The International Investigations Review: EU Overview
Criminal law in the European Union is an area that still falls within the remit of each Member State. Hence, the rules on whether or not a corporate can be criminally liable and on the criminal sanctions in the event of liability vary according to the relevant Member State, including in areas that concern the transposition of EU Directives (for instance on financial services and banking) that require Member States to establish sanctions.
Having said that, there is a variety of EU authorities and regulators that, although strictly speaking active in the regulatory and administrative field, have far-reaching investigative and sanctioning powers as well. These powers often do not differ significantly from those of criminal authorities. Because of the nature and effects of the measures taken and sanctions imposed by regulators on the corporates and individuals (e.g., senior management) affected by them, these persons often benefit from the same fundamental rights and guarantees under EU and national law that apply to purely criminal sanctions.
Well-known examples of such regulatory authorities are the EU competition authorities (which wield powers across all sectors and areas of economic activity) and the EU financial and banking regulators (which supervise, investigate and sanction the conduct and activities of financial services providers, including banks). Other authorities, while created pursuant to Member States' national law, find their investigation and enforcement powers in EU regulations. This is, for example, the case for national data protection authorities that investigate and enforce potential breaches of the General Data Protection Regulation (GDPR).
i EU competition law: the example of leniency
Undertakings are not obliged to self-report when they discover an internal wrongdoing that could constitute a competition law infringement. They may, however, voluntarily opt to do so in competition cases to benefit from a leniency programme.
Under EU competition law, the conditions and benefits of leniency applications are enumerated in the Commission Notice on immunity from fines and reduction of fines in cartel cases (Commission Leniency Notice). Undertakings that are part of a cartel can apply for leniency. By contrast, abuses of dominant position, vertical agreements and horizontal agreements that are not cartels within the meaning of the Commission Leniency Notice cannot benefit from the leniency programme.
Leniency is granted on a first-come, first-served basis. If an undertaking or association of undertakings wants to obtain full immunity from fines, it must be the first to submit information and evidence enabling the European Commission to carry out a targeted inspection or to establish an infringement. A company that does not qualify for full immunity can apply for a reduction of the fine if it provides evidence that represents significant added value to the evidence already in the possession of the European Commission. In all cases, the leniency applicant must also end its involvement in the alleged cartel (except when the European Commission decides otherwise to preserve the integrity of the inspections), cooperate fully and expeditiously with the European Commission throughout its investigation, and provide all evidence in its possession. The applicant may not destroy, falsify or conceal any evidence relating to the alleged cartel, either prior to the submission of the application or during the investigation.
In assessing whether the conditions for leniency are satisfied, the European Commission enjoys a margin of discretion.
A company cannot be certain whether the competition authorities will consider the information provided to be sufficient to qualify for immunity or fine reduction. Also, leniency applications, under European competition law, provide no protection against private law claims for damages from customers or competitors.
Under the Antitrust Damages Directive, final decisions by the competition authorities constitute irrefutable proof of fault in private damage claims. The Antitrust Damages Directive also facilitates disclosure of evidence. However, leniency statements are shielded from requests for disclosure. Other documents in the investigation file may be disclosed, although the court must balance the interests of the victims with the interest of effective public enforcement of competition law (i.e., keeping the leniency programme attractive for undertakings).
ii EU financial services and banking: the example of whistle-blowing
As further shown below, various pieces of EU legislation in the area of banking and financial services or dealing with a specific topic (e.g., anti-money laundering (AML)) already contain a number of obligations to set up whistle-blowing mechanisms.
General: 2019 EU Whistle-blowing Directive
Until recently, there was no cross-sectoral EU legislation dealing with such mechanisms generally. This has changed with the adoption on 7 October 2019 of the Whistle-blowing Directive (the Directive). EU Member States have until 17 December 2021 to implement the Directive into their national legislation.
This Directive lays down minimum standards for the protection of 'reporting persons' (i.e., individuals (natural persons) reporting or publicly disclosing information on breaches acquired in the context of their work-related activities) and 'persons concerned' (i.e., individuals or legal entities who are referred to in the report or public disclosure as persons to whom the breach is attributed or with which they are associated). The employment status of the reporting person, and whether or not that person works in the private or public sector, is irrelevant. The protection also applies to, for instance, shareholders and persons belonging to the administrative, management or supervisory body of an undertaking, including the non-executive members thereof.
The breaches relate to an extensive list of EU legislation in a variety of areas that go beyond financial services or AML. They also include, among others, public procurement, product safety, transport safety, protection of the environment, food safety and health, consumer protection, the protection of privacy and personal data, and IT security. This Directive contains in this sense the 'default rules', whereas the rules on whistle-blowing that are contained in specific EU legislation will continue to apply.
The Directive first obliges EU Member States to ensure that legal entities set up internal reporting channels and procedures. As a rule, this obligation does not apply to legal entities in the private sector with fewer than 50 employees. As an exception, undertakings that are active in the financial sector or that are otherwise obliged entities for AML purposes are always captured by this obligation. Legal entities in the private sector with 50 to 249 employees are allowed to share resources for the receipt and possibly investigation of whistle-blowing reports.
EU Member States are also obliged to establish external reporting channels and to designate to this effect the authorities competent to receive, give feedback and follow up on reports. As the Directive captures more areas than those for which competent authorities for such external reporting are already in place, EU Member States will undoubtedly need to establish new authorities that are specifically competent for such reporting.
Besides internal and external reporting channels, the Directive also protects in certain circumstances 'public disclosures' (i.e., persons who publicly disclose information on breaches falling within the scope of the directive).
Finally, the Directive obliges EU Member States to provide for a wide range of protections for reporting persons and persons concerned. These cover, among others, the confidentiality of their identity (albeit with important exceptions), the compliant processing of their personal data and the protection against retaliation.
EU whistle-blowing legislation in the area of financial services
At the EU level, various pieces of legislation in the areas of financial services generally and banking specifically also contain rules on the establishment of whistle-blowing mechanisms. These mechanisms also typically have an internal dimension (i.e., procedures for the reporting by employees to their employer of possible infringements) and an external dimension (i.e., procedures under which employees, or other persons that deal with financial services firms or banks, report possible infringements to the regulators).
Thus, for instance, Article 32 of the EU Market Abuse Regulation requires Member States to ensure that the respective national administrative authority that is competent for market abuse infringements establishes effective mechanisms to enable reporting of actual or potential infringements of this Regulation. These mechanisms must include at least:
- specific procedures for the receipt of reports of infringements and their follow-up, including the establishment of secure communication channels for such reports;
- appropriate protection, at a minimum, for persons working under a contract of employment who report infringements or are accused of infringements, against retaliation, discrimination or other types of unfair treatment within their employment; and
- protection of personal data both of the person who reports the infringement and the natural person who allegedly committed the infringement, including protection in relation to preserving the confidentiality of their identity, at all stages of the procedure without prejudice to disclosure of information being required by national law in the context of investigations or subsequent judicial proceedings.
In the same context, the Market Abuse Regulation also obliges Member States to require employers who carry out regulated activities to have in place appropriate internal procedures for their employees to report infringements of the Regulation.
Finally, the Market Abuse Regulation allows Member States to provide for financial incentives to persons who offer relevant information about potential infringements of the Regulation to be granted in accordance with national law where those persons do not have other pre-existing legal or contractual duties to report the information. The conditions for the provision of these incentives are that (1) the information is new, and (2) it results in the imposition of an administrative or criminal sanction, or the taking of another administrative measure, for an infringement of the Regulation.
A similar requirement to establish internal and external whistle-blowing mechanisms is also provided for in other EU legislation, such as, for instance, in relation to MiFID II, undertakings for collective investment in transferable securities (UCITS), insurance distribution and packaged retail and insurance-based investment products (PRIIPs).
Finally, the same requirement exists in relation to the activities and supervision of credit institutions. The details of this requirement are laid down in Article 71 of the 2013 EU Banking Directive. The whistle-blowing mechanism to be established thereunder is to encourage the reporting of potential or actual breaches of both the national provisions implementing the 2013 EU Banking Directive and the 2013 EU Banking Regulation.
As regards credit institutions in the eurozone, the European Central Bank (ECB) obviously has an essential supervisory role to play, being at the helm of the Single Supervisory Mechanism (SSM). As the competent authority within the meaning of the aforementioned Article 71, the ECB has set up a 'breach-reporting mechanism'. The rules and procedures governing this mechanism are laid down in Articles 36 to 38 of the SSM Framework Regulation. They set forth that any person may, in good faith, submit a report directly to the ECB if that person has reasonable grounds for believing that the report will show breaches of the 'relevant EU law' by the institutions supervised by the ECB or by the supervisors themselves (both the ECB and the national competent authorities for banking supervision). Where a breach relates to other areas of activity by a bank that do not fall under the ECB's supervisory competences (e.g., consumer protection or the implementation of anti-money laundering rules), it is outside the ECB's mandate to follow up on the breach. Instead, the breach should be reported to the national authorities that are competent for these areas. All personal data concerning both the person who does the reporting and the person who is allegedly responsible for the breach shall be protected in compliance with the EU data protection framework. Also, the ECB shall not reveal the identity of a person who has made such a report without first obtaining that person's explicit consent, unless disclosure is required by a court order in the context of further investigations or subsequent judicial proceedings.
With regard to significant supervised entities, that is, those entities that are directly supervised by the ECB, the ECB itself assesses the report. By contrast, with regard to less significant supervised entities, the ECB only assesses reports for breaches of ECB regulations or decisions. The ECB forwards reports concerning less significant supervised entities to the relevant national competent authority, without communicating the identity of the person who made the report, unless that person provides his or her explicit consent.
While anyone who has knowledge of a potential breach may report this to the ECB, the ECB has indicated that compliance officers, auditors and other employees of a bank are the groups that are more likely to have knowledge of possible wrongdoing. The breaches that are most commonly reported to the ECB concern the inadequate calculation of own funds and capital requirements as well as governance issues within credit institutions.
iii Investigation of potential breaches of data protection legislation
Since 25 May 2018, the GDPR governs the processing (i.e., any sort of operation, including the mere storage) of personal data (wholly or partly) by automated means and the processing of personal data that forms part of a filing system (even if it is not processed by automated means) within the European Union. The person (an individual or legal entity) processing personal data and determining the purposes and the means of a processing is defined as the 'controller'. The identifiable individual to whom personal data relates is defined as the 'data subject'. The GDPR also defines a third category of actors that are qualified as 'processors' (i.e., persons processing personal data under the instructions of a controller).
In addition to setting out the general legal regime for such processing activities, the GDPR contains provisions in relation to investigations of potential breaches and their enforcement. It requires Member States to provide for at least one public authority to be in charge of the monitoring of the application of its provisions. It also sets out requirements in relation to the independence of the authority and qualification of its members, as well as their tasks and powers.
Among these tasks, national supervisory authorities are required to (1) monitor and enforce the application of the GDPR, (2) handle complaints lodged by a data subject (i.e., the individual to whom the personal data relates), or by a body, organisation or association, and investigate the subject matter and keep the complainant informed of such investigation, and (3) conduct investigations, including on the basis of information received from another authority.
In conducting their tasks, the national supervisory authorities must be granted the following investigative powers:
- ordering controllers or processors to provide any information they require for the performance of their tasks;
- carrying out data protection audits;
- reviewing data protection certifications;
- notifying a controller or processor of an alleged infringement of the GDPR; and
- obtaining access to all personal data and to all information necessary for the performance of their tasks and access to any premises, including to any data processing equipment and means, in accordance with EU or national procedural law.
In practice, many investigations by national supervisory authorities are launched following a notification of a 'personal data breach' (i.e., a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed). Under the GDPR, controllers are required to notify personal data breaches to the competent national supervisory authority without undue delay, and at the latest within 72 hours of becoming aware of such a breach, unless it is unlikely to result in a risk to the rights and freedoms of natural persons.
i EU competition law
Under EU competition law, the European Commission may impose fines on corporates of up to 10 per cent of the annual consolidated worldwide turnover of the undertaking. In setting the fine, the European Commission takes into account the gravity and duration of the infringement. The Fining Guidelines provide more guidance on how the European Commission will exactly calculate the fines. These Guidelines are not binding on the European courts, which exercise full jurisdiction and can review the fine. However, the instances when the European courts have adjusted fines in competition cases remain exceptional. A 10 per cent reduction of the fine can be granted under EU competition law if an undertaking agrees to enter into a settlement with the competition authority. In doing so, the undertaking concerned must admit its involvement in the infringement.
ii EU financial services and banking
The SSM started in November 2014 and is one of the four pillars of the EU Banking Union. It is particularly relevant for the supervision of credit institutions in the eurozone. It is composed of the ECB and the national authorities that are competent for the supervision of credit institutions in their respective EU Member State. The ECB has a key role in the SSM, as it is responsible for its effective and consistent functioning. In addition, it has, among the thousands of credit institutions that are established in the eurozone, full and direct supervisory authority over 'significant institutions'. To ensure compliance with the supervisory rules and its regulations and decisions in this area, the ECB has significant supervisory, investigative and sanctioning powers.
The ECB's investigative powers are similar to those that have been granted to other EU financial supervisory authorities, such as the European Securities and Markets Authority in the areas of supervision of over-the-counter derivatives, central counterparties and trade repositories, and of credit rating agencies. Thus, the ECB has the right to require legal and natural persons to provide all information that is necessary to carry out its supervisory tasks. It also has the right to require the submission and examination of documents, books and records, to obtain written or oral explanations from the representatives or staff of such persons, and to conduct all necessary on-site inspections at the business premises of the institutions under its supervision, including without prior announcement.
If an institution supervised by the ECB, intentionally or negligently, breaches a requirement under directly applicable EU law for which administrative sanctions are made available, then the ECB has the right to start a sanctioning procedure and impose administrative pecuniary sanctions. The same right exists in case of breaches of regulations or decisions adopted by the ECB in exercising its supervisory tasks. The ECB also has the right to publish the imposition of such sanctions, irrespective of whether or not a decision has been appealed. However, in certain exceptional circumstances, publication may be anonymised or delayed.
In other cases – for instance, breaches of national legislation that transposes EU Directives – the ECB can only require the national supervisory authorities to open a sanctioning procedure with a view to taking action to ensure that appropriate sanctions are imposed by the national authorities.
The ECB imposes its sanctions in accordance with the ECB Sanctioning Regulation. This Regulation, among others, sets forth the procedural rules and time limits for the imposition of sanctions, as well as their judicial review.
iii Data protection
To enforce any breach of the provisions of the GDPR, national supervisory authorities are granted a range of corrective powers, such as:
- issuing warnings that intended processing operations are likely to infringe the GDPR and if such processing has taken place and infringed the GDPR, issuing reprimands;
- ordering the controller or processor to comply with a data subject's request to exercise his or her rights pursuant to the GDPR or to bring processing operations into compliance with the provisions of the GDPR, where appropriate, in a specified manner and within a specified period;
- imposing a temporary or definitive limitation, including a ban on processing, and ordering the suspension of data flows to a recipient in a third country or to an international organisation; and
- imposing an administrative fine, in addition to, or instead of the abovementioned measures, depending on the circumstances of each individual case.
Under the GDPR, national supervisory authorities may impose administrative fines of up to €20 million or up to 4 per cent of the total worldwide annual turnover of the preceding financial year of an undertaking, whichever is higher. As of early 2020, 20 months after the entry into force of the GDPR, GDPR regulators had already issued hundreds of fines for amounts totalling several hundreds of millions of euros. While such fines have caught a lot of attention, the impact of the other corrective powers, such as banning a processing activity or ordering the suspension of data flows outside the EU, should not be underestimated.