• Data Authorities Issue New Rules for Whistleblower Systems in Europe
  • March 20, 2006
  • Law Firm: Foley & Lardner LLP - Milwaukee Office
  • The EU Article 29 Working Party ("WP29") and France's data protection authority, Le Commission nationale de l'informatique et des libertes ("CNIL"), have issued guidelines and rules for lawful whistleblower systems, including anonymous systems required by U.S. law under Sarbanes-Oxley.

    The new pronouncements attempt to resolve what appeared to be a direct conflict between U.S. and EU law on the adoption and implementation of whistleblower systems. Sarbanes Oxley ("SOX") regulations and rules require companies listed on U.S. stock exchanges to adopt methods for anonymous reporting of ethical and legal violations to an audit committee of the board of directors. Many banks and finance companies are asking their non-publicly traded clients to meet the SOX rules for internal controls, even though the law does not apply to them directly.

    In July 2005, the CNIL issued two decisions declaring McDonald's and Exide's SOX-inspired global whistleblower systems to be illegal under French data protection law. The CNIL emphasized its discomfort with anonymous denouncement systems, because of historic precedents, including denouncements during World War II. After these decisions, it was unclear what would be required to have a lawful anonymous whistleblower system in the EU, or whether such systems could never be lawfully implemented there, thereby creating a direct conflict between US and EU law for multinationals.

    In November, 2005, the CNIL issued Guidelines it would follow in reviewing requests for approval of whistleblower systems. In these Guidelines the CNIL made clear its view that all such systems required advance approval prior to implementation, not just notification to the agency that such a system was intended. In December, 2005 the CNIL issued a decision that those data controllers who send a declaration containing a commitment to act in conformity with the requirements set forth in the decision, would automatically be authorized to implement such a compliant whistleblower system, but that other whistleblower systems would be reviewed under the November Guidelines.

    On February 2, 2006, the WP29 issued Opinion 1/2006 on the application of EU data protection rules to internal whistleblowing schemes. WP29 consists of representatives of all the EU data protection authorities. Its decisions represent the consensus of the data protection authorities' views on specific issues. WP29's views closely follow those enunciated by the CNIL in its Guidelines.

    The WP29's Op. 1/2006 identifies several factors that will be considered in evaluating the lawfulness under EU data protection law of proposed whistleblower systems. These include:

    • Limiting the number of persons entitled to report alleged improprieties or misconduct.
    • Limiting the type or number of individuals who may be incriminated.
    • Discouraging anonymous reporting, while encouraging reporting that identifies the individual making the report, while treating reports confidentially.
    • Proportionality and accuracy of data collected and processed.
    • Compliance with strict data retention periods.
    • Providing complete information about the scheme to employees.
    • Protecting the rights of incriminated persons, by notifying them of the accusations, and granting them access to the reports with a right to rectify any inaccurate or misleading information.
    • Protecting the whistleblower against disclosure of his identity and against recriminations.
    • Limiting access to the reports to individuals specially trained to handle them and who have made personal confidentiality commitments.
    • Establishment of material security measures.

    The WP29's Opinion left to individual data protection authorities the decision as to whether whistleblower systems required advance approval before implementation, as in France, or mere notification to the data protection authority.

    More detailed requirements are set forth in both the CNIL and WP29 decisions, which should be considered carefully before implementing or continuing an existing whistleblower system.

    At an international data privacy conference on March 9, 2006, Mon. Christope Pallez, secretary general of the CNIL, indicated that companies that may have already implemented whistleblower systems in France without specific prior authorization should obtain authorization now. He also indicated that he had met recently with representatives of the U.S. Securities Exchange Commission to discuss their reaction to the CNIL's rulings. As of this writing, the SEC has not issued any formal reaction to the CNIL or WP29 pronouncements.

    Entities operating in any EU Member State should review any whistleblower systems they operate or are intending to operate for compliance with these new decisions and guidelines.