Back in June, a German labor court ruled that Wal-Mart’s proposed whistleblower process—implementing a hot line for employees to report on colleagues' violations—violates German law, according to a published report. Labor representatives from Wal-Mart's 91 German stores sued the world’s largest retailer after it introduced the whistleblower and other policies without their prior approval.

According to Daniel Westman of Morrison & Foerster, the policies were deemed to violate employees' privacy rights because any investigation of a whistleblower complaint would be gathering information about the accused wrongdoing employee. “Some of the main differences between U.S. employment law and, for example, EU employment law, pertain to privacy of employee information, and the requirement to consult with ‘labor councils’ about changing work rules in advance of changing the rules,” said Westman.

Nearly three years after the enactment of The Sarbanes-Oxley Act of 2002, a number of U.S.-based multinational companies are starting to bump up against local laws in foreign countries, making it difficult to enact certain provisions of the landmark legislation.

So far, most legal experts confess they aren’t aware of this development. But a handful of experts suggest that this could become a larger problem as more companies fully implement all of the provisions of the landmark legislation. “Multinational companies are complaining about this,” asserts Joris Hogan, a partner with Milbank, Tweed, Hadley & McCloy.

In fact, in a recent report to clients, Morrison & Foerster noted that the French Data Protection Authority, Commission Nationale de l’Informatique et des Libertés, refused to approve ethics or whistleblowing programs proposed by French subsidiaries of two American companies, McDonald’s France and CEAC, a division of Exide Technologies. Both companies wanted to set up ethics hotlines so they could be in compliance with the whistleblower provisions required by Sarbanes-Oxley; however, these hotlines clash with France’s privacy law.

The CNIL ruled that the hotlines are prone to abuse and “likely to cause undue distress to suspected employees in case of libelous or unfounded accusations,” according to the MoFo report.

The law firm notes that McDonald’s originally planned to put in place an ethics hotline and a dedicated e-mail address but, after discussions with the CNIL, decided to use a U.S. fax number and postal address instead. As a result, complaints will now be processed by the parent company’s personnel under the supervision of its ethics director.

The procedure for handling the complaints underscores French concerns. The law firm notes that the suspected person would be given two days to comment. If the allegations are deemed unfounded, the data would be deleted within two days of the case’s closure. “If the allegations were determined to be well-founded, then the file would be kept for one to five years after the case was closed (depending on management level),” MoFo adds.

CEAC proposed a group-wide hotline and dedicated e-mail address, both operated by a subcontractor, MoFo notes. Under its plan, records of whistle-blowing complaints would be kept for one year. “Although the facts of the cases are slightly different, the legal reasoning presented in both cases was the same,” the MoFo report notes. “The CNIL found that it had jurisdiction because the information that might be collected in the whistle blowing hotline related to an identifiable person and the French subsidiary would be exercising some control over the information collected.”

The law firm notes that the CNIL did not address the cross-border aspect of the hotlines. It also did not address the conflict-of-laws issue: that U.S. public companies must have some mechanism to receive anonymous complaints.

Visceral Reactions

At this point, experts note that the implications for companies trying to comply with Sarbanes-Oxley are still unclear.

“Unfortunately, the waters remain murky,” MoFo asserts in its report. “It may take some time for the U.S. courts to clarify whether U.S.-based companies must make available to overseas employees, particularly foreign employees of foreign subsidiaries, the same Audit Committee procedures for receipt of anonymous complaints. Also, it may take time for the legal systems of other countries to address whether their laws conflict with the requirements of Sarbanes-Oxley.”

“It is an unfortunate historical fact that many countries—in Europe, Asia, Africa, South America—have had or still have repressive governments which use informants as a tool of repression,” says Westman, who along with Miriam Wugmeister, wrote the law firm’s report. “Apart from legalities, in some countries there is a strong visceral reaction against the idea of ‘informing,’ or as it is called in the French CNIL decision, ‘denouncing’ co-workers.”

The Wal-Mart, McDonald’s and Exide cases are the most high-profile examples of how foreign laws are clashing with Sarbanes-Oxley mandates.

A number of companies have been bumping up against the Data Protection Act of 1998, which requires companies in the European Union to receive employee approval before they can disclose certain types of personal information, according to Lance Myers of Holland & Knight. “There may be people trying to access information in order to be in compliance with Section 404,” he notes.

But the Act may prevent companies from detailing all of their key processes. The reasoning: Data used for SOX purposes may be used for other means that are incompatible with the purposes for which the data was originally obtained. “The member states are trying to protect their constituents,” Myers adds. “Sometimes they must deal appropriately with their local law and risk noncompliance with Sarbanes-Oxley.”

The SEC’s “gun-jumping” restrictions, which limit communication by issuers and underwriters prior to a registered public offering, have also been a source of conflict overseas. “In Western Europe when you do offerings, there is a whole different view of what is gun jumping,” says Myers. “They are a lot more open.”

Rules Relaxed

Even recently departed Securities and Exchange Commission chairman William Donaldson concedes clashing laws are a critical issue facing multi-nationals. “We recognize that cross-border listings frequently entail issuers having to navigate duplicative or even contradictory regulations in different jurisdictions,” he said in a January speech delivered in London. And while Donaldson said that the SEC is unwilling to compromise where investor protections are concerned, he conceded that some duplicative or contradictory regulations can compromise those protections and place an unnecessary burden on issuers, firms and investors. “I want to emphasize that the SEC is determined to avoid such situations, where possible,” Donaldson added. “We have demonstrated our willingness to work with foreign regulators and market participants to reduce the likelihood of this occurring and continuing uncorrected.”

Indeed, Donaldson pointed out that the SEC relaxed some rules that affect foreign issuers who list in the U.S., including regulations regarding the composition of audit committees of listed issuers. Under Sarbanes-Oxley, all members of audit committees must be independent directors. But the corporate governance laws and regulations in Germany, for instance, and a few other countries with dual board systems, require corporate audit committees to include a labor representative, he acknowledged. SEC rules do not, however, consider employees of an issuer "independent" for fear that an unscrupulous corporate officer could appoint employees to the board who were beholden to the company's management, he noted.

Following a dialogue with the European Union and others, “the SEC was reassured that in those jurisdictions with dual boards, the mandatory labor representatives on issuer audit committees were firmly independent of the company's management,” Donaldson pointed out. “The resulting final rule relating to audit committees contained an exception for these jurisdictions that would allow employees who are not officers of a company to sit on the audit committee.”

This enables the affected issuers to comply with both sets of law, said Donaldson. “And it preserves the intent of Sarbanes-Oxley—to ensure that independent directors can communicate directly with auditors without management interference,” he added.

The SEC also allows the publication of financial information presented in ways not strictly in compliance with U.S. Generally Accepted Accounting Principles. For example, the Commission included an exemption for non-GAAP communications outside the U.S., even where those communications reach the U.S. “We took this action because we did not want to interfere with the regular practices governing how foreign companies communicated with investors in non-U.S. markets,” Donaldson added.

The SEC also made some accommodations regarding the oversight of foreign audit firms. Under the Sarbanes-Oxley Act, all audit firms, including non-U.S. auditors, must be registered and inspected by the Public Company Accounting Oversight Board. “Because of potential conflicts with foreign privacy laws and blocking statutes, the PCAOB has made some adjustments in the information requested of foreign firms during the registration process,” Donaldson noted.

What should multinationals do about this conflict in general so that they can be in compliance with Sarbanes-Oxley? For one thing, “You really need very sophisticated foreign lawyers who are not just good business lawyers but sophisticated Sarbanes-Oxley lawyers as well,” Myers says. “This area is very arcane.”