By Melina Llodrá and Julieta D'Angelo


Attorney confidentiality


Communications between lawyer and client are protected under the attorney–client privilege principle: the attorney’s duty to protect client information confidentiality. The Argentinean national constitution recognizes such protection under the general criminal right of defense in the context of judicial proceedings and the right of not being obliged to self-incrimination, which is in line with several other Latin American (LATAM) countries such as Chile, Perú, Uruguay, and Brazil:


"No inhabitant of the Nation may be punished without previous trial based on a law enacted before the act that gives rise to the process, nor tried by special committees, nor removed from the judges appointed by law before the act for which he is tried. Nobody may be compelled to testify against himself, nor be arrested except by virtue of a written warrant issued by a competent authority. The defense by trial of persons and rights may not be violated.[1]"


When analyzing the previously mentioned confidentiality duty, it is essential to distinguish between in-house and external lawyers. Given their proximity to their employer, in-house counsel may have their objectivity and independence questioned. In this regard, there are different ideological positions.[2] It is generally considered that no difference should be made between external and in-house lawyers as long as the latter is registered in the corresponding professional association—and therefore subject to ethical and professional standards—as their independence is a key factor to practice law. It is commonly understood that attorney–client privilege should not be used to conceal irregularities. Therefore, there should be no confidentiality for documents or communications that were part of a violation of the law.


Preserving legal professional privilege in internal investigations allows lawyers and their clients to openly discuss underlying problems, conclusions, and alternative solutions. Without such privilege, companies might be highly exposed and unable to choose the best way to solve problems, especially since it is difficult to predict the outcome of an internal investigation when it begins.


Challenges of data protection in internal investigations


One critical matter in internal investigations is the protection given to whistleblowers, who could trigger an internal investigation by uncovering wrongdoings within an organization. A company can choose between different options to achieve such protection. One of the most common ways is to implement an anonymous whistleblowing channel. Moreover, protection can be ensured by taking the necessary measures to preserve the confidentiality of information reported, including the whistleblower’s identity.

Evidence gathering and management is also a challenging matter. Therefore, the issue of preservation, collection, and review of documents should be considered and planned as soon as possible. In most LATAM jurisdictions, how evidence is collected and preserved becomes more relevant if it is necessary to prosecute the case. If such evidence is not properly gathered, it will not be acceptable in court. Furthermore, in cross-border investigations, the openness of privileged material is a significant factor when demonstrating collaboration with the authorities, given that, as previously mentioned, there would be no confidentiality for documents or communications that were part of a violation of the law.

Deficiencies when gathering and preserving evidence may hinder the investigation, particularly with the inability to use such evidence in court proceedings. Furthermore, prosecutors might consider that inefficiencies while collecting and preserving evidence—obstruct the course of justice or at least an attempted one. Hence, the organization could be considered uncooperative. Therefore, clear evidence collection and preservation procedures are vital before launching any internal investigation.


Artificial intelligence in internal investigations


The use of artificial intelligence (AI) in an internal investigation can be a valuable tool for identifying potential violations, analyzing large amounts of data in a short period of time, and helping make more informed decisions. However, there are several data and information privacy issues to consider when using AI:

  • Consent: It is necessary to obtain consent from employees and other stakeholders before collecting and processing their personal data, which must be properly documented. In addition, it is necessary to clearly inform in writing about the purposes of the research and how AI will be used in the process.
  • Data minimization: AI should only use the data necessary to conduct the internal investigation. It is advisable to apply anonymization or pseudonymization techniques to protect the identity of the individuals involved wherever possible. In addition, data should be retained only for as long as necessary and securely deleted once the investigation is completed.
  • Data security: Appropriate measures must be implemented to protect data and prevent unauthorized access to personal data. For instance, encryption protocols, firewalls, and other technical and organizational security measures should be used to minimize the risks of loss, theft, or improper disclosure of information.
  • Fair and ethical use: AI must be used fairly and ethically. This involves avoiding bias and discrimination in the algorithms used, as well as ensuring that AI-based decisions are transparent and explainable. The privacy and data protection rights of individuals involved in the research must also be considered.
  • Human oversight: Although AI can perform data analysis efficiently, it is essential to have a human component in the process. Human experts must review and validate the research’s organization and conduct, as well as the results and conclusions generated by AI, to avoid possible errors or misinterpretations of AI results.
  • Compliance: Stay in compliance with applicable data protection and privacy laws and regulations, such as the General Data Protection Regulation (GDPR) in the EU or the California Consumer Privacy Act in the United States. Stay informed about updates and changes in legislation and adapt your practices accordingly.


GDPR and its impact on LATAM


GDPR applies to all organizations that process personal data of EU citizens, regardless of geographical location.

According to GDPR, organizations must fulfill several requirements and obligations to ensure adequate personal data protection. The following are the main requirements:

  • Consent: Organizations must obtain informed, specific, and explicit consent from individuals before processing their data, and individuals must be informed about their right to withdraw their consent at any time.
  • Individual’s rights: Individuals are granted several rights regarding their personal data, including the right of access, rectification, erasure, restriction of processing, portability, and objection to processing. Organizations must be prepared to comply with these rights and respond to individuals’ requests within a specified timeframe.
  • Responsibility and transparency: Organizations are responsible for ensuring that they comply with data protection regulations and must be able to prove it. In addition, organizations must be transparent in how they process personal data, providing clear and understandable information to individuals about how their data is processed.
  • Data Protection Impact Assessments: Organizations must carry out Data Protection Impact Assessments in certain circumstances, such as when processing data that could involve a high risk to individuals’ rights and freedoms.
  • Data security breach notification: Organizations must notify data protection authorities and individuals in the event of a personal data breach.

GDPR affects LATAM companies operating in the region and the EU. First, GDPR’s scope of application is not limited to European territory; it includes monitoring EU citizens outside the territory. Furthermore, a LATAM company with local subsidiaries in the EU must comply with the GDPR regarding the data processing activity carried out by its subsidiaries regardless of whether the services are provided outside the EU. Moreover, the “principle of purpose” will be applicable in those cases when the treatment of personal data of natural people located in the EU is carried out by companies not located in such territory when it is related to the offering of goods or services, whether free or onerous. Consequently, LATAM companies operating in the EU must comply with the GDPR.

In line with the regulation under analysis, in Argentina, a new draft law on personal data protection was introduced in the National Congress and is currently being discussed. Although Argentina was a forerunner in the region in terms of personal data protection and providing a robust regulatory framework, the legislation is more than 20 years old; it, therefore, needs to be updated to keep pace with new technology developments and GDPR.


Conclusion


Data privacy protection plays a crucial role in internal investigations within organizations. As companies navigate the complex landscape of uncovering potential misconduct or violations of internal policies, it is imperative to prioritize the protection of sensitive data and ensure compliance with relevant data privacy laws and regulations. Failure to do so can result in severe legal, financial, and reputational consequences for the organization.

Some recommended practices to address the challenge of protecting personal data in the context of internal investigations are clear written processes that cover the whole internal investigation, considering evidence collection, data use and preservation, and protection of the whistleblower’s identity. In addition, it is crucial to keep these processes up to date with new standards and principles that emerge both locally and internationally. In turn, adapting to each case’s particularities will be key to the credibility and validity of the investigation.

By prioritizing data privacy in internal investigations, companies can demonstrate their commitment to responsible data handling, protect the rights and privacy of individuals involved in the investigation, and mitigate legal and reputational risks. Ultimately, integrating robust data privacy protection measures into internal investigation protocols will foster trust among employees, stakeholders, and the broader public while upholding the highest standards of compliance and ethical conduct within the organization.


Takeaways


  • Protection of data privacy achieves better results in internal investigations given that it allows lawyers to discuss with their clients all details about potential problems.
  • Ensuring whistleblowers’ anonymity encourages them to report further potential wrongdoings than if the protection of their identities was not guaranteed.
  • Improving evidence management by protecting data privacy helps increase its credibility and ensures that the collected evidence will be useful and efficient in a judicial stage.
  • The inclusion of new tools like artificial intelligence is quite useful; however, it creates a challenge from the perspective of data privacy protection.
  • The General Data Protection Regulation’s impact on Latin American countries illustrates the importance of taking a worldwide approach when designing and implementing protection and data privacy processes.


1 Constitution of Argentina (official English translation, from Spanish), http://www.biblioteca.jus.gov.ar/Argentina-Constitution.pdf.

2 Raúl R. Saccani, “Investigaciones internas: una guía práctica,” Compliance, Anticorrupción y Responsabilidad Penal Empresaria, Thomson Reuters, May 2018, https://www.thomsonreuters.com.ar/content/dam/openweb/documents/pdf/arg/white-paper/supl_compliance_y_resp_penal_emp_15_mayo.pdf.