A New Framework For US-EU Hotline Issues

Letters exchanged between the Securities and Exchange Commission and an important study group in the European Union are offering new hints to companies trying to bridge a trans-Atlantic regulatory spat over whistleblower hotlines.

The correspondence—swapped between Ethiopis Tafara at the SEC Office of International Affairs and the EU Article 29 Data Protection Working Party—addresses the year-long tensions between American regulators who want companies to have whistleblower hotlines as mandated by the Sarbanes-Oxley Act, and EU officials who deeply frown on the idea of one citizen reporting another to the authorities anonymously. Both sides have struggled to settle their differences over the issue, while U.S.-listed multinational companies twist in limbo.

The letters essentially provide a framework that companies can employ so their whistleblower hotlines pass muster with both regulatory bodies. According to Mark Schreiber, a partner at the law firm Edwards Angell Palmer & Dodge and co-chair of the privacy practice of the World Law Group, the exchange illustrates how the SEC doesn’t want anonymous complaints to be characterized pejoratively compared to those received openly. Companies considering whistleblower procedures in Europe now can incorporate that SEC view by making it clear that anonymous reporting won’t be discouraged or viewed suspiciously, he says.

Schreiber

“The significance of the SEC letters and Article 29 is really convergence theory at its best,” says Schreiber. “It’s a marriage of different legal principles, but there is common ground where there is concurrent compliance with both sets of laws.”

Companies have been struggling with whistleblower hotlines in EU nations for more than a year, since French authorities questioned their legality under that country’s data-protection laws. The Article 29 Data Protection Working Party, an advisory group that includes data-protection authorities at 25 EU nations, followed up with its set of guidelines in February. While Article 29 is only an opinion from the Working Party and doesn’t carry the force of law, its members have the regulatory muscle to impose fines or take other enforcement action.

The scope of Article 29 was largely limited to issues in the fields of accounting, financial audit, bribery, or banking. “Article 29 will address general whistleblowing schemes in 2007 to see whether a second opinion that would complete [the February 2006] is necessary,” Chiara Adamo, a spokesman for the EU’s Freedom, Security, and Justice Directorate, told Compliance Week via email.

What The Letters Say

The first of the three letters, sent in June by Tafara, outlined some of the SEC’s concerns with the European guidelines, including the local handling of reports, the narrow scope of the whistleblower procedures addressed in the EU guidelines, and—most importantly—the collection and use of anonymous complaints.

Article 29 instructed companies to discourage anonymity in whistleblower hotlines, and a July 3 letter by Chairman Peter Schaar explains the EU’s rationale: “[T]he possibility to file anonymous reports can only increase the risk of frivolous or slanderous reports with the intention of causing the accused damage or distress.”

In his June letter, Tafara explained the SEC’s position by citing the agency’s public release on Section 301 (the portion of SOX that requires hotlines) and how, to encourage employees to come forward, “Sarbanes-Oxley requires that whistleblower procedures afford the opportunity to make confidential, anonymous complaints.” He goes on to say, in a follow-up letter on Sept. 29, that he believes “it is possible for companies to establish procedures for the anonymous collection of data that adequately respect the privacy interests of individuals.”

LETTER

An excerpt from the July 3, 2006, letter from Peter Schaar of the Article 29 Working Party to the SEC.

[Y]our comments requested clarification on whether the Opinion would discourage “confidential, anonymous reports” regarding questionable accounting or auditing matters, which would allegedly contradict the express requirement of Rule 10A-3 (ii).

The Opinion indeed deals at length with the question of whether whistleblowing schemes should make it possible to make a report anonymously rather than openly (i.e., in an identified manner, and in any case under conditions of confidentiality).

Article 6(a) of Directive 95/46/EC provides that “personal data must be processed fairly and lawfully.” This requirement for fair processing applies in particular to the collection of personal data. In determining for the purposes of this principle whether personal data are collected and processed fairly, regard is to be had to the method by which they are obtained. A risk exists, in this context, that anonymous collection of data is qualified as unfair collection of data. At any rate, the possibility to file anonymous reports can only increase the risk of frivolous or slanderous reports with the intention of causing the accused damage or distress …

However, neither data protection rules generally nor this Opinion specifically prevent anonymous reports from being filed through whistleblowing schemes. The Working Party further acknowledges, as the Opinion makes clear, that remaining anonymous might sometimes be the only available possibility for a whistleblower to raise a concern, who would otherwise risk being exposed to unacceptable physical or mental retaliation.

In this respect, the Working Party finds that it may take up the analysis made in a decision handed down by the U.S. District Court of Columbia in April 2005 on the respective disadvantages and risks resulting from the possibility of a claimant initiating court proceedings under a pseudonym. While the Court found that filing a request in an open manner “is an indication that the litigant’s request is not frivolous and gets the case moving quickly,” it also found that “a plaintiff’s desire merely to avoid the annoyance and criticism that may attend any litigation is not sufficient to justify pseudononymous proceedings.” However, the Court also considered that in some cases “the need for anonymity outweighs … the risk of unfairness to the opposing party” and that “such critical or unusual cases may include those in which identification creates a risk of retaliatory physical or mental harm, those in which anonymity is necessary to preserve privacy in a matter of a sensitive and highly personal nature, and those in which the anonymous party would be compelled to admit criminal behavior or be subject to punishment by the state.”

This is precisely the logic behind Section IV.2.iii of the Opinion, which is intended to reduce the cases in which anonymity might be used to convey slanderous or frivolous allegations on a specific person. The Opinion provides that “companies should not advertise the fact that anonymous reports may be made through the scheme.” This implies that when first getting in touch with the scheme, a whistleblower should not be instantly offered the possibility to remain anonymous, but rather the confidential nature of the scheme and the benefits of confidential reporting should be explained to them first. However, the report should still be taken by the scheme if this person wishes to remain anonymous, even after the advantages of identifying oneself have been explained to them.

Source

Letter from EU Article 29 Working Party To SEC

(July 3, 2006)

The EU, in its letter, acknowledges the U.S. position, saying that its opinion “is not intended to direct companies to discourage or negatively characterize anonymous reporting when it is used to convey concerns which, if raised openly, would expose the whistleblower to unacceptable risks or retaliation.” While anonymous reporting is not to be encouraged or advertised, it may be used, the letter said.

“The signal the SEC staff is sending is that there are ways to do hotlines which will satisfy them, or at least alleviate concerns they might have,” Schreiber says. “We’re at an implementation phase as distinct from a confusion stage.”

John Heine, an SEC spokesman, says the agency will let the correspondence speak for itself.

Ryan

“Both countries are making a good-faith effort to narrow the conflict between Sarbanes-Oxley and the European data protection laws,” says Russell Ryan, a partner at the law firm King & Spalding and a former SEC attorney. “I don’t see a whole lot of retreat on either side, but there is a good faith effort to find ways in which both sides can be satisfied. As long as companies operate in good faith and try to navigate this narrow ground between the two countries’ priorities, it’s doable.”

How The Hotlines Should Work

When designing a whistleblower program in Europe, Schreiber suggests including all of the requirements prescribed by the French data-protection agency, the Commission Nationale de I’Informatique et des Libertes (CNIL). That means creating a document that outlines the scope of the system, including details such as the notices to employees and any accused individual and the process by which data will be archived and transferred to the United States.

Companies should pay special attention to developing the notice to employees, Schreiber says. Once that’s organized, they should make sure each group that may be involved in the procedure agrees with the program, from IT departments to human resources to compliance officers.

A number of third-party vendors have reconfigured their electronic and hotline interfaces to comply with Article 29 and CNIL requirements, Schreiber adds. Third-party vendors and law firms also are introducing model-protocol documents for whistleblower procedures in France and elsewhere.

“We’re seeing the first generation of compliance modalities and documents, which over the next couple of years will be standard fare after a while,” he says.

Cooper

Daniel Cooper, a lawyer with the law firm Covington & Burling who has been based in London for about eight years, said many companies he works with even operate separate European compliance hotlines, since U.S. hotlines are traditionally much broader in scope—reporting on issues ranging from harassment to breach of company policy—and frequently entice anonymous admissions.

“A lot of European requirements are ones that most U.S. companies, who are traditionally used to more robust and comprehensive hotlines, cannot live with, without a dramatic rethinking of how hotlines are supposed to work,” Cooper says. “Most U.S. companies are not willing to apply European standards to global hotlines.”

Companies typically receive more information from a U.S.-type hotline because it attracts more information, Cooper said. “A lot of U.S. companies look at [European standards] and think, we don’t want to apply those across the board,” he says.

Those U.S. companies that do establish separate European hotlines may outsource the operation and maintenance of them, in addition to having separate procedures for the acquisition and management of sensitive data, he says.

Beyond France

In addition to France, the Netherlands and Ireland have released guidance about their data-privacy laws, Cooper adds. The Netherlands’ position is even more conservative than France, with suggestions that include using compliance hotlines only to report on the infractions of senior management; Ireland largely endorsed Article 29.

“There is still a lot of ambiguity in the guidance being promulgated and how that might impact U.S. companies,” Cooper says. “There’s still uncertainty out there.”

Other countries are starting to come out with their own data laws, and many have elements that are similar to the EU, including Argentina and Japan, Schreiber says. Even China is reportedly examining a law in Hong Kong that is modeled on the EU, he said.

“The notion that the rest of the world is in accordance with the U.S. model is not entirely accurate,” he stresses. “If anything, those countries coming online with data laws either are maneuvering toward an EU model or to a middle ground.”