Internal investigations and public enforcement actions pose significant legal challenges for companies. The inherent multidisciplinary nature of the most frequent issues, which requires an in-depth knowledge not only of the laws and regulations of the relevant industry, but also of criminal, corporate, contract, data protection and labour law (often in more than one jurisdiction), increases these challenges.
The activities that companies and corporate groups carry out, and therefore the legal requirements that come into play, differ depending on whether the investigation is: (i) proactive (eg, in the case of investigations triggered by employee whistleblowing or findings by internal auditors, without any public authorities’ investigation or enforcement); or (ii) reactive (eg, following dawn raids by antitrust authorities or regulators or document seizures by public prosecutors).
A proactive investigation entails the existence of pre-established procedures that, by addressing broader situations, may be more complex than those used when reacting to a specific activity carried out by public authorities. Whistleblowing procedures are a relevant example of this; the Italian parliament has recently approved a new set of rules (which will apply broadly, including in anti-corruption cases) that provide enhanced protection to whistleblowers.
In the case of investigations triggered by enforcement activity of public authorities, responses to their requests or initiatives (eg, requests for documents or employee interviews and on-site inspections) must be managed in the most appropriate way, in particular to mitigate the risk of becoming liable, on the one hand, towards public authorities for lack of co-operation and, on the other hand, towards third parties (such as employees, clients and business partners) for disclosing disproportionate information. Especially when foreign authorities are involved, challenges may also include conflicts between information requests made by public authorities and obligations deriving from national law.
Under Italian law, internal investigations, particularly those involving a cross-border element or a highly-regulated sector, raise issues that are common to proactive and reactive investigations.
When structuring an investigation, it is important to first consider that companies can outsource investigation activities to third parties (such as external lawyers, audit firms, private investigators, data recovery companies or even other group companies), provided that proper entitlement of these third parties under corporate, labour and data protection law is ensured.
Compliance with data protection law raises significant issues, the relevance of which will increase due to the applicability, starting from 25 May 2018, of EU Regulation 2016/679 (the GDPR). Indeed, the territorial scope of the GDPR is wider than that of the data protection legislation currently in force, since it includes companies that, albeit not having an establishment in Italy, offer products and services to individuals in Italy or monitor their behaviour. Additionally, fines under the GDPR could be up to €20m or up to 4% of the total worldwide annual turnover of the preceding financial year (whichever is higher).
Data protection rules require employers to consider the proportionality of the investigative measures they implement, which is particularly relevant with respect to collection and review of employees’ electronic data. In particular, any information unrelated to the work activity of an employee or, in any event, to the subject-matter of the investigation should be promptly isolated and excluded from the investigation.
Additional relevant issues include how to find, in the absence of employee consent, a legal ground to justify personal data processing. On a case-by-case basis, it should be assessed whether, for instance, the data processing could be justified by the need to ‘establish or defend legal claims before a judicial authority’ or whether a ‘legitimate interest’ of the data processor exists.
Moreover, concerns under data protection law arise when investigation activities include transferring personal data to countries (eg, where affiliate companies or the parent company are located) that are not considered to ensure an adequate level of personal data protection, since ad hoc instruments (such as standard contractual clauses, binding corporate rules or, only for the US, the Privacy Shield) may often be necessary.
When the findings of an investigation are meant to be used in the context of a criminal proceeding, criminal law procedural rules come into play, restricting some activities to external counsel only and providing for specific requirements for the activities and for documenting their outcome.
Legal privilege protection applies to documents prepared in view of a defence in criminal proceedings to the extent that these documents have been drafted by external counsel or expert witnesses, and it is enhanced when they are stored at counsel’s office or are included in correspondence with counsel. Additionally, in Italy legal privilege does not protect, per se, communications with or work-product of in-house counsel.
Corporate governance issues arise with respect to whether and when information regarding the developments and the outcome of the investigation can be disclosed to various functions or bodies of the company (eg, human resources, in-house counsel, the board of directors or the board of statutory auditors) and to the parent company or other affiliates.
When to disclose the outcome of an investigation to employees who are suspected of misconduct is also a sensitive matter, since the employer’s interest in confidentiality (which ensures the effectiveness of the investigation) must be balanced with these employees’ rights of defence under labour law.
Internal investigations are particularly important for the company’s defence where offences triggering corporate liability are at issue. Under Italian Legislative Decree No. 231 of 8 June 2001 (the 231 Law), companies may incur ‘administrative’ (indeed, quasi-criminal) liability in connection with certain crimes committed in their interest or for their benefit by executives. Such crimes include a wide number of corporate and financial offences, such as corruption, embezzlement, fraud against public authorities and money laundering.
Liability may be limited or excluded by the adoption of an adequate organisational, management and control model (a 231 Model), aimed at preventing these offences from being committed, and the appointment of an ad hoc supervisory body. Therefore, companies acting in Italy have strong incentives to adopt a 231 Model.
When a criminal investigation is launched in connection with alleged crimes falling within the scope of the 231 Law, the company’s 231 Model is subject to careful scrutiny by prosecutors aimed at assessing its adequacy, which would allow the company to escape liability or at least to avoid or mitigate certain penalties (eg, a ban on entering into public procurement contracts and a suspension or revocation of regulatory licences).
When involved in criminal proceedings, companies frequently decide to enhance their 231 Models in any event, even independently of the developments in the specific proceedings, in order to minimise the risk of being exposed in the future to liability under the 231 Law. In this respect, internal investigations are critical to finding potential flaws in a 231 Model in a timely manner and adopting appropriate remedial actions.