The Challenge of Harmonizing U.S. Codes of Conduct and Sarbanes-Oxley Hotlines with EU Data Protection and Employment Laws

December 7, 2005

A vexing corporate compliance concern for multinationals with securities listed or quoted on U.S. stock markets abated somewhat in November when the French Commission nationale de l’informatique et des libertés (the National Commission for Information Technologies and Liberties, referred to below as CNIL) adopted guidelines intended to permit listed companies to comply with both:

  • The Sarbanes-Oxley Act's mandate that audit committees of listed companies establish procedures for the confidential, anonymous submission by employees of concerns regarding questionable accounting or auditing matters (SOX whistle-blowing procedures), and
  • French data protection laws that reserve to employees certain privacy and other information rights far more expansive than prevail in the United States.

A direct conflict between these two regulatory requirements came to light last May when CNIL ruled SOX whistle-blowing procedures submitted to it for approval by companies with securities listed on U.S. stock exchanges violated France’s data protection laws. This put companies listed in the U.S. that have European operations in a dilemma as to how to effectively maintain a global compliance program.

Significantly, the guidelines (the CNIL Guidelines, available at www.cnil.fr) do resolve the stalemate between the two requirements by acknowledging that SOX whistle-blowing procedures serve a legitimate interest in assuring the accuracy of financial statements and are not per se prohibited by French data protection law. This acknowledgment is subject, however, to the equally significant proviso that, in order to be valid under French law, such procedures must not disproportionately infringe on the individual rights of French employees.

The CNIL Guidelines set forth general principles of various conditions CNIL will require in order for it to find that SOX whistle-blowing procedures presented to it comply with data protection laws. Among numerous conditions (summarized further below) that are framed in broad terms in the CNIL Guidelines are the following key terms:

  • Matters subject to reporting must be limited in scope to financial reporting and similarly important well-established concerns,
  • Anonymous reporting must be discouraged and cannot be made mandatory, and
  • Employees about whom information is reported must be immediately notified.

All whistle-blower procedures involving automated processing of personal data (as opposed to paper-based processing) are subject, at least for the time being, to a requirement of prior authorization by CNIL. However, CNIL has indicated it will issue a more specific “authorization decision” consistent with the CNIL Guidelines to provide companies a “safe harbor” for compliance. Until then, CNIL indicated it will continue to evaluate whistle-blowing procedures on a case-by-case basis.

The remaining, not inconsiderable, challenge for U.S.-listed companies with French operations will be how best to modify their SOX whistle-blowing procedures to conform to the CNIL Guidelines and, to the extent the safe harbor is to be used, to the implementing authorization decision yet to be issued. Also still to be determined is the extent to which authorities in other EU jurisdictions, some of which have begun review of the issue, will follow CNIL’s lead in considering SOX whistle-blowing procedures in the context of the data protection laws of the respective EU member states, each of which has been adopted in various ways in accordance with the applicable EU directive on data protection (95/46/CE of 24 October 1995).

In addition, U.S. companies with European employees that have not recently verified compliance of their codes of conduct and ethics generally with EU data protection and other laws should consider conducting a review of these codes against European law. Many standard provisions of codes of conduct and ethics (other than just SOX whistle-blowing procedures) as adopted by U.S. companies may conflict with various EU data protection and perhaps other laws. Unlike the case with SOX whistle-blowing procedures, there is no reason to believe that concessions from EU regulators will be forthcoming as to other noncompliant provisions of codes of conduct and ethics.

With regard to their codes of conduct and ethics, multinationals should also consider in particular whether they have adequately complied with employment laws (which CNIL excluded from its analysis on the basis that it had no authority over such matters).

Summary of CNIL Guidelines on Implementation of Whistle-blower Procedures

Scope
Whistle-blowing procedures should be limited to reporting of concerns regarding auditing and accounting matters as described in section 301(4) of the Sarbanes-Oxley Act or other statutory or regulatory internal control obligations in financial, accounting, banking and antibribery areas. If the scope of the system is wider (for instance, concerning other matters related to the company's code of conduct or ethics), CNIL will examine the system on a case-by-case basis before authorizing it.

Voluntary
Using a whistle-blowing procedure may not be made compulsory for employees.

Anonymity
Anonymous reports should not be encouraged. In principle, the individual should identify himself prior to making a report. If an anonymous report is made, the processing of anonymous reports should be subject to specific precautions. In particular, the identity of any individual alleged to have engaged in wrongdoing must be processed in a confidential manner.

Confidentiality
A dedicated group or individual within the firm should be responsible for processing and handling reports. The confidentiality of personal data must be guaranteed when it is collected, disclosed or stored.

Disclosure Regarding Procedures
Potential users of the whistle-blowing system should receive clear and complete information on its procedures. In particular, they should be informed of the recipients of alerts and the absence of sanctions for employees not using the system.

Notice to Identified Individuals
An individual identified in a report should be notified as soon as the report is recorded, so as to enable this individual to use his or her rights of access, opposition and rectification. The identity of the individual who made the report should, however, be kept confidential.

Third-party Providers
In the event that management of the whistle-blowing procedure is entrusted to an external service provider, this provider must comply with a number of requirements regarding data protection, such as confidentiality and time limits for the storage of data.

Retention of Data
Data relating to a report that is found to be unsubstantiated must be immediately deleted. Complaints that are subject to an investigation must not be stored longer than two months after the end of the investigation, unless a disciplinary or judicial procedure is initiated against the person incriminated in the report.

Transfer of data from the EU to the United States is not discussed in the guidelines. In order to comply with the EU directive on data protection, companies may wish to consider adhering to the Safe Harbor Privacy Principles issued by the U.S. Department of Commerce available at http://www.export.gov/safeharbor/.

German Proceedings Regarding Wal-Mart’s Code of Business Conduct and Ethics
Concern in the employment area was highlighted by a German court decision recently affirmed by an appeals court finding that the SOX whistleblower procedures included in Wal-Mart's code of conduct violated the company’s German works councils’ rights of co-determination as to employee policies. Although these court decisions have been adjudicated in the context of employment, not data protection, law, it is anticipated that German data protection authorities may soon consider the permissibility of SOX whistle-blowing procedures generally under German data protection laws.

The legality of Wal-Mart’s SOX whistle-blowing procedures and other code of conduct provisions came into question when the works councils of Wal-Mart’s German subsidiaries challenged the validity of several aspects of a new code of business conduct and ethics. Wal-Mart did not request the agreement of the subsidiaries’ works councils, and the councils raised the issue with the Labor Court of Wuppertal.

On June 15, 2005, the Labor Court held that several provisions of the code were subject to negotiation with the works council before implementation and, since that had not occurred, were invalid. Wal-Mart appealed the Labor Court’s decision to the District Labor Court in Düsseldorf with regard to the following portions of the Wal-Mart code:

  • Responsibility of employees in addressing ethical concerns,
  • Prohibition on receiving gifts or other contributions,
  • Restrictions on communications with news media,
  • Harassment and other unacceptable behavior,
  • Provisions regarding a right of inspection of personnel files, and
  • Personal relationships at the workplace.

On November 14, 2005, the District Labor Court held that the following portions, or parts of the challenged portions, of the code were invalid because the works council’s co-determination rights had been violated:

  • Introduction and use of a telephone hotline,
  • Prohibition on receiving gifts or other contributions, and
  • Harassment and other unacceptable behavior (other than concerning violence at the worksite or on the job).

Both sides have the right to appeal to the German Federal Employment Court, and it remains to be seen whether the Wal-Mart code or other codes will be challenged on the basis of a violation of German data protection law, in particular with regard to the potential transfer of employee-related data to another country (e.g., the United States) or to an external third party.

Compliance Recommendations
In general, we recommend our publicly held clients listed in the U.S. with European operations do the following:

  • Evaluate the company’s SOX whistle-blowing procedures as implemented in Europe against the CNIL Guidelines and, when available, the forthcoming more detailed “authorization decision” the CNIL is expected to issue,
  • Evaluate the company’s codes of conduct and ethics generally against the requirements of the data protection and employment laws (in particular with regard to co-determination and other rights of works councils) of the respective EU countries in which the company has operations,
  • Determine if the company’s SOX whistle-blowing procedures or the implementation of codes of conduct and ethics require any prior declaration or governmental approval in EU countries in which the company has operations and, if a required approval has not been obtained, determine steps for compliance and identify consequences of noncompliance, and
  • Monitor further developments with regard to data protection and employment laws of each EU jurisdiction in which the company operates concerning SOX whistle-blowing procedures or other aspects of codes of conduct and ethics.

McDermott Will & Emery