This practice note has been reviewed and updated by the contributors.
A note which describes the data protection and employment issues that arise when European companies listed at US stock exchanges set up corporate compliance (whistleblowing) hotlines in order to fulfil obligations under section 301(4) of the US Sarbanes-Oxley Act 2002. The note also discusses recent regulatory developments in the EU relating to whistleblowing hotlines, and suggests compliance strategies to ensure that hotlines comply with EU data protection laws.
Corporate compliance hotlines (so-called whistleblowing hotlines) allow employees to report their concerns anonymously, by telephone or e-mail, about possible violations of corporate rules by their co-workers. Rules on whistleblowing are often included in an ethics code or code of conduct with which employees are required to comply. Although these codes of conduct vary in content, they usually include a set of common standards covering, among other things:
Relationships between employees.
In some countries, such as the United States, public companies are also legally obliged to establish codes of conduct covering employees' behaviour relating to financial, accounting and corporate governance matters. Where this is the case, multi-national companies typically adopt corporate compliance hotlines not only in the country where the obligation arises, but also for subsidiaries and branch offices in other countries.
Following a series of court cases in France, Germany and Sweden, the legality of European whistleblowing hotlines has increasingly been called into question. Courts and data protection regulators of European countries such as France and Germany had resisted the introduction of such hotlines, largely because of the stigma that is historically attached to anonymous informing in those countries. Emerging regulatory guidance and case law has forced many European companies to adapt their hotlines to try to ensure that they are compliant. Today the issue remains far from settled as many companies try to navigate compliance with both European data protection legislation and other laws or corporate policies mandating the use of whistleblowing hotlines.
This note examines the origins of this issue and recent regulatory developments in the EU. It also discusses compliance strategies that companies may wish to implement to avoid falling foul of EU data protection laws.
Following a number of high-profile accounting scandals involving large corporations such as Enron and WorldCom, the US Congress adopted the Public Company Accounting Reform and Investor Protection Act of 2002, commonly known as the Sarbanes-Oxley Act of 2002 (www.practicallaw.com/8-382-3784) (SOX). SOX established new or enhanced standards for all US public company boards, management and public-accounting firms.
Section 406(a) of SOX requires all companies listed on US stock exchanges to adopt a code of ethics for senior financial officers or persons performing similar functions, which must include standards to promote:
Honest and ethical conduct, including the ethical handling of actual or apparent conflicts of interest in personal and professional relationships.
Full, fair, accurate, timely and understandable disclosure in periodic reports, which are required to be filed by issuers.
Compliance with applicable governmental rules and regulations.
Similar provisions are included in the listing rules of the two biggest US stock exchanges, NASDAQ (www.practicallaw.com/4-382-3639) and the New York Stock Exchange (www.practicallaw.com/4-382-3644) (NYSE), which also require companies listed in those markets to adopt corporate governance guidelines or codes of conduct applicable to officers, directors and employees to address compliance with laws, rules and regulations and to report any illegal or unethical behaviour (see, for example, NYSE: Listed Company Manual: 303A.00 Corporate Governance Standards, at 303A.10, and NASDAQ Rule 5610).
US entities must implement a confidential and anonymous reporting procedure for reporting questionable accounting or auditing matters (§ 301(4), SOX). It is illegal for companies to "discharge, demote, suspend, threaten, harass, or in any other manner discriminate against" employees for making use of these procedures for the purpose of reporting accounting irregularities or for assisting government and regulatory agencies in their inquiries into such irregularities (§ 806, SOX). SOX is enforced by the US Securities and Exchange Commission (www.practicallaw.com/9-382-3806) (SEC).
The rights and remedies of reporting employees were further enhanced in July 2010 when the US passed the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (www.practicallaw.com/4-502-8619) (Dodd-Frank Act) introducing a new incentive regime which provides individuals with significant financial incentives when they disclose "original information" to the regulator which leads to successful enforcement action. It also strengthens legal protection for prospective whistleblowers against retaliation. These incentives are likely to lead to more investigations being carried out.
It remains unclear whether the foreign affiliates of US-listed companies need to comply with all SOX requirements. In Carnero v Boston Sci Corp, 433 F3d 1 (1st Cir 2006), cert denied, 126 S Ct 2973 (2006), the First Circuit held that section 806 of SOX does not protect a foreign citizen who reports accounting irregularities at a US corporation's foreign subsidiary. This approach was followed by the Administrative Review Board of the US Department of Labor (www.practicallaw.com/2-501-6354) in Ahluwalia v ABB, Inc, ARB 08-008, 2007-SOX-44 (ARB June 30, 2009) and Pik v Goldman Sachs Group, Inc, ARB 08-062, 2007-SOX-92 (ARB June 30, 2009). By contrast, it was concluded in Walters v Deutsche Bank AG, 2008-SOX-70 (ALJ Mar. 23, 2009) that section 806 protected a complainant who worked in Switzerland for a Swiss subsidiary of a foreign, publicly traded parent company covered by SOX. This was because:
The retaliatory decision and some of the protected activity occurred in the US.
The complainant alleged that he spent some time working in the US.
Although the alleged securities law violations did not occur in the US, the adverse effects were felt in the US.
It remains to be seen whether the new rights under the Dodd-Frank Act will have an extraterritorial effect in practice. The law does not restrict the types of persons who can receive a financial incentive, with the exception of certain auditing firms and law enforcement staff, and therefore employees outside the US might be eligible.
This possible limitation does not necessarily affect the extraterritorial applicability of code of conduct or whistleblowing requirements under sections 301 and 406 of SOX. Companies failing to comply with SOX requirements may face heavy fines and, in extreme cases, de-listing from the stock exchange on which their shares are traded. Therefore, US-listed companies should make sure that their European subsidiaries comply with those requirements.
In the UK, the Public Interest Disclosure Act 1998 (PIDA) protects workers against being subjected to any detriment on the ground that they have made a protected disclosure (www.practicallaw.com/8-200-3427) about their employer or co-worker. A protected disclosure is a disclosure that a worker makes in good faith, reasonably believing that the information tends to show malpractice within the company. A protected disclosure may relate to:
A criminal offence.
The breach of a legal obligation.
A miscarriage of justice.
A danger to the health or safety of an individual.
Damage to the environment.
The deliberate covering up of information showing any of these matters.
(For more information, see PLC Employment, Flowchart, Protected disclosures (www.practicallaw.com/4-202-3205).)
Workers in the UK can still be protected under PIDA even if the relevant disclosure concerned a failure by the employer that took place overseas, or where non-UK law applied to the failure. A worker can make a protected disclosure:
To his employer (through whatever systems that employer has in place).
To a person whom the worker reasonably believes to be solely or mainly responsible for the failure.
To a relevant body as prescribed by the Secretary of State (see PLC Employment, Checklist, Whistleblowing: prescribed persons (www.practicallaw.com/9-202-3378)).
Since April 2010, claimants in employment tribunal proceedings have been able to indicate their consent to the tribunal notifying the appropriate regulator of the relevant disclosure. Therefore, even if a whistleblowing claim fails or settles, it is now for the appropriate regulator to decide whether to conduct an investigation or continue to investigate the facts underlying the original accusations.
For more information about the legislative framework in the UK, see PLC Employment, Practice note, Whistleblower protection (www.practicallaw.com/8-200-3903) and PLC Employment, Flowchart, Protected disclosures (www.practicallaw.com/4-202-3205).
Unlike SOX, PIDA does not require employers to establish formal whistleblowing procedures. However, an employer will usually have an interest in knowing of any malpractice, wrong-doing or misconduct in the workplace as soon as practicable so that any problems can be addressed at an early stage. Employers will also want to minimise the risks which arise when a worker makes a protected disclosure, for example, the reputational risk for the company and the risk that the worker might be dismissed or suffer a detriment as a result of the disclosure. Many employers, therefore, choose to implement whistleblowing policies which:
Contain standards of behaviour which the employer expects its workers to conform to.
Establish a structure that enables a worker to disclose malpractice, wrong-doing or misconduct to someone in the organisation other than their immediate line manager.
Such policies will usually also describe the protection provided to workers making a qualified disclosure.
For further information on whistleblowing policies in the UK, see Practice note, Effective whistleblowing policies: Drawing up a whistleblowing policy (www.practicallaw.com/8-422-5228) and PLC Employment, Standard document, Whistleblowing policy (www.practicallaw.com/1-200-2049).
The Bribery Act 2010 is likely to increase the number of whistleblowing claims, but it will be a defence to the new corporate offence of failure to prevent bribery if a commercial organisation has implemented adequate procedures designed to prevent bribery. What amounts to adequate procedures is set out in guidance that was published in March 2011 (see Legal update, Bribery Act 2010: Guidance about procedures which relevant commercial organisations can put in place to prevent bribery (www.practicallaw.com/5-505-4679)). The guidance sets out six principles that are intended to give all commercial organisations a starting point for planning, implementing, monitoring and reviewing their bribery free business regime. Principle 5 (Communication (including training) states that commercial organisations must seek to ensure that their bribery prevention policies and procedures are embedded and understood throughout the organisation through internal and external communication, including training, that is proportionate to the risks it the organisation faces. Companies should review and revise their existing hotlines to comply with the new anti-bribery procedures once they are adopted.
Where formal whistleblowing procedures are put into place, employers must ensure these comply with EU and UK data protection requirements.
Before 2005 there were few, if any, indications that European companies operating internal compliance hotlines might be violating data protection laws through their use of such systems. Industry appeared to have been caught unawares when, in 2005, data protection regulators in France and an employment court in Germany separately examined the question of whether whistleblowing hotlines were lawful, and concluded that they were not.
In France, questions about the legality of whistleblowing hotlines arose when two companies, McDonalds France and Compagnie Européenne d'Accumulateurs (CEAC/Exide Technologies), sought regulatory approvals from the French National Commission for Data Protection and Liberties (CNIL) for their compliance hotlines (McDonald's, CNIL Délibération No 2005-110, May 26 2005 and CEAC/Exide Technologies, CNIL Délibération No 2005-111, May 26 2005). In May 2005, the CNIL decided that the McDonalds and CEAC/Exide Technologies hotlines would violate France's data protection regime because:
French data protection law applied despite the hotlines having significant US connections. Among other things, the CNIL believed that both CEAC/Exide Technologies and McDonalds France would have a meaningful role to play in the operation of their respective hotlines by making them accessible to French employees and following up on submitted complaints.
The hotlines would lead to an organized system for submitting reports and collecting personal data on French employees in a manner contrary to French data protection law, which provides that any processing of personal data must respect the fundamental rights of French citizens.
By enabling staff to submit anonymous complaints, the hotlines would increase the risk that staff would make false allegations that could injure the reputation of co-workers.
The hotlines would give rise to a disproportionate amount of collection and processing of personal data relating to French employees. Instead, more targeted devices for reporting alleged infractions of the companies' codes or applicable laws would be more appropriate.
Where complaints referred to employees, as possible wrongdoers or otherwise, those employees would not be informed adequately or in a timely manner about the collecting and processing of their personal data.
The legality of whistleblowing hotlines was considered again in December 2009 when the French Court of Cassation ruled that a company's whistleblowing procedure was illegal because its scope was unrestricted. A French-listed company, Dassault Systèmes, had implemented a whistleblowing system the scope of which included material breaches of the principles described in the company's Code of Business Conduct where the vital interests of the company or the physical or moral integrity of a person were at stake. These vital interests included, for example:
The infringement of intellectual property rights.
Conflicts of interest.
Sexual or psychological harassment.
Since 2005, under the CNIL’s single authorisation AU-004 regarding the use of whistleblowing schemes (referred to the single authorisation) (see CNIL: Guideline document for implementation of whistleblowing systems (10 November 2005)), French companies have been required to register their whistleblowing schemes with the CNIL (see box, Developments in EU member states: France). A company must either file a formal request for approval with the CNIL or, if the hotline falls within the scope of the single authorisation, obtain the CNIL's authorisation automatically by formally declaring that the company complies with the relevant conditions in the single authorisation. The single authorisation indicates that data collected under a scheme should only relate to accounting, financial and anti-corruption issues, including compliance with Section 301(4) of SOX.
However, as initially enacted, the single authorization indicated that information falling outside this scope, but which may affect the vital interests of the business or the physical or moral integrity of employees, could be sent to the relevant persons in the company. In its ruling, the court clarified that if the scope of a compliance hotline is not limited to auditing and financial matters, the hotline must be authorised specifically by the CNIL. The single authorisation is not intended to broaden the permitted scope of the hotline but only to indicate that matters that fall outside of this limited scope may, in limited circumstances, be transferred to appropriate persons within the company.
The court also ruled that information about fair processing (for example, access rights) has to be provided directly to data subjects and therefore it is not sufficient to refer the data subjects to the terms of the single authorisation.
On 14 October 2010, the CNIL modified the single authorisation to reflect the court’s decision, deleting the open-ended provision allowing for reports on matters that pose a threat to the vital interests of the company. Companies that wish to apply their hotline to this broader set of concerns will now have to seek a normal authorization from the CNIL and can no longer rely on the single authorization procedure. However, the recent amendment also expanded the scope of hotlines permitted under the single authorisation by including reports aimed at combating anti-competitive practices.
For an overview of the French data protection regime, see Article, Data Protection: France (www.practicallaw.com/6-502-1481).
In 2005, a subsidiary of US company Wal-Mart was defending itself before a local employment court in Wuppertal, in the German state of North Rhine-Westphalia. The court had to decide whether Wal-Mart violated section 87 of Germany's Work Council Constitution Act (Betriebsverfassungsgesetz) by failing to engage in a co-determination procedure with its works council, an employee-elected organisation that represents the employees’ social and personal interests before the employer, before implementing a code of conduct. The co-determination rights apply where the consent of the works council is a mandatory requirement under German employment law for under undertaking particular measures. Walmart's 29-page code of conduct contained a list of rules for employees and called upon Wal-Mart employees to use a hotline to report suspected code violations by co-workers. The central issue was not whether the Wal-Mart hotline breached Germany's data protection regime through its internal reporting regimen, but rather whether Wal-Mart had failed to comply with its obligations under German employment law. Nonetheless, the case was seen as broadly calling into question the legitimacy of whistleblowing hotlines under German law.
In June 2005, the Wuppertal employment court held that Wal-Mart had indeed violated Germany's Betriebsverfassungsgesetz by issuing its corporate code without consulting with its German works council (Arbeitsgericht Wuppertal, 15 June 2005, 5 BV 20/05, NZA-RR 2005, 476). The court concluded that Wal-Mart's code required works council pre-approval because it imposed additional burdens on staff (that is, employees could be sanctioned for not complying with the code, including failing to use the hotline to report breaches of the code) and because the hotline was viewed as a mechanism for monitoring employee performance.
The state employment court in Duesseldorf dismissed Wal-Mart's appeal in its decision in November 2005, mainly following the lower court's ruling. However, it also held that a specific condition contained in the Wal-Mart code of conduct, namely a prohibition on romantic relationships between co-workers where one of them is in a position to influence the working conditions of the other, violated individuals' personality rights as set out in Articles 1 and 2 of the German Constitution.
On 17 March 2010, the Stockholm Administrative Court upheld a decision of the Swedish Data Protection Authority concerning the conditions under which an internal whistleblowing hotline may be implemented in Sweden. Under the Swedish Data Protection Act (personuppgiftslagen), only public authorities are allowed to process data relating to criminal convictions or suspected criminal offences. However, the Data Protection Authority has issued a number of statutory exemptions that allow private organisations to process such data and maintain hotlines more generally, subject to certain conditions being met. One such condition is that only company executives and persons in key positions can be reported through the hotline. Three multinational organisations challenged the imposition of this condition, but it was upheld by the Stockholm Administrative Court.
For an overview of the Swedish data protection regime, see Article, Data Protection: Sweden (www.practicallaw.com/8-502-0348).
The developments in France and Germany generated enormous interest among data protection regulators as well as anxiety within industry. US organisations, in particular, became deeply worried that the CNIL ruling suggested that SOX hotlines conflicted with French data protection rules. As a result, the EU's Article 29 Data Protection Working Party (Working Party) released an opinion paper in early 2006 to provide industry with further guidance.
The Working Party was set up under Article 29 of Council Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive) to act as an independent advisory body on data protection and privacy. One of its tasks is to promote a more uniform application across the EU of the principles contained in the Data Protection Directive.
In February 2006, the Working Party released a working paper on the application of EU data-privacy rules to internal whistleblowing schemes (WP117). WP117 discussed whether, and to what extent, whistleblowing hotlines targeting financial and accounting improprieties, including specifically SOX hotlines, can co-exist with EU data protection laws, and provides some useful recommendations on how to operate such schemes lawfully. The timing of WP117's publication, immediately following the CNIL and Wuppertal court decisions, suggests that the Working Party wants to arrive at a harmonised European approach promptly and avoid the possibility that national data protection regulators will adopt divergent positions.
The scope of WP117 is limited to:
"The application of EC data protection rules to internal whistleblowing schemes in the fields of accounting, internal accounting controls, auditing matters, fight against bribery, banking and financial crime."
Because of this, the Working Party did not address other data protection issues arising from whistleblowing hotlines generally. Although the Working Party has indicated that it may publish a subsequent opinion or working paper to deal with other kinds of hotlines, it has not yet done so. WP117 is therefore the only opinion paper setting out the Working Party's views on the matter.
The processing of personal data inside the EU and the transfer of such data from the EU to countries outside the European Economic Area (www.practicallaw.com/0-107-6555) (EEA) is subject to the data protection regime set out in the Data Protection Directive. The Directive introduced broad obligations on those who collect personal data (data controllers (www.practicallaw.com/5-107-5723)), as well as conferring broad rights on individuals about whom data is collected (data subjects (www.practicallaw.com/0-107-5725)).
Personal data is defined in Article 2(a) of the Directive as information relating to either an identified person or a person who can be identified, directly or indirectly, by a reference number or by one or more factors specific to him.
The Directive has been implemented in the UK through the Data Protection Act 1998. For a detailed description of the UK data protection regime, see Practice note, Overview of UK data protection regime (www.practicallaw.com/7-107-4765).
Article 6 of the Data Protection Directive requires that personal data must be provided fairly and lawfully. For whistleblowing schemes to be lawful, the processing of personal data carried out as part of the procedure must be legitimate and must satisfy one of the grounds set out in Article 7 of the Directive. These grounds include, among others, situations where:
The processing is necessary for compliance with a legal obligation to which the data controller is subject. This could arguably include a company's obligation to comply with the provisions of SOX or other legislation requiring the establishment of whistleblowing hotlines. However, the Working Party concluded that an obligation imposed by a foreign legal statute or regulation, such as SOX, does not qualify as a legal obligation that (under Article 7(c) of the Data Protection Directive) would legitimise data processing in the EU. It found that any other interpretation would make it too easy for foreign legislators to circumvent the EU rules laid down in the Data Protection Directive.
The processing is necessary for the purposes of the legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed. The Working Party acknowledged that whistleblowing schemes adopted to ensure the stability of financial markets and the prevention of fraud, the fight against bribery, banking and financial crime, or insider trading might be seen as serving a legitimate interest of a company that would justify the processing of personal data by means of such schemes. It also accepted the need for companies to comply with the US regulatory framework as a legitimate interest of those companies. However, the Working Party pointed out that Article 7(f) of the Directive required a balance to be struck between that legitimate interest and the fundamental rights of data subjects. Accordingly, the Working Party argued that this balance-of-interest-test should take into account:
The seriousness of the alleged offences that can be notified.
The consequences for the data subjects.
It therefore advocated that adequate safeguards should be put into place as well as provisions that allowed the data subject to object at any time, on compelling legitimate grounds, to the processing of the data relating to them.
The Working Party also made the following recommendations for structuring a whistleblower hotline scheme that is compatible with EU data protection laws:
Application of data quality and proportionality principles. The Working Party recommended that hotlines be structured, whenever feasible, to limit both the number of persons entitled to report alleged improprieties and the number who might be incriminated through their use.
Reporting on a named basis. The Working Party suggested that organisations should not encourage employees to submit anonymous reports, although it conceded that it might be impossible to prevent employees from doing so. Instead organisations should encourage employees to submit reports on a named, confidential basis. Significantly, this was seen by some as a softening of the CNIL position and a concession to US companies subject to SOX, which calls for a mechanism whereby employees may submit confidential, anonymous reports. However, on the question of whether SOX requires a mechanism for reporting improper accounting or auditing matters on a confidential or anonymous basis (or arguably both), the SEC interprets the statute as requiring a hotline which enables employees to make anonymous (not just confidential) complaints (Letter from Ethiopis Tafara, Director, SEC, to Peter Schaar, Chairman, Article 29 Working Party (8 June 2006)). To date, discussions between the SEC and representatives of the Working Party have helped to avoid direct conflict on this point.
Limitation of information provided through the whistleblowing scheme. The Working Party recommended that the type of information collected and processed through the scheme should be strictly defined and limited to accounting, auditing and related matters. Where an internal investigation revealed no evidence of wrongdoing by an employee, the associated personal data should be destroyed within two months. The Working Party recommended that, in cases where wrongdoing was uncovered, the data should be kept until the end of the investigation and/or subsequent legal or disciplinary proceedings. After that point, organisations might be allowed to archive data in a separate information system if such retention was intended to mitigate future risks or liabilities.
Provision of information about the whistleblowing scheme. The Working Party reminded organisations that employees should be informed of the existence of, the purposes served by and the rights associated with a whistleblowing scheme before it is implemented, and that the organisation should hold in confidence the identities of those who submit reports in good faith.
Rights of incriminated persons. The Working Party observed that it was essential to balance the respective rights of the person incriminated, the whistleblower and the company's legitimate investigative needs. Consequently, organisations should employees whenever a hotline report associated them with wrongdoing. The employee should also be told who would receive a copy of any subsequent internal report in which their personal data appears, and about their right to access and rectify information appearing in such reports. However, the Working Party accepted that organisations could curtail these rights where there was a substantial risk that exercising them would jeopardise the company's ability to investigate the complaint.
Security of processing operations. The Working Party reiterated that organisations processing personal data must apply appropriate technical and organisational measures to keep secure any personal data that has been gathered through a whistleblowing hotline. It also noted that when organisations engage service providers (such as call centres) to furnish hotline services, those service providers are deemed to act as data processors. Accordingly, organisations must ensure that a service contract is in place that specifically includes provisions relating to data security. (For more information about the processing of personal data by third parties in the UK, see Practice note, Overview of UK data protection regime: Processing by third parties (www.practicallaw.com/7-107-4765).)
Management of whistleblowing schemes. To ensure that organisations maintain their hotlines in a secure and confidential manner, the Working Party recommended that organisations establish an independent internal team dedicated to handling whistleblower reports. The Working Party also recommended that complaints of a less serious nature should be handled in the EU, and not transmitted to overseas offices and management. However, the Working Party conceded that it may be necessary for complaints carrying serious ramifications for an overseas operation or a broader corporate family to be transmitted outside the EU.
Transfers to third countries. The Working Party recommended that a mechanism for complying with EU data-transfer rules must be in place whenever personal data that is collected in the course of operating an EU whistleblowing hotline is then transferred outside the EEA, for instance, to an organisation's corporate headquarters. The most likely options include transferring the data to a Safe Harbor participant in the US (for EU-US transfers only) or transferring it pursuant to either an EU model transfer contract or a set of binding corporate rules agreed among a group of companies. For more information about cross-border transfers of personal data to countries outside the EEA, see Practice note, Cross-border transfers of personal data (www.practicallaw.com/0-201-5764).
Compliance with notification requirements. The Working Party reminded organisations that they had to comply with any local notification rules applicable to hotlines and associated databases and systems. Some countries, such as France, the Netherlands and Belgium, also require regulatory approvals.
Although the Working Party's recommendations are not binding, organisations that operate whistleblowing hotlines in the EU, or make hotlines available to their EU workforce, should ensure that they comply with those recommendations and the guidance of relevant local data protection authorities to avoid a breach of EU data protection laws (see box, Developments in EU member states). Most EU data protection regulators have focused their attention on hotlines used for reporting accounting, auditing or related improprieties. However, this should be of little comfort to organisations operating other types of hotline or whistleblowing schemes. The concerns giving rise to WP117 and the guidance issued by national authorities are likely to apply equally to hotlines serving only a general internal compliance function, which raise the possibility of even greater data misuse.
Any attempt by organisations to avoid EU jurisdiction by limiting the extent to which their EU affiliates participate in the set-up and operation of a complaints system or the handling of complaints may turn out to be a risky strategy. Many EU data protection regulators will set a low threshold when deciding whether an EU affiliate's involvement with a hotline is sufficient to trigger jurisdiction. The CNIL, for instance, maintains that French law will apply to hotlines situated overseas if they are accessible to French employees. Moreover, such a strategy may prove difficult to put into practice, as it may become necessary for an EU affiliate to take action in response to well-grounded complaints and possibly commence disciplinary hearings involving the relevant employees. Data protection regulators may regard these follow-up activities as inextricably intertwined with the operation of the relevant hotline.
For their compliance systems to conform to EU data protection norms, organisations with whistleblowing hotlines in the EU should:
Narrow the scope of any existing hotlines so that they can be shown to be mandated by law or designed to deter activities or behaviours posing a real and significant risk to:
members of its workforce; or
the public at large.
Avoid deploying hotlines for general compliance purposes or procedures that could encourage employees to submit complaints on frivolous or inconsequential matters. Regulators may be willing to accept a system that elicits information relating to matters that could cause serious harm or give rise to liability for the company, but not systems that will be used by employees to report modest infractions of company policies with no real impact on the organisation.
Deploy hotlines that enable employees to report compliance deficiencies or concerns without necessarily having to make allegations against specific, named individuals. Allegations against particular individuals could still be made under local ad hoc complaint procedures that have a more formal (and less automated) character and are not anonymous.
Provide EU staff with information regarding:
the scope of the hotline;
how it should be used; and
the handling of complaints, including any rights that they may have in, and to, the data.
Remind employees should be reminded that other complaints mechanisms may exist, which they may prefer to use.
Instruct and encourage any employees using a hotline to furnish their own personal details when submitting a complaint, without necessarily prohibiting the submission of anonymous complaints.
Inform affected employees promptly whenever a complaint has been lodged attributing wrongdoing or improper conduct to them, unless doing so might jeopardise an investigation. Allow affected employees, where feasible, to learn the basic facts surrounding the complaint and to exercise their rights of access and correction.
Place a time limit on the retention of data gathered through the hotline, in line with the recommendations made in regulatory guidance papers. Where data are to be archived in order to mitigate the risk of future liability or harm to the company, those systems should be secure and the data should be kept to a minimum.
Ensure limited flows of complaint data (for complaints systems operating in the EU) to parties outside the EEA (including foreign group companies) unless the complaint can be shown to materially implicate the interests of the foreign entity.
Implement stringent data-processing contracts whenever any third-party service provider helps to operate the hotline.
Require a strict confidentiality agreement with all employees who handle complaint data on a regular basis, or who assist in the operation of the whistleblowing scheme.
Even organisations that adopt all of these measures may still be subject to the scrutiny of EU data protection regulators. Following recent developments, the risks associated with operating compliance hotlines in the EU remain difficult to quantify. Organisations should, therefore, continue to be cautious when implementing whistleblowing schemes in the EU. Most organisations whose hotlines permit the submission of anonymous complaints, in particular SOX hotlines, may need to rethink their current arrangements to deter anonymous complaints, without necessarily prohibiting them.
For some organisations, modifying existing hotlines may prove difficult or impracticable to achieve in the short term, or may expose the organisation to potential liability under other regulatory regimes that appear to mandate the use of non-compliant hotlines. In that event, it may be necessary to balance the risk of financial penalties arising from a breach of EU data protection laws and the reputational implications of non-compliance against the potential fines and sanctions that non-compliance with other regulatory obligations could attract.
The summary of non-UK law below reflects the law at 2 October 2010.
Since the publication of WP117 by the Working Party, a number of EU member states' data protection regulators have released local guidance or implemented local procedures for assessing or approving compliance hotlines. Although these developments have largely been consistent with WP117, some national regulators have made recommendations slightly at variance with WP117. These have watered down its harmonising effect.
On 5 December 2008, the Austrian Data Protection Commission (Datenschutzkommission) delivered its first decision on the operation of SOX whistleblowing hotlines in Austria. The conditions laid down for the hotlines are based on WP117 recommendations. The Commission authorises the operation of such schemes under two conditions:
Only SOX-related matters may be reported.
Only alleged wrongdoings of management-level employees may be reported.
In addition, the hotline must be approved by the works council or, if there is no works council, by each employee before it is implemented.
For an overview of the Austrian data protection regime, see Article, Data Protection: Austria (www.practicallaw.com/0-502-0328).
In Belgium, the Commission for the Protection of Privacy published guidelines in November 2006, which are closely aligned with WP117 (Recommandation No 01/2006 du 29 novembre 2006 relative à la compatibilité des systèmes d'alerte interne professionnelle avec la loi du 8 décembre 1992 relative à la protection de la vie privée à légard des traitements de données à caractère personnel). For instance, the Commission called for complete transparency and the provision of clear information to staff regarding the complaints hotline. It noted that such hotlines are meant to complement existing complaints mechanisms, and that they should not be used for reporting trivial incidents or issues. The information derived from them must be kept secure. In addition, the Commission reiterated that personal data should only be transmitted outside the EU to a related company, such as a parent, if the complaint has serious repercussions for the company as a whole and is not just a local (that is, Belgian) issue. The Commission also said that organisations using hotlines in Belgium should notify the Commission of their use.
Of particular note for organisations that are subject to Belgian rules is the need to designate a member of staff to handle complaints. These individuals must be made subject to a strict duty of confidentiality when handling complaint data, and they must enjoy a degree of independence in that role. They are responsible for assessing the data to ensure that it is adequate, factual and retained for the minimum amount of time necessary to investigate the complaint. Organisations also need to put in place appropriate safeguards in case this individual fails to perform his duties properly, harming either the person submitting a complaint or the person named in it.
For an overview of the Belgian data protection regime, see Article, Data Protection: Belgium (www.practicallaw.com/2-502-2977).
The Finnish Data Protection Ombudsman has published guidance on compliance hotlines. The guidelines set out the data protection requirements arising from the Finnish Personal Data Act (henkilötietolaki) and the Act on the Protection of Privacy in Working Life (työelämän tietosuojalaki) in the context of whistleblowing hotlines conforming largely with the suggestions in WP117. The main obligations arising from the guidance require companies to:
Consult employee representatives before implementing a whistleblower scheme.
Limit the information processed through the hotline to data concerning:
Inform any employees who are subject to a complaint about the complaint before using the relevant data in making any decision concerning the employee (for example, the decision to take disciplinary or related proceedings).
Ensure that employees referenced in compliance reports have a right to learn the identity of the employee submitting the report.
Establish clear retention periods for storing hotline data and ensure that data is not kept longer than is necessary to conduct the internal investigation, unless disciplinary or judicial procedures have started, in which case the data can be retained until such procedures are concluded.
Ensure that data is protected with adequate organisational and technical security mechanisms and designate a data-security controller (that is, an individual responsible for responding to questions and overseeing the system).
There is generally no requirement to notify the whistleblowing hotline to the Data Protection Ombudsman unless the operation of the hotline has been outsourced to a third party. Notification requirements might also arise if the personal data collected through the hotline is transferred outside the EEA.
The CNIL continues to devote much attention to the issue of compliance hotlines. While the Working Party was discussing the content of WP117, the CNIL developed its own guidelines, the single authorisation, which it released in November 2005, to assist companies in their compliance with both French data protection law and SOX rules (see CNIL: Guideline document for implementation of whistleblowing systems (10 November 2005)). In this document, the CNIL describes a two-tier system of notification. Companies operating their hotlines in conformance with the single authorisation qualify for a lighter and more straightforward self-authorisation regime, whereas other companies are required to rely upon a more cumbersome CNIL authorisation process. The two-tier authorisation scheme came into force in December 2005, but the CNIL has announced that it will review the conditions of the authorisation scheme in 2010.
To benefit from the simplified French authorisation procedure, organisations must ensure that their compliance hotlines are completely voluntary and that they supplement other internal corporate controls. The hotlines must be limited in scope to address only fiscal or financial matters, accounting or suspected bribery offences (although there may be scope to include other serious events). The schemes must operate in accordance with an internal system that guarantees the confidentiality of any information collected. The schemes must avoid the retention of personal data for more than two months where the complaint is found to be unfounded, and must otherwise ensure that data is deleted once associated disciplinary or judicial proceedings have finished (unless the data is archived to mitigate against future potential liabilities). Companies must:
Ensure that the personal data collected is correct.
Ensure the confidentiality of the whistleblower.
Allow an employee accused of impropriety the right to correct any incorrect information.
Many of the CNIL's recommendations mirror those contained in WP117, suggesting to many that the CNIL played a leading role in the preparation of WP117. Meanwhile, organisations that cannot meet these criteria must apply for individual authorisation, which involves the submission of a standard notification form that the CNIL has pledged to review within two months of receiving it.
The CNIL has also released additional guidance (see CNIL: FAQs on whistleblowing systems).
In April 2007, the German ad hoc Working Group on Employee Data Protection published a report entitled Whistleblowing - Hotlines: Internal Warning Systems and Employee Data Protection. This report was adopted by the working group of local data protection authorities in Germany (the Düsseldorfer Kreis) in April 2007. The report introduces guidelines that will allow companies to introduce whistleblowing hotlines and still remain compliant with German data protection law. The guidelines go beyond the Article 29 Working Party Opinion of February 2006, because in addition to dealing with accounting, auditing, bribery and financial crime, they also cover violations of ethical conduct and environmental and human rights legislation.
The German guidelines provide information on the following topics, among others:
The persons concerned.
Transfers of information to third parties.
Rules on the destruction of data.
They make the following recommendations:
Whistleblowing hotlines should supplement, and not replace, existing internal complaints-handling mechanisms.
Processing personal data through a whistleblowing hotline can be justified if it is for the purpose of ensuring financial stability within a company by preventing fraud and bribery and so on. However, such data processing will not be justified if it undermines the legitimate interests of data subjects in not having their data processed in this way. Companies must undertake a careful review of the legitimate interests of data subjects, particularly when considering the specific events that have led to suspicion being cast on the individual.
Companies must provide clear, unambiguous information about the purposes pursued by the hotline. To avoid misunderstandings, not every irregularity, including slight or presumed irregularities, should be reported. It must be clear that there is no value in having unsubstantiated incriminating reports.
The company should consider whether it is appropriate to restrict the number of persons to whom irregularities can be reported.
Whistleblowing procedures should keep the identity of the whistleblower confidential.
The data subject of a hotline report should be informed of the type of personal data collected and the purpose of its collection (amongst other factors), unless doing so will compromise the company's ability to gather evidence or conduct an investigation. However, even in these cases, the company should avoid long-term non-disclosure to the incriminated person.
In principle, the personal data of the whistleblower and the incriminated person should not be transferred to third parties. However, it must be made clear to the whistleblower that his identity may be disclosed to persons involved in further investigations or ensuing court proceedings.
If personal data is processed for the company's own purposes, such data should be erased as soon as it is no longer required. Generally, data should be destroyed within two months of the conclusion of an investigation.
The company should engage in early consultation with:
local data-privacy officers;
the organisation's works council; and
the relevant controlling department.
The guidelines do not discuss issues related to international data transfers. They also note that in the event of uncertainty, the German data protection authorities are available for advice.
For an overview of the German data protection regime, see Article, Data Protection: Germany (www.practicallaw.com/3-502-4080).
The Irish Data Protection Commissioner has published guidance on its website that refers to WP117 and specifically advises data controllers to follow the Working Party's guidance, since otherwise they risk being found in breach of Irish data-privacy law (see Data Protection Commissioner: Whistleblower schemes and compliance with the US Sarbanes-Oxley Act). Interestingly, the Irish authority suggests that compliance with SOX does not necessarily entail the collection of personal data, and that it is possible to operate a no-names whistleblowing hotline. Such a hotline would be used to gather information on internal accounting issues rather than individuals. Whether, in practice, organisations can avoid the collection of personal data and still satisfy their SOX commitments has yet to be seen, and the Irish position is arguably more hopeful than realistic.
The notification requirement arising with Italian hotlines remains unsettled. In the few cases where notifications for compliance lines were filed, the Italian regulator, the Garante, has refused to authorise the relevant hotlines on the basis that sensitive "judicial" data was being collected.
The Dutch Data Protection Authority released a guidance document on whistleblowing hotlines in January 2006. That document largely restated the positions taken and suggestions made in WP117, including recommendations that Dutch whistleblowing hotlines should:
Either be grounded in a local legal obligation applicable to the organisation, for instance, where the hotline is in response to foreign law demands (such as SOX), or facilitate the organisation's legitimate interests, in either case without interfering with the privacy interests of employees to an unwarranted degree.
Supplement the normal reporting mechanisms that exist within the organisation, which can include submitting complaints to the organisation's:
works council; or
external auditors, where appropriate.
Only be used for reporting substantial offences, not minor issues. Reports should be managed in such a way that the identity of employees submitting complaints would not be disclosed to the persons named in the complaint.
The Dutch guidance also suggests that international transfers of personal data arising from a hotline (for instance, transfers from an EU affiliate to its US headquarters) should ordinarily only relate to misconduct involving higher management. At the same time, it does not entirely rule out the possibility that complaints relating to lower rank employees may be transmitted to corporate offices abroad, although this should be rare.
In addition, the Dutch authority recommends that an organisation should inform employees that a report on them has been filed "not later than at the moment of the recording of the information," unless one of the narrow exceptions in Dutch law applies. Further, and in contrast to the Working Party's view, it recommends that organisations should appoint an external third party to operate their hotlines, rather than trying to operate the hotlines themselves. Organisations must also obtain regulatory approval from the Dutch regulator before implementing their hotlines.
As a result of discussions at the 7th Annual Meeting of the Spanish and Portuguese data protection agencies in December 2006, regulators agreed on a set of principles to govern the operation of hotlines in those two countries. The Spanish regulator has since published its own more detailed opinion (see Spain). However, the general set of principles are useful to gain an understanding of the position of whistleblowing hotlines in Portugal.
In summary, the main principles oblige companies to:
Ensure prior notification of the hotline to the relevant national data-privacy authority.
Define the precise scope of the hotline and, preferably, limit that scope to reporting suspected improper auditing or accounting matters.
Ensure that complaints are held in confidence and discourage the submission of anonymous complaints.
Ensure that reports are only submitted by employees of the organisation and, to the extent persons are named in a complaint, ensure those persons are in an employment relationship with the organisation.
Take steps to keep any data submitted through the hotline secure.
For an overview of the Portuguese data protection regime, see Article, Data Protection: Portugal (www.practicallaw.com/2-502-1949).
The Spanish Data Protection Agency (SDPA) has published its views regarding the use of whistleblowing systems. The SDPA's recommendations take the form of a reply to a formal request from an international pharmaceutical company, and so are not an official set of guidelines. However, they do give a good indication of the SDPA's approach.
The opinion states that reporting schemes are lawful provided that the processing involved relates to the parties in a contract (an employer and employee relationship is sufficient) and is necessary for the maintenance of that contract. The report states that the whistleblowing scheme should guarantee the confidentiality of the subject of the report and not include the possibility of anonymous reporting.
Other points in the recommendations include:
Data relating to the person who is the subject of the report must not be kept for longer than necessary to proceed with the relevant internal audit, or at most the period necessary to conduct any judicial proceedings that may stem from the investigation.
The person who is the subject of the report must be informed of its existence as soon as possible, and in any event within three months.
The company should employ security measures that satisfy the high level of security set out in Spain's Royal Decree 994/1999 as it is not possible to know in advance what types of data will be processed by the hotline and so it is conceivable that sensitive personal data will be processed. However, security will not need to be implemented at the highest level if it is not possible for the reporting system to involve the processing of sensitive data.
If employees are part of a trade union, the company should inform the union of any proceedings against its members.
Companies are obliged to notify the SDPA of the processing of personal data and must ask for authorisation if they intend to transfer the data to an affiliate in a country that does not provide equivalent levels of data security.
The Swedish Data Inspection Board (SDIB) issued decisions on 26 March 2008 in five cases regarding the processing of personal data through a hotline relating to suspected violations of law. According to the SDIB, the conditions for processing data within a compliance hotline are that:
The compliance hotline must complement the company's normal internal administration and must be voluntary. The hotline should only be used when it is objectively justified that the company's internal information and reporting channels should not be used instead.
The scope of the hotline must be limited to serious irregularities concerning:
internal accounting control;
banking and financial crimes.
The hotline may also be used for reporting serious irregularities concerning the company's vital interests or the life and health of individuals.
The compliance hotline may only be used to report key (that is, senior) personnel.
The controller of personal data must ensure that the processing of personal data is carried out in compliance with the Swedish Personal Data Act, for example, concerning transfers of personal data to third countries.
For an overview of the Swedish data protection regime, see Article, Data Protection: Sweden (www.practicallaw.com/8-502-0348).
Daniel P Cooper is of counsel in Covington & Burling LLP's London office, where he is head of the privacy and security practice.