Trade Compliance Flash: Protecting Attorney-Client Privilege in Human Rights Audits
Human rights due diligence is becoming an increasingly critical priority for multinational companies. In addition to the growing acceptance of companies' important role in respecting human rights, the heightened focus on human rights compliance has been prompted by a number of enforcement and regulatory developments — such as U.S. Customs and Border Protection's (CBP) significant increase in enforcement of U.S. laws prohibiting the import of goods made with forced labor, and mandatory due diligence and disclosure laws enacted in other jurisdictions.
In addition to regulatory scrutiny and enforcement risk, the reputational damage from adverse publicity can significantly affect a company's value. And customers and investors are increasingly demanding that companies institute and report on plans to address human rights concerns as part of their broader commitment to meet environmental, social, and governance (ESG) criteria. Human rights due diligence is thus becoming the norm. Given the law enforcement and media interest in the subject, it is virtually certain that litigation, including shareholder lawsuits, will intensify as well. Companies must understand their exposure and effectively engage with stakeholders to mitigate risks, but should take care to do so in a manner that maximizes the available protection of attorney-client privilege where appropriate.
In particular, companies have historically engaged auditing firms to conduct forced labor and social compliance audits — a key component of human rights due diligence — leaving audit reports and related activities outside the umbrella of privilege. However, given the emerging enforcement landscape and risk of shareholder lawsuits, legal and compliance departments should spearhead human rights compliance efforts while carefully considering potential steps to maximize the protections of attorney-client privilege. Taking practical steps to protect human rights due diligence under attorney-client privilege can serve the company in multiple ways.
First, attorney-client privilege encourages an open dialogue between counsel and client, which promotes "broader public interests in the observance of law and administration of justice," as the U.S. Supreme Court explained in Upjohn Co. v. United States in 1981. In particular, where audits uncover violations that require remediation, the company is best served by its counsel fully understanding the circumstances in order to provide legal advice in accordance with the standards expected by regulators, investors, and the public.
Second, audits and other diligence processes may uncover sensitive information that relates to both human rights standards and other legal requirements. The privilege serves to protect legal advice and findings on all of these issues. In weighing privilege considerations, it is worth noting that certain scenarios may inherently call for nonprivileged audits — for example, if a company is seeking certifications that require review by independent third-party auditors and/or disclosure of audit reports. In deliberations regarding these types of nonprivileged reviews, legal teams should have a seat at the table to ensure an informed weighing of risks and potential benefits.
When seeking to maximize the potential protections of the attorney-client privilege in human rights compliance efforts, companies should consider the following four practical steps.
1. Have counsel engage the auditor for the purpose of providing legal advice
Auditors' work may be structured to have a clear legal purpose: informing counsel's provision of legal advice to the company regarding potential risks and appropriate remediation of human rights abuses. Where the expertise of a nonlawyer expert, such as a forced labor auditor, is sought to inform counsel's legal advice to the company, counsel's communications with the auditor may be protected by the privilege. For that reason, companies should consider structuring their auditor relationships such that these third parties report through counsel. This structure should not be superficial. Rather, counsel should actively manage the auditor, including by reviewing and providing comment on any draft reports. And the auditor must provide specialized expertise that is necessary for counsel to understand the relevant issues and provide the legal advice.
2. Consider the location of counsel, both geographically and within the company
Companies operating outside of the U.S. should evaluate the effect of local law on claims of privilege. For example, in-house lawyers may not enjoy the same protections as outside counsel in some jurisdictions. Further, in-house counsel may be in the position of providing both legal and business advice. Courts will carefully interrogate whether communications are being made for a business — rather than a legal — purpose, such that they would not be covered by the privilege.
3. Limit the dissemination of reports beyond counsel
Confidentiality is a cornerstone of the privilege, and sharing otherwise privileged communications with third parties jeopardizes the protections otherwise afforded. When directing privileged audits, counsel should limit the dissemination of any third-party reports or communications to third-party suppliers. And even company employees may not need to review the report or learn the contents in order to perform their job. Limiting dissemination of communications from a third-party auditor should not be construed to bar sharing of the underlying facts learned through the audit, as discussed below.
4. Share nonprivileged information with stakeholders
Companies often wish to share information regarding their anti-forced labor compliance efforts with third parties, such as in response to requests from customers or investors, or to facilitate remediation with suppliers. Sharing audit reports, excerpts from reports, or legal conclusions may seem like a good idea, especially if the audits found that supplier practices were aboveboard. However, when an audit is privileged, such dissemination could result in a waiver of privilege over the reports, and discovery of not only the reports, but any communications related to them. That doesn't mean that companies can't make use of these efforts as part of their broader human rights compliance efforts, though. Indeed, meaningful engagement with stakeholders requires transparency, such that companies can have informed discussions with stakeholders and work together to help prevent human rights abuses. To this end, companies can and should share general information regarding the robustness of the process, or steps taken toward anti-forced labor and other human rights compliance. And because underlying facts themselves are not privileged, companies may also disclose certain information uncovered in the audit process. For example, discussions with suppliers regarding information from audits is important to remediate issues and facilitate collective efforts to prevent human rights abuses.
Marketing, corporate social responsibility, supply chain management, and other relevant company functions should take care to involve in-house and outside counsel, if engaged, to ensure that these communications do not result in inadvertent waivers of privilege — assuming the company has taken steps to preserve privilege in the first place.
This alert first appeared in Law360 on October 6, 2021.
For more information, please contact:
This, and related communications, are protected by copyright laws and treaties. You may make a single copy for personal use. You may make copies for others, but not for commercial purposes. If you give a copy to anyone else, it must be in its original, unmodified form, and must include all attributions of authorship, copyright notices, and republication notices. Except as described above, it is unlawful to copy, republish, redistribute, and/or alter this presentation without prior written consent of the copyright holder.