Excerpted from the December 20, 2022 edition of Law360
The US Department of Justice (DOJ) recently revised its corporate criminal enforcement policies to emphasize “timely” disclosure of potential misconduct by companies. Companies are now “on the clock” to expedite investigations – and if the government believes that companies are “dragging their feet,” they could lose “cooperation credit.” Companies that claim there are foreign policy laws or other restrictions that complicate their investigation need to identify “workarounds” so as not to be seen as deliberately “slow-walking” their disclosures.
White collar attorneys who specialize in cross-border investigations are concerned that this policy will leave companies in a “predicament,” trying to appease prosecutors while not running afoul of laws like the GDPR or China’s data protection rules.
Pierce Atwood litigation and white-collar attorney Kathleen Hamann, a former prosecutor in DOJ’s FCPA unit and former policy counsel for the Fraud Section, noted that “navigating data protection laws can be challenging in the midst of an internal investigation, and it’s complicated when DOJ hasn’t gotten involved yet.” Kate added, “Not everything’s been interpreted to a degree where you can competently say this is what’s allowed, this is what’s not allowed. You have to assume a certain amount of risk.”
Another challenge is the varying degrees of expertise among DOJ offices, where a smaller US attorney’s office that does few corporate prosecutions may not have an expert on staff. Kate stated, “Even given that I was in the Foreign Corrupt Practices Act Unit, the understanding of the blocking statutes and what was in the [GDPR predecessor] Data Protection Directive were not at the level that you would really need for most of the prosecutors, even in that unit, to understand whether an assertion of data protection was legitimate or not.”
“For example, in a purely voluntary disclosure situation involving European individuals with GDPR protections who are potentially the people responsible for misconduct, once defense counsel hands over all the information about those individuals to the DOJ, those same individuals are the people most likely to claim GDPR violations, given their situation. Without the cover of a US grand jury subpoena or court order, a company could find itself between a rock and a hard place.
“I think to some prosecutors it’ll sound like you’re trying to escape individual accountability or protect European executives or what have you. I worry [about] the smaller offices that don’t do as many corporate resolutions. People really need training to understand how it works in practice, to know where to go to get guidance to really implement it effectively.”
Kate indicated that she thinks the DOJ’s view is that “once a company has a strong reason to believe that there is actual criminality going on, that’s when the department first wants to hear about it. But that doesn’t necessarily mean that’s the point at which you know which individuals to point to. Disclosing too early can also make internal investigations more difficult. There’s a difference between outside counsel sitting employees down for interviews and saying ‘We’re just trying to understand what’s happening internally’ and advising them that there’s an ongoing DOJ investigation.
“There are countries where once the Department of Justice is involved in the investigation, there are disclosures that have to be made to employees, and you can’t leverage their employment to make them cooperate.”