U.S.-based multinational companies bewildered about how to implement a provision of Sarbanes-Oxley that conflicts with French data protection laws now have new guidance on the issue. However, while the guidance will enable companies to comply with both laws, experts warn that doing so will still be a struggle.

As Compliance Week recently reported, U.S.-based multinationals with significant operations in France have been awaiting final guidance from the French Data Protection Agency, Commission Nationale de l’Informatique et des Libertés, on implementing the whistleblower provisions under SOX.

While Sarbanes-Oxley requires that companies have an anonymous mechanism for employees to report accounting and auditing irregularities, some U.S.-based companies have run into trouble in meeting that obligation in France, where the data protection laws differ significantly.

Earlier this summer, the CNIL refused to approve ethics or whistleblowing programs proposed by the French subsidiaries of McDonald’s and CEAC—a division of Exide Technologies—because those hotlines clashed with France’s privacy laws. As Compliance Week reported, the rulings left many U.S. multinationals scratching their heads about how to meet their SOX obligations without breaking French laws, and the earlier draft guidance left many companies with a lot of unanswered questions.

A Workable Compromise

Experts say the final guidance from the CNIL is a vast improvement over the draft guidance issued in mid-October.


“Before the revised guidelines were issued, we had a situation where it was almost impossible to advise companies in France on how to stay on the right side of both French and U.S. law,” said Robert Bond, partner and data protection expert at London-based Faegre & Benson, and co-chair of the “Privacy Matters” practice of the World Law Group, which advised on the guidance. “Overall, the amendments to the guidelines are encouraging and it will be much easier to advise clients on meeting their SOX requirements in France.”

“The bottom line is that companies now have a way to comply [with both SOX and French data protection laws],” says Mark Schreiber, a partner at Edwards Angell Palmer & Dodge. “It’s just going to take some real work—more work than most U.S. companies originally contemplated.” Adds Schreiber, who also co-chairs the Privacy Matters practice of The World Law Group—which is a network of independent law firms—“But I think it is doable in most cases.”

At press time, CNIL hadn’t yet published its own English version of the Nov. 10 guidance. However, several law firms have issued English translations of the guidance (an English version of the final guidance, provided by the World Law Group—Privacy Matters practice, can be found in the box above, right).

“The guidance fashions a workable compromise,” says Schreiber. “The French acknowledged that whistleblower schemes were a reality even if they didn’t like the informer nature of them. That is a key concession, given the historical issue about informants going back to World War II.”

He also notes that while the draft guidance had restricted the whistleblower schemes to certain individuals, “The final guidance is broader as to who can be included in a whistleblower scheme.”

EXCERPT

The excerpt below is from The World Law Group's "English Translation of CNIL Guidelines for the Implementation of Whistleblowing Schemes under the French Data Protection Act". The excerpt has not been edited or altered in any fashion; please refer to the link below for the full document:

...In order to contribute to the implementation of whistleblowing schemes that comply with the principles set forth by the law and the directive, the CNIL recommends that companies adopt the following guidelines, which only pertain to the enforcement of such law and directive, excluding any questions over which the CNIL has no jurisdiction.

1) Impact of whistleblowing schemes: complementary nature, limited scope, non-mandatory use

Any normally operated organization requires that an alert concerning any professional problem, concerning any area, should reach management through the natural channel of the line of command or by open alerting methods involving personnel representatives or account auditors, the latter enjoying appropriate protection and independence under French law, for that matter.

The implementation of a whistleblowing program may be justified under the assumption that other reporting channels may not work in certain circumstances. However, companies should not perceive such a program to be a normal method in which to signal operating difficulties of the company itself, as equivalent to other reporting methods involving persons whose duties or powers consist precisely to the location and processing of information concerning such difficulties. As such, the whistleblowing programs must be seen as merely complementary to other methods of alert within the company.

In order to take into account its intrinsic complementary nature, a whistleblowing program must have a limited scope. Schemes with a general and indiscriminate scope (such as those intended to ensure compliance with legal requirements, corporate policies or internal rules on business conduct, for instance) raise an automatic difficulty with regard to the Data Protection Act due to the risk of abusive or disproportionate incrimination of the professional, or even personal integrity of the employees concerned.

As such, article 7 of the January 6, 1978 Act, as amended, provides that whistleblowing programs may only be considered legitimate because of the existence of a legal obligation (legislative or regulatory) requiring the implementation of such programs (article 7-1°), or because of the legitimate interest of the data controller responsible for the processing, once such interest is established and “under the reservation that the fundamental rights and liberties of the person concerned are respected” (article 7-5°).

This legitimacy is established by virtue of article 7-1° of the January 6, 1978 Act when whistleblowing programs were implemented for the sole purpose of meeting French legal or regulatory requirements aimed at establishing internal control procedures in precisely defined areas. Such a requirement clearly results, for instance, from provisions relating to the internal auditing of credit institutions and investment companies (order dated March 31, 2005 amending the Banking and Financial Policy Committee (“Comité de réglementation bancaire et financière”) regulation n° 97-02 dated February 21, 1997).

But the mere existence of a foreign legal provision by virtue of which a whistleblowing program would be implemented would not seem to allow the legitimization of the processing of personal data as defined in article 7-1°. This specifically applies to the provisions of Section 301(4) of the Sarbanes Oxley Act, which provide that the employees of an issuer may raise any concern with the audit committee as to questionable accounting controls or auditing matters while being assured that their reports will be processed under conditions of confidentiality and anonymity.

On the other hand, in this case, one cannot disregard the legitimate benefits, within the meaning of article 7-5° of the January 6, 1978 Act, of implementing whistleblowing schemes concerning possible issues concerning financial and accounting matters to French companies directly listed in the United States or to French subsidiaries of US companies listed in the United States, which must accordingly comply with a requirement to certify their accounts to the US national securities exchanges. Obviously, ensuring that information or suspicions relating to financial embezzlement and account rigging that could have an impact on the company’s financial results properly reaches the Board of directors is a critical concern for any issuer.

Far from being limited to the United States, initiatives were also taken in Europe (including the recent European Commission recommendation of 15 February 2005 on the role of non-executive or supervisory directors of listed companies and on the committees of the (supervisory) board), which are aimed at achieving the same objective as the Sarbanes-Oxley Act, i.e. reinforcing the safety of financial markets. These different texts define a company’s legitimate interests, within the meaning of article 7-5° of the January 6, 1978 Act, in implementing whistleblowing programs in the sectors that they cover, and, in this context, such programs must therefore be considered acceptable.

For the same reasons, whistleblowing systems whose purpose is to combat bribery, e.g. of foreign public officials in international business transactions (OECD convention dated December 17, 1997, ratified by Act Nr.99-424 dated May 27, 1999), are legitimate.

Whistleblowing programs limited in scope, as previously defined, will receive a single authorization from the CNIL, provided that other rules recommended by the CNIL are respected. But for programs not based on legal or regulatory requirements concerning internal controls in the financial, accounting and banking sectors and concerning the combat of bribery, the CNIL, as the authorizing body, will conduct a case-by-case analysis on the legitimacy of the purposes sought as well as the proportionality of the whistleblowing program contemplated.

In order to prevent a whistleblowing scheme from being abused into reporting facts unrelated to such specific pre-determined areas, the data controller responsible for the scheme should clearly state that its use is strictly reserved for such areas and should refrain from following on an alert made on facts that fall outside its scope, except if the company’s vital interest or the physical or moral integrity of its employees is at stake.

More generally, using a whistleblowing scheme that may be deemed as legitimately put into operation should not be made compulsory for employees. Indeed the French Department for Employment, Labor and Professional Integration (“ministère de l’emploi, du travail et de l’insertion professionnelle”) has stated, in a letter sent to the CNIL, that « the use of whistleblowing systems should be not a requirement, but only be encouraged. (…) Making reporting mandatory would result in passing on to employees employers’ duties in terms of ensuring compliance with corporate policy. It can be argued also that the reporting requirement would breach article L120-2 of the Labor Code as a requirement out of proportion with its objective »...

Source:

The World Law Group: English Translation Of CNIL Guidelines For The Implementation Of Whistleblowing Schemes Under The French Data Protection Act

While they now have guidance where none existed previously, Schreiber and others note that companies still face considerable challenges in fashioning their whistleblower mechanisms in a way that will make them acceptable under the CNIL guidelines. “I think at the outset, the issue for companies is going to be adjusting or titrating their codes of conduct to be somewhat narrower for their whistleblower mechanism,” says Schreiber.

Still A Tension


The guidelines require whistleblower schemes to be limited in scope to address legal or regulatory requirements concerning controls in the financial, accounting and banking sectors or to combat bribery. While he says codes of conduct can often cover as many as 15 different categories, Schreiber notes that only two or three have relevance to the accounting and financial controls area. “Most U.S. companies hadn’t thought through how to tailor their codes of conduct or whistleblower mechanisms to the data protection laws of EU countries,” he says. “CNIL said companies have to make their whistleblower schemes proportionate to what they’re intended to do…they can’t cover anything under the sun.”

Companies must also adhere to requirements for processing the reported information, including requirements governing the retention of collected information and the number of people involved in processing the reports, notes Laura Richman, a partner at Mayer, Brown, Rowe & Maw in Chicago. “The CNIL guidelines provide a framework that makes it easier for multinational companies to comply with both U.S. and French law,” says Richman. However, she says, companies may need to establish different programs in different countries. For example, “A U.S.-style whistleblower program providing a 24/7 hotline to call to report any violation of a company’s code of conduct or other policies is too broad to fall within the [CNIL] guidelines,” says Richman.

“The narrower the code of conduct or whistleblower feature concerns, the more likely the company will have their anonymous whistleblower mechanism approved,” says Schreiber.


While Richman adds that, “The good news is that the CNIL guidelines recognize that anonymous and confidential whistleblowing is required for certain legal and regulatory purposes,” she admits there is still a tension. “The CNIL guidelines acknowledge that the existence of anonymous reporting is a reality, but envision a process whereby such reports are subject to a preliminary evaluation by its recipient regarding the circulation of the report,” she says.

While the guidelines specify that the whistleblower’s identity shouldn’t be disclosed to an incriminated individual, “the guidelines contemplate that whistleblowing procedures should be designed in such a way that employees will be asked to identify themselves when they provide data related to facts rather than data related to persons,” says Richman. “Even if the identity of the person making the report is not included in the information passed on to management or the audit committee, this may not necessarily be the same as complete anonymity.”

“There is no definitive guidance as to whether this form of anonymity fulfills the Sarbanes-Oxley mandate that audit committees establish procedures for the confidential, anonymous submission by employees of concerns regarding questionable accounting or auditing matters,” adds Richman. “Therefore, it is open to interpretation as to whether the form of whistleblower anonymity contemplated by the CNIL guidelines is sufficient to completely satisfy the Sarbanes Oxley requirement.”

“The issue of anonymity is still there,” says Lance Myers, a partner at Holland & Knight. However, he says, “I think there can be some kind of compromise between the U.S. and other jurisdictions whereby they limit the ability of others to find out the identity of the whistleblower.”

“I think the guidance gives companies a better understanding” of how to comply, adds Myers. “The problem the SEC still has to figure out is, what is the anonymity of whistleblowers and to what degree is it required under Sarbanes-Oxley.”

Data Issues


Myers suggests that U.S. companies with a significant number of employees in France “should have a dialogue with the SEC and see if they can get some guidance from the staff.”

The CNIL guidelines provide that anonymous reporting of problems shouldn’t be made compulsory and that companies should have systems in place for employees to openly report concerns. “The organization should not encourage individuals likely to use the whistleblowing program to do so anonymously and the publicity made of such program should take this into account,” according to the World Law Group English translation of the guidance.

“While many U.S. companies take pride in emphasizing the procedures that they have implemented to permit confidential, anonymous submissions of concerns, it would be relatively easy for companies that are subject to Sarbanes-Oxley to clarify in their employee publications, if they do not already do so, that they also provide other means to report compliance issues,” says Richman. “This can be done without either encouraging or discouraging anonymous reporting, accommodating French legal concerns without undermining Sarbanes-Oxley compliance.”

Another aspect of the guidance that experts say is still problematic for U.S. companies is the limited data retention periods. Under the guidance, data related to an “unsubstantiated” report should be deleted immediately and “data relating to reports that required verification shouldn’t be kept more than two months after the verification work is closed.”

In addition, if data related to a report under a whistleblowing scheme must be transferred outside of France, Schreiber notes that “there are cross border data transfer mechanisms which will have to be met. A lot of companies have ignored this or were not aware of this up until now.” For instance, a data protection agreement and the consent of the accused individual may be required.

The rules also specify that the accused individual must be told about a report made. “[U.S. companies] are not quite used to doing that,” says Schreiber. That requirement also raises the issue of, ‘What do you tell, and when?’ since there needs to be an exclusion period to prevent the destruction of evidence, says Schreiber.

The bottom line, says Schreiber, is that companies will still need to get their whistleblower programs in France approved by the CNIL.

“It’s not a slam dunk,” says Schreiber. “This requires a rigorous analysis. Companies have to jump through the hoops and go to CNIL to get it approved. It’s not necessarily going to be easy, but I think it’s a doable task.”