The U.S. Sarbanes-Oxley Act of 2002 ("SOX") requires audit committees of public companies to establish procedures for the anonymous submission by employees of that company of concerns related to accounting and financial matters. Multinational corporations, however, have to be careful to consider data protection, labor and human rights legislation in the EU and other countries in the design of their whistleblower programs.
In mid-2005, the French data protection authority ("CNIL") prohibited the implementation of two SOX-inspired whistleblowing programs submitted for CNIL approval by affiliates of McDonald’s and Exide Technologies. Also, in mid-2005, a German labor court invalidated certain provisions of Wal-Mart’s code of conduct, including the use of a hotline for reporting violations, because they had not been negotiated with the works council. These decisions reflect the unease in many EU countries over the concept of encouraging individuals to inform against others anonymously and without an immediate opportunity for the accused person to respond.
In an effort to permit SOX-styled hotlines and codes of conduct to coexist in compliance with French data protection laws, the CNIL issued guidelines in late 2005. Following that, in February 2006, the EU issued its own pan-European guidance on whistleblower programs ("EU Guidelines"). The EU Guidelines provide guidance, but because each EU member state has responsibility for interpreting and implementing them, they may be interpreted differently in each EU member state.
Overall, the EU Guidelines provide recommendations on (i) the type of data that may be collected, ensuring that the data received is of trustworthy quality, (ii) providing employees with information on the workings of the whistleblower system, (iii) protecting the rights of the incriminated person, and (iv) taking appropriate security measures to ensure that the information gathered is not lost or diverted from its purpose, and that the identity of the whistleblower remains confidential. The EU Guidelines also provide recommendations on the management of whistleblower schemes.
To ensure compatibility with EU data protection law, companies with EU subsidiaries seeking to set up whistleblower systems in such countries should consider the following:
- The scope of whistleblower systems should be limited to complaints relating to SOX matters, such as accounting, auditing, banking and financial corruption. Complaints concerning other matters such as general labor, harassment or employment should be handled through other avenues.
- Anonymity of the reporting individual is allowed, but not required. Anonymous reporting should not be encouraged and prior to accepting an anonymous report, the reporting person should be informed that he will not suffer retaliation and that his identity will be kept confidential.
- Employees should be notified of the voluntary nature of the whistleblower system.
- Any personal data obtained should either be kept in the EU member country or be transferred outside the EU only in adherence to EU cross-border data transfer obligations, which include obtaining the consent of the affected individual, entering into a data protection agreement, or complying with the "safe harbor privacy principles" issued by the U.S. Department of Commerce.
- The accused person should be promptly notified and the details of the complaint should be provided to the accused individual, once the company has been able to take measures to protect or secure evidence and prevent its destruction.
- The accused person should be allowed to access his data and request rectification or even deletion of it, but such access rights do not include entitlement to information about third parties, such as the whistleblower’s identity.
- Any whistleblower complaint found to be unsubstantiated should be deleted immediately. Personal data related to whistleblower reports should not be kept more than two months after closure of the investigation.
- Reasonable precautions should be taken to preserve the security of data and to prevent accidental or unlawful destruction, loss or access.
- Any third-party providers that manage telephone and/or e-mail hotline systems should be contractually bound to refrain from using the data collected for illegitimate purposes and should keep the data confidential and retain such data within the time limits for data storage.
- A small, specially trained group, bound by confidentiality obligations, should be set up within the company to handle whistleblower reports.
Each EU state is different, and companies should consult with the data protection authority in that country when implementing a whistleblower program in such state. Some countries may be subject to an EU Works Council requirement, as in Germany, whereas some countries may require notification and/or approval of data protection authorities, as in France. Therefore, companies should ensure compliance with each individual country's laws when designing their whistleblower program for such country.
For further information or questions on implementing a whistleblower program for foreign subsidiaries in the EU, please contact a member of our Corporate Practice Group.