The framework of internal corporate investigations in Brazil – between the best practices and the lack of regulation
Juliana Maia Daniel
Lefosse Advogados, Brazil
João Pedro de Souza
Lefosse Advogados, Brazil
The growing complexity of societal structures and their respective schemes for financial crimes have put a spotlight in compliance programmes and internal investigations in the past decades. In Brazil, one must navigate a scarcely regulated environment to conduct an internal corporate investigation. While Brazilian authorities encourage companies to follow best international practices for the development, implementation and enforcement of compliance programmes, the law provides little guidance on the possible directions and limits of potential internal investigations of wrongdoings within companies. Almost contradictorily, this dual environment – non-regulated while seeking to attend the best international practices – may sometimes hamper the conduction of effective internal investigations in Brazil.
Internal corporate investigations are a natural consequence of the implementation of compliance programmes, particularly because the latter establish parameters of expected and prohibited conducts of company members that are eventually assessed through an internal investigation. Since the enactment of Federal Law No 12,846/2013 (the ‘Anti-Corruption Law’), the existence of compliance programmes became an important step for Brazilian companies to diminish responsibility for internal wrongdoings. The Anti-Corruption Law created a major shift in Brazilian legislation by establishing objective responsibility for companies – that is, based solely on the assessment that the wrongdoing occurred – in both the civil and administrative spheres. The law includes severe sanctions for corruption acts, such as a pecuniary penalty of up to 20 per cent of the company’s yearly gross revenue. At the same time, the degree of sanctions must consider whether the company has cooperated with the authorities and has an implemented compliance programme that encourages the reporting of wrongdoings.
Since then, other laws included provisions that highlight the importance of compliance programmes. The newly edited Decree No 11,129/2022, that regulates the Anti-Corruption Law, set a novel risk-based approach to compliance programmes that demands companies to develop tailor-made policies according to their business. It also set the possibility of decreasing in up to five per cent the amount of fees imposed due for violations of the Anti-Corruption Law. In the same vein, Law No 14,133/2021 (the ‘Law on Public Biddings’) sets an obligation for companies to implement compliance programmes to participate in some specific biddings.
The expanding importance of compliance programmes within the Brazilian legislation has indirectly spread to that of internal corporate investigations. Given that these kinds of investigations seek to achieve the truth involving an alleged wrongdoing, cooperation by sharing their results with public authorities may lead to a reduction of sanctions imposed. This is the case of leniency agreements under both Law No 12,529/2011 (related to the protection of competition) and the Anti-Corruption Law, which require the company to reveal as much information as it can to sign such an agreement. Logically, more helpful information may grant better conditions for the company in these agreements.
Although conducting internal corporate investigations is encouraged within the Brazilian legal framework, there are no legal provisions setting specific parameters and limitations for such investigations. For that, one must seek examples of other jurisdictions and adapt them to the sparse national legislation that may somehow delimitate the do’s and don’ts of internal corporate investigations. In Brazil, they include concerns for privilege of information, collection of personal data, sharing of documents and conclusions, and respect for due process rights. These concerns permeate the entire conduction of the internal corporate investigations.
Internal corporate investigations are commonly initiated by external or internal (whistleblowing) reports of wrongdoings. The best international practices generally account for six steps to conduct the investigation:
- delimitation of potential impacts of the facts narrated;
- selection of the team to conduct the investigation;
- delimitation of the scope of work;
- analysis of documents and information;
- conduct of interviews; and
- report of the work conducted and findings.
The above steps are not fixed and may overlap or require few adjustments according to each case.
The first step is important to assess possible measures to be taken at the end of the investigation, that vary depending on whether the wrongdoing relates to internal norms, to civil or labour laws, or to potential crimes. At this preliminary stage of the investigation, which does not yet involve collection of documents and information, the aforementioned concerns do not yet have a high impact in the investigation. Still, it is important to guarantee the anonymity and/or protection of the whistleblower from this early stage to avoid internal or external retaliation and ensure a safe environment that stimulates wrongdoings reports.
In the second step, that is, selecting the team to work on the internal investigation, the company must consider potential conflicts of interests and the importance of securing the privilege of information. The risk of having conflict of interests tends to be particularly higher if the investigated individuals are in the C-level, which highlights the importance of having an independent compliance report structure. Depending on the circumstances, setting an ad hoc investigation committee may be a clever (and adequate) solution to avoid conflict of interests in corporate investigations. Although there is no prohibition on which persons can compose the investigative team, it should include professionals not related to the alleged wrongdoings and, at least, one lawyer to make sure that the privilege is guaranteed. All communications in the scope of the lawyer’s work are privileged under Brazilian law, which prevents undue leakage or improper usage of information collected within the investigation – particularly if the company eventually seeks an agreement with the public authorities. For that, it is in the best interests of the company to ensure the participation of a lawyer from the start of the investigation.
The third and following steps add data protection concerns. The Brazilian data protection law (LGPD) entered into force in 2021 and requires that any treatment of data be made pursuant to a legitimate aim and only to the extent required to achieve this aim. Internal corporate investigations will likely be considered as ‘necessary to serve the legitimate interests of the controller or a third party’ (Article 7, subparagraph IX of LGPD), given that Brazilian courts have already consolidated that these investigations are a right of the company to assess possible internal wrongdoings. Still, the same legal provision impedes that the treatment of data prevails over the fundamental rights and freedoms of the data subject that require protection of personal data. As such, the debate involving access to information in corporate investigations versus data protection is far from being settled. Recently, the Brazilian Federal Attorney General issued an opinion to the Supreme Court  arguing that the wide dissemination of information on labour and criminal lawsuits on the internet, through the consultation of individuals’ names, violates data protection rights and can result in websites’ liabilities, such as moral damage. This Attorney General opinion is particularly important, for instance, when it comes to background check tools, broadly used nowadays in the context of corporate compliance programmes, both to prevent wrongdoings from employees or third parties and to identify potential wrongdoings on internal investigations.
In this scenario, delimitating the scope of the investigation (the third step listed above) requires the analysis of which kind of data will be collected and must be specific on the importance of this data for the investigation. In other words, only strictly necessary data may be collected. Particular attention is required to access personal devices of the employees, where the risks of reaching sensitive information unrelated to the investigation are critical. It is in the best interests of companies to distribute corporate devices upon the hiring of employees and provide a clear warning that the devices can be monitored by the company. Even then, the investigation group must be careful not to exceed the scope of the investigation by including documents and information containing personal data unrelated to the investigation.
The fourth step deepens concerns for personal data usage, as it relates to the analysis of documents and information itself. Given the potential complexity and elevated impact of the investigation, it is common that a wide range of documents are selected for analysis. Several of these documents may carry personal and sensitive information that must be dealt with caution even if they are within the scope of the investigation. The LGPD foresees that the Data Protection Authority may require a report of the data treatment impacts, containing as minimal information: types of data collected, methodology used for collecting and ensuring the security of the information, and the controller's analysis of the measures, safeguards, and risk mitigation mechanisms adopted (Article 37, single paragraph of LGPD). For that, it is crucial to have a track record of the decision-making process, meaning that every step of the analysis – and of the investigation as a whole – should be properly documented by the investigation group.
In the fifth step, the investigation group must add a layer of concern for possible violations of due process rights. The results of internal investigations are not considered evidence in its legal definition, but rather ‘elements of information’. As such, any confession or other collected proof of the wrongdoing can still assist an eventual investigation or base leniency agreements with public authorities. It is of utmost importance that the elements of information are collected following due process rights, both because it strengthens the odds of the company getting better conditions in an agreement – or getting an agreement at all – and because it curtails possible retaliation from the party affected – for instance, civil and labor proceedings for compensation.
The sixth and final step puts together all the aforementioned concerns. The investigation report will generally contain all measures taken from the wrongdoing first report to the investigation team findings. It disposes which documents and information were analysed, how the analysis was conducted, and which steps were taken to reach the conclusions. All in all, a clear and well-built report will guide the company on how to proceed to address the wrongdoing and put them in an advantageous position to negotiate terms of an eventual agreement with public authorities.
With the expanding alignment of Brazilian legal framework with the best compliance practices, it is expected that future regulation provides a clearer path for the monitoring of compliance programmes and the conduction of internal corporate investigations. The recent shift in analysis of compliance policies to a risk-based approach has set an important milestone for companies to delimitate the scope of any internal investigations, as it allows them to develop specific proceedings and limits of expected conducts of their employees and enforce them accordingly. Still, the total lack of regulation in parameters for ‘do’s and don’ts’ in internal investigations create a somewhat unsteady environment that blurs the line of which acts can be conducted throughout the investigation. The sparse legislation provides some guidance on these limits, but the rising importance of the results of these investigations – particularly with the consolidation of leniency agreements – calls for more precise guidelines than the so-called best practices.
 The Attorney General opinion was issued in the context of a pending appeal filed with the Supreme Court of Justice (the Extraordinary Appeal 1307386), in which the website ‘Escavador’ requested the STF to establish a national legal thesis on the possibility of accessing this data.