Staying ahead of rapid developments in investigation techniques – how to mitigate risk
As the nature and scope of global antitrust investigations continue to develop and expand, companies need to keep abreast of and anticipate issues they may face when under investigation. A combination of increasingly active agencies and sophisticated investigative techniques has seen changes in approach to a number of issues, including the types of media that agencies may want to access, legal professional privilege, data protection and even the types of conduct treated as cartels.
In Europe, the trend towards settlement of cartel cases looks set to continue, bringing shorter proceedings, reduced fines and fewer appeals of European Commission decisions. However, it also raises potentially contentious due process issues, not least in so-called ‘hybrid’ cases when some parties settle and the Commission continues its investigation against non-settling parties. At some point these may be tested in court, as may the Commission’s claim to be able to require production of documents stored outside the EEA but accessible within it.
In Asia, the number of antitrust authorities has grown rapidly and they are steadily increasing their investigation capacity and activity. In the past, Japan, South Korea and Taiwan were at the forefront, but agencies in China and Singapore have recently shown considerable appetite for pursuing international cartels, often mirroring investigations in other jurisdictions. Notably, the region’s latest antitrust enforcer, Hong Kong, carried out its first dawn raid in its first year of full operation.
Global companies caught up in investigations need to be aware of jurisdictional differences, which extend beyond legal differences. Cultural factors, such as the strong preference in China for a co-operative rather than a confrontational approach to resolving cases, with the duty to co-operate enshrined in law, must be understood. Officials expect incriminating documents to be flagged, and though this may go against the grain for those from some other cultures, respect for the local approach can pay off, often resulting in a quick and lenient outcome depending on the degree of co-operation.
Those accustomed to EU or US proceedings will be surprised by the extent to which Chinese officials expect, and indeed push for, a confession from companies involved in a cartel, after which they may drop the case or reduce the fine. Companies need to understand and respect the fact that for the Chinese an important aspect of the process is the education of wrongdoers.
Ninette Dodoo, Counsel, Beijing
Technology: a driver of change
Illicit conduct taking place electronically means that evidence is mainly found in electronic form, so authorities have developed increasingly sophisticated and intrusive tools for searching and analysing the data. The European Commission is now extending its focus from ‘unstructured’ material, such as email archives, to ‘structured’ sources, such as the databases and spreadsheets that companies use to organise and monitor their business. They know that employees are increasingly aware of the need to avoid writing incriminating emails, and that relevant data (for example evidence of systematic increase or reduction of tender prices in specific bidding situations) may instead be found in these business tools.
The European Commission made it clear in its 2015 Explanatory Note on dawn raids that it expects companies to provide a significant degree of co-operation in respect of IT issues, including being able quickly to block individual email accounts, disconnect running computers from the network, remove and re-install hard drives from computers and provide administrator access rights support. Given the significant penalties for obstruction, companies may wish to test in advance their capacity to respond to these requests, particularly where their IT capacity is located remotely or in the cloud or operated under contractual provisions with an outsourced IT service provider.
The European Commission is rapidly becoming better equipped in terms of technology and expertise, which means companies should manage their data and documents in such a way that they are equipped to respond to the kinds of demands that will be made on them in the event of a raid or investigation.
Katrin Gaßner, Partner, Rhineland
Privilege: no international convergence
Attitudes to legal professional privilege differ across the globe. This creates difficult disclosure strategy issues if a document is sought in two or more jurisdictions and different privilege rules apply: authorities in a jurisdiction where it is legally privileged may argue that privilege has been waived because it has been produced or seized in a different jurisdiction.
Hong Kong, Singapore and Thailand have a concept of legal privilege but most Asian jurisdictions do not. Privilege is not recognised by the Chinese authorities and the position is broadly similar in Indonesia, Korea and Japan. While in many of these jurisdictions lawyers owe a duty of confidentiality to their clients, it is far less extensive than legal privilege.
Data protection: avoiding the rock and the hard place
Data privacy issues arise because what an investigating authority demands may conflict with what a company is allowed to disclose, and because the rules vary hugely across jurisdictions. The US DOJ is particularly aggressive in requiring disclosure of communications and documents: the US position is essentially that a company owns whatever is on its computers and servers – and not even personal correspondence of employees is protected on grounds of data privacy. At the other extreme are countries such as Germany, where data protection rules are strict and backed by criminal sanctions including prison terms. In Europe, the trend is towards stricter protection, with a new EU regime entering into force in 2018 under the General Data Protection Regulation.
These differences raise more acute difficulties in cross-border cases. If anti-competitive conduct in the EU has effects in the US then US authorities may require production of documents related to the EU business, or they may object to the withholding of information through the redaction of material submitted. While the US demand is legal under US law, the company may be infringing the law, and even committing a crime, as well as opening itself up to claims for redress, in Europe. In some cases disclosure may be justified on the basis that it was required by law, but this does not help where voluntary disclosure is made, as in the case of a leniency application.
There may be other difficulties, even within a single jurisdiction. For example, if the law provides that the authority may have access to certain data, but that the company itself cannot have the same access, the company faces extra challenges in preparing to defend itself.
Data privacy has to be handled carefully in the US, because the kind of protection that applies in much of Europe simply doesn’t exist in the US. A leniency applicant or cooperating party in the US may not be able to disclose certain European information to the Department of Justice for fear of violating data privacy laws which could result in a jail sentence for someone in Europe.
Bruce McCulloch, Partner, Washington DC
Differences in approach between jurisdictions also extend to different views as to what constitutes a cartel. In the EU, uncertainty as to what kind of information exchange constitutes a cartel may hinder companies in deciding on their strategy. There is great risk in applying for immunity if you do not even know whether the conduct you have uncovered is classed as a cartel and so eligible for immunity.
Bea Tormey, Partner, London
Looking ahead in 2017
To keep ahead of these rapidly developing issues and challenges, a number of practical steps can be taken:
- check that your IT systems facilitate quick and appropriately refined responses to document requests in the event of an antitrust investigation. Extremely large amounts of data may need to be downloaded very quickly – not always easy with ‘cloud’ storage – and split up so that only the relevant documents (for example relating only to specific countries or products) are handed over to the authorities;
- ensure that you always know where your data is actually located, so that you can assess which law applies (again not easy with ‘cloud’ storage);
- put in place internal local guidance in each relevant jurisdiction to ensure that legally privileged documents are clearly labelled when they are created;
- put in place appropriate data retention guidance – save the data you need, and delete data that is simply not necessary anymore;
- ensure through compliance training that employees are aware that, in the event of an investigation, the authorities may gain access to any of their documents or communications, regardless of their means of creation or storage – including messages stored on handheld devices or communications on social media platforms;
- ensure through compliance training that employees are aware of internal policies in place on use of social media, chat rooms and the like;
- as far as local law allows, draft employment contracts so as to limit the data protection issues that may arise in the event of a document request from the authority and get local advice before responding to requests; and
- if you face a cross-border investigation, ensure that your response is fully co-ordinated and at the same time appropriate in the light of local laws and cultures.