The whistleblower hotline quandary: diverse whistleblower systems around the globe--and hotlines deemed illegal in France--are creating problems for companies seeking to operate uniform, global systems. Three attorneys review the issues and discuss possible solutions.
Companies have typically responded to this requirement (Section 301) by establishing an employee whistleblower hotline (either telephone- or web-based). Conversely, the French Data Protection Authority (known as "CNIL") recently deemed such hotlines to be illegal. The conflict between Sarbanes-Oxley and French data protection law presents a compliance conundrum for non-U.S. entities, forcing them to weigh the risk of noncompliance with Sarbanes-Oxley against that of an enforcement action in France for running afoul of data protection law.
Section 301 does not mandate specific procedures, but allows audit committees wide discretion in developing a suitable system. Companies are free to decide who should receive complaints, how to ensure anonymity and how to effectively communicate the existence of the system to employees.
Hotline Decisions in the EU
In both France and Germany, administrative bodies and courts have addressed the implementation of whistleblower systems designed to comply with Sarbanes-Oxley by European subsidiaries of U.S. companies, but some provisions differ from those in the U.S.
In France, two recent decisions by the CNIL prohibiting the use of anonymous whistleblower hotlines exemplify the conflict between the U.S. whistleblower provisions and data protection law. The CNIL indicated that employee whistleblower hotlines are governed by the French Data Protection Act (the Act) regulating "data controllers."
Pursuant to the Act, two American-headquartered companies--McDonald's France and Compagnie Europeenne d'Accumulateurs (CEAC), a subsidiary of Exide Technologies--sought prior authorization from the CNIL to operate their whistleblower hotlines. Despite efforts by both companies to reduce the discriminatory potential of the hotlines, the CNIL determined that the hotlines "could result in an organized system of workplace denouncements."
Because CNIL concluded that the hotlines could lead to erroneous or slanderous workplace denunciation, it took the view that whistleblower hotlines are, in effect, illegitimate. The fact that the whistleblower systems could have been used to report practices that are illegal pursuant to French law--and not only under U.S. law--would likely not have had an impact on the CNIL's decision.
CNIL also found that the hotlines could lead to the stigmatizing of employees. It pointed out that other means exist to comply with law and company rules, such as: employee training; auditing the company's financial transactions and books; and reporting violations to the labor inspectorate and other competent authorities.
CNIL took this position despite the fact that use of the hotlines was not mandatory; suspected employees were granted substantial rights, such as being informed soon after violations were reported; and suspected employees had ample opportunity to defend themselves.
It criticized the fact that a suspected employee would not receive notice of a complaint at the moment his or her data was processed (at the same time the complaint was made) and, therefore, the employee had no meaningful right to object to the processing of the data. Yet, CNIL did not cite a specific provision of the Act upon which it based this finding.
Beyond the French border, a local German labor court in Wuppertal recently refused to allow Wal-Mart Stores Inc. to implement a German-language version of its company code of conduct for its German subsidiary. Specifically, the code required employees to report misconduct by means of an anonymous toll-free telephone hotline. Wal-Mart did not consult its German works council before drafting or implementing the code, and the works council subsequently sued Wal-Mart, arguing that it could not implement the code without permitting the works council to first exercise its co-determination rights.
The court held that many provisions in the code could be implemented without consent of the works council, but that the provisions related to anonymous telephone hotlines required the council's consent. The decision hinged on labor law issues, not data protection law issues.
CNIL's Correspondence With the SEC
During both June and July, CNIL sent letters to the U.S. Securities and Exchange Commission (SEC) explaining its position on whistleblower hotlines under French data protection law; it sought to initiate a dialogue with the SEC on these issues. In its July 29th letter, CNIL proposed a three-month moratorium on SEC enforcement against French entities subject to Sarbanes-Oxley whistleblower requirements. The SEC responded generally and agreed to begin a dialogue in an effort to find a solution that will allow companies to comply with both French and U.S. law.
In its response to the CNIL in August, the SEC emphasized that the whistleblower provisions of Sarbanes-Oxley were "drafted broadly so that companies could implement [procedures] as best suits their needs and/or local requirements." The SEC expressed hope that, among other possibilities, the entities subject to regulation by both the SEC and the CNIL could ease CNIL's concerns by implementing safeguards on the use of the information that would be provided via the whistleblower hotlines.
CNIL has scheduled a meeting in November with U.S. government officials to discuss the disagreement over Sarbanes-Oxley compliance overseas. It has stated publicly that it intends to explain why compliance with Sarbanes-Oxley is problematic from a European data protection perspective.
Until the CNIL and SEC reach an agreement on this issue, many multinational companies may find themselves, as the adage goes, between a rock and a hard place. Because CNIL questioned the basic legitimacy of whistleblower systems, it is difficult to devise a solution that both allows for such a system and complies with French law.
In Germany and other EU member states, companies have found it easier to legitimize their whistleblower systems by first reaching agreements with works councils, and courts and legal commentators have not questioned the legitimacy of such agreements.
In France, even if an agreement were reached with the relevant works council, it could still be challenged because the subject of the agreement (an anonymous whistleblower hotline) would be deemed fundamentally illegitimate. Thus, for now, companies seeking to operate uniform, global whistleblower systems are faced with having to comply with divergent local legal requirements.
Companies operating in Europe can mitigate the risks to the data protection rights of employees by introducing certain protections in the operation of their whistleblower systems. In France (and possibly elsewhere), the effectiveness of this approach is uncertain, however, because CNIL did not indicate in its decision that the legitimacy of a whistleblower system is conditioned on how it is set up or the protections it contains. Nevertheless, companies might consider the following modifications to their European hotlines:
* Define more narrowly the categories of violations that are reportable. Companies could make the whistleblower system in Europe available to address only complaints regarding questionable accounting or auditing matters, clearly defining the types of violations employees can report and limiting those types of violations to narrow categories of abuses that are specifically addressed by Sarbanes-Oxley.
* Inform employees immediately when a complaint is made against them. If employees who have been reported are immediately told of a complaint implicating them, this would remove one of CNIL's major objections. This might defeat the purpose of having a whistleblower system, however, because immediately notifying an employee of a complaint before the company had time to investigate might tarnish the investigation (by providing the opportunity to destroy evidence of a violation).
* Set up a trusted third party to whom complaints could be made, and who could then pass them on to the company. CNIL has expressed concern that companies will punish or fire employees based on information provided through the hotlines. Employers can mitigate this concern by setting up a trusted third party to filter complaints before they are passed on to the employer.
* Limit the way in which anonymous complaints are investigated. Since CNIL's concerns focused on the use of anonymous complaint systems, companies could limit the way anonymous data is used. For instance, companies could accept anonymous complaints but not use them as the sole basis for a targeted investigation against a specific employee.
* Localize the system in Europe. In neither case did the CNIL explicitly mention that McDonald's or CEAC operated their whistleblower systems in the U.S. Nevertheless, the fact that the systems were based in the U.S. may not have gone unnoticed by CNIL. Companies could set up their ethical systems using locally formulated processes, not U.S. ones.
* Build protections into the system. Companies could take steps to reduce the likelihood that employees will misuse the system. For instance, they could instruct employees that there are severe penalties for making a complaint in bad faith. Companies also could have clear written procedures for investigating complaints, which grant due process rights to employees about whom complaints are made. These procedures should incorporate basic principles of European data protection law.
Global companies will need to manage this issue on both the local level and the pan-European level. There is presently no simple solution to legalizing the use of anonymous whistleblower hotlines in France. Each company's strategy with respect to its hotline will need to be based on how the company's hotline operates, its level of compliance with data protection laws and its relationship with its works council and the particular laws of the company's geographic location.
The absolute nature of the CNIL's decisions does not point to any clear path for companies to follow to legalize use of a whistleblower system in France. Moreover, the systems that were addressed in the two decisions granted substantial protections to employees; thus, it is questionable whether additional protective measures would help legitimize such a system.
Managing the issue on a pan-European basis is just as important as dealing with local compliance. Data protection authorities in other European countries (such as Spain and Switzerland) are already looking into the whistleblower issue, and it is clear that data protection authorities in some countries (such as Belgium) would likely adopt the French position if the issue were presented to them. Moreover, the European Commission is under substantial pressure to adopt an opinion on the issue.
If the CNIL and SEC are able to reach a workable solution, allowing French companies to implement whistleblower systems that comply with legal requirements in both countries, this will take some pressure off other data protection authorities to forbid such systems.
Because many EU data protection authorities and the European Commission (EC) have scant knowledge about Sarbanes-Oxley and the structure of the required hotlines--and are now seeking information about them--it is essential for companies to coalesce around this issue to provide useful information to the regulators. This will not only help prevent the issue from migrating to other countries, but could also help better inform the French data protection authority as it considers the issue further.
The authors are with the international law firm Hunton & Williams LLP. Lisa Sotto (email@example.com), based in New York City, is a partner and heads the Privacy and Information Management practice. Chris Kuner (firstname.lastname@example.org), based in Brussels, is a partner and heads the International Privacy and Information Management practice. Aaron P. Simpson (email@example.com) is an associate based in New York City.
RELATED ARTICLE: takeaways
* Sarbanes-Oxley Section 301 mandates audit committees of public companies establish procedures for employees to submit concerns on accounting and auditing matters.
* Companies have typically responded by establishing telephone or web-based employee whistleblower hotlines.
* In France and Germany, provisions for implementing whistleblower systems for European subsidiaries of U.S. companies differ from those in the U.S.
* The French Data Protection Authority (CNIL) and U.S. Securities and Exchange Commission (SEC) are in talks to compromise on compliance for French-based companies.
|Author:||Simpson, Aaron P.|
|Date:||Nov 1, 2005|