U.S.-based multinational companies that have run into trouble trying to implement a provision of Sarbanes-Oxley that conflicts with French law are expected to get some guidance on the issue, according to securities experts.
That should be welcome news for some companies that—while attempting to comply with certain provisions of SOX—have run afoul foreign laws. That conflict “is putting some multinationals between a rock and a hard place,” notes Lance Myers, a partner at Holland & Knight. “You’re going to violate one law or the other. The question is, which one?”
E. Raman Bet-Mansour, managing partner of the Paris office of Debevoise & Plimpton, tells Compliance Week that the French Data Protection Agency, Commission Nationale de l’Informatique et des Libertés, is expected to issue guidance for U.S.-based multinationals on the SOX whistleblower provisions, which require that companies have an anonymous mechanism for employees to report accounting and auditing irregularities.
Bet-Mansour
The guidance, which was supposed to be issued at the end of October, “is expected any day,” Bet-Mansour tells Compliance Week. He notes that the French agency has been in discussions on the issue with the Securities and Exchange Commission.
The expected guidance comes after two decisions earlier this year, in which the CNIL refused to approve ethics or whistleblowing programs proposed by French subsidiaries of two American companies, McDonald’s France and CEAC, a division of Exide Technologies. As Compliance Week reported back in July, both companies wanted to establish ethics hotlines so they could be in compliance with the whistleblower provisions required by Sarbanes-Oxley; however, these hotlines clash with France’s privacy law. The CNIL ruled that the hotlines are prone to abuse and “likely to cause undue distress to suspected employees in case of libelous or unfounded accusations.”
McDonald’s, which originally planned to put in place an ethics hotline and a dedicated e-mail address to collect allegations and complaints, ultimately decided—after discussions with the CNIL—to use a U.S. fax number and postal address instead; complaints would be processed by the parent company’s personnel under the supervision of its ethics director. CEAC proposed a group-wide hotline and dedicated e-mail address, both operated by a subcontractor.
Tip Line Fines: 1,200 Euros
In another example of how some foreign laws are clashing with Sarbanes-Oxley mandates, a German labor court in June ruled that Wal-Mart’s proposed whistleblower process—implementing a hotline for employees to report on colleagues' violations—violated German law. Labor representatives from Wal-Mart's German stores sued after it introduced the whistleblower and other policies without their prior approval.
Miriam Wugmeister, a partner in the New York office of Morrison & Foerster, notes that a September decision by a French court in the case CE BSN-Glasspack v. BSN-Glasspack (the French subsidiary of what was formerly called Owens-Illinois) is consistent with the CNIL decisions in the McDonald’s and Exide cases.
Wugmeister
In the latest case, decided by Tribunal de Grande Instance de Libourne on Sept. 15, Wugmiester says a French council that represents workers brought a case against the company “claiming that the anonymous tip line for accounting irregularities and other unethical behavior could lead to unfair and disproportionate accusations and violated employees’ right to privacy in the work place. The court agreed and ordered the company to take down the poster advertising the hotline to pay damages of about 1,200 Euros.”
While the CNIL issued draft guidance in October, that guidance “didn’t shed much light on what companies can and can’t do, and didn’t answer the question as to how a company can comply with both its SOX obligations and its obligations as articulated by the CNIL,” says Wugmeister. “Companies want to be able to comply with both sets of laws and they feel they’re in a Catch-22.”
Richman
“The draft guidance says they want limited categories of individuals to be involved in whistleblower schemes,” says Laura Richman, a partner at Mayer, Brown, Rowe & Maw. “That may be a concern, since under Sarbanes-Oxley anyone who knows of an accounting irregularity needs to be able to report it anonymously.”
“The problem is, it isn’t really a data protection issue,” says Wugmeister. “The way the court decision is posited is that the company shouldn’t be collecting anonymous information. … There’s a strong response to anonymous tips in France.”
Holland & Knights’ Myers agrees. “In France, there’s a real antipathy toward informants,” says Myers.
Waiting For Guidance
While companies will have to wait and see what the CNIL guidance recommends, Bet-Mansour says, “I wouldn’t be surprised if it [the guidance] recommends some approach for non-French companies along [the] lines of what McDonald’s had done, which was to set up something anonymous in the U.S.”
Bet-Mansour doesn’t expect companies to run into any additional headaches related to complying with SOX. “By now, we’ve gotten over the bulk of issues that have popped up,” he says. “Things should start to get better, given the new European Union prospectus directive and implementing instructions for the different countries, including France. There’s been convergence between the SEC public disclosure requirements and the requirements for the member states of the EU.”
Since news broke of the CNIL decisions in the McDonald’s and Exide cases, Bet-Mansour says, “Many U.S. companies that have major operations in France have put their worldwide whistleblower programs in place, but they’re not enforcing them vigorously in France. They’re waiting for CNIL to issue its guidance.”
Myers
In the meantime, recommend laying low. “I wouldn’t say companies should pull their whistleblower mechanisms,” says Myers at Holland & Knight, “I would just say they shouldn’t publicize them for now.” Myers says concerned companies should also seek guidance from the SEC and from overseas regulators and other interested parties—for instance, worker councils. “Companies should seek advice from the SEC and at the same time, continue a dialogue with European regulators,” says Myers.
Once the guidance from the CNIL is issued, unified or separate procedures will need to be considered by multinationals, say experts. “Companies will want to analyze their programs to determine if there are still conflicts with the U.S. requirements,” says Richman at Mayer, Brown, Rowe & Maw, “[and] then determine if they need to have separate procedures in countries where the data protection laws require a more limited approach.”
Related coverage and documents are available from the box above, right.
No comments yet