Some clarification of the U.S. – E.U.[1] data protection impasse came on February 1, 2006, when the European data protection authorities (the Article 29 Working Party[2] ("WP29")) issued an Opinion[3] setting out detailed guidelines on the establishment of whistleblowing procedures. The Opinion seeks to provide guidance to enable companies to comply with Sarbanes-Oxley obligations imposed on U.S. publicly traded companies in a manner consistent with E.U. privacy law. The Opinion, however, does not resolve many tensions between the Sarbanes-Oxley Act ("SOX") and E.U. privacy principles.

Moreover, many multi-national companies have adopted more expansive whistleblowing procedures that also cover matters not addressed by Sarbanes-Oxley, such as concerns about crimes, civil offences, miscarriages of justice, professional conduct, employment matters, intellectual property, or dangers to health and safety or the environment, among other subjects. These broader schemes are not permitted under the Opinion. Multi-nationals are therefore well advised to review their whistleblowing provisions in light of the new Opinion and their obligations under SOX.

Background

Following a series of U.S. corporate scandals, in 2002 the U.S. Congress adopted the Sarbanes-Oxley Act, which, among many other things, requires companies listed on U.S. stock exchanges to establish anonymous reporting procedures for employee complaints to audit committees regarding fraud in accounting, auditing, and financial reporting.[4] This requirement applies to European companies whose shares are traded on U.S. stock exchanges, and also applies to European subsidiaries of U.S. companies listed on U.S. stock exchanges.

The suspicion and caution with which E.U. authorities view anonymous reporting is typified by the French reaction. The use of a whistleblowing scheme was prohibited by a French regional court.[5] The French Data Protection Authority ("CNIL")[6] also banned the introduction of such schemes at two French subsidiaries — McDonald’s France and CEAC, a division of Exide Technologies — as they violated French privacy law.[7]

The CNIL opined that local labor laws and practices already provided employees with sufficient opportunities to notify superiors, employee representatives, internal auditors, or the human resources department of any suspicious conduct. The CNIL also argued that broad reporting schemes could contravene French criminal law because "denunciations" are considered a criminal act (this stems from the events of World War II when "denunciations" were encouraged by the Vichy Government, which collaborated with the Germans).[8]

Reversing its earlier position that whistleblowing lines are intrinsically threatening, and in an effort to resolve the conflict, the CNIL subsequently adopted guidelines for French companies wishing to implement whistleblowing schemes required under Sarbanes-Oxley.[9] At the end of December 2005, the CNIL also published a Decision, complemented by a Questions & Answers document,[10] alleviating registration requirements.[11] Provided a company complies with the recommendations stated in the Decision, it need only formally declare its compliance with the conditions in order to benefit from a blanket authorization.

In Germany, whistleblowing schemes have been ruled out by labor courts unless they are implemented in consultation with local works councils.[12]

More akin to the U.S. approach, in 1998 the UK Information Commissioner[13] adopted the "Public Interest Disclosure Act," which is significantly broader in scope than the French guidelines and which addresses the reporting concerns of employees in a much wider fashion.[14]

This inconsistent European approach may have prompted the WP29 to issue the Opinion, which purports to allow whistleblowing schemes limited to Sarbanes-Oxley issues but only if such schemes comply with certain conditions.[15]

Significant Aspects of the Opinion

When Are Whistleblowing Schemes Considered Lawful?

To the extent that "blowing the whistle" involves the collection and processing of "personal data,"[16] whistleblowing is subject to the Member State implementation of the provisions of the E.U. Data Protection Directive ("Directive").[17] According to the Opinion, whistleblowing schemes may only be permitted if they are established as a result of "legal obligations." The WP29 stated that only an obligation under E.U. Member State law may serve as a legal basis to process personal data. Foreign laws such as Sarbanes-Oxley therefore do not establish a legal obligation under E.U. standards. The Opinion, however, goes on to state that whistleblowing is also legitimate where foreign legal obligations fulfill a "legitimate purpose" under E.U. standards. The Opinion concludes that Sarbanes-Oxley serves legitimate purposes under E.U. standards.

In addition, according to the WP29, whistleblowing schemes should complement existing complaint and control mechanisms under E.U. Member State audit and labor rules providing for reporting to superiors, employee representatives, internal audit departments, or the human resources department. Also, the use of whistleblowing schemes should be strictly voluntary, and employees should be clearly informed about the non-obligatory nature of the scheme.

What Data May Be Collected?

In accordance with the Directive’s "proportionality principle," the Opinion states that data collected through whistleblowing schemes should be limited to what is strictly necessary for the report and follow-up investigation. The Opinion also states that companies should consider limiting the scheme to those employees who have access to accounting, auditing and financial information. In September 2005, similar concerns caused a French regional court to rule that workers on the factory floor could not use reporting schemes as they do not have access to financial or accounting information.[18]

Anonymous Reports

Although anonymous reporting is commonplace in the U.S., it is not an accepted practice in Europe (which is perhaps a reflection of historical unease). The Opinion recommends that anonymous complaints be discouraged and that anonymous reporting channels not be advertised.

To address concerns about retaliation, the Opinion states that the identity of employees who raise concerns should be kept confidential.

However, perhaps in recognition of Sarbanes-Oxley requirements, anonymous reporting is permitted as long as it is not made compulsory. Also, according to the Opinion, anonymous reports should be treated with caution, and each report should be examined before it is communicated within the organization.

Rights of Defense

A major point of contention regarding the implementation of whistleblowing schemes in Europe concerns the accused person’s right to contest any report. The Opinion states that companies that decide to implement reporting schemes must ensure that appropriate information is provided to all persons identified in a report. At a minimum, the accused person must be informed of: (i) the entity responsible for the whistleblowing scheme; (ii) the nature of the accusations that have been made; (iii) the departments or services that may receive the report (including the company itself and any of its affiliates); and (iv) how the accused may exercise rights of access and correction. The Opinion recognizes that evidence may first need to be secured before the accused is notified of any allegations.

Organization of the Whistleblowing Scheme

Pursuant to Articles 16 and 17 of the Directive, all processing of personal data must be confidential and secure. The Opinion recommends that (i) the whistleblowing scheme is set up and administered by "specially trained and dedicated people" who serve under confidentiality duties; (ii) the whistleblowing scheme is neither part of a "human resources department" at the company nor integrated into any other specific department, i.e. the scheme must operate under a separate independent department; and (iii) the company ensures that whistleblowing reports are only transmitted to this particular independent department.

In the event a company chooses to outsource the scheme to a third party, the Opinion states that a contract must be in place between the parties to ensure that the third party outsourcer complies with all confidentiality and security measures. Such agreements should include the following: (i) strict confidentiality obligations; (ii) an obligation to communicate the information processed only to persons belonging to the company’s dedicated internal team; (iii) an obligation to comply with data protection principles; (iv) a commitment to process the data only for the specific purposes for which they were collected and to act only on instructions from the controller; (v) compliance with the data retention periods by which the data controller is bound; (vi) an undertaking to destroy or return all paper and electronic materials when the contract is terminated; and (vii) an obligation to implement appropriate security measures. Nevertheless, the Opinion states that liability will rest with the company organizing the scheme, not the third party outsourcer.

Transferring Whistleblowing Reports Outside the E.U.

Although the Opinion considers it "preferable" for companies to implement local whistleblowing schemes in Europe, in practice, most U.S.-based multinationals will employ a centralized system set up in one country (most likely the U.S.) to effectively deal with all reports made through the scheme. If the scheme relies on European subsidiaries’ transferring data outside the E.U., then the Opinion states that companies will need to comply with the Directive’s provisions on international data transfer restrictions.[19]

However, to the extent that data are collected directly by the U.S. company, for example by means of a U.S. website or a U.S. telephone hotline, and the European subsidiary plays no part in the establishment or maintenance of the scheme, there may be no "international transfer" of data within the meaning of the Directive. Only in instances where the E.U. and the U.S. entities collaborate, by jointly deciding what personal data are collected and by what means, or by the European subsidiary determining this on its own, will there be a "data transfer" within the meaning of the Directive.

Conflicts Between the Opinion and Sarbanes-Oxley

The Opinion specifically quotes the requirement of Sarbanes-Oxley that the audit committees of publicly traded companies must establish procedures for "the receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls or auditing matters; and the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters." Notwithstanding this acknowledgment, the Opinion contains guidance that clashes with these requirements in the following respects:

  • The Opinion recommends that companies discourage anonymous employee complaints and not advertise the existence of anonymous channels;

  • The Opinion recommends the creation of a separate organization, separate from the human resources department, consisting of specifically-trained personnel to investigate employee complaints, despite no such requirement by Sarbanes-Oxley;

  • The Opinion recommends that companies should "deal with reports locally, i.e. within one E.U. country, rather than automatically share all the information with other companies in the group"; and

  • The Opinion recommends that personal data not be transferred to countries outside the E.U. that do not have privacy laws equivalent to E.U. privacy laws, unless companies in such other countries agree to certain privacy requirements.

On February 16, 2006, the Chairman of WP29 wrote a letter to the Chairman of the Securities and Exchange Commission ("SEC") requesting that the SEC provide assurances that companies located in the E.U. that comply with the Opinion will be viewed as having complied with their obligations under Sarbanes-Oxley. Given the number and importance of the conflicts between the Opinion and Sarbanes-Oxley, it is difficult to see how the SEC will be able to provide the requested assurances.[20]

Compliance Strategies

In the meantime, companies seeking to comply with E.U. data protection laws should consider the following when setting up whistleblowing schemes accessible to employees based in the E.U.:

  • Limit the scope of whistleblowing schemes to complaints relating to Sarbanes-Oxley matters (i.e., accounting, auditing, banking, and financial corruption);

  • Consider disassociating the general ethics code from the reporting scheme;

  • Notify employees about the details of the whistleblowing scheme, including the entity responsible for the scheme, the personnel receiving the reports, third-party service providers, the purpose of the scheme, the right to access and modify information reported under the scheme, and the voluntary nature of the scheme;

  • Encourage employees to identify themselves while protecting the confidentiality of their identities;

  • Ensure that all persons identified in reports are provided with complete information, including a description of the incident and possible recipients, as soon as the evidence is secured;

  • Collect reports through a dedicated channel;

  • Ensure that reports are either deleted or securely archived if no legal proceedings or disciplinary sanctions have been initiated within two months of the report being made;

  • Enter into appropriate contracts with providers of reporting services, particularly as regards the confidentiality of information collected, security measures in place, cooperation with requests for access and rectification, and retention policy;

  • Provide whistleblowers and implicated employees with the opportunity to access information, and to modify or delete any inaccurate or incomplete information when appropriate; and

  • State that misuse of the scheme, such as bad-faith allegations, may result in disciplinary actions and legal proceedings.

Footnotes

1. The 25 Member States of the European Union (E.U.) currently are: Austria, Belgium, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden, the Netherlands, and the United Kingdom.

2. The Working Party was established by Article 29 of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data, and on the free movement of such data. Official Journal L 281, 31 (hereinafter "Directive"). It is composed of representatives of national data protection authorities, and the data protection unit at the European Commission acts as its secretariat.

3. Article 29 Data Protection Working Party: opinion paper 1/2006 on the application of E.U. data protection rules to internal whistleblowing schemes in the fields of accounting, internal accounting controls, auditing matters, fight against bribery, banking and financial crime. WP117. Available at http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2006/wp117_en.pdf. For ease of reference, this document is referred to herein as the "Opinion."

4. Audit committees of publicly traded companies are required to establish "procedures for the receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls or auditing matters; and the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters." Sarbanes-Oxley, Section 301(4); 15 U.S.C. Section 78j-1(m)(4).

5. Tribunal de Grande Instance de Libourne, 15 Septembre 2005, Comité d’établissement BSN Glasspack et autre c/ Sté BSN Glasspack. This decision is an "ordonnance de référé", which is the emergency procedure before French civil courts enabling a judge to request an injunction to stop imminent potential damage. In this case, the potential damage concerned the risk of a breach of the civil liberties of the employees of this company in France who could have been potentially targeted by the whistleblowing scheme put in place without the prior authorization of the CNIL.

6. Commission Nationale de l'Informatique et des Libertés.

7. See our firm’s update at www.mofo.com/news/updates/files/update02035.

8. The French Code Pénal (Criminal Code), article 226-10, treats all false accusations (dénonciations calomnieuses) as a crime (délit). False accusations must be made against a particular person, must have the consequence of bringing sanctions on the person accused, and must be made either to police, administration, judicial officials or to employers. False accusations may result in 5 years imprisonment and a fine of up to €45,000.

9. November 2005: English version available at http://www.cnil.fr/index.php?id=4.

10. French version available at http://cnil-front1.heb.fr.colt.net/index.php?id=1983.

11. Autorisation unique n°AU-004, available at http://cnil-front1.heb.fr.colt.net/index.php?id=1907&delib%5Buid%5D=83&cHash=460880f125.

12. WAL-MART Landesarbeitsgericht Rheinland-Pfalz, Urteil vom 19.01.2005, Az: 10 Sa 820/04.

13. Data Protection Authority for the United Kingdom.

14. The Act applies to people at work raising genuine concerns about crimes, civil offences, miscarriages of justice, dangers to health and safety or the environment and the cover up of any of these. Reporting schemes that allow complaints to be made on other broader issues such as human resources matters are not covered by the Opinion and are likely to be challenged under E.U. privacy laws.

15. Under French law, for example, the introduction of whistleblowing regimes on matters other than accounting, auditing, financial reporting, financial fraud, corruption, etc., requires an explicit permit from the CNIL. According to CNIL staff, it is unlikely that such a permit will be given for reporting schemes that allow complaints on human resources matters.

16. See Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the "E.U. Directive"). Article 2 of the Directive defines "personal data" as "any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity".

17. Ibid.

18. Tribunal de Grande Instance de Libourne, 15 Septembre 2005, Comité d’établissement BSN Glasspack et autre c/ Sté BSN Glasspack.

19. For international transfers to the United States (considered by the European Commission to be a country that does not ensure an adequate level of data protection), the company will need to have subscribed to the Safe Harbor Scheme, entered into a transfer contract with the E.U. company that has been approved by local data protection authorities, or set up binding corporate rules approved by local data protection authorities. Further information is available at www.mofo.com/news/updates/files/update1170.html.

20. Available at http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/others/2006-16-02-whistleblowing_en.pdf.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved