
Internal investigations: understand how legal and regulatory developments change the calculus around privilege and data privacy

Conducting good internal investigations into employee complaints, workplace conduct issues, and legal and regulatory misconduct is a key plank of a good compliance program and can have an impact on external enforcement too. Rules and expectations about how internal investigations should be conducted are growing, particularly around transparency, independence, fairness, and robustness.

Employees are increasingly empowered to speak up, and there is intense scrutiny from government bodies, NGOs, investors, and the media on the conduct of companies and their people. 

Recent legislative developments raise new challenges in relation to preserving legal privilege of internal investigation reports and the evolution of whistleblowing legislation has changed the way sensitive allegations are handled across the world. At the same time, internal investigations will often cross borders and are therefore subject to a patchwork of different laws and regulatory expectations, e.g., on data privacy. 

We summarize the key issues that are emerging globally.

Preserving legal privilege

Many businesses want to conduct internal investigations into allegations of misconduct and are keen to retain control over the communication of the outputs of those investigations. This is especially so given the risk of external investigations by authorities and/or follow-on litigation such as securities claims.

Whether legal privilege applies to protect documents created during an internal investigation remained a recurring theme in several jurisdictions in 2024. Maintaining confidentiality and legal privilege of internal investigation reports continues to be a challenge. For example:

  • In Australia, a recent court decision emphasized that an internal investigation report is only subject to legal professional privilege if it was created primarily to provide legal advice, or for use in anticipated or actual litigation. Where a report’s main purpose is to help management understand the causes of an issue and to remediate its impact, privilege will not apply. Engaging external counsel to investigate potential issues will not necessarily mean the report is protected. The ruling means that the structure and objectives of an investigation must be considered carefully.
  • In France, internal investigations remain under the spotlight of criminal authorities. A legislative attempt to extend legal professional privilege to in-house lawyers’ legal advice in France has failed. Companies must be particularly careful around how they balance cooperating with enforcement agencies with their desire to preserve privilege in situations where a Convention Judiciaire d'Intérêt Public (CJIP, the French equivalent of a deferred prosecution agreement) may be offered.

Key takeaways - privilege:

  • Early privilege advice and planning are essential to making informed decisions on how to structure an internal investigation, report on its outcome, and communicate, if necessary, with the authorities.
  • Cross-border issues must also be considered given that privilege rules vary by jurisdiction, and, in some jurisdictions, might be very limited. 

Increased protection for the subject of an investigation 

The laws or guidance in many jurisdictions are evolving to better protect the rights of subjects of internal investigations. 

In the U.K., there has been intense scrutiny of internal investigations, particularly in the wake of recent scandals involving, e.g., the Post Office. The Post Office statutory public inquiry has not yet reported, but questions were raised concerning the conduct of internal investigations by lawyers. The U.K. Solicitors Regulation Authority (SRA) has issued new guidance for solicitors involved in designing investigations policies or conducting internal investigations.

In Belgium, the new Private Investigations Act aims to strike a balance between a company’s right to conduct an internal investigation and the rights of an individual under investigation. The new law contains licensing requirements for external and in-house investigators, prohibits investigations into certain sensitive areas (including political opinions, religious beliefs, trade union membership, and sexual behavior and orientation), and establishes formal documentation processes.

In the U.K. there are new requirements for companies on launching an internal investigation into allegations of sexual harassment. In France the ‘Defender of Rights’ organization has published guidance on how internal investigations should be carried out, and on what is considered a reasonable duration for an investigation.

Key takeaways – internal investigations:

  • Depending on the jurisdictional nexus of a likely investigation, check whether there are specific requirements that should be factored into internal investigations policies and procedures. It will often be easier to design the internal investigation to factor those expectations in at the outset, rather than reverse-engineer it afterwards.
  • Take local law advice when investigations concern operations or individuals based overseas. There may be special rules, e.g., about the treatment of interviewees, how data can be collected, or how the investigation can be structured to take advantage of available privileges. Failing to adhere to rules may prejudice the business. 

Whistleblowing and internal investigations

As protection for whistleblowers increases, businesses should check they have strict anti-retaliation policies in place, as well as training programs to foster a culture of transparency and accountability. Whistleblower reports must be dealt with in a timely fashion, with investigations initiated and resolved promptly and comprehensive records kept.  

In jurisdictions where whistleblowing protections have been recently enhanced, whistleblowers may feel greater confidence coming forward, so businesses may expect an uptick in internal investigations.

Be very careful with non-disclosure agreements (NDAs) too. In the U.S., the SEC and CFTC have brought various enforcement actions designed to ensure that companies did nothing that could be perceived as chilling potential whistleblowers’ ability to submit complaints. Both agencies reached multiple settlements with companies that entered into confidentiality agreements with employees and clients in various scenarios that the regulators alleged could be read to preclude parties from raising regulatory concerns to the authorities as whistleblowers, in violation of SEC Rule 21F-17(a) and CFTC Rule 165.19(b) respectively. Similarly, in the U.K., the Victims and Prisoners Act 2024 makes void any provisions in agreements that prevent victims of criminal conduct from disclosing certain information.

Data privacy 

An internal investigation can require documents and/or data created in one jurisdiction to be reviewed by lawyers in another. This can be difficult if there are local laws which restrict the transfer of data out of the jurisdiction. For example:

  • In China, the development of national security-related legislation adds significant complexity to evidence gathering and review during an investigation. Other jurisdictions have blocking statutes that restrict the transfer of evidence abroad to assist the authorities of another country, e.g., investigating authorities.
  • The Safeguarding National Security Ordinance came into force in Hong Kong in March 2024, introducing new national security offences such as treason, theft of state secrets, and external interference. The offences relating to state secrets are of relevance to cross-border investigations as multinational businesses are now required to consider whether documents may contain state secrets prior to disclosure to overseas authorities.

Privacy and employment laws can pose additional challenges to consider if access to a personal device becomes necessary. Many organizations do not have robust IT policies concerning an employee’s personal use of mobile devices and other IT equipment. Obtaining consent to access a personal device, particularly during the throes of an investigation, can create tensions, as well as test a company’s policies and employment agreements. We are already seeing employees and trade unions leveraging existing data privacy laws to challenge the outcome of internal investigations.

A common practice is developing in some jurisdictions of retaining pool counsel or independent counsel for individual employees to review and identify responsive correspondence from an employee’s personal device. 

Post-Brexit, through the Data (Use and Access) Bill, the U.K. Government proposes to amend the U.K. GDPR to establish a new and additional “recognized legitimate interest” legal basis to process personal data which is likely to be of relevance for an investigation. Unlike the existing typical “legitimate interest” basis, no balancing test would be required to rely on the new basis. One such “recognized legitimate interest” is processing necessary for the purposes of (a) detecting, investigating, or preventing crime, or (b) apprehending or prosecuting offenders. 

Key takeaways – data privacy:

  • Businesses must implement formal data protection-compliance procedures for conducting an internal investigation to avoid jeopardizing any steps they may want to take once their inquiries are complete.
  • Ensure that employment policies and agreements are fit for purpose, and actively policed. One approach is for policies to make clear that personal devices cannot be used for business purposes in any circumstances, and then to reiterate this message in the regular compliance training and communication program.
  • Check whether there are specific local requirements.

A&O Shearman’s market-leading white-collar defense and global investigations practice takes a holistic, coordinated approach to navigating clients through criminal, regulatory, and internal investigations. 

This article is part of the A&O Shearman Cross-border White-Collar Crime and Investigations Review 2025.
