Since 2007, the surge in Foreign Corrupt Practices Act (FCPA) cases has been among the most dramatic international enforcement storylines. In addition to the sharp increase in the number of FCPA cases filed each year—and the resulting fines—the Justice Department and the Securities and Exchange Commission now employ increasingly aggressive tactics in corruption investigations, including wiretaps and sting operations. These trends show no signs of abating. Assistant Attorney General Lanny Breuer recently indicated that he expects FCPA actions to expand and intensify in the years to come.
Whenever corruption allegations arise, companies must act fast to determine the veracity of the claims and the scope of the behavior in question. Time is of the essence, because self-reporting FCPA violations to the U.S. government has the potential to reduce any eventual penalties. But speedy investigations are often thwarted by foreign data protection laws that govern data privacy, corporate confidentiality and state secrets. In other words, companies can’t access or transfer regulated data to the U.S. that could either vindicate them or help ameliorate the consequences of violations.
In Europe, data privacy laws can be a significant challenge. Individual countries have statutes that control personally identifiable information, and some of these statutes are particularly strict. In France, for example, criminal data violations can result in corporate fines approaching $2 million and prison terms up to five years for individuals. Although European privacy laws generally are the most well known, similar data-protection regulations exist in throughout Asia, Brazil, Latin America and the Commonwealth of Independent States nations that can have a high level of FCPA risk.
In China, where the vast majority of enterprises are partially state-owned, the government itself can be a barrier. Companies conducting investigations need the cooperation of the Chinese government for the release of any substantive information. Because the enterprises’ interests don’t necessarily align with the revelation of wrongdoing, that relationship can be complicated at best.
Such obstacles can significantly challenge the e-discovery process in corruption investigations. Failure to fully appreciate the subjective data restrictions in each relevant jurisdiction can result in new layers of liability for the company, its outside counsel and other third parties involved. Moreover, U.S. regulators and prosecutors are largely unsympathetic to these foreign pressures, and they still expect companies to present a prompt, thorough and accurate assessment of alleged FCPA violations. Failure to do so invites deeper government scrutiny and harsher penalties.
Fortunately, there are steps companies can take to comply with foreign data restrictions that keep them in compliance with local laws, yet still allow swift reporting to the U.S. government. First and foremost, it’s essential to have local counsel—whether in-house or outside—who understand local regulations and can anticipate potential problems at the outset of internal investigations and be prepared with a local e-discovery plan.
Some large or high-risk companies have hired a dedicated data privacy counsel—a lawyer tasked with understanding the data laws in each of the countries in which the business operates. The best way to minimize regulatory entanglements is to understand the legal landscape and have a discovery plan prepared ahead of time. Companies that have prepared local discovery plans can move faster and more effectively to avoid local compliance violations and work around data restrictions where possible.
Such plans may require that e-discovery related document review occurs on-site to limit data transfer in line with local data protection laws. Performing document review on-site necessitates additional travel and logistical expenses but offers many advantages. Companies can quickly identify critical documents and determine which ones may require special treatment. In some cases, documents may be removed from the country with user consent. In other cases, companies may be able to file special applications with local governments to release documents. When obtaining the complete document is not possible, a local team can work with to perform redactions of regulated personal data while preserving information material to the case.
On-site data collection and review can be efficiently scheduled to occur with employee interviews. This starts the discovery process early, providing as much time as possible to navigate local legal issues, and also allows the company to deal with all travel and scheduling issues at once.
Finally, companies must rigorously prioritize and focus their international investigations on the electronic information that is most critical to the case. This helps to limit the number of documents slated for potential transfer across the border. This stands in contrast to domestic e-discovery procedures, in which the aim is often to collect and process vast amounts of data in an effort to identify everything potentially relevant, and then perform a comprehensive search across the data corpus. By narrowing the data collection to the only those data sources that are known to be potentially relevant, investigators can identify crucial documents faster, limit the number of irrelevant documents that undergo review and begin the process of reviewing and redacting as soon as possible.
Companies that anticipate and plan for data protection challenges ahead of time fare far better over the course of an investigation. They don’t have to backtrack on timelines with the U.S. government—a common occurrence that never helps companies’ cases—and they place themselves in the best position to limit penalties even in the event a violation is revealed.