation ' the entity obliged to produce documents in response to demands from regulators such as the SEC ' and its foreign subsidiary ' the entity most likely to be charged under the applicable local data privacy act if violations occur. While not a particularly pleasant discussion to have at the outset, the need for separate counsel should be considered at the earliest opportunity.

3. Know Your Client's Policies and (Prior) Practices

Become familiar with your client's IT policies in the relevant jurisdictions. The tendency may be to delegate this task, but resist the temptation. Just as importantly, validate whether policy and practice are aligned by assessing the data already within the grasp of regulators like the SEC. If the government is interested in information that may already have been transmitted to the United States or otherwise has been routinely transmitted by the company, you will not want those facts to come to light after you have refused to produce information on data privacy grounds. The circumstances of transmission may ultimately provide a proper basis for avoiding production, but you will want to lay out the facts and your interpretation of the data privacy law candidly, to avoid any appearance of bad faith.

4. Get a Local Law Opinion

When a matter involves document collection or review in a foreign jurisdiction, it is important to obtain an opinion from counsel familiar with local data privacy restrictions or consult with your client's in-house personnel who are knowledgeable about the data privacy laws and regulations that apply in each jurisdiction (if such personnel exist).

A prudent course is to obtain a written opinion from local counsel in each country/jurisdiction in which documents will be collected or reviewed. It is also important to note that these laws are evolving and new data privacy laws are being enacted regularly as international attention around these issues grows; thus, you should not rely blindly on prior local law opinions.

Establishing a good relationship with knowledgeable local counsel is important. As these laws are often complicated and enforcement decisions are not always transparent, it is critical to find experienced local counsel that can offer practical advice regarding changes that may affect your clients. Further, there can be important differences between the letter of data privacy laws and their interpretations by local regulators; and, as noted above, U.S. prosecutors and regulators ' while they generally acknowledge the restrictions of foreign data privacy regimes ' are often skeptical that U.S. lawyers will use the terms of paper regimes as a “shield” to prevent disclosure of information that companies do not want to produce. A credible opinion by reputable local counsel helps address this risk.

5. Make Your Client a Stakeholder, Rather than a Defendant

In other words, don't give up on traditional government-to-government solutions. The government has multiple tools at its disposal for government-to-government cooperation, such as mutual legal assistance treaties (MLATs), through which it can request the transmission of documents that may otherwise be subject to data privacy restrictions. These mechanisms are lengthy, cumbersome and may not yield results, particularly where the data sought may be sensitive for political reasons beyond data privacy concerns. Still, these mechanisms exist, in part, to protect private companies and citizens from being caught between conflicting government requirements across multiple jurisdictions.

Do not let the results of the Big Four matter discourage you from pressing U.S. authorities to seek a government-to-government solution. At the outset of any matter involving document production or even merely disclosure of information to the U.S. government, it is important to advise the government of any data privacy considerations that may be at play, to establish the merits of your concern and preempt later suggestions that you are attempting to shield information from disclosure.

6. Structure Your Investigation with Data Privacy in Mind

Experienced local counsel can provide not just a summary of the strict legal requirements under local data privacy laws, but also practical guidance as to how to navigate these complexities during an investigation. For example, in many circumstances, consent obtained from investigation targets may create a clear path for review and disclosure. Where this is not a practical solution, other avenues may exist to streamline the investigative process; for instance, some data privacy laws include exceptions allowing for review where credible evidence of a potential violation exists or the information has been screened by local counsel.

The location of collection, review and interviews must also be thoughtfully planned to avoid data privacy violations and reduce associated costs. For example, while transmitting documents to the United States is generally unacceptable under European-style data privacy laws, nearby Canada is often a “safe harbor.” Rather than flying teams overseas, review may be conducted just across the border, minimizing cost and allowing more ready access to information. Further, in certain cases, local counsel has advised that read-only review from terminals in the United States is permissible, where documents are stored on servers abroad and can be reviewed in the United States but not printed or downloaded. This allows for a large portion of the work to be completed from the United States, with travel reserved for interview preparation and more deep-dive reviews of culled documents.

Additionally, with respect to witness interviews, protected personal data can easily creep into interview notes. As such, with an eye toward data privacy, a protocol should be set up to review and redact any notes or work-product returning to the United States. Un-redacted notes can then sometimes be stored on-site in the country of the investigation or in another safe-harbor country, for easy access.

Finally, it may also be possible to report the results of an investigation to the U.S. government without including personal data. While this approach will not alleviate data privacy concerns arising from evidence collection and review, it can be a practical solution to avoid a subpoena that impacts data privacy restrictions and, therefore, it is one more example of the importance of addressing data privacy concerns in the earliest stages of an international investigation.

Conclusion

The Big Four decision (and the SEC's choice to pursue the action despite at least a partial government-to-government solution) ups the ante for U.S. lawyers conducting international investigations. Now, U.S. lawyers conducting investigations in jurisdictions with data privacy restrictions can no longer simply count on government-to-government cooperation to address these as-yet-unresolved conflicts of laws; rather, lawyers must actively plan to confront this legal conflict. Despite this tension, the landscape remains eminently navigable for strategic lawyers who make data privacy a standard part of every investigation's assessment, planning, and execution.

Laurence A. Urgenson (lurgenson @mayerbrown.com), Chairman of this newsletter's Board of Editors, is a partner at Mayer Brown, Washington, DC. Matthew J. Alexander ([email protected]), an Associate Editor of this newsletter, is also with Mayer Brown. Jamie A. Schafer is an associate with Kirkland & Ellis, LLP.