Navigating evolving guardrails for internal investigations

Those involved with internal investigations will continue to contend with an increasingly defined and evolving set of constraints in 2026: rules on data access and cross-border transfers, persistent jurisdictional differences on privilege, increasing use of AI in evidence handling, updated whistleblowing and NDA regimes, and employment law limits that shape interviews and disciplinary steps.

Rather than marking a new direction, these developments reaffirm the steady evolution of the regulatory landscape for internal investigations and the need for businesses to stay abreast of developments. Timelines, planning and evidence collection can be affected, calling for earlier scoping, clearer privilege strategies, and robust data handling plans across borders. 

Expectations of authorities continue to evolve

More authorities are paying attention to how companies handle their internal investigations. Many demand that organizations can demonstrate their methods, oversight, and the integrity of their evidence, not just present their findings. For example:

  • In the UK, the Serious Fraud Office’s refreshed Corporate Cooperation and Enforcement guidance places weight on early engagement, preservation discipline, transparent methodologies, provenance of digital evidence, and thoughtful interview sequencing. It signals that well‑structured internal investigations can influence outcomes at the charging, DPA, and sentencing stages.
  • In France, soft‑law frameworks and guidance increasingly shape how companies investigate. The Parquet National Financier (the National Financial Prosecutor’s Office) may propose a tailored methodology and treat adherence as a mitigating factor in CJIP discussions (CJIP is the French settlement mechanism similar to a DPA used in the UK and the U.S.) even as privilege over investigation materials remains unsettled.
  • The Dutch Public Prosecution Office’s new guidance on self-reporting and cooperation formalizes expectations for internal investigations: prompt preservation, proportionate scope and verifiable source logs, transparency over methods and sources, periodic updates, and avoidance of selective disclosures. These benchmarks can affect fine reductions and resolution routes.
  • In the EU, those using AI tools are expected to map provider/deployer roles and maintain audit trails under the EU AI Act, expectations echoed by supervisors and likely to be tested in audits.

Key takeaways—internal investigations:

  • Depending on the jurisdictional nexus of a likely investigation, check whether there are specific requirements that should be factored into internal investigations policies and procedures.
  • Take local law advice when investigations concern operations or individuals based overseas. There may be special rules, e.g., about the treatment of interviewees, how data can be collected, or how the investigation can be structured to take advantage of available privileges. Failing to adhere to rules may prejudice the evidence collected and the outcome of the investigation.

“It will often be easier to design the internal investigation to factor those expectations in at the outset, rather than reverse-engineer it afterwards.”

Privilege remains uneven

Many businesses conducting internal investigations into allegations of misconduct are keen to retain control over the communication of the outputs of those investigations. This is especially so given the risk of external investigations by authorities and/or follow-on litigation such as securities claims.

Whether legal privilege applies to protect documents created during an internal investigation will remain a recurring theme in 2026. Maintaining confidentiality and the legal privilege of internal investigation reports continues to be a challenge in some jurisdictions, although there were some helpful developments, too. For example:

  • French criminal authorities continue to treat many internal investigation materials as outside attorney-client privilege, with dawn raid practice testing boundaries. The French Supreme Court’s divergent rulings (from the Commercial and Criminal chambers) compounded uncertainty.
  • In contrast, recent U.S. appellate authority reaffirmed privilege and work product protection for internal investigations conducted by outside counsel, even when findings inform business decisions or are shared with auditors.

Key takeaways - privilege:

  • Early privilege advice and planning are essential to making informed decisions on how to structure an internal investigation, report on its outcome, and communicate, if necessary, with the authorities.
  • Cross-border issues must also be considered given that privilege rules vary by jurisdiction, and, in some jurisdictions, might be very limited (for example Japan and Italy). Companies should exercise careful control over the location of sensitive materials and the pathways through which investigative data moves into and out of certain jurisdictions.

Whistleblowing and NDAs

As protection for whistleblowers continues to increase (with calls even for more incentives in the UK), businesses should check they have strict anti-retaliation policies in place, as well as training programs to foster a culture of transparency and accountability. Whistleblower reports must be dealt with in a timely fashion, with investigations initiated and resolved promptly and comprehensive records kept.

In jurisdictions where whistleblowing protections have been recently enhanced (e.g. Japan, U.A.E.), or where whistleblower retaliation penalties have started to be imposed (e.g. in Australia in 2025), whistleblowers may feel greater confidence coming forward, so businesses may expect an uptick in internal investigations.

Following the adoption of the EU Whistleblowing Directive (2019/1937), internal investigations conducted in EU Member States stemming from a whistleblowing report must comply with specific rules set out in the Directive and local implementing laws (e.g. providing substantive feedback to the whistleblower in a timely manner, maintaining confidentiality, addressing the reported breach).

Be very careful with non-disclosure agreements (NDAs). In the UK, law reforms during 2025 limit the use of NDAs around harassment, discrimination and victims of crime, with further carve-outs for disclosures about responses to criminal conduct. Further reform to NDAs is ongoing. Employers should anticipate a tilt toward prompt, well-documented investigations over confidentiality-driven settlements.

Data privacy and employment laws

An internal investigation can require documents and/or data created in one jurisdiction to be reviewed by lawyers in another. This can be difficult if there are local laws which restrict the transfer of data out of the jurisdiction.

Data localization and privacy rules continue to influence investigative planning. For example:

  • In China, national security laws and practice now extend beyond defense secrets to “espionage adjacent” areas such as supply chain data and economic intelligence. Ordinary corporate fact‑finding may be considered risky if it touches sensitive people, data, industries, places, or methods. Counsel should assume that investigative work touching on supply chains, procurement, technical specifications, mapping/locational datasets, and employee information may implicate national security concerns where counterparties are state‑linked or operate in strategic sectors.
  • The Safeguarding National Security Ordinance, in force in Hong Kong since March 2024, is bedding in. It introduced new national security offenses such as treason, theft of state secrets, and external interference. The offenses relating to state secrets are of relevance to cross-border investigations as multinational businesses are now required to consider whether documents may contain state secrets prior to disclosure to overseas authorities.
  • The Trade Control Department of Japan’s Ministry of Economy, Trade and Industry (METI) January 2025 guidance on movement of industrial data should be taken into account if conducting investigations with Japanese touchpoints.
  • A new statutory tort of privacy introduced in Australia will impact investigative steps during white-collar investigations and demand greater governance over surveillance and data collection mechanisms. 

Privacy and employment laws can pose additional challenges to consider if access to a personal device becomes necessary. Many organizations do not have robust IT policies concerning an employee’s personal use of mobile devices and other IT equipment. Obtaining consent to access a personal device, particularly during the throes of an investigation, can create tensions, jeopardize the confidentiality of the investigation, and test a company’s policies and employment agreements. We are already seeing employees and trade unions leveraging existing labor and data privacy laws to challenge the outcome of internal investigations.

A common practice is developing in some jurisdictions of retaining pool counsel or independent counsel for individual employees to review and identify responsive correspondence from an employee’s personal device. 

In the UK, the Data (Use and Access) Act 2025 amends the UK data protection regime. The Act introduces a new “recognised legitimate interest” legal basis to process personal data. Of the five recognised legitimate interest conditions, one is likely to be particularly relevant to crime and investigations: organisations will be able to rely on the legal basis where that processing is necessary for the purposes of detecting, investigating or preventing crime, or apprehending or prosecuting offenders. For in-house teams, this legal basis may give greater confidence in processing personal data in the context of crime-related investigations. Read more in the UK Country report.

Key takeaways – data privacy and employment laws:

  • Businesses must implement formal IT and data protection-compliance procedures for conducting an internal investigation to avoid jeopardizing any steps they may want to take once their enquiries are complete.
  • Ensure that employment policies and agreements are fit for purpose, and actively policed. One approach is for policies to make clear that personal devices cannot be used for business purposes in any circumstances, and then to reiterate this message in the regular compliance training and communication program.
  • Check whether there are specific local requirements.

A&O Shearman’s market-leading white-collar defense and global investigations practice takes a holistic, coordinated approach to navigating clients through criminal, regulatory, and internal investigations.

This article is part of the A&O Shearman cross-border white-collar crime and investigations review 2026.
