Nearly two years after a German court ruled that Wal-Mart’s proposed whistleblower process violated German law, creating headaches for U.S. multinationals trying to implement whistleblower systems to comply with Sarbanes-Oxley, Germany has finally published its own set of guidelines for companies to impose such systems without violating local laws.

Since the Wal-Mart case and two similar ones in France, U.S. companies have struggled with how to establish anonymous hotlines overseas that do comply with SOX but do not violate European privacy or labor laws.

After the cases in Germany and France drew international attention to the conflict between SOX and local laws, French regulators in 2005 issued guidelines for implementing whistleblower hotlines in that country. Shortly thereafter, the European Union’s Article 29 Data Protection Working Party, comprised of data protection agencies in EU member states, issued its own pan-European guidelines.

The German guidelines were published April 23 by the Düsseldorfer Kreis, a working group comprised of members of Germany’s 16 state data protection authorities. The guidelines actually were drafted more than nine months ago, says Christian Runte, an attorney at the law firm CMS Hasche Sigle in Munich; they were formally ratified now only because the working group meets twice a year.

Runte says the guidelines were adopted as originally proposed back in August, but they only became available online at the end of April.

“A lot of people have been waiting for Germany—since they were the other country where the court struck down a code that included a whistleblower program—to issue its guidelines,” says Mark Schreiber, a partner at the law firm Edwards Angell Palmer & Dodge and a specialist in international privacy laws. “There was some expectation, because of some of the peculiarities of German data protection law, that perhaps the guidelines might be more severe or have more detailed obligations, but that doesn’t generally seem to be the case.”

Runte says the guidelines are largely the same as those of the Article 29 Data Protection Working Party, which were published in a document titled WP 117. Like those guidelines, the German rules allow for anonymous reporting, but don’t encourage it.

The Article 29 Working Party doesn’t carry the force of law, but has the regulatory muscle to impose fines or take other enforcement action. In an opinion published last year, it said that whistleblower systems and codes of conduct should be tailored to comply with each EU nation’s data privacy laws. Since then, other EU countries, including Belgium and Holland, have issued their own guidelines for putting whistleblower hotlines in place.

GERMAN RULES

Below is an English translation of Germany's new data privacy rules for whistleblower hotlines, as translated by the World Law Group.

Principles

Personal data must be collected for fixed, clear purposes and may not be further processed or used in a manner not already agreed. The data processed must also correspond to the purposes for which it is collected and/or processed, be necessary and may not exceed requirements. The structure and selection of data processing systems must be geared towards collecting, processing or using as little personal data as possible. In particular, the information must be recorded anonymously or pseudonymously in as far as possible and the time spent must be in due proportion to the intended purpose. The controller must ensure that inappropriate or incomplete data are erased or rectified. Clear, unambiguous information must be provided relating to the purposes pursued by a whistleblowing hotline. To avoid misunderstandings, not every irregularity, including slight or presumed irregularities, should be reported. It must be clear that there is no value in [having] unspecified incriminating reports ...

Anonymous Or Personal Reference

The Article 29 Data Protection Group recommends accepting anonymous reports (i.e., also information) only in exceptional cases. Anonymity contradicts the principle of transparency, and - compared with identifying names - promotes misuse and denunciations. A person who is the subject of anonymous whistleblowing is not able to defend himself/herself against defamation in formal and constitutional proceedings. On the other hand, a system based on the collection of personal data from [only identified reporters] has the disadvantage [that some reports] are deterred, even though the desired information is obtained. This should be weighed against anonymous information, especially as anonymous information can be given at any time without a whistleblowing hotline. Special emphasis should be placed upon appropriate guarantees for the protection of the whistleblowers from discriminatory or disciplinary measures.

When weighing the said interests, the following procedure is to be recommended: whistleblowing procedures should ensure that the identity of the whistleblower is kept confidential. A person who would like to make a report under such a whistleblowing scheme should know that he/she will not be adversely affected by making this report. This is why the whistleblower must be informed on the first contact with the system that his/her identity will be treated confidentially during all stages of the procedure.

Notification And Information Duties

If personal data is collected from the data subject, the responsible body must state the particular purpose of the collection, processing or use of personal data provided the data has not been obtained elsewhere. If works agreements have been concluded relating to whistleblowing procedures with provisions relating to the processing of personal data, the company shall interpret this to mean that all employees, even the newly hired ones, are able to become familiar with the content without great difficulty.

Source

Düsseldorfer Kreis Working Group (April 20, 2007)

Runte notes that Germany’s guidance goes beyond WP 117—which is largely limited to accounting, financial audit, bribery, or banking issues—to include some information about violations of ethical conduct. “It’s a helpful set of guidelines that are consistent with the Article 29 guidelines that will further assist U.S. companies in implementing whistleblower systems in Germany,” Schreiber says.

He says the German guidelines are “less specific and less detailed” than the French guidelines. Also unlike the French rules, Germany does not require a company to register with its local data protection agency.

“In some sense it will be easier for U.S. companies in Germany if they’ve already produced procedures and documents consistent with the French guidelines, at least on the data protection side,” Schreiber says.

More difficult for U.S. companies will be cooperating with local German “works councils.” The United States has no exact equivalent, but works councils are somewhat akin to trade unions. Under the new German rules, companies will have to consult with their works council on what’s in the whistleblower program and how it works, Schreiber notes.

Under German labor law, the employer and the works council each have a right of codetermination, which means each has an equal say in determining work condition necessities and discipline in the work place.

But Schreiber notes, if a U.S. company has already established a whistleblower system that passes muster in the much more convoluted French system, “those same kinds of programs are applicable in Germany, and the works council probably wouldn’t have a great deal of difficulty approving or not objecting to a whistleblower program there.”

Both Runte and Schreiber also caution that the German guidelines don’t provide a clear answer on one important question: the international transfer of data to third parties. EU regulations prohibit such transfers—say, of personal information about a German manager to compliance officers in U.S. headquarters—without the information owner’s consent.

Indeed, the guidelines seem to include conflicting provisions regarding the transfer of personal data to third parties. One provision states that the transfer of data to third parties is not allowed except in the case of a criminal proceeding, while another provision in the guidelines implies that the transfer of data within a group of companies is permissible.

“There's no information in the guidelines that gives any clarity,” Runte says. “There’s no guidance on how it can be done.”

While Schreiber agrees that the transfer of personal data to third parties is an issue that “needs clarification,” he says it’s an issue “that will eventually get worked out.”

“It’s not an impediment to implementing a whistleblower hotline in Germany,” he says.