Corporate Investigation in Brazil: The Challenges Arising from the Lack of Specific Legislation and the Necessary Observance of the Fundamental Rights of the Subject of the Investigation ()
1. Introduction
This article aims to analyze the conduct of internal investigations within legal entities as an expression of compliance policies, considering that, a priori, there is no specific regulation on the matter within Brazilian law.
Indeed, Law No 12.846/2013—known as the “Brazilian Anti-Corruption Law” or “Clean Company Act”—merely mentions, in Article 7, VII1, the encouragement for legal entities to report irregularities. The former Decree-Law No. 8.420/2015, which regulated the aforementioned law, stated in Article 42, X2, that the existence of a whistleblowing channel was merely a parameter for evaluating the quality of a compliance program. Currently, Decree-Law No. 11.129/2022 establishes rules for internal investigations of legal entities involved in crimes against public administration. However, it fails to address the limits of investigative bodies, such as granting access to case files, respecting the right to remain silent, and ensuring, overall, the observance of the fundamental rights of the investigated party.3
At first glance, there are no clear and specific guidelines in Brazilian legislation regarding the framework of internal investigations, particularly concerning the rights of the investigated party or the possibility of independently producing evidence (defensive investigation).
As a result, the following question arises: Should corporate investigations adhere to the limits imposed on public investigations, particularly regarding the respect for the fundamental rights of the investigated party?
Based on this guiding question, the aim is to determine whether a private legal entity (the focus of this brief essay) is indeed authorized to initiate an investigative procedure, how evidence should be gathered, and whether there are limits to internal investigations similar to those required of official state bodies (such as the judicial police and the public prosecutor’s office). Additionally, it examines the consequences of disregarding these parameters when collecting evidence.
To achieve this, the first chapter will discuss the concept of regulated self-regulation and the definition of compliance policies, as well as the promotion of compliance practices in Brazil and the current legislation.
Next, the essay will explore internal investigations within compliance policies, addressing whether such investigations are mandatory, and will analyze the contrast between the corporate panopticon model and the stakeholder democracy model.
The final chapter will present the possible limitations on corporate investigations, particularly when they conflict with the fundamental rights of the investigated party. It will also examine the stance of Brazil’s higher courts on related issues, given the absence of specific legislative regulation on the matter in the country.
To address the central question guiding this research, we have methodologically employed a bibliographic and jurisprudential review, also applying Karl Popper’s (1975) hypothetico-deductive method, which combines observations and hypotheses and, through a cyclical process, refines the techniques used for observations and continuously reexamines hypotheses, always aiming to refute its assertions.
2. Regulated Self-Regulation, New Social Risks and Brazilian
Legislation
The growth of business relations and the strengthening of market globalization have given rise to new risks for global society. Corruption scandals worldwide4 have triggered demands for greater state intervention to mitigate the risks inherent in economic activities, particularly those involving corporations.
It is evident that Criminal Law is no longer merely the ultima ratio; instead, it has become a strong arm of the State, essential for regulating the activities of legal entities—a phenomenon known as the expansion of criminal law.5 This growing sense of insecurity and the emergence of new risks have led to another development: the sharing of criminal liability between public and private entities to prevent unlawful acts, a concept known as regulated self-regulation.
As Coca Vila (2013: pp. 43-44) points out, large corporations have taken on a fundamental role in society, being responsible for a wide range of services and even public functions (directly or indirectly). Therefore, it is only natural and legitimate for the State to intervene, regulating and aligning corporate private interests with the public interest:
“Despite some initial reservations and a few current dissenting opinions, it is now unquestionable that the State can and must regulate this area, including through criminal sanctions. How could the State forgo its most powerful instrument in areas where risks are numerous and their containment particularly complex? The conventional view of regulatory action highlights two opposing perspectives: freedom and control, or, if you prefer, the two contrasting political models: liberalism and statism. However, between a pure state intervention model where the State exclusively drafts—broadly applicable norms and then takes on the role of supervising and, if necessary, sanctioning any violations (command-and-control)—and an absolute liberal model, where, according to Smith’s ‘invisible hand’ theory, the State simply waits for companies to independently develop their own optimal risk containment systems in competitive markets (unconstrained freedom), there exists a range of intermediate models. In my view, these intermediate models better reflect how the Leviathan currently seeks to balance corporate private interests with the broader interests of society. In any case, although the phenomenon of self-regulation may seem novel to criminal law scholars, it has long been recognized that there is also law that is not directly imposed by the State. For instance, Kirchhof noted as early as the late 1980s the existence of the State’s monopoly on legal recognition (Rechtsanerkennungsmonopol), as opposed to a monopoly on the creation of law (Rechtsetzungsmonopol)” (Vila, 2013: p. 44).
At first, there are various forms of regulation, ranging from deregulation and classical state regulation (or heteroregulation) to more modern approaches derived from self-regulation, such as meta-regulation, regulated self-regulation (or co-regulation), and pure self-regulation (Vila, 2013: p. 44).
Self-regulation arises from the realization that the State is no longer capable of independently regulating business activities (heteroregulation). The increasing complexity of social relations, the levels of technological development, and the rise of globalization—combined with the specialization and professionalization of activities and the complexity of organizational structures—create significant obstacles for the State to adequately manage social structures. Additionally, the financial crisis of the welfare state has made it clear that the State is not only structurally but also financially incapable of effectively regulating such activities (and even if resources were available, it might lack the necessary expertise) (Vila, 2013: p. 46).
At the same time, history has shown that market deregulation under a laissez-faire approach is also not an effective solution, as previously discussed (e.g., economic crises, high levels of corruption, and other illegal practices). Therefore, self-regulation does not imply a complete withdrawal of the State from market affairs. It requires a rethinking of regulatory strategies, where the State leverages businesses to achieve its objectives (Vila, 2013: p. 46).
In this context, the State delegates part of its regulatory function to corporations, aiming to maximize legal compliance, as oversight of activities would rely heavily on the self-regulation of legal entities. In this way, the State “takes the helm and lets civil society row”, allowing self-regulation and self-enforcement models to enhance the State’s ability to steer society more effectively. But self-regulation, as previously mentioned, is still classified into pure self-regulation, meta-regulation, and regulated self-regulation. Regarding pure self-regulation, Coca Vila explains that it results from the internal organization of the company, that is, social contracts, collective agreements, or statutes, and therefore consists of private rules established by the legal entity itself. It refers to the notion of the individual’s negative freedom, as well as the political autonomy and sovereignty of the entity (in this case, the company itself). Furthermore, at this stage, there is no promotion, imposition, or supplementation—either directly or indirectly—by the public sector concerning these rules (Vila, 2013: p. 47).
These are private norms related to the specific risks of the company and its field of activity, which may establish guidelines or standards of practice, with the State remaining on the sidelines of these provisions, without interfering in their drafting, supervision, and, depending on the case, even in the imposition of sanctions (Vila, 2013: pp. 48-49). This is exemplified by the Code of Ethics, which outlines the principles guiding corporate conduct, where society acknowledges and accepts its social responsibility.
Meta-regulation—although Coca Vila emphasizes that there is no single definition of the term—refers to the establishment of general rules by the State (principles) from which companies would establish their internal regulations or grant incentives afterward for the development of specific areas. Minimum standards may be set for the company to self-regulate, such as the indication of principles, but these are sufficiently abstract to allow the legal entity to establish its own rules (Vila, 2013: p. 50).
Finally, there is regulated self-regulation (enforced self-regulation), which consists of subordinating the process of corporate regulation to the concrete goals and public interest predetermined by the State. In this model, the State, as the holder of regulatory authority, engages companies to collaborate by drafting their own normative frameworks (Vila, 2013: p. 51).
Regulated self-regulation can manifest in different forms. One approach is delegated self-regulation, where the State grants the company the power to regulate itself in specific instances but retains the authority to review, supervise, and impose sanctions. The reverse is also possible: the public entity regulates the company but delegates the enforcement process. Another form is devolved self-regulation, where the State transfers the authority of regulation, supervision, and sanctioning to the company while still maintaining oversight of the rules and their execution. Lastly, there is cooperative self-regulation (co-regulation), where the State works alongside the company to develop specific regulatory systems. In this arrangement, the company or an interested third party grants the public authority access to all necessary information in exchange for tailored and individualized regulatory frameworks. To facilitate this cooperation, the State employs bilateral working groups and administrative bodies that include representatives from the regulated entities (Vila, 2013: pp. 51-52).
Certainly, the self-imposition of rules to be observed by the company’s stakeholders (employees), under the penalty of internal accountability for any committed irregularities, along with the possibility of reporting the offense to public authorities, constitutes regulated self-regulation6. This model, however, has been subject to criticism by legal scholars for representing the privatization of the public function of preventing and repressing unlawful acts.
There is a clear perception of the preventive inefficacy of legal regulations, and more specifically, of criminal law provisions in curbing the numerous corruption scandals that plague the international community. This situation effectively results in the privatization of criminal law. The 2008 global financial crisis further amplified the importance of compliance policies within criminal law as a means of regulated self-regulation (Coimbra & Manzi, 2010: pp. 1-3).
According to Bacigalupo (2011: p. 17), Economic Criminal Law has a more preventive role, aimed at avoiding the occurrence of criminal offenses, rather than focusing solely on its well-known repressive aspect. In this regard, Bacigalupo (2011: p. 17) explains that the economic crisis may, therefore, have a dual criminal dimension: firstly, looking to the past, due to the harm caused; but also towards the future, as it is foreseeable that there will be an increase in corporate duties, the violation of which could result in severe administrative or criminal sanctions. If this is the case, it will be necessary to account for an increase in the risks of regulatory liability for companies and their executives. In the predicted future, there will be a rise in normative subsystems generated by regulators, leading to a significant number of rules whose compliance will be enforced through the threat of sanctions (both administrative and criminal), adding to the already considerable number of existing regulations. Consequently, the issue of preventing the risks of regulatory liability will increase accordingly (Bacigalupo, 2011: p. 17).
From another perspective, it becomes clear that it is in society’s overall interest to make every effort to prevent corruption, as emphasized by Percy García Cavero (2016: pp. 221-222). Nowadays, the obligation of companies to contribute to the fight against corruption through the adoption of internal mechanisms aimed at preventing or, in any case, detecting the conduct of their individual members or related third parties who attempt to corrupt public officials is increasingly evident. This obligation arises from the combination of several factors from different sources, namely: the international consensus on the need to suppress acts of corruption committed by companies against public officials, as these acts severely distort competition in globalized or unified markets; the principle of good corporate governance, which requires companies to control their legal compliance risks by adopting regulatory compliance programs; and the legislative trend of regulating the criminal liability of legal entities in countries influenced by the continental European legal system, based on the notion of defective corporate organization, particularly when evidenced by the absence of an adequate compliance program (Cavero, 2016: pp. 221-222).
The culture of compliance in Brazil primarily emerged from the understanding of the country’s need to align with international market strategies. In fact, the demands of foreign governments and companies to engage only with legal entities that have regulations aimed at preventing infractions, especially corruption (both public and private), have significantly influenced Brazil’s shift in approach.
In this context, Lucas Alfredo Fantin and Patricie Barricelli Zanon (2019: pp. 93-85) highlight the enactment of the Money Laundering Law (Law No 9613/98) as the first significant public policy signaling this cultural change towards zero tolerance for corruption and money laundering. This law also led to the creation of the Council for Financial Activities Control—establishing a governance system that not only encouraged legal entities to adopt regulations to prevent such offenses but also imposed actual obligations on specific entities to implement these measures. Subsequently, with the introduction of the new Money Laundering Law (Law No 12.683/2012), this policy was further strengthened through two key changes compared to the previous version: the removal of the exhaustive list of predicate offenses and the enhancement of financial intelligence mechanisms. The authors also emphasize Brazil’s adherence to the Financial Action Task Force (GAFI/FATF), particularly concerning regulations in the financial market (norms issued by the Brazilian’s Central Bank and the Securities and Exchange Commission) and legislative developments (Fantin & Zanon, 2019: pp. 83-85).
Influenced by international regulations7, Brazil enacted the Anti-Corruption Law (Law No 12.846/2013), which introduced a new approach in the Brazilian legal system by focusing on preventive measures aimed at avoiding acts of corruption from the outset. Known as the “Clean Company Act”, this law created a broader legal framework, as prior to its enactment, only scattered laws addressed the consequences of corruption committed by legal entities and their managers (Bijos and Nóbrega, 2015: p. 240). In Brazil, examples include the prohibition of contracting with the public sector outlined in the Bidding Law (Law No 8666/93), the Auction Law (Law No 10.520/02), and the Organic Law of the Federal Court of Accounts (Law No 8.443/92). Additionally, companies could be held accountable for economic infractions under the Competition Defense Law (Law No 12.529/11) and the Money Laundering Law (Law 9613/98).
The Anti-Corruption Law established strict compliance requirements, imposing severe consequences for both individuals and legal entities in civil and administrative spheres, as well as criminal liability for company executives, partners, and those responsible for the organization. Complementing this framework, Brazilian legislation also includes specific criminal offenses such as active corruption in international business transactions (Article 337-B) and influence peddling in international business transactions (Article 337-C), along with an explanatory provision defining who qualifies as a foreign public official (Article 337-D), all of which were added to the Penal Code (Decree-Law No 2.848/1940) by Law No 10.467/2002.
Regarding Brazilian internal regulations on corporate investigations and their limits, the current governing framework is Presidential Decree No. 11.129/2022. Unlike Decree-Law 8420/2015, this new regulation establishes minimum rules for initiating the Administrative Liability Procedure. It offers a more comprehensive approach than its predecessor by explicitly addressing preliminary investigations in Article 3 (Brasil, 2022a) which states that the head of the entity’s internal affairs office or the competent unit, upon becoming aware of a possible harmful act against the federal public administration, shall, through an admissibility assessment and a reasoned order, decide to initiate a preliminary investigation, to recommend the initiation of an Administrative Liability Procedure or to recommend the dismissal of the matter. Moreover, Article 3 provides further details on the preliminary investigation in this context
However, despite this advancement, the decree fails to outline the specific stages of a corporate investigation and does not delve into a crucial issue: the necessity of upholding the fundamental rights and guarantees of the investigated party within the scope of internal investigations. This includes the right to remain silent, the right to access investigation materials, and the right to independently produce evidence to contest accusations (defensive investigation).
In this way, the question emerges: what are the limits in conducting corporate investigations?
3. Corporate Internal Investigations as Essential to the
Effectiveness of the Criminal Compliance Program
The initial attention centers on whether the legal entity is obligated to initiate an investigation and, subsequently, how this procedure should be regulated. This leads to the core question of this chapter: should internal investigations adhere to the same standards as public investigations, especially concerning the protection of the fundamental rights of the investigated individual, such as full access to investigative records, the right to remain silent, and the confidentiality of sources?
It is important to emphasize that, for a compliance program to be considered effective, the corporation’s response upon receiving a report of misconduct by an agent related to the company—through its whistleblowing channels—will also be considered.
Indeed, a legal entity that, despite being aware of irregularity, deliberately fails to investigate may be deemed complicit in the illegal conduct, not only by public opinion—potentially damaging the corporation’s image and social identity—but also by public authorities. This could lead to discussions about the potential criminal liability of the compliance officer and the top management of the legal entity8. The characteristics of a company’s compliance program are intrinsically linked and proportional to the level of risk and the specific peculiarities of each legal entity. Additionally, it is crucial to consider the distinctive factors of each business organization (Maeda, 2013: pp. 167-201).
The assessment of the effectiveness of a compliance program is intrinsically linked to the purpose of the evaluation. In this context, Nieto Martín (2021: pp. 8-9) distinguishes between two types of effectiveness assessments. Retrospective evaluation focuses on the effectiveness of the compliance program at the time the events occurred, aiming to determine whether the program, at that specific moment, had effective controls in place to prevent the offense committed by the legal entity in its concrete form of manifestation. This type of evaluation investigates the past and remains indifferent to whether the compliance program improved or deteriorated after the offense took place (Martín, 2021: pp. 8-9).
Prospective evaluation, on the other hand, has a different nature. It assesses whether the compliance program is effective with a forward-looking approach. Therefore, it has a broader objective, evaluating the entire compliance program or its effectiveness concerning specific types of offenses (such as corruption or environmental crimes). One of the main issues debated regarding the effectiveness of compliance programs is the failure to adequately consider this dual criterion of effectiveness. Most evaluation standards aim to be valid in both contexts. For instance, the standards that establish benchmarks—such as ISO standards—certify that a compliance program is well-oriented towards future risks but do not necessarily provide an appropriate framework for assessing retrospective effectiveness (Martín, 2021: pp. 8-9).
The damage resulting from compliance risks is significant, not only from an economic perspective but also in terms of reputation. It is evident that a compliance function must be attentive to both financial aspects and the preservation of corporate image (Ysla, 2012: p. 34). Internal investigations, as a crucial component of any effective compliance program aimed at preventing and detecting illicit activities, also serve a broader purpose related to clarifying any violations of the code of ethics and the compliance regulations that support it (Martín, 2019: pp. 293-294). In this context, internal investigations encompass a set of inquiries conducted by a legal entity, with or without the involvement of external parties, aimed at verifying facts brought to their attention that indicate potential violations of legal, ethical, and/or internal regulations. These investigations are clearly distinct from routine oversight activities, as they are inherently reactive in nature, whereas the latter are integrated into the company’s daily operations (Canestraro & Januário, 2020: p. 294).
Corporate investigation is not merely an aid in building a company’s defense, although it can occasionally play a relevant role in that regard. It functions as authentic “corporate police” in response to the demands of compliance programs. Its purpose is to gather information that clarifies illicit activities, both for internal purposes and for cooperation with authorities, aiming to enforce the principles and provisions established by codes of conduct and internal manuals. Additionally, internal investigations can assist in fulfilling the duty of vigilance regarding the source of risk (the company) and in defining the responsibilities of the legal entity’s managers and employees (Silva, 2021: p. 82).
Internal investigations, essential to meet the prevention requirements established by regulated self-regulation, share certain similarities with police inquiry procedures. This connection exists because the rules of current criminal procedure and their constitutional guarantees guide the investigator when faced with the dilemma between the employee’s obligation to cooperate with the investigation—a logical consequence of their employment contract—and the need to safeguard fundamental rights, such as the nemo tenetur se detegere principle, which protects against self-incrimination (Chagas, 2020: pp. 207-208).
The decision to initiate an internal investigation presumes a likelihood, based on the analysis of initial evidence, that some irregularity has occurred. Information about this potential irregularity may come to the attention of the compliance manager or an ethics committee through an anonymous report or, for example, through civil and administrative proceedings involving the company, court notifications, or even information reported by the media.
The company must evaluate the initial elements of the report and, if necessary, initiate an investigation led by an individual unconnected to the reported facts and equipped with the required technical knowledge. The investigation must be conducted respectfully, ensuring that the rights of the accused individual are always protected (Ragués i Vallès, 2013: p. 195).
Anonymous reports are typically submitted through whistleblowing systems, which are essential tools in compliance programs and are consistently recognized as one of the core pillars of an effective compliance program.
A company’s whistleblowing channel is often the primary source for the compliance department to detect irregularities, making it essential for the company to adopt parallel measures to ensure its effective implementation. It is important to highlight measures that ensure whistleblowers are protected from retaliation and that their anonymity is preserved, as well as measures that guarantee that reported complaints are thoroughly investigated by agents with the necessary independence (Spinelli, 2019: p. 286).
Beatriz García Moreno (2019: pp. 267-268) emphasizes that internal reporting provides the company with the opportunity to address the issue before it becomes public, highlighting that the proper regulation and internal structuring of a whistleblowing and corporate investigation procedure are crucial for gaining the trust of employees who may report colleagues potentially involved in irregularities. The long-term success of the whistleblowing channel depends not only on its proven effectiveness—demonstrated by its capacity to receive anonymous reports—but also on the use of the correct and most efficient method as a genuine preventive tool of social control (effectiveness). This approach strengthens strategies for identifying and, when necessary, repressing illicit behavior, while simultaneously contributing to the transformation of the corporate environment (Marin & David, 2021: p. 119).
However, caution is necessary, as robust and costly programs can be exploited for economic infractions or the illegitimate use of company resources, especially in cases of overcompliance. In this context, Saad-Diniz (2021: p. 43) warns that due to inexperience, fear of regulatory oversight, or even deliberately, techniques such as due diligence, internal investigations, and whistleblowing programs are sometimes used as part of business strategies or as tools for strategic market domination.
Nevertheless, the question remains as to whether the fundamental rights of an employee accused of committing an irregular act must be observed. In this regard, we move on to the central theme of this article: in the absence of specific regulations governing corporate investigations in Brazil, is there an obligation to adhere to the rules applied to public investigations?
The topic faces significant international doctrinal divergence, as highlighted by Isabelle Pereira (2021: pp. 188-189). On the one hand, there is the perspective presented by John Coffee, who argues that corporate investigations are confined to the realm of private relations, and therefore, corporations are not obligated to follow public rules applicable to state authorities, such as the protection against self-incrimination guaranteed by the Fifth Amendment of the U.S. Constitution. On the other hand, Lothar Kuhlen contends that the truth cannot be pursued at any cost, emphasizing the need to preserve the rights of the investigated employee. He draws a parallel between an internal interview and the interrogation of a suspect at a police station, advocating for similar protective measures (Pereira, 2021: p. 189).
Juan Pablo Montiel (2013: p. 267) presents an intermediate position. Here, he focuses on two general principles that could guide the overall design of an “internal procedural ordinance”. The first concerns the need for these written rules to genuinely reflect the interests of the parties involved, especially the employee. This would help balance the power dynamics within the employment relationship and create a more favorable environment for employees to engage in the self-cleaning process. The second principle aims to ensure the rules of due process. This presents significant complexity, as due process occupies an intermediate position in this context. While it is not entirely excluded—despite internal investigations being primarily governed by private law—it is also not fully applicable, given the notable similarities to criminal proceedings and the potential risk to employees’ fundamental rights during the investigation. The major challenge, therefore, is to rethink an internal investigation framework that ensures a system of intermediate safeguards (Montiel, 2013: p. 189).
Indeed, internal investigations will generally follow these stages: (a) preliminary phase; (b) initiation of the investigation; (c) the investigation itself; and (d) disclosure of findings and subsequent measures, such as the initiation of proceedings to adjudicate the offending party and, if necessary, the reporting of the wrongdoing to public authorities.
The procedure may be conducted by the company’s compliance officer (compliance department) and other corporate employees, such as legal counsel, human resources personnel, accountants, among others. However, as Wagner Giovanini (2019: pp. 263-264) rightly warns, the ideal approach is to hire an external law firm9 to ensure the integrity of the investigation and the impartial implementation of necessary measures against any individual within the company. Additionally, concerns may arise regarding potential breaches of professional confidentiality10 by in-house legal counsel providing services to the corporation, which could lead to disciplinary actions by the relevant professional body11. This is yet another reason why outsourcing the investigation to an external firm is strongly recommended.
It should be emphasized that among the types of evidence to be gathered, documentary evidence—such as investigators’ access to emails, cell phones, laptops, and cloud-stored file folders—is fully accepted, provided that these are company-owned assets and that the corporation’s code of conduct explicitly states this ownership12. This notification serves to eliminate doubts regarding the legality of the evidence and to preemptively address any concerns about potential violations of privacy.13
Regarding Brazilian internal regulations on corporate investigations and their limits, the current framework is established by Presidential Decree No. 11,129/2022. Unlike Decree-Law No. 8,420/2015, this regulation introduces minimum rules for initiating the Procedimento Administrativo de Responsabilidade (PAR—Administrative Accountability Procedure). More comprehensive than its predecessor, it explicitly addresses the preliminary investigation in Article 3.14 However, it does not delve into the core issue raised here: the necessary observance of the investigated party’s fundamental rights and guarantees, including the right to remain silent, access to investigative materials, and, potentially, the right to conduct a defensive investigation.
Indeed, if there are indications of wrongful acts committed by any employee, particularly of a criminal nature, an internal investigative procedure may be initiated. Once the investigation is launched by the designated team or group, a detailed planning memo outlining the investigative steps, identifying the parties involved, and defining the scope of the procedure must be prepared.
All stages of the investigation must be meticulously documented, with clear identification of the evidence collected. At the conclusion of the process, a final report should be drafted, like those produced by public authorities such as police commissioners and prosecutors. This report must include the origin of the complaint, a factual narrative, identification of the alleged perpetrator, the evidence gathered (with a traceability record linking it to the original source), and the final investigative findings.
Given the different doctrinal positions, it is important to emphasize that the very choice of the investigation model directly impacts the observance, or lack thereof, of the fundamental rights and guarantees of the investigated individual.
4. Necessary Limits to the Execution of Corporate
Investigations
As Adan Nieto Martín (2013a: pp. 183-187) explains, two models can be adopted in corporate investigations: the corporate panopticon model and the stakeholder democracy model.
The corporate panopticon model is rooted in the punitive and inquisitorial legacy that guides the legislation of many countries. As a result, corporate compliance programs often replicate this structure, concentrating power in the hands of top management, where repression of irregular conduct is prioritized over its prevention. This model also leads to stricter scrutiny and sanctioning of employees, while discrediting whistleblowers, especially when allegations involve top executives.
In contrast, the stakeholder democracy model focuses on prevention by promoting ethical values and their dissemination, while also establishing mechanisms to control the decisions of top management, aiming to combat the abuse of power. This approach implements a system of checks and balances, enabling oversight by the “people”, with mechanisms that allow both shareholders and stakeholders to review corporate decisions. Compliance programs within this framework follow the logic of “good governance”, prioritizing a culture of legality and ethics.
Consequently, the first model prioritizes stricter control measures as the primary metric for evaluating the quality of a compliance program, focusing on constant surveillance of employees—reflecting the panopticon model—and heavy investment in corporate investigations and the punishment of individuals. This approach even develops “criminal profiles” (risk profiling) of stakeholders, leading to undeniable violations of privacy, such as accessing emails, messages exchanged between employees, using surveillance cameras, hiring private investigators, and employing other measures driven by distrust and aimed at repressing potentially deviant behaviors. Corporate investigations and the imposition of sanctions are prioritized, and whistleblowers are rewarded.
Oppositely, the second model evaluates the quality of the compliance program based on the implementation of an ethical culture, focusing on strengthening the company’s identity. While control mechanisms still exist, they are aimed at promoting ethical values and fostering a culture of legality within the organization. The objective is to maintain respectful relationships among employees and spread core values, encouraging lawful behavior. Control measures focus on accounting practices, due diligence, supplier selection, and similar activities. Investigation and punishment become a last resort, with a priority on protecting the fundamental rights of employees. In this model, the whistleblower assumes an ethical role, reporting irregularities not for personal gain but out of civic duty.
This leads to the core discussion of this article: should corporate investigations be subject to the same limits as state-led prosecutions? While corporate investigations operate within private relationships, there remains a need to balance business interests with fundamental rights.
4.1. The Effectiveness of Fundamental Rights and the Opposition
to Contractual Autonomy in Brazilian Jurisprudence
As previously outlined at the beginning of this work, this is precisely the meaning and foundation of what has been termed “regulated self-regulation”. It refers to the acknowledgment of the necessary autonomy granted to companies to self-regulate—given that it would be an impossible task for the State to oversee every aspect—while still preserving the State’s legitimacy to intervene whenever such self-regulation proves ineffective or, in this case, harmful to fundamental rights.
The application of Private Law rules would, in principle, be considered, as noted by Ingo Sarlet (2005: p. 216). The author explains that the primary advantage of the theory of protective duties lies in its foundation within the framework of Private Law. As a result, specific protective duties cannot be predetermined or defined in abstract and general terms; instead, they require concrete interpretation based on their specific context and, only then, give rise to subjective rights (Sarlet, 2005: p. 216).
In this scenario, the prominent Brazilian jurist expands on the theory of “private rights”, emphasizing that at its core lies the understanding that individuals’ fundamental rights require protection not only from state authorities—since the State is merely one potential source of threats—but also from private actors, particularly business groups, corporations, and others who wield significant social and economic power. In this context, some have persuasively argued that this reality reflects yet another dimension of the broader phenomenon in which the strong pose a threat to the weak (Sarlet, 2005: p. 218).
On the other hand, for those who argue that the mere asymmetry between holders of “social power” and other private individuals does not, by itself, justify the direct applicability of fundamental rights in such relationships—since the former also hold fundamental rights, particularly their contractual autonomy—it is the role of the legislator to use the tools at their disposal to regulate these relationships. Examples include provisions aimed at combating cartels, implementing quota policies, preventing abusive clauses, and, in the context of this study, establishing clear guidelines for internal investigations.
Once again, the insights of Ingo Sarlet (2005: p. 246) are drawn upon to demonstrate that in the realm of private relationships marked by asymmetry between the parties, the need to recognize the effectiveness of fundamental rights becomes evident. This assertion gains even greater relevance in the national context, characterized by deep social inequalities. He explains:
“Even though it is not appropriate to simplistically limit the binding effect of fundamental rights on private parties solely to situations of clear factual inequality (economic or social), it is crucial to recognize that an uncritical adoption of the position predominantly embraced in Germany immediately encounters obstacles in the national context. This is due to the evident reality that the foundations of a certain degree of factual and legal equality are severely compromised in Brazil, as highlighted by the high—and continuously increasing—levels of socioeconomic oppression and, consequently, the heightened influence of the so-called social powers.
If even in developed countries that, to varying degrees, embody the characteristics of a democratic (and social) rule of law it is accepted—despite the reservations already mentioned—that in relationships marked by inequality, the more “powerful” private party is directly bound by the fundamental rights of the less powerful (even though both hold fundamental rights), then this binding effect must be even more strongly recognized within the national legal framework. In Brazil, the notion of a social state exists largely as a formal provision, with its practical realization benefiting only a small fraction of the population.” (Sarlet, 2005: p. 246).
In Brazilian jurisprudence, the effectiveness of fundamental rights in private relationships—whether direct or indirect—has also been a subject of debate. Although not directly addressing the issue examined in this study, it provides important guidelines for shaping its resolution. An example of this is the judgment in Extraordinary Appeal No. 201.819-8 from Rio de Janeiro, where a former member of the Brazilian Union of Composers contested his exclusion from the organization, arguing that his constitutional rights to full defense and adversarial proceedings had not been observed.
In her opinion, Justice Ellen Gracie ultimately prioritized the autonomy of the parties in private relationships, considering the invocation of the provision contained in Article 5, item LV of the Brazilian Constitution inappropriate to justify the appellant’s reinstatement to the ranks of the Brazilian Union of Composers, as can be inferred from her vote:
“I understand that private associations have the freedom to organize themselves and establish rules governing their operations and the relationships among their members, provided they comply with existing legislation. When an individual joins an association, they are aware of its rules and objectives and agree to them.
The controversy regarding the exclusion of a member from a private entity must be resolved based on the association’s bylaws and the applicable civil legislation. Therefore, the constitutional foundation attributed by the lower court is unfounded, and invoking Article 5, LV of the Brazilian Constitution to support the respondent’s request for reinstatement to the ranks of the Brazilian Union of Composers (UBC) is entirely inappropriate.
If the procedure outlined in the association’s bylaws was followed for the exclusion, there is no violation of the principle of full defense. The application of this principle to the present case was misguided, which justifies granting the appeal.”
As derived from the ruling, the decision was anchored in the formal aspects of the relationship between the parties, presuming an equal footing between them and, therefore, that the relationship should be governed by the exercise of their respective autonomies. However, in the subsequent majority opinions, which will be discussed further, it became evident that there was an asymmetrical relationship between the Brazilian Union of Composers and the appellant, given that the latter depended on his association with the former to receive payments related to copyright royalties.
In other words, when addressing the tension between the rights of parties equally entitled to fundamental guarantees—on one side, the right to private autonomy, and on the other, the appellant’s right to freely exercise his profession - the dissenting opinions favored the protection of the latter. In this regard, Justice Gilmar Mendes stated:
“Considering that the Brazilian Union of Composers (UBC) is part of the ECAD structure, it is undeniable that, in this case, by restricting the respondent’s defense opportunities, the UBC assumes a privileged position, predominantly determining the extent to which its members can enjoy and exercise their copyright rights.
In other words, this entity functions within what can be described as a public space, even though it is not a state institution.
This reality must be emphasized, especially in cases where the sole source of income for members is the receipt of royalties derived from their compositions. In such situations, denying constitutional defense guarantees could ultimately restrict their very freedom to practice their profession.
Therefore, the penalties imposed by the appellant on the respondent significantly exceed the boundaries of the right to association and, more importantly, the right to defense. Consequently, strict adherence to the constitutional guarantees of due process, adversarial proceedings, and full defense (Article 5, LIV and LV of the Brazilian Constitution) is imperative.
This case, therefore, transcends the simple freedom to associate or remain associated. Membership in such entities mostly represents, for many individuals, an almost mandatory condition for engaging in their professional activity.”
In a similar vein, Justice Joaquim Barbosa, recognizing the far-reaching effects of fundamental rights, stated in his opinion:
Indeed, one of the inescapable consequences of the almost universal acceptance of the supremacy of the Constitution and constitutional jurisdiction as a tool to safeguard it lies in the fact that fundamental rights—an undeniable imperative of all democracies—are no longer conceived solely as limitations imposed exclusively on the State. In Europe, and even in the United States, where significant hermeneutical efforts are made to overcome the state action doctrine, private relationships are no longer entirely beyond the reach of the constraints imposed by fundamental rights.
In another landmark case, during the judgment of Extraordinary Appeal No. 161.243, the far-reaching effectiveness of fundamental rights was once again recognized—specifically, the right to equality for a Brazilian worker in relation to other employees of the same nationality employed by the company. In this case, the rights guaranteed to French workers under the company’s bylaws were not extended to the Brazilian worker, leading the appellant to claim a violation of the principle of equality enshrined in Article 153, §1 of the Brazilian Federal Constitution.
4.2. Necessary Limits to Corporate Investigation
Moreover, one of the most debated topics in the field of internal investigations is undoubtedly the scope of the investigated employee’s right to remain silent, as well as their right not to produce evidence against themselves. Can an employee refuse to answer a question posed by a private investigator, considering the evident employment relationship between unequal parties and the fact that the information requested is of utmost interest to the company?
Juan Pablo Montiel (2013: p. 270) explains that the potential impacts on the nemo tenetur se ipsum accusare principle15 are among the most debated issues concerning the implementation of internal investigations. The core question is whether an employee is obligated to provide information or documents to lawyers hired by the company to conduct the investigation, even if such information could later be used against them. The complexity of this issue lies in the intersection between public and private law, where it becomes challenging to avoid conflicts between the guarantees governing both spheres (Montiel, 2013: p. 270).
Daniel Zaclis (2023: p. 186) notes that although it is common for companies to offer a form of “amnesty” to employees who cooperate with internal investigations, the possibility cannot be ruled out that the employee may still face criminal prosecution by the State afterward, regardless of any agreement made with their employer.
An employee’s refusal to answer an employer’s questions, especially when directly related to their job duties, may not only constitute a breach of their duty to provide accountability but also a violation of the employer’s orders and instructions, potentially justifying disciplinary action, including dismissal. The employer’s managerial authority grants them the right to question the employee about how they perform their work tasks, and the employee is expected to respond in full detail. The issue arises here, as the employee may be compelled to answer the interviewer’s questions with all the information they possess; however, by fulfilling their contractual or employment obligations, they may inadvertently compromise their defense in a potential future criminal proceeding (Martín, 2019: pp. 314-315).
The Supreme Federal Court in Brazil, since the last century, in the context of criminal prosecutions conducted by the State, has established that the principle grants the investigated individual the right to lie about the facts and deny the commission of the crime (STF, 1991). The application of the right to remain silent in the context of internal investigations may depend on local laws and the company’s internal policies. In this regard, Nieto Martín (2019: p. 314) warns that the conduct of interviews presents significant legal challenges, as they may constitute a violation of fundamental rights, particularly the right against self-incrimination, leading the individual to contribute to their own accusation.
The principle of nemo tenetur se detegere serves as a political limitation on the admissibility of criminal evidence, rooted in the set of public liberties guaranteed by the Federal Constitution. Although internal investigations occur within the realm of private relationships, these relationships are inherently asymmetrical (such as the employer-employee dynamic). Therefore, it is not possible to entirely dismiss the application of this guarantee during an interview process (Silva, 2021: pp. 161-162).
Since internal investigations also fall within the scope of labor law, the nemo tenetur principle would not directly govern this legal area. However, if information obtained during an internal investigation disregards this constitutional principle, such information cannot be used as evidence in a criminal proceeding (Montiel, 2013: p. 272).
The fundamental rights of employees must be established as inviolable limits for compliance activities and, naturally, as boundaries for the actions of the company’s management and the employer’s control mechanisms. Internal investigations cannot come at the expense of individuals’ fundamental rights; instead, it is essential to find a balance between the company’s duty to detect and prevent crimes and the obligation to respect the rights of its employees. This balance is particularly crucial given the increased potential for violations by private parties, a risk that has become even more pronounced with technological advancements (Pena, 2023: p. 524).
If an employee enters an interview under the threat of dismissal or disciplinary sanctions for not fully providing information, it is evident that they are under pressure, raising questions about their genuine willingness to disclose such information and potentially self-incriminate. When the intention is to produce evidence admissible in judicial proceedings, it is essential to observe the same guarantees applied in public investigations. Otherwise, the evidence may be deemed inadmissible by the court or evaluated with diminished credibility (Pena, 2023: p. 528).
The investigated employee has the right to be clearly informed of the allegations made against them, to review the various pieces of evidence presented, to submit their own evidence and arguments—including the indication of new witnesses—and to have legal counsel present during the interview. Throughout the process, the presumption of innocence, a constitutional principle guaranteed by the Brazilian Federal Constitution, must always be upheld (Martín, 2019: p. 320).
In the workplace, the horizontal effectiveness of rights becomes even more significant due to the special relationship of subordination, where the employee may be subject to control measures by the employer to ensure the fulfillment of their duties. However, this does not strip the employee of their rights, such as the right to privacy and the confidentiality of communication, which must impose limits on the employer’s surveillance and control measures. The key concept here is the reasonable expectation of privacy, first developed by the jurisprudence of the United States Supreme Court (Pena, 2023: p. 525).
Beyond the challenges related to interviews, it is essential to examine the issues surrounding the provision of information technology tools by companies to their employees that are often used in corporate investigations and can impact fundamental rights such as privacy and the confidentiality of communications. Monitoring employees’ activities is a crucial compliance practice that companies should implement. This measure aims to prevent behaviors that violate internal and external regulations and to gather evidence that supports necessary actions (Tamer & Bueno, 2019: p. 268).
However, in the absence of a comprehensive legislative and jurisprudential framework on the matter, the legitimacy of actions taken by investigators will depend on an assessment of the specific circumstances. According to Nieto Martín (2019: p. 308), this evaluation should consider three categories of cases based on the fundamental rights that may be affected: the impact on the employee’s privacy when using company-provided technological tools; the impact on the employee’s privacy in spaces within the company designated for their personal use; and the impact on the confidentiality of communications.
Regarding the privacy of employees using electronic tools provided by the company (such as computers, emails, mobile phones, landlines, and internet access), it is possible for the company to access digital files that store electronic conversations held by employees through messaging programs installed on a computer shared by all workers and accessible via a company-held password. Similarly, the company may access emails sent through the employee’s corporate email account16 (Martínez, 2021: p. 147).
It is essential for the employer to clearly inform the employee, from the outset of their employment, that there is no expectation of privacy regarding the devices and technological tools provided by the company. In the absence of such warnings, or if they are issued inadequately, it becomes debatable whether the company has the right to examine how the employee used these resources (Martín, 2019: p. 309). In cases where the records involve productive tools owned by the company but placed under the responsibility of the employee, the employer is fully authorized to establish, in advance, the conditions of use and the type of information that these tools may contain (Martín, 2013b: p. 135).
Josefa Ridaura Martínez (2021: p. 147) explains that when there is an explicit prohibition on the personal use of professional email, limiting it solely to work-related purposes, the company implicitly holds the right to monitor its use to ensure the employee is fulfilling their duties and responsibilities. However, Adan Nieto Martín (2019: p. 309) cautions that this right could be abused if the employer, for instance, uses this authority to pry into the personal lives of employees.
Certain invasive measures are prohibited, such as monitoring employees’ personal messages, documents, and emails, even if accessed through company-provided technological devices. Additionally, when it comes to a corporate cellphone containing personal content, despite being a work tool, it still carries an expectation of privacy (Zaclis, 2023: p. 231).
Considering that no fundamental right has an absolute nature, the employer may be justified in accessing such evidentiary material (including information technology tools) if the requirements of the principle of proportionality are met. This means there must be a legitimate purpose for the intrusion, with no alternative motives; there must be a sufficient degree of suspicion17; and the access must be appropriate, necessary, proportionate, and suitable to the specific circumstances of the case (Martín, 2019: pp. 309-310).
Regarding the confidentiality of communications, the third fundamental right of an employee that can be affected in an internal investigation, according to Nieto Martín (2019: pp. 312-313), it refers to the content of a communication whose access occurs at the moment it takes place, affecting the channel through which it develops (e.g., wiretapping). Considering that the confidentiality of communications enjoys constitutional protection in Brazil (Article 5, XII, Constitution), judicial authorization is required.
On the other hand, if the employer informs employees that, in conversations conducted using the company’s telephones, they do not have an expectation of privacy, and that the company may monitor or record them for later use, it could be possible to access their content, initially, without infringing upon the fundamental right to the confidentiality of communications (Martín, 2019: p. 313).
Regarding cameras and microphones for environmental recording in the workplace, once again, for there to be an unlawful violation of the employee’s right to privacy, there must be a lack of knowledge/consent regarding the existence of such technological devices. This analysis is decisive in the necessary balancing of conflicting rights (Martínez, 2021: pp. 149-150). The expansion of covert investigative methods has been the reality of criminal investigative practices over the last two decades. Immersed in a context of tension between liberty and security and influenced by the rhetoric of risk, the State tends to produce norms with the clear purpose of increasing resources available for the enforcement of repressive criminal law, resulting in infringements on fundamental rights (Prado, 2014: p. 59).
The legitimate exercise of the company’s right to monitor employees through the productive elements of its property requires the concurrence of a series of elements. Firstly, for the company’s right to control the employee’s work to be legitimate, it is crucial that surveillance and control measures are implemented “to verify the employee’s compliance with their obligations and duties” (Martín, 2013b: p. 140). On the other hand, the employer should not be allowed to use a surveillance method that is not a corporate tool or to extract information from the employee’s personal email, possibly saved on their corporate machine (Martín, 2013b: p. 140).
Regarding the collection, processing, and forensic analysis through new technologies18, including artificial intelligence19, of the electronic tools provided by the company, these can be carried out if there is prior alignment of expectations between the company and the employee. Ideally, the company can use keywords related to the topic of the investigation, avoiding the analysis of emails on unrelated matters and, especially, strictly personal topics not related to the employee’s duties within the company.
Regarding the use of artificial intelligence, while the inclusion of information obtained and processed by AI in criminal proceedings may be permitted, a critical assessment of its credibility remains imperative. Despite significant advancements in AI technology, numerous challenges persist concerning transparency and, consequently, the contestability of AI-driven decisions. When considering the use of AI tools at various stages of an internal investigation, it becomes evident that the environment presents even greater challenges for the defense of those affected by such informational elements, even when the right to a future adversarial process is ensured (Januário, 2023: p. 770). Daniel Zaclis (p. 247) asserts that, except in exceptional cases, the disregard for adversarial rules in the evidentiary process prevents the consideration of elements extracted from investigations.
When admitted in criminal proceedings, informational elements obtained and processed by AI cannot be deemed sufficient to convict a company or to serve as definitive proof of guilt for co-defendants. Their evidentiary value is comparable to that of informational elements resulting from state-led investigative actions, such as police investigations (Januário, 2023: p. 763).
5. Conclusion
Globalization and technological advancements have brought many challenges for society as a whole; with changes in commercial relationships, the risks for the State have increased, even revealing its inability to alone monitor the scope of operations of legal entities.
Consequently, the notion of shared responsibility between the private sector and the state entity in preventing and even repressing illicit corporate conduct emerges, which is referred to as regulated self-regulation (the establishment of rules by legal entities based on frameworks set by the State).
In recent years, companies have seen the intense development of compliance programs to operate with greater legal conformity, as well as to prevent and detect crimes committed by their employees, enabling better control of criminal, financial, and reputational risks.
Private investigations conducted by a company, despite lacking state regulation in Brazil outlining each step and enumerating the personal rights of the investigated individual, raise concerns related to the protection of fundamental rights of the employees being investigated. This happens because, if there is an intention to use the evidence produced in an internal investigation in a future criminal procedure conducted by the State, the same fundamental rights that are guaranteed to the investigated individual (or at least should be guaranteed) in a state-led criminal prosecution must be ensured.
Regarding the technological devices provided by the company, information that is potentially collected through forensic extraction and later processed and analyzed by artificial intelligence programs can be used as evidence, as long as the employee is ensured prior knowledge of this information.
Therefore, there is no expectation of privacy, with evident limitations in cases of personal emails that are potentially saved on the corporate computer or in locations where the employee has a reasonable expectation of privacy.
Regarding interviews, if the company intends to use their results in a procedure led by the State, the fundamental rights of the interviewed subject must be guaranteed, just as they would in a public investigation. If this is not done, the judge should not consider these elements of evidence, as they would be in violation of constitutional principles.
As a useful tool capable of reducing the complexities inherent in a risk society, criminal compliance has various metrics of effectiveness. After all, it is not uncommon for companies to create “drawer” compliance programs. Concerning internal investigations, a reactive part of the program, respecting the fundamental rights of the employee is essential to allow for the future judicial evaluation of the evidence produced, preventing the waste of the company’s time, energy, and assets.
Precisely due to the absence of specific legislation on the matter, if a company deliberately chooses not to respect the fundamental rights and guarantees of its employees, and the corporate investigation along with its conclusions remain undisclosed to the state, there will be no consequences for the company’s top management.
However, if the facts become known to the state—whether through an employee, the media, or even the dismissed worker who was the subject of the investigation—the evidence produced in the corporate inquiry will be deemed inadmissible by official authorities. This inadmissibility arises from the failure to comply with the Constitution of the Federative Republic of Brazil and procedural criminal law. Consequently, public authorities will be required to conduct the entire investigative process independently, bearing the burden of proving that no causal link exists between the evidence obtained in the state-led investigation and the materials produced during the corporate inquiry. Failure to do so may result in the evidence being declared inadmissible due to derivation, in accordance with the fruits of the poisonous tree doctrine.
An employee who believes their fundamental rights were violated during the internal investigation may seek reinstatement through the Labor Court in the event of dismissal. Additionally, they may report the potential commission of criminal offenses to public authorities, such as the police or the Public Prosecutor’s Office. These offenses could include unlawful coercion (Article 146, Brazilian Penal Code20), threats (Article 147, BPC21), violation of correspondence (Article 151, BPC22), and unauthorized access to an information system (Article 154-A, BPC23).
Finally, as a further consequence of failing to uphold the employee’s fundamental rights, the state may refuse to enter into a leniency agreement (Brasil, 2016) or negotiate one under less favorable terms for the company if it deems that the investigation was not conducted seriously. In such cases, the authorities may perceive the inquiry as a mere “window dressing” effort, concluding that the company’s compliance policies were either nonexistent or merely superficial. Additionally, law enforcement may interpret the investigation as having been deliberately flawed, with the intent of concealing the potential involvement of the compliance officer or a member of the company’s senior management in the alleged offenses.
It should be emphasized that external audits play a fundamental role in assessing the quality of corporate investigations, as they serve as effective mechanisms for identifying and even reporting to public authorities the use of sham compliance programs and abuses committed against employees.
These audits should be commissioned by the company itself; however, nothing prevents the state from requiring specific public agencies to conduct such verifications, particularly when the company is engaging in government contracts. This is already reflected in Brazil’s Public Procurement Law (Law No. 14,133/2021, Articles 17024 and 17125), which establishes compliance obligations for companies contracting with the state.
Furthermore, it is essential to highlight the role of institutes in granting quality certifications, such as the “Pró-Ética” seal (Brasil, 2022b). In this regard, the Ethos Institute—a well-recognized entity in Brazil—partners with the Office of the Comptroller General (CGU), an agency of the Ministry of Transparency, to evaluate the effectiveness of corporate compliance programs. A regulatory framework should be established to assess the quality of corporate investigations as a prerequisite for awarding such certifications.
Moreover, the company’s commitment to respecting the fundamental rights of the employee will only be evident if a model of stakeholder democracy is adopted, based on mutual respect and trust between the parties.
In this regard, the credibility of the investigative procedure can only be assured if the fundamental rights and guarantees of the accused are duly respected, which in turn fosters greater trust among employees in the company’s senior management. Conversely, any violation of these rights will generate a sense of distrust among stakeholders regarding the company’s integrity, creating an environment of fear, tension, and institutional discredit. This not only undermines interpersonal relationships but also directly impacts employee performance, ultimately affecting the organization’s overall efficiency and reputation.
Biographical Note
Fernanda Ravazzano Lopes Baqueiro is Postdoctoral Fellow in Criminal Compliance at the State University of Rio de Janeiro (UERJ). Postdoctoral Fellow in International Relations at the University of Barcelona, Spain (UB). PhD and Master’s in Public Law from the Federal University of Bahia (UFBa). Law graduate from UFBa. Professor at both the undergraduate and graduate programs at UFBa. Coordinator of the Research Group titled “Criminal Compliance and Regulated Self-Regulation: Necessary Limits for the Protection of Public Freedoms at UFBa”. Author of books and articles. Criminal lawyer and partner at Thomas Bacellar Advogados Associados.
João Canna Brasil is Master’s student in Criminal Law at the Federal University of Bahia (Research Area: Compliance and Corporate Self-Regulation). Postgraduate degrees in Economic Criminal Law from Getúlio Vargas Foundation—FGV/SP and from the Institute of Economic Criminal Law at the University of Coimbra. Postgraduate degree in Criminal Law and Criminology from Pontifical Catholic University of Rio Grande do Sul—PUC/RS. Law graduate from the Federal University of Bahia. Completed extensions in Criminal Law and Criminology at the University of Salamanca—Spain, Anti-Corruption Compliance and Corporate Internal Investigations at Legal, Ethics and Compliance—LEC/SP. Certified CPC-A and CPIIC by LCB/FGV. Criminal lawyer at Sebástian Mello, Marambaia e Lins Advocacia Criminal.
Pancho Rivas Franco Lima Gomes is Master’s student in Criminal Law at the Federal University of Bahia (Research Area: Compliance and Corporate Self-Regulation). Postgraduate degrees in Criminal Sciences from the Faculty of Law of Vitória (FDV), Espírito Santo, Brazil. Federal Police Commissioner for 19 years, with extensive experience in drug enforcement, anti-corruption efforts, and financial crime investigations. In 2018, he was appointed General Coordinator of Drug Enforcement at the Directorate of Investigation and Combat of Organized Crime within the Federal Police Department.
NOTES
1Article 7: “In the application of sanctions, the following will be taken into consideration: […] VII— the cooperation of the legal entity in the investigation of the violations”. (Brasil, 2013).
2Article 42: “For the purposes of the provisions in §4º of Article 5, the integrity program will be evaluated regarding its existence and implementation based on the following parameters: […] X—whistleblowing channels for reporting irregularities, open and widely publicized to employees and third parties, along with mechanisms aimed at protecting good-faith whistleblowers.” (Brasil, 2015).
3Access to the case files is only guaranteed during the initiation of the Administrative Disciplinary Process, but not during the preliminary investigation. In this case, Article 9 of Decree-Law No 11.129/2022: “The legal entity may monitor the Administrative Accountability Process (PAR) through its legal representatives or attorneys, with full access to the case files being ensured. Sole Paragraph. The removal of physical case files from the public office is prohibited; however, copies—preferably in digital format—may be obtained upon request.” (Brasil, 2022a).
4The Watergate and Chevron scandals stand out in the United States (Cerqueira, Ravazzano, & Costa, 2022: pp. 1018-1020).
5From a structural perspective, the most significant characteristics of globalization-related crime are twofold. On one hand, it is broadly organized crime. This means that it involves groups of people structured hierarchically, whether within corporations or even in the strict form of criminal organizations. The dissociation this creates between the direct execution of the act and legal responsibility also results in the harmful outcome often being significantly separated—both in space and time—from the actions of the key individuals involved in the criminal plan. From a material standpoint, globalization-related crime is committed by powerful actors and is characterized by the magnitude of its effects, which are typically economic but can also be political and social. Its capacity to destabilize markets and to corrupt public officials and government leaders is another notable feature (Sánchez, 2001: p. 87).
6In this context, as an expression of regulated self-regulation, the implementation of compliance policies within the corporate sphere aims, at first, to prevent (or avoid) the occurrence of irregular conduct by stakeholders. Accordingly, internal rules are established, outlined in the company’s code of ethics and manual of best practices (or guidelines), and subsequently disseminated. For a genuine cultural shift within the legal entity to occur, the company’s top management must be committed to fostering an environment of integrity, encouraging other employees to act ethically and in compliance with both internal and external (state-imposed) regulations. In a second phase, when it is determined that, despite preventive measures, a report (via the whistleblowing channel) has been made regarding an irregularity, an internal corporate investigation must be conducted to determine the authorship and materiality of the deviant behavior, as well as the potential initiation of disciplinary proceedings with the imposition of sanctions. In other words, corporate investigations are likewise an expression of regulated self-regulation, but within the realm of enforcement.
7“Especially the FCPA, the Bribery Act, in addition to the regulations of the Organization for Economic Cooperation and Development (OECD), as well as the ratification and entry into force of the Convention on Combating the Corruption of Foreign Public Officials in International Business Transactions, and also the ratification of the Convention in 2000, amending the Penal Code and Law 9613/98—the Anti-Money Laundering Law. Regarding the fight against corruption, the Inter-American Convention Against Corruption of the OAS in 1996—promulgated in Brazil through Decree 4410/2002—is also noteworthy, with an explicit provision in Article VIII on transnational bribery and Article IX on illicit enrichment, as well as the United Nations Convention Against Corruption (Mérida Convention)—Decree No. 5,687/2006.”
8For a deeper discussion on the criminal liability of managers for omission, see Ilana Martins Luz, “Compliance e omissão imprópria” (Luz, 2018).
9If the company’s compliance department remains responsible for managing the investigation, the precautions highlighted by Wagner Giovanini (2019: pp. 265-266), must be strictly observed.
10Violation of Professional Confidentiality: Article 154—Disclosing, without just cause, a secret of which one has knowledge due to their function, ministry, office, or profession, and whose disclosure may cause harm to another: Penalty—Detention for three months to one year, or a fine ranging from one conto to ten contos de réis. (See Law No. 7,209/1984). Sole Paragraph—Prosecution shall only proceed upon formal representation (Brasil, 1940).
11Article 35—Lawyers have a duty to maintain confidentiality regarding any facts they become aware of during their professional practice.
Sole Paragraph—Professional confidentiality extends to facts that lawyers have come to know by virtue of functions performed within the Brazilian Bar Association (Ordem dos Advogados do Brasil).
Article 36—Professional confidentiality is a matter of public order and does not depend on a client’s request for discretion.
§ 1º—All communications of any nature between lawyers and their clients are presumed confidential.
§ 2º—Lawyers acting as mediators, conciliators, or arbitrators are also bound by the rules of professional confidentiality (CFOAB, 2015).
12For further information on the subject, explore into Wagner Giovanini (2019) and Cerqueira, Ravazzano and Costa (2022).
13The company, during an internal investigation, may access the employee’s communication and information devices, if these are company-owned and that established technology use protocols clearly state that the employee has no expectation of privacy in their use. If the employee has been informed that company computers or smartphones may not be used for personal purposes, such intervention will not constitute a violation of the right to privacy. However, it is advisable that such interventions adhere to the principles of proportionality, minimal intrusion, and rationality. If the employee has been warned that company computers or smartphones may not be used for personal purposes, the intervention will not infringe on their right to privacy (Montoya, 2018).
14Article 3—The head of the entity’s internal affairs office or the competent unit, upon becoming aware of a possible occurrence of a harmful act against the federal public administration, shall, within the scope of admissibility assessment and through a reasoned decision, determine:
I—the initiation of a preliminary investigation;
II—the recommendation to initiate a Procedimento Administrativo de Responsabilidade (PAR—Administrative Accountability Procedure); or
III—the recommendation to dismiss the matter.
§ 1º—The investigation referred to in item I of the main section shall be confidential and non-punitive, aimed at determining indications of authorship and materiality of harmful acts against the federal public administration.
§ 2º—The preliminary investigation shall be conducted directly by the entity’s internal affairs office or competent unit, as established by regulation, or by a committee composed of two or more members appointed from among career civil servants or public employees.
§ 3º—The preliminary investigation shall include all necessary actions to clarify the facts under investigation, including all legally admissible procedures, particularly:
I—recommending to the initiating authority the precautionary suspension of the effects of the act or proceeding under investigation;
II—requesting the involvement of specialists with technical or operational knowledge from public bodies, entities, or other organizations to assist in the analysis of the matter;
III—requesting banking information on the movement of public funds, including confidential data, provided that secrecy is shared with oversight bodies;
IV—requesting, through the competent authority, the sharing of tax information regarding the investigated legal entity, as provided for in item II of § 1º of Article 198 of Law No. 5,172 of October 25, 1966 (National Tax Code);
V—requesting judicial representation or equivalent bodies of the affected entities to take necessary legal actions for investigation and prosecution of harmful acts, including search and seizure measures, whether in Brazil or abroad;
VI—requesting documents or information from individuals or legal entities, whether public or private, domestic or foreign, or from international public organizations.
§ 4º—The period for concluding the preliminary investigation shall not exceed 180 days, subject to extension by an act of the authority referred to in the main section.
§ 5º—Upon completion of the preliminary investigation, the obtained information shall be submitted to the competent authority, along with a conclusive report on the existence of indications of authorship and materiality of harmful acts against the federal public administration, for a decision on whether to initiate the PAR (Brasil, 2022a).
15This principle means that no one is obligated to accuse themselves or produce evidence against themselves. It is a legal principle that safeguards an individual’s right to remain silent and protects against self-incrimination in legal proceedings.
16The Superior Court of Justice (STJ) in Brazil, through its Sixth Panel, ruled that judicial authorization is not required to obtain evidence from WhatsApp messages sent to a corporate email on a company-owned work computer. According to Justice Nefi Cordeiro, the corporate email “is not equivalent to personal correspondence, and there is no violation of privacy when the employer accesses message files stored on a computer used as a work tool and owned by the company” (REsp No. 1.875.319—PR, ruled on September 15, 2020)
17On this topic, Nieto Martín (2019: pp. 309-310) explains that “prospective intrusions or those carried out merely for ‘fishing expeditions’ are not lawful. This also means that the proportionality test cannot be applied in a general manner but must be conducted in relation to everyone affected”.
18In this regard, Adán Nieto Martín (2019: pp. 313-314) points out that: “In some internal investigations, the company may need to examine thousands of documents, which makes it necessary to rely on specific software programs and sophisticated search methods. Beyond this practical issue related to the massive search and analysis of data, a subsequent and more important problem is how to ensure the authenticity of all these documents.”
19With the advancement of artificial intelligence technologies, various programs have been developed to provide greater effectiveness in corporate internal investigations, especially when considering a large amount of data involved. On this topic, Túlio Xavier Januário (2023: p. 733) explains that artificial intelligence tools can assist the company in adapting to the compliance with regulations present in vast national and international legislation.
20Unlawful Coercion. Article 146—Coercing someone, through violence or serious threat, or by any other means that reduces their ability to resist, into refraining from doing what the law allows or into doing what the law does not require: Penalty—Detention from three months to one year, or a fine (Brasil, 1940).
21Threat. Article 147—Threatening someone, whether through words, writing, gestures, or any other symbolic means, with unjust and serious harm: Penalty—Detention from one to six months, or a fine (Brasil, 1940).
22Violation of Correspondence. Article 151—Unlawfully accessing the contents of sealed correspondence addressed to another person: Penalty—Detention from one to six months, or a fine (Brasil, 1940).
23Unauthorized Access to an Information System. Article 154-A—Illegally accessing another person’s information system, whether connected to a computer network or not, with the intent to obtain, alter, or destroy data or information without the explicit or implicit authorization of the device’s user, or to install vulnerabilities for illicit gain. (Amended by Law No. 14,155/2021). Penalty—Imprisonment from one to four years, and a fine (Amended by Law No. 14,155/2021) (Brasil, 1940).
24Article 170—Oversight bodies shall adopt, in their supervision of the acts provided for in this Law, criteria of opportunity, materiality, relevance, and risk, considering the justifications presented by the responsible agencies and entities, as well as the results obtained from the contract, in compliance with the provisions of § 3 of Article 169 of this Law. § 1º—The justifications provided by the responsible agencies and entities must be submitted to the oversight bodies by the conclusion of the instruction phase of the process and may not be removed from the case files. 2º—Failure to provide the required information shall not prevent oversight bodies from making determinations nor delay the application of any procedural deadlines. § 3º—Oversight bodies shall disregard documents that are irrelevant, merely delaying tactics, or of no interest for clarifying the facts. § 4º—Any bidder, contractor, or individual or legal entity may file a complaint with internal control bodies or the competent Court of Accounts regarding irregularities in the application of this Law (Brasil, 2021).
25Article 171—In oversight and control procedures, the following shall be observed: [...] II—The adoption of objective and impartial procedures and the preparation of technically substantiated reports, based exclusively on the evidence obtained and structured in accordance with the audit standards of the respective oversight body. This ensures that personal interests and biased interpretations do not interfere with the presentation and handling of the facts identified (Brasil, 2021).