Whistleblower Programs: Challenges for Multinational Companies


Katherine D. Ashley, Gary DiBianco, Dana H. Freyer, Matthias Horbach, Pierre Servan-Schreiber of Skadden, Arps, Slate, Meagher & Flom LLP put together a nice article addressing the challenges of exporting the whistleblower requirements under Section 301 of Sarbanes-Oxley to operations in the European Union: Whistleblower Programs: Challenges for Multinational Companies

Section 301 of the Sarbanes-Oxley Act of 2002 created a requirement that public company audit committees establish procedures for the “confidential, anonymous submission by employees of the company of concerns regarding questionable accounting or auditing matters.” Most companies have expanded the use of this hotline to include any violation of law or violation of company policy.

On the other side of the Atlantic, European labor and data protection laws offer more protection and rights to the whistleblower’s target. It is a struggle to get a whistleblower hotline that works around the world. The folks at Skadden offer some suggestions in their article.

See also:

CNiL Information on Whistleblower Systems

To follow up on French Data Protection Authority Blocks SOX Whistleblower Programs and Whistleblowers in France, here is CNiL’s FAQ on whistleblowing systems and guideline document for whistleblower systems.

CNiL defined a set of rules to be followed for whistleblower systems to be compatible with French data protection laws: Unique Authorisation dated December 8, 2005 (in French, without an English translation).

According to the FAQ on whistleblowing systems, a whistleblower system must be limited to:

serious risks to the company in the fields of accounting, financial audit, fight against bribery or banking areas can be collected and filed by the organisation in charge of handling the reports.

Examples:

  • Accounting and account auditing disorders,
  • False entries,
  • Tax evasion,
  • Fictitious personnel employment,
  • Bribery of public agents …

Specific examples in the banking area:

  • Terrorism funding,
  • Money laundering…

The whistleblower system may also be used to gather reports on facts

that affect the vital interests of the company or its employee’s physical or mental integrity

Examples:

  • Threat to the safety of another employee,
  • Moral harassment,
  • Sexual harassment,
  • Discrimination,
  • Insider trading,
  • Conflict of interests,
  • Serious environmental breaches or threats to public health,
  • Disclosure of a manufacturing secret,
  • Serious risks to the company’s information system security …

CNiL also takes the position that the whistleblowing system must not be compulsory, but merely encouraged. CNiL takes the position that the systems should not be designed to encourage anonymity. Confidentiality is fine but anonymity is not. CNiL provides this example language for the scope of a whistleblower system:

The system is open to employees who wish to inform the organisation about facts susceptible to breach applicable rules in the financial, account auditing and corruption prevention areas. This system is an alternative way of reporting genuine concerns which would not be adequately dealt with by other existing reporting channels such as line management or personnel representatives. If the vital interest of the company is threatened in other areas or if the physical or mental integrity of employee(s) is at stake, reports on such serious facts may be redirected to appropriate individuals within the company. No other type of reports can be made using this system.

French Data Protection Authority Blocks SOX Whistleblower Programs

As a follow-up to Whistleblowers in France, John B. Reynolds, III and Amy E. Worlton of Wiley Rein LLP offer more insight into the programs and decisions.

CNIL found that employees’ ability to lodge anonymous complaints would increase the likelihood of malicious false reports. CNIL also found that the two companies’ plans would not provide implicated individuals with sufficient access to the records generated by the anonymous tips. Thus, these individuals would not have a sufficient opportunity to challenge accusations. Finally, CNIL held that neither of the companies’ proposals was the least restrictive means of ensuring a responsible corporate culture: employee education or improved auditing standards could achieve the same results without creating and processing personal data about company executives.

See newsletter from Wiley Rein LLP: French Data Protection Authority Blocks SOX Whistleblower Programs.

Whistleblowers in France

French privacy law limits the ability to use anonymous hotlines.

In France, the French Data Protection Authority (La Commission Nationale de l’Informatique et des Libertés (CNIL)), an administrative agency, oversees processes involving the collection or compilation of personal data. In 2005 they decided that two reporting procedures were in violation of French privacy law. McDonald’s Corp. and CEAC, a division of Exide Technologies, sought CNIL’s approval of their whistleblower hotline procedures. In June 2005, CNIL announced that these proposed reporting procedures would violate French law and it refused to authorize the use of such procedures. CNIL expressed concern that anonymous reporting would lead to malicious false reports of misconduct. They determined that the risk of malicious reporting was disproportionate to the benefit of the hotlines.

There is an obligation to file procedures with the CNIL before they are implemented if files or records will be maintained in France.

See Law Flash from Morgan Lewis: Whistleblower Procedures Inconsistent with French, German Law?