Challenge: Within the US, internal investigations into suspicions or allegations of employee misconduct follow an increasingly-well-defined approach. But conducting a US-style investigation abroad raises high hurdles under local employment and data laws.

When an American employee falls under suspicion of some type of on-job wrongdoing—be it bribery, sabotage, accounting fraud, sexual harassment, antitrust collusion or some other wrongful act—conscientious and compliant US multinationals have a good idea how to respond. By now, after so many highly-publicized corporate scandals, strategies for conducting a domestic-US internal investigation are becoming increasingly similar, although "best practices" differ depending on the context. (See Laura Brevetti, "Self Detection: So Key, So Difficult," New York Law Journal, July 13, 2009, at S2.)

In conducting an internal investigation overseas, a US multinational may feel tempted to pull out its domestic-US kit of state-of-the art investigation tools and strategies. But employment and data protection laws differ widely outside the US, which means American investigation strategies need significant retooling before export. After all, no multinational investigating illegality abroad can afford to be accused, itself, of illegality in how it conducts its investigation.

This is a 30-point checklist for adapting common US-style internal investigation strategies to workplaces outside the US. Because laws in every country differ, as do the details of every internal investigation, this discussion cannot point out each legal hurdle that might impede an investigation anywhere in the world. Rather, this is an issue-spotting overview of the data and employment law issues likely to arise when a US multinational conducts a US-style investigation internationally. These 30 points are divided into four stages of an internal investigation: (I) launching an international investigation framework, (II) initial response to an allegation/suspicion, (III) interviewing witnesses and (IV) communications, discipline and remedial measures.

Stage I. Launching an International Investigation Framework: Create a cross-border framework or protocol for how headquarters will conduct internal investigations into allegations or suspicions of workplace misconduct arising outside the US.

Pointer: Adapt, for the international context, US strategies on conducting investigations into suspicions or allegations of employee misconduct.

1. Implement a Code of Conduct: Impose a code of conduct that prohibits all acts considered wrongful. Most major US multinationals already impose on their worldwide workforces internal ethics codes that spell out the specific infractions their employees, worldwide, may not commit. These codes usually prohibit: insider trading, environmental crimes, bribery/payments violations, intellectual property infractions, accounting improprieties, discrimination/harassment and other offenses. Some codes include an express provision addressing internal investigations. Be sure both the content and the launch (roll out) procedures of a global code comply with the law in each affected jurisdiction. (See Donald C. Dowling, Jr., "Global Codes of Conduct," chapter 4 in Compliance Guide for Executives (Lexis/Matthew Bender 2009).)

2. Launch a Whistleblower Hotline: The raison d’être for a whistleblower hotline is to elicit allegations of wrongdoing, which then need to be investigated. Implement and communicate any international hotline consistent with applicable law. Sarbanes-Oxley-regulated multinationals must offer report "procedures" for the "confidential, anonymous submission by employees" of "complaints and concerns regarding questionable accounting or auditing matters" (Sarbanes-Oxley Act of 2002, Pub.L. No. 107-204, at § 301). Even non-SOX-regulated multinationals commonly outsource international hotlines to specialist hotline-answering firms. But hotline law in Europe is surprisingly complex. For example: Germany, the Netherlands and other EU member states require consulting with employees before launching a hotline; Belgium, France, Spain and other states require government filings to disclose a hotline or get affirmative government approval; France, Germany and other states allow hotlines for reporting only a limited pool of infractions; France and Spain prohibit an employer from saying hotlines accept anonymous calls. (See Donald C. Dowling, Jr., "Sarbanes-Oxley Whistleblower Hotlines Across Europe: Directions Through the Maze," 42 ABA The International Lawyer 1 (2008).) Also, in Hong Kong employees should consent to a hotline.

3. Build Channels for Cross-Border Data Transfers: In cross-border investigations, information identifying employees almost inevitably gets transmitted back to headquarters. Before undertaking a specific investigation, build channels allowing the legal "export" of investigation data. This is a keen issue in jurisdictions like Belgium and the Netherlands where laws impede cross-border transmissions of workplace accusations specifically. In Europe these channels include "model contractual clauses," "safe harbor," and "binding corporate rules." If existing channels fail expressly to cover "investigation" data, expand them. In Hong Kong an appropriate data-export channel can be employee-signed data-transfer consents. (See, e.g. Donald C. Dowling, Jr. and Jeremy Mittman, "International Privacy Law," chapter 14 in Proskauer on Privacy (PLI pub.).) Start early: Building these channels takes time, and it will be too late after a specific allegation or suspicion sparks an actual investigation.

4. Grant Necessary Data Subject Access: A basic investigatory best practice is to keep investigation files confidential to safeguard the integrity of the investigation and to protect witness/whistleblower confidentiality. Counterintuitively, data laws can actually require turning investigation notes and files over to targets or witnesses. In EU jurisdictions, employee "data subjects" enjoy broad rights to access, and to request deletion or "rectification" of, employer-maintained documents identifying them. In jurisdictions such as Hungary, employee rights are particularly strong. One EU opinion says investigation targets need to be notified they are being investigated as soon as there is no substantial risk that notice "would jeopardize" the investigation. (Opinion 1/2006, Article 29 Working Party, 00195/06 WP 117 (Feb. 1, 2006).) Balance the vital need for investigatory confidentiality against employees’ legal rights. Work out a position before an investigation target demands immediate access. Articulate a defensible business case for delaying employee access.

5. Disclose Investigation Procedures: An in-house investigation framework or protocol is considered a system for processing employee data. As such, some jurisdictions require employers to disclose investigation frameworks to employee "data subjects" and to local government data agencies, and to inform and consult with employee representatives over investigation procedures (like US "mandatory subject of bargaining" rules). This disclosure/consultation step will seem intrusive to US-based multinationals, but having taken this step frees up an organization to conduct a broader investigation once the need arises. Government agents and employee representatives may be skeptical of investigation frameworks, so articulate a clear business case. Separately, be sure to declare "investigation procedures" as one express purpose for human resources data processing; include "investigation purposes" as an express data-processing purpose in: data privacy policies, employee data processing notifications/consents and EU-to-US "model contractual clauses," "safe harbor," or "binding corporate rules" (see ¶17).