Article

Cross-border investigations — a growing risk

Alexei Dudko, Sebastian Lach, and Antonin Lévy


Enforcement actions and legislative activities continue to soar. Interagency cooperation is on a spike, too, and this increases the risk of double jeopardy. Taken together, these signal that global companies face a growing risk of cross-border investigations. And whether internal or authority driven, this creates challenges.

For a start, when under investigation, you have to confirm that you comply with local laws and customs. Other, more practical challenges include the need for a consistent approach to your response and active communication, plus the need to manage stakeholders from headquarters as well as locally.

Meanwhile, you have to satisfy the home authority — the Securities and Exchange Commission (SEC), Serious Fraud Office (SFO), and Department of Justice (DOJ), for example.

All this can lead to conflicting obligations. On the one hand you must comply with local and international laws; on the other, you must comply with an enforcement agency that accepts nothing less than your complete cooperation.

Well before a cross-border investigation starts and before tensions mount, you must consider all potential issues. You can then put in place measures to enable you to comply with the authorities yet protect your interests. Data privacy rules, blocking statutes, state secret rules, and local labor law specifics — these are just some of the issues you may come up against.

Data privacy rules

Data privacy laws become relevant in Europe; they’re also established in Asia and other regions. With broad legal frameworks, the laws apply to all kinds of processing, not only to automated processing of employee data. As an example, merely granting remote access is often regarded as data transfer. In Europe, in particular, the ruling on the invalidity of the Safe Harbor framework and the new European Data Protection Regulation has resulted in an even more regulated environment.

In Russia, data privacy rules include an individual’s constitutional rights to private life, personal and family secrets, privacy of correspondence, and rights to personal data related to the individual. In practice, this concept makes it unlawful, and it may even trigger criminal liability, to review an employee’s computer and work emails without their consent (or transfer them across borders). It’s important, then, to get all consents before any such data can be processed and reviewed.

Instant-register to read full article