Between a Rock and a Hard Place: Whistleblowing Procedures under Sarbanes-Oxley and European Union Data Protection Laws
Some clarification of the U.S.–E.U.[1] data protection impasse came on February 1, 2006, when the European data protection authorities (the Article 29 Working Party[2] ("WP29")) issued an Opinion[3] setting out detailed guidelines on the establishment of whistleblowing procedures. The Opinion seeks to enable companies to comply with the Sarbanes-Oxley obligations imposed on U.S. publicly traded companies in a manner consistent with E.U. privacy law. The Opinion, however, does not resolve many tensions between the Sarbanes-Oxley Act ("SOX") and E.U. privacy principles.
Moreover, many multi-national companies have adopted more expansive whistleblowing procedures that accept reports on matters not covered by Sarbanes-Oxley, such as concerns about crimes, civil offences, miscarriages of justice, professional conduct, employment matters, intellectual property, dangers to health and safety or the environment, and other subjects. These broader schemes are not permitted under the Opinion. Multi-nationals are therefore well advised to review their whistleblowing provisions in light of the new Opinion and their obligations under SOX.
Background
Following a series of U.S. corporate scandals, in 2002 the U.S. Congress adopted the Sarbanes-Oxley Act, which, among many other things, requires companies listed on U.S. stock exchanges to establish anonymous reporting procedures for employee complaints to audit committees regarding fraud in accounting, auditing, and financial reporting.[4] This requirement applies to European companies whose shares are traded on U.S. stock exchanges, and also applies to European subsidiaries of U.S. companies listed on U.S. stock exchanges.
The suspicion and caution with which E.U. authorities view anonymous reporting are typified by the French reaction. The use of a whistleblowing scheme was prohibited by a French regional court.[5] The French Data Protection Authority ("CNIL")[6] also banned the introduction of such schemes at two French subsidiaries — McDonald’s France and CEAC, a division of Exide Technologies — as they violated French privacy law.[7]
The CNIL opined that local labor laws and practices already provided employees with sufficient opportunities to notify superiors, employee representatives, internal auditors, or the human resources department of any suspicious conduct. The CNIL also argued that broad reporting schemes could contravene French criminal law because "denunciations" are considered a criminal act (this stems from the events of World War II, when "denunciations" were encouraged by the Vichy Government, which collaborated with the Germans).[8]
Reversing its earlier position that whistleblowing lines are intrinsically threatening, and in an effort to resolve the conflict, the CNIL subsequently adopted guidelines for French companies wishing to implement whistleblowing schemes required under Sarbanes-Oxley.[9] At the end of December 2005, the CNIL also published a Decision, complemented by a Questions & Answers document,[10] alleviating registration requirements.[11] Provided a company complies with the recommendations stated in the Decision, it need only formally declare its compliance with those conditions to benefit from a blanket authorization.
In Germany, whistleblowing schemes have been ruled out by labor courts unless they are implemented in consultation with local works councils.[12]
More akin to the U.S. approach, in 1998 the UK Information Commissioner[13] adopted the "Public Interest Disclosure Act," which is significantly broader in scope than the French guidelines and addresses the reporting concerns of employees in a much wider fashion.[14]
This inconsistent European approach may have prompted the WP29 to issue the Opinion, which purports to allow whistleblowing schemes limited to Sarbanes-Oxley issues, but only if such schemes comply with certain conditions.[15]
Significant Aspects of the Opinion
When Are Whistleblowing Schemes Considered Lawful?
To the extent that "blowing the whistle" involves the collection and processing of "personal data,"[16] whistleblowing is subject to the Member State implementation of the provisions of the E.U. Data Protection Directive ("Directive").[17] According to the Opinion, whistleblowing schemes may only be permitted if they are established as a result of "legal obligations."
The WP29 stated that only an obligation under E.U. Member State law may serve as a legal basis to process personal data. Foreign laws such as Sarbanes-Oxley therefore do not establish a legal obligation under E.U. standards. The Opinion, however, goes on to state that whistleblowing is also legitimate where foreign legal obligations fulfill a "legitimate purpose" under E.U. standards. The Opinion concludes that Sarbanes-Oxley serves legitimate purposes under E.U. standards.
In addition, according to the WP29, whistleblowing schemes should complement existing complaint and control mechanisms under E.U. Member State audit and labor rules providing for reporting to superiors, employee representatives, internal audit departments, or the human resources department. Also, the use of whistleblowing schemes should be strictly voluntary, and employees should be clearly informed about the non-obligatory nature of the scheme.
What Data May Be Collected?
In accordance with the Directive’s "proportionality principle," the Opinion states that data collected through whistleblowing schemes should be limited to what is strictly necessary for the report and follow-up investigation. The Opinion also states that companies should consider limiting the scheme to those employees who have access to accounting, auditing and financial information. In September 2005, similar concerns caused a French regional court to rule that workers on the factory floor could not use reporting schemes, as they do not have access to financial or accounting information.[18]
Anonymous Reports
Although anonymous reporting is commonplace in the U.S., it is not an accepted practice in Europe (which is perhaps a reflection of historical unease). The Opinion recommends that anonymous complaints be discouraged and that anonymous reporting channels not be advertised.
To address concerns about retaliation, the Opinion states that the identity of employees who raise concerns should be kept confidential.
However, perhaps in recognition of Sarbanes-Oxley requirements, anonymous reporting is permitted as long as it is not made compulsory. Also, according to the Opinion, anonymous reports should be treated with caution and should be examined before being communicated within the organization.
Rights of Defense
A major point of contention regarding the implementation of whistleblowing schemes in Europe concerns the accused person’s right to contest any report. The Opinion states that companies that decide to implement reporting schemes must ensure that appropriate information is provided to all persons identified in a report. At a minimum, the accused person must be informed of: (i) the entity responsible for the whistleblowing scheme; (ii) the nature of the accusations that have been made; (iii) the departments or services that may receive the report (including the company itself and any of its affiliates); and (iv) how the accused may exercise rights of access and correction. The Opinion recognizes that evidence may first need to be secured before the accused is notified of any allegations.
Organization of the Whistleblowing Scheme
Pursuant to Articles 16 and 17 of the Directive, all processing of personal data must be confidential and secure. The Opinion recommends that (i) the whistleblowing scheme be set up and administered by "specially trained and dedicated people" who serve under confidentiality duties; (ii) the whistleblowing scheme be neither part of a "human resources department" at the company nor integrated into any other specific department, i.e., the scheme must operate as a separate, independent department; and (iii) the company ensure that whistleblowing reports are only transmitted to this particular independent department.
In the event a company chooses to outsource the scheme to a third party, the Opinion states that a contract must be in place between the parties to ensure that the third-party outsourcer complies with all confidentiality and security measures. Such agreements should include the following: (i) strict confidentiality obligations; (ii) an obligation to communicate the information processed only to persons belonging to the company’s dedicated internal team; (iii) an obligation to comply with data protection principles; (iv) a commitment to process the data only for the specific purposes for which they were collected and to act only on instructions from the controller; (v) compliance with the data retention periods by which the data controller is bound; (vi) an undertaking to destroy or return all paper and electronic materials when the contract is terminated; and (vii) an obligation to implement appropriate security measures. Nevertheless, the Opinion states that liability will rest with the company organizing the scheme, not the third-party outsourcer.
Transferring Whistleblowing Reports Outside the E.U.
Although the Opinion considers it "preferable" for companies to implement local whistleblowing schemes in Europe, in practice most U.S.-based multinationals will employ a centralized system set up in one country (most likely the U.S.) to deal with all reports made through the scheme. If the scheme relies on European subsidiaries transferring data outside the E.U., then the Opinion states that companies will need to comply with the Directive’s provisions on international data transfer restrictions.[19]
However, to the extent that data are collected directly by the U.S. company, for example by means of a U.S. website or a U.S. telephone hotline, and the European subsidiary plays no part in the establishment or maintenance of the scheme, there may be no "international transfer" of data within the meaning of the Directive. Only where the E.U. and U.S. entities collaborate, by jointly deciding what personal data are collected and by what means, or where the European subsidiary determines this on its own, will there be a "data transfer" within the meaning of the Directive.
Conflicts Between the Opinion and Sarbanes-Oxley
The Opinion specifically quotes the requirement of Sarbanes-Oxley that the audit committees of publicly traded companies must establish procedures for "the receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls or auditing matters; and the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters." Notwithstanding this acknowledgment, the Opinion contains guidance that clashes with these requirements in the following respects:
- The Opinion recommends that companies discourage anonymous employee complaints and not advertise the existence of anonymous channels;
- The Opinion recommends the creation of a separate organization, apart from the human resources department, consisting of specifically trained personnel to investigate employee complaints, although Sarbanes-Oxley imposes no such requirement;
- The Opinion recommends that companies should "deal with reports locally, i.e. within one E.U. country, rather than automatically share all the information with other companies in the group"; and
- The Opinion recommends that personal data not be transferred to countries outside the E.U. that do not have privacy laws equivalent to E.U. privacy laws, unless companies in such other countries agree to certain privacy requirements.
On February 16, 2006, the Chairman of WP29 wrote a letter to the Chairman of the Securities and Exchange Commission ("SEC") requesting that the SEC provide assurances that companies located in the E.U. that comply with the Opinion will be viewed as having complied with their obligations under Sarbanes-Oxley. Given the number and importance of the conflicts between the Opinion and Sarbanes-Oxley, it is difficult to see how the SEC will be able to provide the requested assurances.[20]
Compliance Strategies
In the meantime, companies seeking to comply with E.U. data protection laws should consider the following when setting up whistleblowing schemes accessible to employees based in the E.U.:
- Limit the scope of whistleblowing schemes to complaints relating to Sarbanes-Oxley matters (i.e., accounting, auditing, banking, and financial corruption);
- Consider disassociating the general ethics code from the reporting scheme;
- Notify employees about the details of the whistleblowing scheme, including the entity responsible for the scheme, the personnel receiving the reports, third-party service providers, the purpose of the scheme, the right to access and modify information reported under the scheme, and the voluntary nature of the scheme;
- Encourage employees to identify themselves while protecting the confidentiality of their identities;
- Ensure that all persons identified in reports are provided with complete information, including a description of the incident and possible recipients, as soon as the evidence is secured;
- Collect reports through a dedicated channel;
- Ensure that reports are either deleted or securely archived if no legal proceedings or disciplinary sanctions have been initiated within two months of the report being made;
- Enter into appropriate contracts with providers of reporting services, particularly as regards the confidentiality of information collected, security measures in place, cooperation with requests for access and rectification, and retention policy;
- Provide whistleblowers and implicated employees with the opportunity to access information, and to modify or delete any inaccurate or incomplete information when appropriate; and
- State that misuse of the scheme, such as bad-faith allegations, may result in disciplinary action and legal proceedings.
Footnotes
[1] The 25 Member States of the European Union (E.U.) currently are: Austria, Belgium, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden, the Netherlands, and the United Kingdom.
[2] The Working Party was established by Article 29 of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data, and on the free movement of such data, Official Journal L 281, 31 (hereinafter "Directive"). It is composed of representatives of national data protection authorities, and the data protection unit at the European Commission acts as its secretariat.
[3] Article 29 Data Protection Working Party: opinion paper 1/2006 on the application of E.U. data protection rules to internal whistleblowing schemes in the fields of accounting, internal accounting controls, auditing matters, fight against bribery, banking and financial crime. WP117. Available at http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2006/wp117_en.pdf. For ease of reference, this document is referred to herein as the "Opinion."
[4] Audit committees of publicly traded companies are required to establish "procedures for the receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls or auditing matters; and the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters." Sarbanes-Oxley, Section 301(4); 15 U.S.C. Section 78j-1(m)(4).
[5] Tribunal de Grande Instance de Libourne, 15 Septembre 2005, Comité d’établissement BSN Glasspack et autre c/ Sté BSN Glasspack. This decision is an "ordonnance de référé", the emergency procedure before French civil courts that enables a judge to grant an injunction to stop imminent potential damage. In this case, the potential damage concerned the risk of a breach of the civil liberties of the employees of this company in France who could have been targeted by the whistleblowing scheme put in place without the prior authorization of the CNIL.
[6] Commission Nationale de l'Informatique et des Libertés.
[8] The French Code Pénal (Criminal Code), article 226-10, treats as a crime (délit) all false accusations (dénonciations calomnieuses). A false accusation must be made against a particular person, must be capable of bringing sanctions upon the person accused, and must be made either to the police, the administration, judicial officials or an employer. False accusations may result in 5 years' imprisonment and a fine of up to €45,000.
[12] WAL-MART, Landesarbeitsgericht Rheinland-Pfalz, Urteil vom 19.01.2005, Az: 10 Sa 820/04.
[13] Data Protection Authority for the United Kingdom.
[14] The Act applies to people at work raising genuine concerns about crimes, civil offences, miscarriages of justice, dangers to health and safety or the environment, and the cover-up of any of these. Reporting schemes that allow complaints to be made on other, broader issues such as human resources matters are not covered by the Opinion and are likely to be challenged under E.U. privacy laws.
[15] Under French law, for example, the introduction of whistleblowing regimes on matters other than accounting, auditing, financial reporting, financial fraud, corruption, etc., requires an explicit permit from the CNIL. According to CNIL staff, it is unlikely that such a permit will be given for reporting schemes that allow complaints on human resources matters.
[16] See Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the "E.U. Directive"). Article 2 of the Directive defines "personal data" as "any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity".
[18] Tribunal de Grande Instance de Libourne, 15 Septembre 2005, Comité d’établissement BSN Glasspack et autre c/ Sté BSN Glasspack.
[19] For international transfers to the United States (considered by the European Commission to be a country that does not ensure an adequate level of data protection), the company will need to have subscribed to the Safe Harbor Scheme, entered into a transfer contract with the E.U. company that has been approved by local data protection authorities, or set up binding corporate rules approved by local data protection authorities. Further information is available at http://www.mofo.com/news/updates/files/update1170.html.