Like most multinational companies, International Paper runs a whistleblowing hotline to provide employees with an outlet to raise concerns. Often the calls are trivial, but sometimes they need investigating.
The hotline is available to staff across Europe, except those in one country: “We can’t set it up in France. Or we can, but it’s very limited,” says Kyrill Farbmann, the company’s ethics and compliance manager for EMEA.
French privacy laws—designed to protect people from false accusations—mean that employees can only use a hotline for a narrow range of issues, mostly around financial matters. And their anonymity can’t be guaranteed.
Other laws that relate to the investigation of employees mean Farbmann’s company has to write a unique code of ethics just for France. “I’m not saying that the country’s privacy laws are always wrong, but they do make our life difficult,” he says. “It’s a pity, but we work with it.”
French laws on whistleblowing are just one of the unexpected privacy barriers that can thwart U.S. companies when they try to run investigations in Europe.
U.S. workplace law imposes fairly few constraints on how American employers can investigate suspicions of employee wrongdoing, says Donald Dowling, a specialist in cross-border human resources law at White & Case.
“Overseas, though—especially in Europe—the environment differs greatly. Internal investigations abroad are subject to a raft of restrictions under the local law and culture of the foreign workplace.”
The biggest barrier is privacy, especially data privacy. According to a KPMG survey of executives, 46 percent said this was their number one headache when running cross-border investigations.
Countries across Europe have tough restrictions on the kinds of data that can be collected and transferred out of their jurisdiction. European Union laws and national regulations within its 28 member states put a high priority on protecting personal data.
There’s a fundamental legal right to the privacy of personal data, even if it’s held on the company’s computer systems or a device, such as a laptop or phone that the company provided.
Some of these restrictions can sound crazy to an American ear, as they turn accepted good practice on its head. In the United States, for example, investigators are careful to keep investigation files confidential, so as to safeguard the integrity of investigations and protect witnesses.
But European data protection law expressly requires employers, as data controllers, to turn personal data including internal investigation notes, reports, and files over to the very targets and witnesses identified in those files, says Dowling. Employees just have to ask.
Targets and witnesses also have broad rights to be informed about the existence of investigation files in the first place, to access them, and ultimately to request they are deleted or “rectified,” if they are named or identified, he adds.
In some European countries, including Italy, France, and Spain, the company has to get an employee’s consent before copying the hard drive on their work laptop. “That means a covert investigation is almost impossible,” says John Smart, head of fraud investigation and dispute services at EY.
“U.S. companies cannot rely on understanding the broad differences in legislation as the devil is in the detail of local interpretation and variations in local legislation,” he adds.
Getting access to data is often just the first step. European data privacy laws also control the transfer of data out of a jurisdiction. Companies have to create “export channels” through which they can move data. There are three ways to do this: Adopt corporate policies that align with the jurisdiction’s data protection laws; use EU-approved contract clauses that provide a safe harbor; or get the consent of the employees concerned. “Building and expanding these channels can be slow and expensive, but waiting until a specific allegation or suspicion triggers an actual investigation will be too late,” says Dowling.
When deciding how to handle these issues, it’s wise to involve employee representatives, says Smart. “The best companies will have clear protocols across the various investigating groups—legal, compliance, internal audit, and HR,” he believes. “These will have been agreed locally with works councils and unions.”
Such consultation is often legally required, says Dowling. In many European jurisdictions an employer has to disclose its “personal data processing systems” to employees and the local regulator. This includes any policies and practices that govern how it runs internal investigations. In some areas the company has to agree upon the detail with employee representatives.
KPMG asked 60 worldwide executives in charge of investigations: “Which of the following are the top 3 challenges your company faces in the course of conducting cross-border investigations (select up to 3)?” Their answers are below.
“To Americans, all this disclosure and consultation over an investigation protocol seems intrusive,” says Dowling. “American multinationals like keeping their investigatory tactics confidential for the same reasons the Secret Service and the CIA do not broadcast investigatory techniques.”
It makes sense, though, to bite the bullet and disclose the investigatory framework, he adds, as that ensures compliance with local data laws and “frees you up to conduct broader international internal investigations when the need arises later.”
As Tim Hedley, global leader for fraud risk management at KPMG, says: “Balancing the integrity of the investigative process with the legal rights that overseas subjects enjoy under local law is both an art and a science.”
All this nuanced consultation might sound fine. But what if the party asking for information is a U.S. regulator or prosecuting agency? There are times when U.S. law says you have to hand over data, while EU law says the polar opposite.
“Unfortunately, this is an increasingly common issue,” says Smart. “It requires compliance officers and their advisers to have a very good understanding of the relevant legislation and to be able to negotiate a position jointly with the relevant authorities.
“However, sometimes the conflicting requirements become insurmountable and then it may become a question of avoiding the greatest pain in relation to non-compliance.” In other words, who is going to hit you with the biggest penalty?
Compliance executives can find themselves “stuck between a rock and a hard place,” says Seth Berman, a former U.S. Department of Justice Federal Prosecutor who is now a director at digital forensics agency Stroz Friedberg.
His advice is to pre-screen the requested data as a way of reducing what gets disclosed to a level agreeable in the European Union, or to ask the agency to be more specific about what it wants to achieve.
“There’s no question that a prosecutor will write a subpoena as widely as possible,” he says. “I’d often expect people to ask me to narrow it. It’s a very common conversation to say ‘what are you really looking for?’ or ‘what are your actual questions?’ You can then talk about what data they actually need.”
Another option is to ask the U.S. agency to get the information it wants via a regulator in the relevant European jurisdiction. “It’s usually not so black and white that it’s all or nothing,” says Berman. “Before you get to that point you should be able to chip away at the problem. The key is to try to address the issues as early as possible.”
And Berman offers another tip: Make sure colleagues in the United States know that the laws and business culture familiar at home are often very different from what Europeans regard as normal. “Problems arise when a U.S. lawyer blunders in and doesn’t realize the sensitivities,” he warns.