The Clash of Global Privacy and Whistleblower Rules: How to implement a lawful whistleblowing system in EU countries

June 6, 2006

Some businesses, including public companies that must meet US Sarbanes-Oxley (SOX) requirements, have established ways, known as whistleblowing systems, for employees to report suspected improper internal activity on an anonymous or confidential basis.  Whistleblower hotlines are one way for companies to channel internal suspicions and gripes, both to catch and address improper activity if it is occurring and to provide employees with an in-house way of considering complaints and questions about activity that appears suspicious or improper.

Whistleblowing systems are being implemented under SOX on a global basis.  While there is a strong interest in setting up a global whistleblowing scheme or a similar scheme from one subsidiary to another, companies should be aware of the significant differences in privacy and employee protection laws in Europe, Canada, Japan, and other countries.

While the concept of whistleblowing has gained general acceptance in the United States, it runs counter to historic European social principles concerning defamation and anonymous informing.  Consequently, establishing and implementing a global whistleblowing system pursuant to SOX may violate foreign local laws.  The compatibility of a whistleblowing system should be assessed according to local personal data legislation and be adapted to it before implementation. 

The apparent incompatibility between SOX and EU Data Protection Rules led the European Working Party on Personal Data, an independent advisory body set up as part of the EU Directive, to adopt on February 1, 2006 an opinion (Opinion 1/2006) providing guidance on how internal whistleblowing schemes can be implemented in compliance with the EU data protection rules enshrined in the Directive.

This Opinion lays down the general requirements to assess the compatibility of whistleblowing systems with the Data Protection Directive.

  1. Legitimacy (art.7): to be legitimate, the whistleblowing system must be necessary for compliance with a legal obligation or for the purpose of a legitimate interest pursued by the controller.  The system’s rationale for European purposes must be the pursuit of a legitimate interest such as good corporate governance, the stability of financial markets and protection of shareholder interests.
  2. Quality and Proportionality (art.6): the personal data processed by the whistleblowing system must be adequate, relevant and not excessive in relation to the purposes sought. Consequently, it may be necessary to limit the number of persons entitled to report alleged misconduct and/or the individuals who may be incriminated.  Identified and confidential reports should be encouraged rather than anonymous reports.  The type of data collected must be limited to relevant facts strictly and objectively necessary to verify the allegations made.  Personal data must be deleted promptly – usually within two months of completion of the factual investigation and immediately if found unsubstantiated.  
  3. Provision of clear and complete information (art.10): the controller must inform its employees of the existence, purpose and functioning of the system, of their rights, of the identity of the recipients of the reports and of the confidential character of the identity of the whistleblower, and of the consequences of an abuse.
  4. Information and rights of the incriminated person and of the whistleblower: the controller must inform the incriminated person that personal data have been collected from a third party, that the person has a right to object to the processing but only on compelling legitimate grounds, the identity of the entity responsible for the scheme, the facts, the recipients of the report, and information on how to exercise the rights of access and rectification.  The person's right to access and rectify incorrect, incomplete or outdated data can be restricted but for specific purposes and on a case-by-case basis.  The whistleblower must be informed of the right of access, rectification and erasure as well as the confidential character of that person’s identity.
  5. Security of processing operations (art.17): Material security measures must be taken to preserve the security of the data when it is gathered, circulated or saved; these measures must be proportionate and comply with security regulations in member states.  The security measures must be adopted to ensure that reports and the identity of the whistleblower remain confidential.
  6. Management of the whistleblowing system: a limited group of trained and dedicated people, with specific contractual confidentiality obligations, must be designated to manage the whistleblowing scheme.  It is possible to use an external service provider, such as a law firm, which must comply with personal data legislation and commit to particular confidentiality obligations.  Multinational groups should deal with reports locally rather than automatically sharing the information with other companies of the group except where necessary for the investigation.
  7. Transfer of reports to another company within the group in a third country and cross-border whistleblowing: transfers must be limited and justified by the nature and seriousness of the reported facts.  Transfers, notably where groups have set up cross-organization departments for the management of reports, will be possible if the third country ensures an adequate level of protection, namely where the recipient is an entity in a country that has subscribed to the EU’s Safe Harbor Scheme, has entered into a transfer contract with the EU providing adequate safeguards or has a set of binding corporate rules in place duly approved by the competent data protection authorities.
  8. Compliance with national notification or authorization requirements: the whistleblowing system must comply with the requirements of notification to, or prior checking by, the national data protection authority. 

Consequently, allowing employees to complain about financial indiscretions through a whistleblowing system is permitted under EU Data Protection Rules subject to compliance with the EU Directive as explained above.  Nevertheless, as mentioned in the last requirement of the Opinion, national legislation of member states remains significant, and compliance with local obligations cannot be neglected.

France is a good example to illustrate this necessity: although very protective regarding Personal Data, it has found a way to reconcile its legislation with SOX obligations. 

Authorization to engage in a whistleblowing scheme in France is provided by the French Data Protection Authority ("Commission Nationale de l’Informatique et des Libertés" or "CNIL").  Under CNIL rules any whistleblowing system requires prior authorization because such a system may exclude individuals from the benefit of a right or of a contract in the absence of any specific legal provision.  In recent years many efforts to implement broad whistleblowing programs in France have been denied by the CNIL because the CNIL determined the programs would lead to global professional information systems disproportionate to the ends sought, and anonymous communications that may be included in a whistleblowing system were antithetical to French law and practice.

France adopted new policies in December 2005 in an effort to simplify notification duties of companies for whistleblowing systems.  Even though the French simple authorization solution was adopted before the EU Opinion was published, the CNIL has stated that its simple authorization of whistleblowing systems, as described below, complies with the Opinion.

The general requirements that must be satisfied to comply with the simple authorization are mainly those set out in the Opinion 1/2006.  Nevertheless, the simple authorization adopted by the CNIL is more specific than the Opinion on certain requirements, notably on the strict conditions of anonymous tipping, on the type of information that can be collected through the whistleblowing system and on the security measures to be implemented.

Once the company has verified the compatibility of its whistleblowing system with the simple authorization, it must send to the CNIL a written commitment that the system is compliant.  After that, the CNIL will send an acknowledgment of receipt by regular mail.  This receipt authorizes implementation of the whistleblowing system. 

Even if the processing operations do not comply with the requirements of the simple authorization, the company can seek the CNIL's prior authorization, which is done by filing a standard declaration.  The CNIL will analyze the system and will refuse to grant its authorization only if the system does not sufficiently protect individuals under Data Protection Rules. 

The CNIL presented its simple authorization for whistleblowing systems to the US Securities and Exchange Commission in December 2005, and the SEC is not known to have objected to it.  The CNIL's objective is for the SEC to confirm that compliance with the CNIL's simple authorization is compatible with SOX. 

Strategy before implementing the whistleblowing system in EU countries

Both US firms with European operations and non-US firms whose securities are traded on US markets should review and modify their whistleblowing and privacy policies in light of the requirements set forth in the EU Opinion and also under local legislation where a whistleblowing system is to be implemented.  Generally, the laws of EU countries are similar as they are based on the Directive, but local law rules differ as to specifics.  Consequently, companies should seek local counsel to assure local compliance.  Non-compliance with EU and local legislation can lead to termination of a whistleblowing system and can entail heavy financial penalties, as Data Protection Authorities have the power to fine non-complying entities and demand conformance. 

The evolution of EU, French and US laws and practices regarding the intersection of whistleblowing and personal privacy represents a willingness to find practical solutions to cross-Atlantic differences.  

This article was adapted by Christopher Mann for this newsletter from an article co-authored by Joseph J. Dehner of Frost Brown Todd LLC and Mathilde Croze of Jobard, Chemla & Associés, Paris, France.
