A note which describes the data protection and employment issues that arise when European companies listed at US stock exchanges set up corporate compliance ("whistleblowing") hotlines in order to fulfil obligations under section 301(4) of the US Sarbanes-Oxley Act 2002. The note discusses recent regulatory developments in the EU relating to whistleblowing hotlines, and suggests compliance strategies to ensure that hotlines comply with EU data protection laws.
Corporate compliance hotlines (so-called "whistleblowing" hotlines) allow employees to report their concerns anonymously (by telephone or e-mail) about possible rule violations by their co-workers. Rules on whistleblowing are often included in an ethics code, or code of conduct, with which employees are required to comply. Although such codes of conduct vary in content, they usually include a set of common standards covering, among other things, discrimination, harassment, bribery and relationships between employees. In some countries such as the United States, public companies are also legally obliged to establish codes of conduct covering employees' behaviour relating to financial, accounting and corporate governance matters. Where this is the case, multi-national companies typically adopt corporate compliance hotlines not only in the country where the obligation arises, but also for subsidiaries and branch offices in other countries.
Following a series of court cases in France and Germany in 2005, the legality of European whistleblowing hotlines has increasingly been called into question. Courts and data protection regulators of European countries such as France and Germany had resisted the introduction of such hotlines, largely because of the stigma that is historically attached to anonymous informing in those countries. Emerging regulatory guidance and the recent case law has now forced many European companies to adapt their hotlines to try to ensure that they are compliant. Today, the issue remains far from settled, as many companies try to navigate compliance with both European data protection legislation and other laws or corporate policies mandating the use of whistleblowing hotlines.
This note examines the origins of this issue, and recent regulatory developments in the EU. It also discusses compliance strategies that companies may wish to implement to avoid falling foul of EU data protection laws.
Following a number of high-profile accounting scandals involving large corporations such as Enron and WorldCom, the US Congress adopted the Public Company Accounting Reform and Investor Protection Act of 2002, commonly known as the Sarbanes-Oxley Act 2002 (SOX). SOX established new or enhanced standards for all US public company boards, management, and public accounting firms. Section 406(a) SOX requires all companies listed on US stock exchanges to adopt a code of ethics for senior financial officers or persons performing similar functions, which must include standards to promote:
Honest and ethical conduct, including the ethical handling of actual or apparent conflicts of interest between personal and professional relationships.
Full, fair, accurate, timely and understandable disclosure in the periodic reports required to be filed by the issuer.
Compliance with applicable governmental rules and regulations.
Similar provisions are included in the listing rules of the two biggest US stock exchanges, NASDAQ and NYSE, which also require companies listed in those markets to adopt corporate governance guidelines or codes of conduct applicable to senior financial officers and directors in relation to accounting, reporting and auditing matters (see, for example, NYSE Listed Company Manual, section 303A(9) and NASDAQ Rule 4350(n)).
Under section 301(4) SOX, US entities must implement a confidential and anonymous reporting procedure for reporting questionable accounting or auditing matters. Section 806 SOX makes it illegal for companies to "discharge, demote, suspend, threaten, harass, or in any other manner discriminate against" employees for making use of these procedures for the purpose of reporting accounting irregularities or for assisting government and regulatory agencies in their inquiries into such irregularities. SOX is enforced by the US Securities and Exchange Commission (SEC).
It remains unclear whether the foreign affiliates of US listed companies need to comply with all SOX requirements. In Carnero v Boston Sci. Corp, 433 F.3d 1 (1st Cir. Mass. 2006), cert. denied, 126 S. Ct. 2973 (2006), the First Circuit held that section 806 SOX does not protect a foreign citizen who reports accounting irregularities at a US corporation’s foreign subsidiary. However, this limitation of the extra-territoriality of individual rights does not necessarily affect the extra-territorial applicability of code of conduct or whistleblowing requirements under sections 301 and 406 SOX. Companies failing to comply with SOX requirements may face heavy fines and, in extreme cases, de-listing from the stock exchange on which their shares are traded. As long as the question remains under judicial review, US listed companies should make sure that their European subsidiaries comply with those requirements.
In the UK, the Public Interest Disclosure Act 1998 (PIDA) protects workers against being subjected to any detriment on the ground that they have made a protected disclosure (www.practicallaw.com/8-200-3427) about their employer or co-worker. A protected disclosure is a disclosure that a worker makes in good faith, reasonably believing that the information tends to show malpractice within the company. It may relate to the commission of a criminal offence, the breach of a legal obligation, a miscarriage of justice, a danger to the health or safety of any individual, damage to the environment or deliberate covering up of information tending to show any of the above five matters (see PLC Employment, Flowchart: Protected disclosures (www.practicallaw.com/4-202-3205)).
Workers in the UK can still be protected under PIDA even if the relevant disclosure concerned a failure by the employer that took place overseas, or where non-UK law applied to the failure. A worker can make a protected disclosure:
To his employer (through whatever systems that employer has in place).
To a person whom the worker reasonably believes to be solely or mainly responsible for the failure.
To a relevant body as prescribed by the Secretary of State (see PLC Employment, Checklist, Whistleblowing: prescribed persons (www.practicallaw.com/9-202-3378)).
For a detailed outline of the legislative framework see PLC Employment, Practice note, Whistleblower protection (www.practicallaw.com/8-200-3903) and PLC Employment, Flowchart: Protected disclosures (www.practicallaw.com/4-202-3205).
Unlike SOX, PIDA does not require employers to establish formal whistleblowing procedures. However, an employer will usually have an interest in knowing of any malpractice in the workplace as soon as practicable, so that any problems can be addressed at an early stage. Employers will also want to minimise the risks which arise when a worker makes a protected disclosure; for example, the reputational risk for the company, and the risk that the worker might be dismissed or suffer a detriment as a result of the disclosure. Many employers therefore choose to implement whistleblowing policies which:
Contain the standards of behaviour to which the employer expects to see workers conforming; and
Establish a structure that enables a worker to disclose malpractices to someone in the organisation other than their immediate line manager.
Such policies will usually also describe the protection provided to workers making a qualified disclosure. (For further information on whistleblowing policies, see Practice note, Effective whistleblowing policies: Drawing up a whistleblowing policy (www.practicallaw.com/8-422-5228) and PLC Employment, Standard document, Whistleblowing policy (www.practicallaw.com/1-200-2049).) Where formal whistleblowing procedures are put into place, employers must ensure these comply with EU and UK data protection requirements.
Before 2005 there were few, if any, indications that European companies operating internal compliance hotlines might be violating data protection laws through their use of such systems. Industry appeared to have been caught unawares when, in 2005, data protection regulators in France and an employment court in Germany separately examined the question of whether whistleblowing hotlines were lawful, and concluded that they were not.
In France, questions about the legality of whistleblowing hotlines arose when two companies, McDonalds France and Compagnie Européenne d’Accumulateurs ("Exide Technologies/CEAC"), sought regulatory approvals from the French National Commission for Data Protection and Liberties (CNIL) for their compliance hotlines (McDonald’s, CNIL Délibération No. 2005-110, May 26, 2005 and CEAC/Exide Technologies, CNIL Délibération No. 2005-111, May 26, 2005). In May 2005, the CNIL decided that the McDonalds and CEAC/Exide Technologies hotlines would violate France’s data protection regime because:
French data protection law applied despite the hotlines having a significant US nexus. Among other things, the CNIL believed that both CEAC/Exide Technologies and McDonalds France would have a meaningful role to play in the operation of their respective hotlines by making them accessible to French staff and following up on submitted complaints.
The hotlines would lead to an organized system for submitting reports and collecting personal data on French staff in a manner contrary to French data protection law, which provides that any processing of personal data must respect the fundamental rights of French citizens.
By enabling staff to submit anonymous complaints, the hotlines would increase the risk that staff would make false allegations that could injure the reputation of co-workers.
The hotlines would give rise to a disproportionate amount of collection and processing of personal data relating to French staff. Instead, more targeted devices for reporting alleged infractions of the companies’ codes or applicable laws would be more appropriate.
Where complaints were referred to members of staff, as possible wrongdoers or otherwise, those employees would not be informed adequately or in a timely manner about the collecting and processing of their personal data.
Around the same time, a subsidiary of US company Wal-Mart was defending itself before a local employment court in Wuppertal, in the German state of North Rhine-Westphalia. The court had to decide whether Wal-Mart violated Section 87 of Germany’s Work Council Constitution Act (Betriebsverfassungsgesetz) by failing to engage in a co-determination procedure with its works council before implementing a code of conduct. The 29-page code contained a list of conduct rules for employees and called upon Wal-Mart employees to use a hotline to report suspected code violations by co-workers. The central issue was not whether the Wal-Mart hotline breached Germany’s data protection regime through its internal reporting regimen, but rather whether Wal-Mart had failed to comply with its obligations under German employment law. Nonetheless, the case was seen as broadly calling into question the legitimacy of whistleblowing hotlines under German law.
In June 2005, the Wuppertal employment court held that Wal-Mart had indeed violated Germany’s Work Council Constitution Act by issuing its corporate code without consulting with its German works council (Arbeitsgericht Wuppertal, 15 June 2005, 5 BV 20/05, NZA-RR 2005, 476). The court concluded that Wal-Mart’s code required works council pre-approval because it imposed additional burdens on staff (that is, employees could be sanctioned for not complying with the code, including failing to use the hotline to report breaches of the code) and because the hotline was viewed as a mechanism for monitoring employee performance.
The state employment court in Duesseldorf dismissed Wal-Mart’s appeal in its decision in November 2005, mainly following the lower court’s ruling. However, it also held that a specific condition contained in the Wal-Mart code of conduct, namely a prohibition on "romantic" relationships between co-workers where one of them is in a position to influence the working conditions of the other, violated individuals’ personality rights set out in Articles 1 and 2 of the German Constitution.
The developments in France and Germany generated enormous interest among data protection regulators as well as anxiety within industry. US organisations, in particular, became deeply worried that the CNIL ruling suggested that SOX hotlines conflicted with French data protection rules. As a result, the EU’s Article 29 Data Protection Working Party (the working party) released an opinion paper in early 2006 to provide industry with further guidance.
The working party was set up under Article 29 of the Data Protection Directive (95/46/EC) (Data Protection Directive) to act as an independent advisory body on data protection and privacy. One of its tasks is to promote a more uniform application across the EU of the principles contained in the Data Protection Directive. In February 2006, the working party released a working paper on the application of EU data privacy rules to internal whistleblowing schemes (WP117). WP117 discussed whether, and to what extent, whistleblowing hotlines targeting financial and accounting improprieties, including specifically SOX hotlines, can co-exist with EU data protection laws. The timing of WP117's publication, immediately following the CNIL and Wuppertal court decisions, suggests that the working party wanted to arrive promptly at a harmonised European approach and to avoid the possibility that national data protection regulators would begin to adopt divergent positions.
Because the scope of WP117 is limited to "the application of EC data protection rules to internal whistle-blowing schemes in the fields of accounting, internal accounting controls, auditing matters, fight against bribery, banking and financial crime," the working party did not address other data protection issues arising from whistleblowing hotlines generally. Although the working party has indicated that it may publish a subsequent opinion or working paper to deal with other kinds of hotline, it has not yet done so. WP117 is therefore the only opinion paper setting out the working party’s views on the matter.
WP117 examines the extent to which Sarbanes-Oxley hotlines and related whistle-blower schemes comply with individual EU data-privacy principles and provides some useful recommendations on how to operate such schemes lawfully.
The processing of personal data inside the EU and the transfer of such data from the EU to countries outside the European Economic Area (EEA) is subject to the data protection regime set out in the Data Protection Directive. The Directive introduced broad obligations on those who collect personal data (data controllers), as well as conferring broad rights on individuals about whom data is collected (data subjects). Personal data is defined in Article 2(a) of the Directive as information relating to either an identified person or a person who can be identified, directly or indirectly, by reference to a reference number or by one or more factors specific to him. The Directive has been implemented in the UK through the Data Protection Act 1998 (DPA). For a detailed description of the UK data protection regime, see PLC IPIT & Communications, Practice note, Overview of UK data protection regime (www.practicallaw.com/7-107-4765).
Article 6 of the Data Protection Directive requires that personal data must be processed fairly and lawfully. For whistleblowing schemes to be lawful, the processing of personal data carried out as part of the procedure must be legitimate, and must satisfy one of the grounds set out in Article 7 of the Directive. These grounds include, among others, situations where:
The processing is necessary for compliance with a legal obligation to which the data controller is subject. This could arguably include a company's obligation to comply with the provisions of SOX or other legislation requiring the establishment of whistleblowing hotlines. However, the working party concluded that an obligation imposed by a foreign legal statute or regulation (for example, SOX) does not qualify as a legal obligation that (under Article 7(c) of the Data Protection Directive) would legitimise data processing in the EU. It found that any other interpretation would make it too easy for foreign legislators to circumvent the EU rules laid down in the Data Protection Directive.
The processing is necessary for the purposes of the legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed. The working party acknowledged that whistleblowing schemes adopted to ensure the stability of financial markets and the prevention of fraud, the fight against bribery, banking and financial crime, or insider trading might be seen as serving a legitimate interest of a company that would justify the processing of personal data by means of such schemes. It also accepted the need of companies to comply with the US regulatory framework as a legitimate interest of those companies. However, the working party pointed out that Article 7(f) of the Directive required a balance to be struck between that legitimate interest and the fundamental rights of data subjects. Accordingly, the working party argued that this "balance-of-interest-test should take into account issues of proportionality, subsidiarity, the seriousness of the alleged offences that can be notified and the consequences for the data subjects". It therefore advocated that adequate safeguards should be put into place, as well as provisions that allowed the data subject to object at any time, on compelling legitimate grounds, to the processing of the data relating to them.
The working party also made the following recommendations:
Application of data quality and proportionality principles: The working party recommended that hotlines be structured, whenever feasible, to limit both the number of persons entitled to report alleged improprieties, and the number who might be incriminated through their use.
Reporting on a named basis: The working party suggested that organisations should not encourage employees to submit anonymous reports, although it conceded that it might be impossible to prevent staff from submitting such reports. Organisations should encourage employees to submit reports on a named, confidential basis. Significantly, this was seen by some as a softening of the CNIL position and a concession to US companies subject to SOX, which calls for a mechanism whereby employees may submit confidential, anonymous reports. Although the question of whether SOX requires a mechanism for reporting improper accounting or auditing matters on a "confidential" or an "anonymous" basis (or arguably both) remains open, the SEC interprets the statute as requiring a hotline which enables employees to make anonymous (not just confidential) complaints (Letter from Ethiopis Tafara, Director, SEC, to Peter Schaar, Chairman, Article 29 Working Party (8 June 2006)). To date, discussions between the SEC and representatives of the working party have helped to avoid direct conflict on this point.
Limitation of information provided through the scheme: The working party recommended that the type of information collected and processed through the scheme should be strictly defined and limited to accounting, auditing and related matters. Where an internal investigation revealed no evidence of wrongdoing by a member of staff, the associated personal data should be destroyed within two months. The working party recommended that, in cases where wrongdoing was uncovered, the data should be kept until the end of the investigation and/or subsequent legal or disciplinary proceedings. After that point, organisations might be allowed to archive data in a separate information system if such retention was intended to mitigate future risks or liabilities.
Provision of information about the scheme: The working party reminded organisations that employees should be informed of the existence of, purposes served by, and rights associated with a whistleblowing scheme before it was implemented, and that the organisation should hold in confidence the identities of those who submit reports in good faith.
Rights of incriminated persons: The working party observed that it was essential to balance the respective rights of the person incriminated, the whistleblower and the company's legitimate investigative needs. Consequently, organisations had to inform employees whenever a hotline report associated them with wrongdoing. The employee had also to be told who would receive a copy of any subsequent internal report in which their personal data appeared, and about their right to access and rectify information appearing in such reports. However, the working party accepted that organisations could curtail these rights where there was a "substantial risk" that exercising them would jeopardise the company's ability to investigate the complaint.
Security of processing operations: The working party reiterated that organisations processing personal data must apply appropriate technical and organisational measures to keep secure any personal data that has been gathered via a whistleblowing hotline. It also noted that when organisations engage service providers (such as call centres) to furnish hotline services, those service providers are deemed to act as data processors. Accordingly, organisations must ensure that a service contract is in place that specifically includes provisions relating to data security. For detailed information about the processing of personal data by third parties, see PLC IPIT & Communications, Practice note, Overview of UK data protection regime: Processing by third parties (www.practicallaw.com/7-107-4765).
Management of whistleblowing schemes: To ensure that organisations maintain their hotlines in a secure and confidential manner, the working party recommended that organisations establish an independent internal team dedicated to handling whistleblower reports. The working party also recommended that complaints of a less serious nature should be handled in the EU, and not transmitted to overseas offices and management. However, the working party conceded that complaints carrying serious ramifications for an overseas operation or a broader corporate family could be transmitted outside the EU.
Transfers to third countries: The working party recommended that a mechanism for complying with EU data transfer rules must be in place whenever personal data collected in the course of operating an EU whistleblowing hotline is then transferred outside the European Economic Area (EEA), for instance to an organisation’s corporate headquarters. The most likely options include transferring the data to a Safe Harbor participant in the US (for EU-US transfers only) or transferring it pursuant either to an EU model transfer contract, or to a set of binding corporate rules agreed among a group of companies. For detailed information about cross-border transfers of personal data, see PLC IPIT & Communications, Practice note, Cross-border transfers of personal data (www.practicallaw.com/0-201-5764).
Compliance with notification requirements: The working party reminded organisations that they had to comply with any local notification rules applicable to hotlines and associated databases and systems. In some countries, such as France, the Netherlands and Belgium, prior regulatory approvals will also be required.
Although the working party’s recommendations are not binding, organisations that operate whistleblowing hotlines in the EU, or make such hotlines available to their EU workforce, should ensure that they comply with those recommendations and the guidance of the local data protection authority (see box, Developments in EU member states) to avoid a breach of EU data protection laws. Most EU data protection regulators have largely focused their attention on hotlines used for reporting accounting, auditing or related improprieties. However, this should be of little comfort to organisations operating other types of hotline or whistleblowing scheme: the concerns giving rise to WP117 and the guidance issued by national authorities are likely to apply equally to hotlines serving only a general internal compliance function, which raise the possibility of even greater misuse of data.
Any attempt by organisations to avoid EU jurisdiction by limiting the extent to which their EU affiliates participate in the set-up and operation of the complaints system or the handling of complaints may turn out to be a risky strategy. Many EU data protection regulators will set a low threshold when deciding whether an EU affiliate’s involvement with a hotline is sufficient to trigger jurisdiction. The CNIL, for instance, maintains that French law will apply to hotlines situated overseas if they are accessible to French employees. Moreover, such a strategy may prove difficult to put into practice, as it may become necessary for an EU affiliate to take action in response to well-grounded complaints and possibly commence disciplinary hearings involving the relevant employees. Data protection regulators may regard these follow-up activities as inextricably intertwined with the operation of the relevant hotline.
In order to conform their compliance systems to EU data protection norms, organisations should take the following steps:
Narrow the scope of any existing hotlines so that they can be shown to be mandated by law or designed to deter activities or behaviours posing a real and significant risk to the company, members of its workforce or the public at large.
Avoid deploying hotlines for general compliance purposes or procedures that could encourage employees to submit complaints on frivolous or inconsequential matters. Regulators may be willing to accept a system that elicits information relating to matters that could cause serious harm or give rise to liability for the company, but not systems that will be used by employees to report modest infractions of company policies with no real impact on the organisation.
Deploy hotlines that enable employees to report compliance deficiencies or concerns without necessarily having to make allegations against specific, named individuals. Allegations against particular individuals could still be made under local ad hoc complaint procedures that have a more formal (and less automated) character and are not anonymous.
Provide EU staff with robust informational disclosures regarding the scope of the hotline, how it should be used and the handling of complaints, including any rights that they may have in, and to, the data. Among other things, staff should be reminded that other complaints mechanisms may exist that they may prefer to use.
Instruct and encourage any employees using a hotline to furnish their own personal details when submitting a complaint, without necessarily prohibiting the submission of anonymous complaints.
Inform affected employees promptly whenever a complaint has been lodged attributing wrongdoing or improper conduct to them, unless to do so might jeopardise an investigation. Allow employees, where feasible, to learn the basic facts surrounding the complaint and to exercise their rights of access and correction.
Place a time limit on the retention of data gathered via the hotline, in line with the recommendations made in regulatory guidance papers. Where data are to be archived in order to mitigate the risk of future liability or harm to the company, those systems should be secure and the data should be kept to a minimum.
Limit the flow of complaint data (for complaints systems operating in the EU) to parties outside the EEA (including foreign group companies) to cases where the complaint can be shown to materially implicate the interests of the foreign entity.
Implement stringent data-processing contracts whenever any third-party service provider helps to operate the hotline.
Require a strict confidentiality agreement with all employees who handle complaint data on a regular basis, or who assist in the operation of the whistleblowing scheme.
Even organisations that adopt all of these measures may still be subject to the scrutiny of EU data protection regulators. Following recent developments, the risks associated with operating compliance hotlines in the EU remain difficult to quantify. Organisations should therefore continue to be cautious when implementing whistleblowing schemes in the EU. Most organisations whose hotlines permit the submission of anonymous complaints, in particular SOX hotlines, may need to rethink their current arrangements to deter anonymous complaints, without necessarily prohibiting them.
For some organisations, modifying existing hotlines may prove difficult or impracticable to achieve in the short term, or may expose the organisation to potential liability under other regulatory regimes that appear to mandate the use of non-compliant hotlines. In that event, it may be necessary to balance the risk of financial penalties arising from a breach of EU data protection laws and the reputational implications of non-compliance against the potential fines and sanctions that non-compliance with other regulatory obligations could attract.
The summary of non-UK law below reflects the law at 12 September 2007.
Since the publication of WP117 by the working party, a number of EU member state data protection regulators have released local guidance or implemented local procedures for assessing or approving compliance hotlines. Although these developments have largely been consistent with WP117, some national regulators have made recommendations slightly at variance with WP117. These have watered down its harmonising effect.
In Belgium, the Commission for the Protection of Privacy published Recommandation n° 01/2006 du 29 novembre 2006 relative à la compatibilité des systèmes d'alerte interne professionnelle avec la loi du 8 décembre 1992 relative à la protection de la vie privée à l'égard des traitements de données à caractère personnel in November 2006. The Commission's guidelines are closely aligned with WP117. For instance, the Commission called for complete transparency and robust disclosures of information to staff regarding the complaints hotline. It noted that such hotlines are meant to complement existing complaints mechanisms, and that they should not be used for reporting trivial incidents or issues. The information derived from them must be kept secure. In addition, the Commission reiterated that personal data should only ever be transmitted outside the EU to another related company, such as a parent, where the complaint had serious repercussions for the company as a whole and was not just a local (that is, Belgian) issue. The Commission also said that organisations using hotlines in Belgium should notify it of their use.
Of particular note for organisations that are subject to Belgian rules is the need to designate a member of staff to handle complaints. These individuals must be made subject to a strict duty of confidentiality when handling complaint data, and must enjoy a degree of independence in that role. They are responsible for assessing the data to ensure that it is adequate, factual and retained for the minimum amount of time necessary to investigate the complaint. Organisations also need to put in place appropriate safeguards in case this individual fails to perform his or her duties properly, giving rise to harm either to the person submitting a complaint, or to the person named in it.
The CNIL continues to devote much attention to the issue of compliance hotlines. While the working party was discussing the content of WP117, the CNIL was developing its own guideline document that it released in November 2005 to assist companies in their compliance with both French data protection law and SOX rules. In this document, the CNIL describes a two-tier system of notification. Companies operating their hotlines in conformance with the CNIL’s recommendations qualify for a lighter and more straightforward authorisation regime (referred to as a "single authorisation"), whereas other companies are required to rely upon the current, more cumbersome CNIL authorisation process. The two-tier authorisation scheme came into force in December 2005.
To benefit from the simplified French authorisation procedure, organisations must ensure that their compliance hotlines are completely voluntary and that they supplement other internal corporate controls. They must be limited in scope to address only fiscal or financial matters, accounting or suspected bribery offences (although there may be scope to include other "serious" events). The schemes must operate in accordance with an internal system that guarantees the confidentiality of any information collected. The schemes must avoid the retention of personal data for more than two months where the complaint is found to be unfounded, and must otherwise ensure that data is expunged once associated disciplinary or judicial proceedings have finished (unless the data is archived to mitigate future potential liabilities). Companies must ensure that the personal data collected is correct, ensure the confidentiality of the whistleblower and allow an employee accused of impropriety the right to correct any incorrect information.
Many of the CNIL’s recommendations mirror those contained in WP117, suggesting to many that the CNIL played a leading role in the preparation of WP117. Meanwhile, organisations that cannot meet these criteria must apply for individual authorisation, which involves the submission of a "standard notification" form that the CNIL has pledged to review within two months of receiving it. More recently, the CNIL has released additional guidance in the form of a Frequently Asked Questions document.
In April 2007, the German ad hoc Working Group on “Employee Data Protection” published a report entitled “Whistleblowing - Hotlines: Internal Warning Systems and Employee Data Protection”. This report was adopted by the working group of local data protection authorities in Germany (the Düsseldorfer Kreis) at its meeting on 19-20 April 2007. The report introduces guidelines that will allow companies to introduce whistleblowing hotlines and still remain compliant with German data protection law. The guidelines go beyond the Article 29 Working Party Opinion of February 2006, because in addition to dealing with accounting, auditing, bribery and financial crime, they also cover violations of ethical conduct, environmental and human rights legislation.
The German guidelines provide information on the following topics amongst others: basic principles, persons concerned, notification duties, transfers of information to third parties and rules on destruction of data. For instance:
Whistleblowing hotlines should supplement, and not replace, existing internal complaints handling mechanisms.
Processing personal data via a whistleblowing hotline can be justified if it is for the purpose of ensuring financial stability within a company by preventing fraud and bribery and so on. However, such data processing will not be justified if it undermines the legitimate interests of data subjects in not having their data processed in this way. Companies must undertake a careful review of the legitimate interests of data subjects, particularly when considering the specific events that have led to suspicion being cast on the individual.
Companies must provide clear, unambiguous information about the purposes pursued by the hotline. To avoid misunderstandings, not every irregularity, including slight or presumed irregularities, should be reported. It must be clear that there is no value in having unsubstantiated incriminating reports.
The company should consider whether it is appropriate to restrict the number of persons to whom irregularities can be reported.
Whistleblowing procedures should keep the identity of the whistleblower confidential.
The data subject of a hotline report should be informed of the type of personal data collected and the purpose of its collection (amongst other factors), unless doing so will compromise the company’s ability to gather evidence or conduct an investigation. However, even in these cases, the company should avoid long term non-disclosure to the incriminated person.
In principle, the personal data of the whistleblower and the incriminated person should not be transferred to third parties. However, it must be made clear to the whistleblower that his identity may be disclosed to persons involved in further investigations or ensuing court proceedings.
If personal data is processed for the company’s own purposes, such data should be erased as soon as it is no longer required. Generally, data should be destroyed within two months of the conclusion of an investigation.
In addition, the guidelines recommend early consultation with local data privacy officers, an organisation’s Works Council and the relevant controlling department. The guidelines do not discuss issues related to international data transfers. They also note that, in the event of uncertainty, the German data protection authorities are available for advice.
The Irish Data Protection Commissioner has posted guidance on its homepage that refers to WP117 and specifically advises data controllers to follow the working party’s guidance, since otherwise they risk being found in breach of Irish data privacy law. Interestingly, the Irish authority suggests that compliance with SOX does not necessarily entail the collection of personal data, and that it is possible to operate a no-names whistleblowing hotline. Such a hotline would be used to gather information on internal accounting "issues" rather than "individuals." Whether, in practice, organisations can avoid the collection of personal data and still satisfy their SOX commitments has yet to be seen, and the Irish position is arguably more hopeful than realistic.
The Dutch Data Protection Authority released a guidance document on whistle-blowing hotlines in January 2006. That document largely restated the positions taken and suggestions made in WP117, including recommendations that Dutch whistleblowing hotlines should:
Either be grounded in a local legal obligation applicable to the organisation, or facilitate the organisation’s legitimate interests without interfering with the privacy interests of employees to an unwarranted degree - for instance, where the hotline is in response to foreign law demands (such as SOX).
Supplement the normal reporting mechanisms that exist within the organisation, which can include submitting complaints to the organisation’s senior management, HR department, works council or, where appropriate, external auditors.
Only be used for reporting "substantial offences," not minor issues. Reports should be managed in such a way that the identity of employees submitting complaints would not be disclosed to the persons named in the complaint.
The Dutch paper also suggests that international transfers of personal data arising from a hotline, for instance transfers from an EU affiliate to its US headquarters, should ordinarily only relate to misconduct involving "higher management". At the same time, the Dutch paper does not entirely rule out the possibility that complaints relating to "lower rank employees" may be transmitted to corporate offices abroad, although this should be rare. Further, the Dutch authority recommends that an organisation should inform employees that a report on them has been filed "not later than at the moment of the recording of the information," unless one of the narrow exceptions in Dutch law applies. Further, and in contrast to the working party’s view, it recommends that organisations should appoint an external third party to operate their hotlines, rather than trying to operate the hotlines themselves. Organisations must also obtain regulatory approval from the Dutch regulator before implementing their hotlines.
As a result of discussions at the 7th Annual Meeting of the Spanish and Portuguese data protection agencies in December 2006, regulators agreed a set of principles to govern the operation of hotlines in those two countries. The Spanish regulator has since published its own more detailed opinion, which is outlined below. However, the general set of principles is useful to gain an understanding of the position of whistleblowing hotlines in Portugal. In summary, the main principles oblige companies to:
Ensure prior notification of the hotline to the relevant national data privacy authority.
Define the precise scope of the hotline and, preferably, limit that scope to reporting suspected improper auditing or accounting matters.
Ensure that complaints are held in confidence, and discourage the submission of anonymous complaints.
Ensure that reports are only submitted by employees of the organisation and, to the extent persons are named in a complaint, ensure those persons are in an employment relationship with the organisation.
Take steps to keep secure any data submitted via the hotline.
The Spanish Data Protection Agency (“SDPA”) has published its view regarding the use of whistleblowing systems. The SDPA document takes the form of a reply to a formal request from an international pharmaceutical company, and so it is not an official set of guidelines. However, it does give a good indication of the SDPA’s approach. The opinion states that reporting schemes are lawful provided that the processing involved relates to the parties in a contract (an employer and employee relationship is sufficient) and is necessary for the maintenance of that contract. The report states that the whistleblowing scheme should guarantee the confidentiality of the subject of the report and not include the possibility of anonymous reporting.
Other points include:
Data relating to the incriminated individual shall not be kept for longer than is necessary to carry out the relevant internal audit or, at most, for the period necessary to conduct any judicial proceedings that may stem from the investigation.
The subject of the report must be informed of its existence as soon as possible, and in any event within three months.
The company should employ security measures that satisfy the “high” level of security set forth in Spain’s Royal Decree 994/1999 (which forms part of the Spanish data protection regime implementing the 1995 Directive and lays down the technical and organisational measures necessary to guarantee the security of automated files, processing centres, premises, equipment, systems, programs and the persons involved in the automated processing of personal data), as it is not possible to know in advance what types of data will be processed by the hotline and so it is conceivable that sensitive personal data will be processed. However, security will not need to be implemented at the highest level if the reporting system could not involve the processing of sensitive data.
If employees are part of a trade union, the company should inform the union of any proceedings against its members.
Companies are obliged to notify the SDPA of the processing of personal data and must ask for authorisation if they intend to transfer the data to an affiliate in a country that does not provide equivalent levels of data security.
Daniel P Cooper is of counsel in Covington & Burling LLP's London office, where he is head of the privacy and security practice.