Communications Daily is a service of Warren Communications News.

Decision Said to Accommodate U.S. Law But Leave EU Compliance Unclear

France’s data protection agency completed rules to help U.S.-listed companies, including communications services providers, comply with the anonymous whistleblower requirements of the Sarbanes-Oxley Act while respecting French privacy laws. The Dec. guidelines from the Commission nationale de l'informatique et des libertes (CNIL) appear to signal a “serious effort to compromise and accommodate the goals” of the U.S. law, said Alan Raul, an attorney with Sidley Austin Brown & Wood LLP. Nevertheless, multinationals eyeing whistleblower hotlines still face a patchwork of European data protection laws, said Axel Spies, a European attorney with Swidler Berlin.

Sarbanes-Oxley requires companies listed on a U.S. stock exchange to establish whistleblower channels by phone, or other hotlines for anonymous reporting of violations of corporate accounting and auditing laws. Recently, French companies, too, have begun setting procedures for reporting breaches of law and corporate policy, CNIL noted in a Nov. 10 guideline document. Whistleblowing systems “are neither allowed nor banned” under French law, but any such procedures must comply with the country’s data protection act.

CNIL guidelines reiterated in the “unique authorization” issued last month seek to limit the scope of whistleblower reporting. For whistleblowing systems to be approved, companies doing business in France must agree to several conditions. They must be restricted to cases involving alleged internal financial wrongdoing or bribery. Anonymous reports must be handled restrictively, so a whistleblower’s identity remains confidential, and employees mustn’t be encouraged to report anonymously. Reports must contain only relevant data, which should be deleted immediately if found to be unsubstantiated, or held no more than 2 months after verification unless disciplinary or legal proceedings are begun. Anyone incriminated must be notified of the allegations and given access to the information for correction or removal, if appropriate.

The guidance signals a sea change for CNIL, which in May rejected 2 multinationals’ whistleblower proposals, Raul said. But despite CNIL’s assertion that it’s no longer opposed to anonymous hotlines, “it continues to harbor concerns,” leading to the restrictions in the guidance. U.S. companies doing business in France should tailor their whistleblowing channels to CNIL’s decision, he said.

In formulating its rules, CNIL conferred with the SEC. A Dec. 8 meeting with SEC staffers failed to identify “any major incompatibility” between the guidance and Sarbanes-Oxley, CNIL said. But Spies said “there is no official word from the SEC whether these rules are in line with U.S. law.”

There’s also no European Union (EU)-wide solution, and other EU member states may have different data protection rules, said Spies: “This poses quite a challenge for U.S. multinationals seeking to have worldwide whistleblower hotlines.” Raul urged U.S. companies to “review national obligations on a country-by-country basis.” They should bear in mind that transfers of personal information to the U.S. and outside the European Economic Area in connection with internal investigations under Sarbanes-Oxley or otherwise “remain subject to the EU Data Protection Directive and national privacy laws.” Safe Harbor membership, model contracts or binding corporate rules for data exchange could be adequate to legitimate whistleblower data transfers, he said.

The EU Art. 29 Data Protection Working Party is considering a pan-European approach to whistleblower reporting based on the CNIL decision, the agency said. The document was well received at the last meeting of the European data protection officials, and “conscious of the urgency,” the group intends to take a position on the issue in Q1 2006, CNIL said. Nevertheless, said Spies, “it remains unclear what the outcome will be and how the EU member states will implement the recommendations.”