Cross-Border Investigations

Introduction

The more countries and jurisdictions are involved, the harder it becomes to run and complete an investigation quickly, efficiently, and comprehensively. Various issues arise like language barriers, different cultural perceptions, local laws, data privacy provisions, and blocking statutes. All of those have to be coordinated at the same time. Such investigations are, therefore, not only difficult to complete but also bear the risk that the investigation itself may lead to cases of non-compliance. As a consequence, those in charge of such investigations have to be mindful to avoid generating such risks – also for themselves personally.

While it is no substitute for individually tailored legal advice, this Guide aims to reduce those very risks. It provides a general overview of investigations on the European continent to help orient those leading or involved with such investigations. The following article provides an overview of the most important questions and considerations that arise during the various stages of an investigation – from the beginning to the end.

Investigating Compliance Hotline Reports

All around the world, employees are more and more encouraged to raise concerns and report violations of legal, compliance, or ethical topics. In Europe, companies continuously need to monitor legal developments in that regard, in particular, the implementation of the EU Whistleblower Protection Directive (EU) 2019/1937.

The EU Whistleblower Protection Directive aims to provide common minimum standards of protection to whistleblowers who report breaches of EU law from their employer. It contains requirements particularly on the reporting channels to be set up, the communication with reporters, and the responsibilities for investigating the compliance reports. In addition, the EU Whistleblower Protection Directive compels the member states to provide effective penalties, for example, for hindering whistleblower reports.

Even though the implementation deadline expired by 17 December 2021, not all EU member states have yet implemented the directive. This is why, on 27 January 2022, the European Commission initiated infringement proceedings against a total of 24 European countries. The European Commission has thereby set an ultimatum to implement the directive into national law. In 2023, the Commission took Germany, Italy and six other countries to the European Court of Justice and demanded monetary sanctions with the cases still pending. At the beginning of 2024, only Poland and Estonia had still not transposed the directive into national law.

The extent to which the directive has so far been implemented varies from one member state to another. In some member states, the law only meets the directive's minimum requirements. In contrast, other countries broadened the scope and focused on stronger protection of whistleblowers. Therefore, the various adoptions and reforms as well as administrative guidelines regarding the EU Whistleblower Protection Directive in each member state's national law need to be monitored.

Start of a Cross-Border Investigation

After an initial assessment of which countries are implicated in the investigation, various issues have to be considered

The first question is often whether local support is needed. The answer will often be yes. Mostly, local in-house legal capabilities will be sufficient. However, outside counsel or other external resources will sometimes have to be consulted. In this regard, it has to be noted that it may prove difficult to find the right experts in certain countries. In many locations, there is seldom an abundance of white collar crime or compliance experts. Therefore, it is advisable to build and maintain a network of experts in the most important countries, even before an investigation starts. In crisis situations (like dawn raids or cyber-attacks), there may not be time to search for local support. Even if there is time, if competitors or other companies are faced with the same problem, the best counsel may already have been taken or may already be conflicted once they are approached. Working with non-expert counsel, especially in smaller legal markets, can bear risks and create inefficiencies.

Once the team has been assembled, the next question is whether one is even allowed to investigate in the respective country. This question must be answered with the help of dedicated local counsel. In this regard, one has to differentiate between blocking statutes and data privacy considerations. A blocking statute will often mean that all or certain investigative measures may not be allowed or only with special permission. Data privacy concerns relate to the treatment of data containing personal information, but they rarely present an absolute obstacle to any investigative step. To provide a simple example: A blocking statute may prevent an interview, while data privacy laws may simply limit the use of information gathered from an interview or call for special measures for the collection and treatment of that data.

Once the question of blocking statutes has been addressed, one may have to clarify whether specific bodies like trade unions, works councils, corporate supervisory boards, financial stakeholders and shareholders have to be informed of the start of the investigation or the information that led to the investigation. Some local laws have very rigid and detailed disclosure requirements. The violation of any such requirements might hinder the investigation or even lead to civil or criminal liability of the company or the individual actors.

In addition, it must be carefully assessed whether early disclosures to local law enforcement agencies are necessary or would be helpful from a strategic standpoint. In some countries, certain situations call for such disclosure under the applicable local laws. In other countries, it is culturally necessary to involve the authorities to maintain a cooperative atmosphere. In other countries, however, such disclosures are uncommon and may create more problems than they solve. In cross-border cases, where many authorities may be involved, there may be a strategic advantage to disclosing information in a certain order or having one authority take the lead. Especially at this stage, local expertise – legally and culturally – is very helpful to avoid making the wrong decisions.

The Investigative Phase

Once all obstacles that may hinder the start of an investigation have been cleared, the company can start the investigation.

An investigation often begins with so-called immediate measures. Normally, the first task is to ensure that any potentially ongoing criminal or unlawful conduct is stopped. This frequently means monitoring certain payment streams or putting specific individuals at least under close monitoring to make sure that all their actions are appropriate going forward. It may also mean checking whether certain products can still be sold on the market.

Another early step is to ensure that all data potentially relevant to the investigation is preserved. This may entail a wide range of measures, from issuing a data hold to suspending auto-delete functions to immediately imaging data carriers. These measures play an important role in dissuading local prosecutors from performing dawn raids. If one can demonstrate that all relevant data has been stored securely, it may even be disproportionate for prosecutors to raid companies.

The investigation team then has to decide who will formally lead the investigation. The question often comes down to whether this is done by in-house counsel or external lawyers. In this regard, the sensitivity of the matter and privilege protection will often be decisive factors. The rule of thumb is that countries in Continental Europe often award very little privilege protection to in-house counsel. This can even mean that work product of outside counsel in the custody of the company's in-house counsel could be seized and reviewed by the authorities in some jurisdictions. Therefore, the decision is not only who runs the investigation but also where to generate and store sensitive work products.

In particular when communicating with reporters, performing interviews, collecting and reviewing information, data privacy laws have to be considered. The good news is that a uniform European Data Privacy Regulation came into force in 2018. This reduced the impact of local law specifics. On the other hand, local law specifics are not entirely abolished. For example, certain labour laws or criminal laws may contain stricter provisions on data handling. In addition, potential penalties substantially increased, and rules became more stringent. Given the potential legal exposure and the complexity of the issue, it is strongly recommended that expert data privacy counsel be part of any cross-border investigation team in all phases. Another specific issue in cross-border cases is the "export" of data to other countries. This can be particularly problematic if such countries do not have an equivalent level of data privacy protection compared to the European Union. This may necessitate a case-by-case analysis and may also call for additional protective measures like reducing data amounts or redacting personal information before any data transfer.

The right of participation of works councils and/or trade unions during an investigation may also need to be considered. Local laws will have different views in this regard. A mistake in this area can have serious consequences. It cannot only damage the relationship between the company and its employees, but it can also lead to the end or at least to an interruption of the investigation itself. Disregarding the rights of a works council may allow this body to obtain a cease-and-desist order against the investigation.

Interviews often also raise various legal issues, such as the need for data privacy waivers and the need for special instructions on the right to not self-incriminate or the right to legal counsel. Each jurisdiction has its own rules and best practices in this regard. If an interviewee is not adequately instructed or the interview is otherwise not done correctly, these issues can lead to evidence being deemed inadmissible down the road.

The End of the Investigation

Questions arising at the end of an investigation may also vary from one jurisdiction to the other. However, some issues are frequently in focus in many countries.

The first question, which comes up rather frequently, is whether a detailed investigation report should be produced or not. This is, again, linked to the question of privilege. If in-house counsel produces an investigation report, this report may not be privileged in many countries on the European continent. Even if outside counsel produces the report, it may have only limited protection if it enters into the custody of the company. In some countries, authorities may view the waiver of privilege and production of the report as necessary to demonstrate good faith and cooperation. There may then be pressure to produce such a report.

Another step at the end of the life cycle of an investigation is remediation. Firstly, this may make an update of internal processes necessary. What is legally possible and state of the art with respect to internal guidelines may differ greatly, especially throughout Europe. For companies operating in multiple jurisdictions, it may be necessary to conform worldwide internal guidelines to the higher legal standard in the home jurisdiction, even though a lower standard may be permissible in local jurisdictions. In the end, it is often in the home jurisdiction where the biggest risks lie.

Secondly, personnel measures like warning letters, training and terminations will play an important role in any remediation. In this regard, it is important to note that countries may have different deadlines for implementing personnel measures. If the deadlines are missed, personnel measures may not be taken for that reason alone. Furthermore, it may be necessary to involve works councils or trade unions in such processes. The prerequisites for termination will also differ greatly among countries. For example, it may be much easier to terminate an employee in the United Kingdom than in France or Germany.

Finally, a step that is sometimes missed at the end of an investigation is recovery. In many countries, board members are responsible for compliance in companies. If a major compliance failure arises, board members may be liable to the company if they had knowledge of the conduct or if they had responsibility for the respective compliance topic and failed to implement an appropriate compliance system. The company may then even be under a duty to assess such claims against its own board members and – if there is substance to such claims – pursue them. This may even mean that if the company or its management fails to assess and pursue such claims, those responsible for the assessment may themselves be liable for the omission. In Germany, for example, this can even lead to the criminal liability of the supervisory board for breach of fiduciary duties.

Conclusion

When doing a cross-border investigation in or involving Europe, many steps have to be kept in mind. Issues can arise at every stage in the life cycle of an investigation. It is not necessary to know all the answers from the beginning, but important to ask the right questions. Once a potential issue has been identified, the investigative process can be set up and managed in a way that minimises risks.

 


 

Dr. Sebastian Lach
Partner
Hogan Lovells Munich
T +49 69 96236 308
E sebastian.lach@hoganlovells.com


Sebastian Lach leads the German Compliance and Investigations practice and is co-CEO of ELTEMATE – the Hogan Lovells technology company. Sebastian has successfully advised on a wide range of criminal investigations relating to more than 50 countries, including FCPA, SEC/DOJ implications. He is therefore familiar with appropriate use cases for all major eDiscovery platforms and tools as well as databases. Most of his investigations for Fortune 500 and DAX 40 clients included vast technology-driven data forensics, including data collection, data processing and data review. With his understanding of technology in the legal industry, he was instrumental in developing the firm's legal tech strategy. In his role as Co-CEO of ELTEMATE, he leads a market-leading team of AI experts, data scientists, software engineers and data analytics professionals focused on developing innovative AI solutions, particularly in the area of generative AI. Sebastian Lach utilises his extensive experience of over 15 years working at the intersection of technology and legal practice to advise clients on the selection and implementation of cutting-edge legal tech solutions.


Désirée Maier
Partner
Hogan Lovells Munich
T +49 89 29012 340
E desiree.maier@hoganlovells.com

Désirée Maier advises clients on issues relating to white-collar criminal law and compliance. She has particular expertise in the life sciences and health care sector. One focus of her work lies on setting up and conducting cross-border investigations and in the defence against allegations of a criminal nature. She has extensive experience in advising during dawn raids, coordinating compliance of investigations with requirements under German, local law, U.S. and UK law as well as communicating with law enforcement authorities. Désirée also regularly advises on the establishment and implementation of global compliance systems, including the performance of compliance audits. In addition, she has expertise in connection with civil law claims arising from compliance matters. Désirée worked in the legal department of a U.S. Fortune 500 company with global responsibility for internal investigations and is head of the compliance working group of the German Mergers & Acquisitions Association.


Dr. Lukas Ritzenhoff
Partner
Hogan Lovells Berlin
T +49 30 800 9300 60
E lukas.ritzenhoff@hoganlovells.com
Lukas Ritzenhoff advises clients from various industries on white collar criminal law issues, compliance and internal investigations. He is particularly experienced in highly regulated industries. Lukas has extensive experience in assisting with dawn raids and cross-border regulatory investigations, conducting internal investigations and compliance audits. He also advises on the development and implementation of global compliance management systems. One of his main areas of focus is the implementation of legal tech tools and the use of artificial intelligence. He was listed as one of the most renowned lawyers for compliance by WirtschaftsWoche in 2023 and 2019 and was named by Legal 500 Germany as a "Rising Star" in the field of compliance for 2024.