The impact of blocking statutes on cross-border internal investigations
August 2019 | EXPERT BRIEFING | LITIGATION & DISPUTE RESOLUTION
A company investigating employee misconduct or violation of law, whether for internal purposes, relating to litigation or to make a disclosure to law enforcement or regulatory authorities, will often be required to transfer data across national borders. This article considers some of the key European legislation that restricts such cross-border transfers. Such measures, often referred to as blocking statutes, have historically been enacted to protect the sovereignty and commercial interests of the enacting country or in response to what is perceived as extraterritorial interference by other countries, such as US antitrust and trade sanctions enforcement.
A recent example is president Trump reimposing certain nuclear-related sanctions on Iran on 6 August 2018, to which the European Union (EU) responded on 7 August by updating the EU Blocking Statute to making it an offence for EU companies to comply with specified US sanctions. The EU Blocking Statute was introduced in 1996 to counter certain US extraterritorial sanctions relating to Cuba, Iran and Libya, and to protect EU companies engaged in trade deemed lawful by the EU.
Although this article looks at EU blocking statutes, it is worth noting that there are similar provisions in numerous other countries, such as Canada, Australia, China and Russia. It is also worth noting that there may be other restrictions to the processing and transferring of data from one jurisdiction to another, such as data protection laws.
The General Data Protection Regulation (GDPR), as well as having available very significant fines for breach, including in respect of data protection obligations, requires companies that seek to transfer data to a third country outside the EU for the purpose of disclosing it to overseas authorities, to comply with Articles 44 (general principles for transfers), 48 and 49. After Brexit, it remains to be seen whether the UK will be considered a third country or if another arrangement can be reached or whether it will need to apply to be recognised as having adequate data protection requirements.
Article 48 requires that a transfer in response to a court or authority’s order (or request) for disclosure of information may only be through established routes, such as mutual legal assistance treaties. Article 49 provides derogations for specific situations, such as to establish or defend legal claims, and appears wide enough to give latitude to companies to engage with authorities proactively and on a timely basis; however, the derogations, as is much of the GDPR, remain untested and companies must be cautious when transferring data in response to requests from authorities.
French Law no. 68-678 (dated 26 July 1968), as amended, or the French Blocking Statute, applies to individuals and companies that wish to transfer information out of France for the purposes of providing that information to foreign authorities, namely, courts, law enforcement or regulators, or for use in overseas litigation by the company of its own volition, or in response to a court order for disclosure or discovery.
Violation of the French Blocking Statute is punishable with up to six months imprisonment and a fine for individuals and for companies.
There is currently one known case in which the French Blocking Statute has been enforced: on 16 January 2008, the French Supreme Court upheld the conviction and sentence of €10,000 imposed on a French lawyer for taking evidence from a French citizen for use in US litigation. The facts are slightly unusual in that the French lawyer was found to have been untruthful in how he went about seeking to elicit information from the witness. There are no other known cases, although French Court decisions are usually kept confidential.
In addition, under Sapin II, the newly formed French Anti-Corruption Authority has taken on responsibility for ensuring compliance with the Blocking Statute. It remains to be seen if this signals a change in attitude in relation to enforcement of the French Blocking Statute.
Swiss restrictions on the transfer of data are contained with Article 271 of the Swiss Penal Code and Article 47 of the Federal Law Relating to Banking, which, respectively, make it a criminal offence to gather evidence on behalf of a foreign authority or for foreign proceedings on Swiss soil, or for an employee, officer, auditor or liquidator of a Swiss bank to divulge, or induce another to divulge, confidential banking information.
There are numerous high-profile examples of whistleblowers being convicted and sentenced for breaching bank secrecy. However, in October 2018, the Swiss Supreme Court ruled that an employee of a foreign subsidiary of a Swiss bank was right not to be convicted of breaching banking secrecy because the law applied to employees of the parent Swiss bank.
What are the implications for an internal investigation?
The Blocking Statute provisions are not triggered where the information is required for investigations that are purely internal and is not for disclosure to foreign authorities or use in foreign court proceedings. However, where the company expects that the internal investigation has a reasonable prospect of leading to a disclosure to foreign authorities or courts, even where foreign authorities or courts are not yet involved, the provisions would apply.
The restrictions imposed by banking law on internal investigations conducted by Swiss banks are even stricter. The bank is unable to transfer its own banking information outside of Switzerland, even if the internal investigation is related purely to inward-facing matters that would never reach foreign authorities or courts.
It is not usual for a company to find itself in a catch-22 situation: being compelled by a US court order or regulator’s subpoena to disclose information that is on servers in the EU, but being prevented from transferring the information by the Blocking Statute. A company faced with this dilemma should consider the following points.
It can seek a waiver of the restrictions against data transfer from the relevant authority of the country where the data is hosted. A recent example of this working well is the non-prosecution agreement given by the US Department of Justice (DOJ) to Zurich on 25 April 2019 for assisting in the evasion of US taxes. In that case, Zurich applied to the Swiss Federal Department of Finance for permission to waive Article 271 of the Swiss Penal Code so that it could provide full disclosure, including summaries of account information to the DOJ.
US and UK courts have traditionally held that the existence of blocking statutes is no bar against the court ordering discovery or disclosure, relying on there being little prospect of infringement of the Blocking Statute being enforced. However, US and UK courts have said that where a company raises blocking statute as a reason for not complying with a court order, the court must balance the interests of the requesting and requested party in deciding whether to seek to enforce the order. This gives an opportunity for a company to provide details of all reasonable steps it had taken to try to comply with the order and evidence of the implications for it to breach the blocking statute.
A company can request that the court or the law enforcement agency seek to obtain the foreign evidence through the judicial cooperation route, under the Hague Convention or bilateral or multilateral treaty, for mutual legal assistance. This method is through letters of request, which are petitions from a court in one nation to a court in another nation for assistance in obtaining information located in the requested nation. This route is available to litigants and foreign authorities but has been criticised for taking too long and offering little assurance over the information, if any, that is eventually received.
A company should also consider whether the same information exists in another jurisdiction which does not have restrictions against disclosure, whether in the form of blocking statutes or, for example, data protection regulation. If the information has not been moved there to avoid the Blocking Statute, it may be disclosable from that jurisdiction.
Tapan Debnath is senior legal counsel at Nokia Corporation. He can be contacted on +44 (0)7342 089 528 or by email: firstname.lastname@example.org.
© Financier Worldwide