Options for internal investigations under Italian law and data protection issues

Following up on our previous article regarding internal investigations in Italy, we turn to the issues that arise when the internal investigation concerns a white-collar crime. When there is knowledge (or suspicion) that a crime has been committed within a company and a criminal proceeding is pending (or may be brought), internal investigations become particularly important and sensitive.

In these instances, an internal investigation, if both proper and timely, allows the company not only to preserve documents and information, but also to consider defence strategies or, depending on the circumstances of the case, remedial programmes and/or self-reporting actions.

In practice, at the outset the company should carefully assess the structure and scope of the investigation.

In principle, the company can opt for investigations that are not governed by specific statutory rules (standard investigations) or for ‘defence investigations’ pursuant to the procedural rules in Articles 327-bis and 391-bis to 391-ter of the Italian Code of Criminal Procedure.

While standard investigations can be carried out by both in-house and external counsel, only external counsel formally appointed for the purposes of pending or prospective criminal proceedings are entitled to carry out defence investigations. Defence investigations must be conducted and documented following specific statutory requirements. In particular, witness interviews require a formal invitation and explanation of the interviewee’s rights (eg, right to remain silent) and duties (eg, obligation to tell the truth); and the interview must be minuted verbatim and/or tape-recorded.

Defence investigations not only offer stronger protection of legal privilege, but they also allow counsel to use the results of the investigation as admissible evidence in the pending or prospective criminal proceedings. The difference from standard investigations is particularly evident when considering witness statements. In contrast to standard investigations, if information is gathered in accordance with the procedural rules of defence investigations, the statement can then be (i) produced as evidence during the public prosecutor’s investigations or at the preliminary hearing, and/or (ii) used to challenge any different account that the interviewee may provide if examined at trial.

There is no clear-cut answer to the question of whether one option should in any case be preferred. The answer will depend on the overall context of the specific case and ultimately on the purpose of the investigation (eg, whether the investigation is essentially a fact-finding exercise or whether the primary goal is to secure evidence in pending or prospective criminal proceedings).

Another related issue that must be addressed at the outset of the investigation is whether the purpose is to conduct an independent, impartial assessment or to gather evidence in support of the defence.

Under the Italian legal system, there is no requirement or expectation that an internal investigation be impartial. Indeed, with respect to defence investigations it is quite the opposite, since Article 327-bis of the Italian Code of Criminal Procedure empowers criminal counsel to conduct investigations aimed at collecting evidence supporting the defence.

As discussed above in relation to the structure of the investigation, the choice will depend on the specific circumstances of the case (eg, whether the company’s primary need is to defend itself and its managers in a criminal proceeding or to carry out a full-fledged assessment of potential misconduct and then determine whether to implement remedial actions, such as strengthening internal controls, taking action against personnel involved or, potentially, reporting to authorities).

Furthermore, dealing with white-collar crime and conducting related internal investigations raises issues of compliance with data protection legislation. Conducting internal investigations necessarily entails the processing of personal data of the individuals involved. Therefore, compliance with data protection rules (such as those concerning the legal basis applicable to the data processing, the information that data subjects must be provided with, data security, retention periods and so on) has to be ensured in this context.

The applicability, starting from 25 May 2018, of EU Regulation 2016/679 (GDPR) increased the relevance of data protection issues, particularly due to (i) the magnitude of the fines applicable in the case of non-compliance, and (ii) the data subjects’ increased awareness of their rights under data protection legislation.

It is important to point out that the Italian legislation that amended the Italian Privacy Code after the GDPR came into force confirmed a provision pursuant to which personal data processed in violation of data protection legislation ‘cannot be used’ (unless, if used in court, applicable procedural rules provide otherwise).

On a different level, the commission of a crime could directly affect personal data, when it causes ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data […]’ (ie, a data breach pursuant to Article 4(12) of the GDPR). This may be particularly common when cyber crimes are at issue. In this respect, data protection requirements demand that adequate security measures be put in place, based on the standards set out in the GDPR. To this end, pursuant to Article 32 of the GDPR, the technical means and the overall organisation of data processing must ensure an appropriate level of security for personal data, which must be assessed based on the risks of potential breaches. Therefore, the risks to the confidentiality, integrity and availability of personal data have to be considered in advance, in order to design and implement adequate safeguards, which must apply throughout the whole data processing chain. In particular, third-party vendors must be selected carefully after conducting a review, and audits where necessary, of the adequacy of their security arrangements.

EU regulators and, in certain cases, the affected individuals must be promptly notified of data breaches that qualify as relevant under the GDPR (Articles 33 and 34). However, with respect to data breaches originating from the commission of a crime, this notification should ‘take into account the legitimate interests of law enforcement authorities where early disclosure could unnecessarily hamper the investigation of the circumstances of a personal data breach’ (Recital 88 of the GDPR). As the Article 29 Working Party noted, this may mean that, in certain circumstances, and on the advice of law enforcement authorities, communication of a data breach (particularly to the affected individuals) may be delayed until such time as it would no longer prejudice such investigations.