THE BOTTOM LINE
- Privilege is not absolute: A Dutch court found that standard procedures to protect legally privileged documents during a major criminal investigation were critically flawed, leading to a significant data breach.
- Cross-border risk is real: Sensitive attorney-client communications were inadvertently shared with German and Finnish authorities, demonstrating the magnified data security risks when companies are subject to a Joint Investigation Team (JIT).
- Stricter safeguards are now mandatory: The court has ordered a complete re-filtering of all seized data and mandated stronger, verifiable protocols to prevent investigators from accessing privileged information, particularly when exporting data.
THE DETAILS
This case arises from a significant criminal investigation by the Dutch Fiscal Information and Investigation Service (FIOD), codenamed “Greenhill,” into alleged “dividend stripping.” During the probe, authorities seized a vast amount of digital data, including emails and files from servers and data carriers. As is standard procedure, this data was handed to an investigating judge to filter out and protect documents covered by legal professional privilege. The method used was to “gray out” these sensitive files, rendering them inaccessible to the prosecution and investigative teams. However, this protective shield proved to be dangerously porous.
The court identified two critical failures in the process. First, the initial filtering was incomplete. Lawyers for the suspect discovered dozens of privileged documents, including their own communications, that had not been “grayed out” and remained fully accessible in the evidence room. The second failure was more alarming: when the FIOD created a copy of the data for its German and Finnish JIT partners, the act of exporting the files to a USB stick and a hard drive completely undid the “graying out” protection. This technical oversight meant that unredacted, privileged legal advice was delivered directly to foreign law enforcement agencies, a severe breach triggered by a seemingly routine procedural step performed without judicial oversight.
In its ruling, the Amsterdam District Court declared the complaint from the lawyers largely justified. While it denied the request to permanently delete the privileged files—citing the need to maintain the forensic integrity of the original data—it delivered a sharp rebuke of the current safeguards. The court ordered the investigating judge to conduct an entirely new filtering of the data. Critically, it also ordered the FIOD to draft a formal, detailed protocol explaining exactly how it will guarantee that “grayed out” data remains inaccessible to investigators in the future, especially during data exports. The court further mandated the release of system log files to provide transparency on who has accessed the sensitive data, reinforcing that procedural diligence in protecting privilege is not optional.
SOURCE
Source: District Court of Amsterdam
