Internal investigations: understand how legal and regulatory developments change the calculus around privilege and data privacy

Published Date: Jan 28 2025

Key takeaways – privilege:

  • Early privilege advice and planning are essential to making informed decisions on how to structure an internal investigation, report on its outcome, and communicate, if necessary, with the authorities.
  • Cross-border issues must also be considered given that privilege rules vary by jurisdiction and, in some jurisdictions, might be very limited.

Increased protection for the subject of an investigation

The laws or guidance in many jurisdictions are evolving to better protect the rights of subjects of internal investigations.

In the U.K., there has been intense scrutiny of internal investigations, particularly in the wake of recent scandals involving, e.g., the Post Office. The Post Office statutory public inquiry has not yet reported, but questions were raised concerning the conduct of internal investigations by lawyers. The U.K. Solicitors Regulation Authority (SRA) has issued new guidance for solicitors involved in designing investigations policies or conducting internal investigations.

In Belgium, the new Private Investigations Act aims to strike a balance between a company’s right to conduct an internal investigation and the rights of an individual under investigation. The new law contains licensing requirements for external and in-house investigators, prohibits investigations into certain sensitive areas (including political opinions, religious beliefs, trade union membership, and sexual behavior and orientation), and establishes formal documentation processes.

In the U.K., there are new requirements for companies on launching an internal investigation into allegations of sexual harassment. In France, the ‘Defender of Rights’ organization has published guidance on how internal investigations should be carried out, and on what is considered a reasonable duration for an investigation.

Key takeaways – internal investigations:

  • Depending on the jurisdictional nexus of a likely investigation, check whether there are specific requirements that should be factored into internal investigations policies and procedures. It will often be easier to design the internal investigation to factor those expectations in at the outset, rather than reverse-engineer it afterwards.
  • Take local law advice when investigations concern operations or individuals based overseas. There may be special rules, e.g., about the treatment of interviewees, how data can be collected, or how the investigation can be structured to take advantage of available privileges. Failing to adhere to those rules may prejudice the business.

Whistleblowing and internal investigations

As protection for whistleblowers increases, businesses should check they have strict anti-retaliation policies in place, as well as training programs to foster a culture of transparency and accountability. Whistleblower reports must be dealt with in a timely fashion, with investigations initiated and resolved promptly and comprehensive records kept.

In jurisdictions where whistleblowing protections have been recently enhanced, whistleblowers may feel greater confidence coming forward, so businesses may expect an uptick in internal investigations.

Be very careful with non-disclosure agreements (NDAs) too. In the U.S., the SEC and CFTC have brought various enforcement actions designed to ensure that companies did nothing that could be perceived as chilling potential whistleblowers’ ability to submit complaints. Both agencies reached multiple settlements with companies that entered into confidentiality agreements with employees and clients in various scenarios that the regulators alleged could be read to preclude parties from raising regulatory concerns to the authorities as whistleblowers, in violation of SEC Rule 21F-17(a) and CFTC Rule 165.19(b) respectively. Similarly, in the U.K., the Victims and Prisoners Act 2024 makes void any provisions in agreements that prevent victims of criminal conduct from disclosing certain information.

Data privacy

An internal investigation can require documents and/or data created in one jurisdiction to be reviewed by lawyers in another. This can be difficult if there are local laws which restrict the transfer of data out of the jurisdiction. For example:

  • In China, the development of national security-related legislation adds significant complexity to evidence gathering and review during an investigation. Other jurisdictions have blocking statutes that restrict evidence being moved abroad to assist the authorities of another country, e.g., investigating authorities.
  • The Safeguarding National Security Ordinance came into force in Hong Kong in March 2024, introducing new national security offences such as treason, theft of state secrets, and external interference. The offences relating to state secrets are of relevance to cross-border investigations as multinational businesses are now required to consider whether documents may contain state secrets prior to disclosure to overseas authorities.

Privacy and employment laws can pose additional challenges to consider if access to a personal device becomes necessary. Many organizations do not have robust IT policies concerning an employee’s personal use of mobile devices and other IT equipment. Obtaining consent to access a personal device, particularly during the throes of an investigation, can create tensions, as well as test a company’s policies and employment agreements. We are already seeing employees and trade unions leveraging existing data privacy laws to challenge the outcome of internal investigations.

In some jurisdictions, a common practice is developing of retaining pool counsel or independent counsel for individual employees to review and identify responsive correspondence on an employee’s personal device.

Post-Brexit, through the Data (Use and Access) Bill, the U.K. Government proposes to amend the U.K. GDPR to establish a new and additional “recognized legitimate interest” legal basis to process personal data, which is likely to be of relevance for an investigation. Unlike the existing typical “legitimate interest” basis, no balancing test would be required to rely on the new basis. One such “recognized legitimate interest” is processing necessary for the purposes of (a) detecting, investigating, or preventing crime, or (b) apprehending or prosecuting offenders.

Key takeaways – data privacy:

  • Businesses must implement formal data-protection-compliance procedures for conducting an internal investigation to avoid jeopardizing any steps they may want to take once their inquiries are complete.
  • Ensure that employment policies and agreements are fit for purpose, and actively policed. One approach is for policies to make clear that personal devices cannot be used for business purposes in any circumstances, and then to reiterate this message in the regular compliance training and communication program.
  • Check whether there are specific local requirements.

A&O Shearman’s market-leading white-collar defense and global investigations practice takes a holistic, coordinated approach to navigating clients through criminal, regulatory, and internal investigations.

This article is part of the A&O Shearman Cross-border White-Collar Crime and Investigations Review 2025.