Overseas whistleblower hotlines still flummox corporate compliance officers on both sides of the Atlantic, nearly a year after French authorities first questioned the legality of the hotlines in that country and sent a cornerstone of Sarbanes-Oxley compliance into jurisdictional limbo.

In particular, some tensions still appear to exist between French data protection laws and whistleblower requirements under SOX, which has prompted French authorities to provide additional guidance on the issue. The Securities and Exchange Commission and the European Union, meanwhile, are still giving their own guidance on how to comply both with SOX and European data privacy rules.

Experts say the French guidance should help companies resolve some of the remaining issues. As reported previously by Compliance Week, France’s data protection agency, the Commission Nationale de l’Informatique et des Libertés, imposed in November detailed requirements on multinational companies that are required by U.S. law to implement whistleblowing procedures in France.

The requirements and subsequent guidance stem from the CNIL’s refusal last summer to approve ethics or whistleblowing programs proposed by French subsidiaries of two American companies, McDonald’s France and CEAC, a division of Exide Technologies. CNIL found the hotlines, aimed at bringing the companies into compliance with SOX, contrary to French privacy law.

In light of numerous questions from many U.S.-listed multinationals about the guidelines and a related authorization process issued by CNIL in December, CNIL recently posted a list of 20 Frequently Asked Questions on the subject (see box below). Addressing whether its guideline document and its unique authorization are compatible with SOX, CNIL said that it “is not responsible for deciding on the compatibility of its decisions with the Sarbanes-Oxley Act,” but noted that it is “regularly in contact with the SEC.”

According to the FAQ, the SEC in August emphasized the “flexibility of the American law in this matter and stated its intention to work with the CNIL to discuss the conditions in which such systems could be acceptable under French and American laws. Constructive talks have taken place between the CNIL and the SEC on this matter.”

CNIL said its talks with the SEC and comments from companies subject to SOX were considered in preparing its guideline document and authorization process. The CNIL added that those comments were taken into consideration by the Article 29 Working Party, a European advisory body that includes the 25 European data protection authorities, in preparing its opinion, issued in February.

“The CNIL trusts that the SEC will soon be in a position to send a positive signal to such companies in order to reassure them on their situation,” according to the FAQ posted in late March.

Ethiopis Tafara, director of the SEC’s Office of International Affairs, confirmed that the SEC has communicated with CNIL and said the agency expects to communicate with the Working Party, whose opinion said whistleblower systems and codes of conduct should be tailored to comply with each European nation’s data privacy laws. While the Working Party’s opinion does not itself carry the force of law, the data-protection agencies of the EU member states that make up its membership have the regulatory authority to impose fines or take other enforcement action.

“We’ve heard that this has been a thorny issue for both U.S. and foreign private companies,” Tafara says. “Our objective has been to inform the CNIL and will be to inform the Working Party on some of the principles underlying the whistleblower procedures, with the hope that that will lead to guidance that allows companies to comply with EU privacy laws as well as Section 301 of SOX.”

Getting A Clear Signal


Alan Berkowitz, an employment lawyer at the Bingham McCutchen law firm, says uncertainty still exists about how companies can set up whistleblower schemes in Europe so they’re not challenged. “Companies are reading everything that comes out and trying to see ways they can comply with both laws,” he says. While the CNIL guidance was some help, he says, it also “illustrates some points of difference.”

COMPATIBILITY

The excerpt below is from a list of 20 frequently asked questions published by the Commission Nationale de l’Informatique et des Libertés:

QUESTION 4:

Are the guideline document and the unique authorisation compatible with the Sarbanes-Oxley Act?

ANSWER:

The CNIL is not responsible for deciding on the compatibility of its decisions with the Sarbanes-Oxley Act.

However, the CNIL is regularly in contact with the Securities and Exchange Commission (SEC), the American regulator in charge of supervising the implementation of the Sarbanes-Oxley Act. Back in the month of August 2005, the SEC emphasised the flexibility of the American law in this matter and stated its intention to work with the CNIL to discuss the conditions in which such systems could be acceptable under French and American laws. Constructive talks have taken place between the CNIL and the SEC on this matter.

The CNIL took such talks with the SEC into consideration while preparing the guideline document and the unique authorisation. It also took into consideration the practical comments from many companies subjected to the requirements of the Sarbanes-Oxley Act. All such comments were also taken into consideration by the Article 29 Working Party in preparing its opinion 1/2006 on the matter (see question 5 [reprinted below]: What about the European work?).

The CNIL trusts that the SEC will soon be in a position to send a positive signal to such companies in order to reassure them on their situation.

QUESTION 5:

What about the European work?

ANSWER:

The Article 29 Working Party, which includes the twenty five European data protection authorities, issued an opinion on the issue on February 1, 2006.

The main lines of the opinion are in line with those of the CNIL’s guideline document.

The Working Party’s opinion deals with the following points:

Possibility to limit the categories of persons entitled to report alleged improprieties or misconduct, as well as the categories of persons who may be reported through a whistleblowing scheme;

Promotion of identified and confidential reports as opposed to anonymous reports;

Proportionality and accuracy of data collected and processed;

Compliance with strict data retention periods;

Provision of clear and complete information about the system;

Rights of the reported person;

Security and confidentiality of processing operations;

Management of the scheme (creation of a dedicated internal organisation; possibility to use third party service providers; transfers of data to non EU countries subject to conditions);

Requirements for transfers to third countries;

Need to comply with duties of prior notification to the supervisory authorities.

Source: FAQs On Whistleblowing Systems (Commission Nationale de l’Informatique et des Libertés)

Still, he adds, the hurdles to comply with both laws are not insurmountable. “I think companies can look at what each entity wants and come up with a whistleblower scheme that will pass muster,” he says. “I think [the agencies] are getting closer together on some of the issues. Expected guidance from the SEC could bridge the remaining gaps.”

A Bingham McCutchen legal bulletin notes that the two agencies appear to differ on several areas of the CNIL Guidelines, among them the scope of the whistleblowing scheme and data processing and retention.

While the SEC says a whistleblower scheme should allow all employees to raise any concern related to accounting or auditing matters, CNIL’s position is narrower: whistleblowing systems must be limited to facts relating to serious risks to the company in the fields of accounting, financial audit, bribery or banking. Other “serious” matters “affecting the vital interests of the company or its employees’ physical or mental integrity” may also be reported through the whistleblowing system, but whether a matter counts as “serious” is evaluated on a case-by-case basis. Reports that fall outside the permitted scope of the system, or that are assessed as not particularly serious, must be rapidly destroyed or archived.

“EU countries don’t want whistleblower schemes to be wide open for people to report anything that bothers them,” Berkowitz says. “They want them to be restricted to things covered by Sarbanes-Oxley and they want anything reported that doesn’t fall under SOX deleted.” As long as the hotline covers the reporting of the issues specified by Sarbanes-Oxley, Berkowitz says, “There’s no reason companies shouldn’t be able to comply simply by disregarding or archiving reports on things that aren’t SOX related issues.”

The SEC insists the audit committee, wherever it is located, should be able to receive and review all data gathered through the hotlines and is entitled to hire an outside adviser to review the data. CNIL has expressed a preference for in-house processing of data, although it hasn’t forbidden the use of external providers to collect reports and process data. External hotline providers must, however, agree by contract to comply with French and European data protection rules and with the terms of their client’s authorized whistleblowing scheme. External providers can’t use the data for any other purpose, must adhere to strict confidentiality principles, and must return or destroy all data at termination of the contract. Agreements providing for the transfer of data to a provider outside the EU must require that the data be protected through the model contract clauses established by the European Commission.

Berkowitz notes that companies using external data collection providers located in the U.S. need to evaluate whether the transfer of information to third-party providers is consistent with French data protection laws, especially rules concerning cross-border transfers.

Record retention could also prove “troublesome,” he adds. Under the CNIL guidelines, companies may retain reported information for two months, after which it must be destroyed; irrelevant information must be deleted or archived immediately. “There may not be enough information initially to act on a report, but destroying information that might become relevant later is problematic,” Berkowitz says. “Perhaps if the information is archived but is retrievable, that might satisfy both entities. We don’t know that yet. That’s one thing I hope the SEC will address.”