A portion of the Sarbanes-Oxley's whistle blowing provisions requires the company complying with the provisions to allow a method of “anonymous” reporting of wrongful acts by the company to governmental agencies. The concept was to facilitate employees’ ability to report on the companies without fear of reprisal.
However, Europe rejects such concepts of anonymous reporting, considering such acts as tantamount to the anonymous accusations of crime that tainted the European continent during the Nazi, Fascist and Communist years. Companies in the United States wishing to do business in Europe thus face a recurring problem as to how to conform to the conflicting requirements as to whistle blower protections. This article briefly describes the issue and makes some recommended solutions.
THE BASIC LAW:
Section 301(4) of the Sarbanes-Oxley Act requires the audit committee of every United States based publicly traded company to establish procedures for "the confidential, anonymous submission by employees....of concerns regarding questionable accounting or auditing matters" (emphasis supplied). To comply with § 301(4), many employers have designed whistle blowing systems, such as telephone "hotlines", enabling employees to report potential violations anonymously.
However, United States publicly traded companies operating in Europe have found that deep-seated ideological differences as to the desirability of anonymous reporting systems have given rise to a conflict between § 301(4) and European data protection laws. Pursuant to European Union Directive 95/46/EC (the Directive), employers' collection, processing, and use of "personal data" must be consistent with four broad principles:
1. Legitimacy: In the whistle blowing context, data processing must be necessary for either compliance with a legal obligation imposed by an EU member-state or furtherance of the legitimate interests of the controller or third party to whom data is disclosed, unless "such interests are overridden by the interests for fundamental rights and freedoms of the data subject."
2. Fairness: The data subject must be informed about the entity responsible for the whistle blowing scheme, the facts he/she is accused of, the recipients of the information, and how to exercise his or her rights of access and rectification.
3. Proportionality: The processing of personal data "must be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed."
4. Rights of Access and Rectification: Data subjects have a right to access data relating to them, and may seek to have inaccurate or incomplete information rectified.
The tension between § 301(4) and data protection laws first came to light after two decisions by the French data protection authority (the CNIL), in which it declared illegal the whistle blowing systems proposed by McDonald's France and a French subsidiary of Exide Technologies, due to a concern that the systems created an unreasonable risk of causing "organized systems of denouncement."
WP 29 AND RECOMMENDED SOLUTIONS OF CONFLICT
Subsequently, the CNIL clarified that not all forms of anonymous reporting are prohibited and pointed to several suspect features of the two proposed systems, including their broad scope and failure to consider the use of non-anonymous channels of reporting.
In response to employers' growing concerns, European data protection authorities issued guidance to employers seeking to establish simultaneous compliance with SOX and data protection laws. A February 2006 opinion by the group charged with overseeing implementation of the Directive, Working Party 29 (WP 29), concluded that simultaneous compliance is possible provided certain conditions are met. In its view, while anonymous whistle blowing systems may be justifiable in light of employers' legitimate interest in protecting against fraud and misconduct, that interest is nevertheless subject to a "balance of interests test" in which employers must take into account the privacy interests of employees.
WP 29 continues to wait for an official response from the SEC, but until that moment comes, the prudent employer will reevaluate its whistle blowing system. Employers are encouraged to consider the following compliance measures recommended by data protection authorities:
1. Creating other Channels of Communication: Anonymous whistle blowing systems should be complementary to other channels of communication. Anonymous reports should be "the exception to the rule", and employers should encourage employees to identify themselves by ensuring that their identity will be kept confidential.
2. Adopting Special Handling Procedures: Where anonymous reports are used, special precautions should be taken, including examining the report as to the appropriateness of its possible circulation and processing anonymous reports with greater speed.
3. Limiting the System's Scope: Employers should consider limiting the categories of persons who may report and be reported to those with involvement in financial and accounting matters and limiting complaints that can be reported anonymously to "questionable accounting or auditing matters."
4. Providing Employees with Adequate Information: Employees must be informed of the system's existence, functioning, and purpose, possible recipients, and the existence and means of exercising one's rights of access and rectification.
5. Notifying the Accused: The accused should be informed as soon as practicably possible of the entity responsible for processing the complaint, the allegations, departments that may receive the report, and the means of exercising rights of access and rectification.
6. Limiting Data Retention Periods: If unsubstantiated, data should be deleted immediately. Otherwise, it should be retained no more than two months after verification has been completed.
7. Ensuring Adequate Security and Management: Employers should take all reasonable technical and organizational steps to ensure data is secure, including establishing a specific organization to handle complaints.
Transfer of Information: A second compliance issue arises when an employer establishes a system in which complaints will be transferred outside of the EU. Pursuant to the Directive, the transfer of personal data to a country that does not ensure an "adequate level of protection", such as the United States, must be justified. The use of certain model contractual clauses between transferor and transferee or participation in the U.S. Department of Commerce's "safe harbor" program provides such justification. Employers that wish to transfer complaints from Europe to an external service provider outside the EU should ensure that the contract includes provisions providing for confidentiality, limited disclosure of data, compliance with all the rules the employer is subject to, and destruction of the data upon termination of the contract.
Local Labor Laws: Yet a third compliance issue arises in the guise of national labor and employment law. In November 2005, a German Labor Court of Appeals affirmed a lower court's decision to strike down Wal-Mart's Code of Ethics on the grounds it was not formed in consultation with the works council. Accordingly, companies that either trade their debt or their shares on US stock exchanges operating in Europe will have to carefully examine local labor laws relating to employee representation rights along with data protection laws before they implement cross-border codes of ethics.
Companies attempting to comply with Sarbanes-Oxley who implement anonymous hotline procedures and cross-border codes of conduct face legal obstacles and cultural challenges. Careful attention to the requirements of local law should be observed to avoid legal challenges and damage to the company's reputation. Nevertheless, some proactive planning and obtaining appropriate legal advice can create systems that should satisfy the requirements of both jurisdictions.