How companies conduct internal investigations has evolved considerably, partly due to the European Union (EU) General Data Protection Regulation (GDPR). At multinational organizations, internal investigations are often global, and investigators inquiring into possible criminal misconduct can’t afford to get caught breaking the law themselves.
In internal investigations, gathering relevant documents is usually the most important piece, apart from witness interviewing. And in some investigations, documents say much more than witnesses. So, internal document gathering is vital. Collecting documents for an investigation can require overcoming technological challenges, such as locating electronic files, crafting searches, recovering Internet search histories, capturing metadata, retrieving ostensibly deleted documents and text messages, and remotely accessing workers’ company devices.
While the technological challenges may be significant, investigatory document gathering within the United States presents few legal challenges so long as the organization follows recommended practices, such as having previously told staff that the employer owns all company information and systems and that management reserves its right to access company data without notice.
This plays out differently abroad, especially under the GDPR and other countries’ data protection laws.
Data Protection Laws
Outside the U.S., even if management notified workers that it owns the company systems and has the right to search them without notice, data protection laws might nonetheless restrict the organization from looking at its own files, systems and security camera footage during an investigation.
In the EU, data law allows a company to review its own data only for “the specified, explicit and legitimate purposes” for which that organization originally collected the data (GDPR Article 5(1)(b)). For example, a company that maintains an e-mail system for internal and external communications arguably can’t legally access its own e-mail system to conduct an investigation that might get someone fired. When an investigation examines conduct that might constitute a criminal offense, GDPR Article 10 also arguably limits the employer’s right to collect investigatory data.
In addition, some EU jurisdictions have other restrictions against company investigators searching and reviewing employee text messages, e-mails, company documents, Internet search histories and security camera footage. For example, some jurisdictions decree that an employer may never read any employee e-mail with the word “Personal” in the subject line because those e-mails presumably are not company-related. This is true even though savvy employees who understand this might easily misuse the “Personal” label to hide company-related communications.
As another example, France prohibits managers from accessing employee e-mails until the company goes to court and brings in a court officer to oversee the review.
In Germany and elsewhere, collective labor law arguably requires notifying works councils, which represent employees, and unions before the employer searches workers’ e-mails and documents. Any company “data privacy officer” may have to be involved, and this officer may be duty-bound under the GDPR to argue that less employer access during the investigation is better.
In Germany, Italy, Poland and some other European jurisdictions, the whole company e-mail and intranet system might be deemed a telecommunications network regulated under “telecoms” law. In that case, an employer that searches its own systems risks conducting an illegal wiretap, akin to a telephone company listening in on its customers’ private phone calls.
Restrictions on data use extend far beyond the EU. For example, in Alberta, Canada, an employer usually cannot read employee e-mails unless the employee has consented in advance.
In a 2013 Chinese case, even though the employer had notified workers that e-mails on company servers were “company property rather than personal communication,” and China had no broad data protection law, the Guangdong Foshan Intermediate People’s Court held that an employer’s review of staff e-mails during an internal investigation was illegal.
Factors to Consider
In a cross-border investigation, think through all legal issues before accessing internal documents. Then, work up a defensible compliance strategy and implement it. Complying with all the legal strictures here can be complex. Among the considerations:
- The jurisdictions at issue.
- How the company set up its systems, and whether its systems trigger telecoms laws.
- The notices that the organization has given workers about its systems.
- Whether affected employees have signed consents regarding employer access to investigatory data.
- Whether the searches will reveal personal data about customers, suppliers and other nonemployees.
- Whether the searches will uncover any sensitive or criminal offense data (GDPR Articles 9-10).
- How works councils, union representatives and the company’s data privacy officer are likely to respond to the search.
One tip: When making required disclosures about data processing, clarify that the “specified, explicit and legitimate” purpose for reviewing all company communication systems—including e-mail, intranet and security cameras—is an internal investigation. Going on record helps employers gather documents in global investigations later.
Donald C. Dowling Jr. is a shareholder with Littler in New York City.