The Art of Constructing Global Whistleblowing Programmes
Mark E. Schreiber
Chair, Privacy & Data Protection Group Steering Committee
Edwards Wildman Palmer LLP 111 Huntington Avenue
Boston, MA 02199 617-239-0585
mschreiber@edwardswildman.com
Suzanne Rodway
Group Head of Privacy
Royal Bank of Scotland Legal Level 5/Premier Place
2½ Devonshire Square / EC2M, 4BA 44 (0) 20 7672 7064
SOX and FCPA Hotlines
♦ SOX and U.S. stock exchange regulations require:
♦ mandatory code of conduct
♦ confidential, anonymous submission of concerns regarding questionable accounting or auditing
♦ receipt, retention and treatment of complaints
♦ apply outside U.S. to ensure reporting
♦ Variety of permissible methods to submit complaints
♦ phone or hotline, email, mail, fax, drop-boxes
♦ Enhanced enforcement of FCPA, more than 100 ongoing DOJ investigations
♦ Industry wide investigations
FCPA/SOX Hotline and Due Diligence Dilemmas
♦ FCPA hotline voluntary
♦ Often same telephone number/email as SOX ones
♦ Clash: French and German cases
♦ held U.S. company proposed whistleblowing schemes unlawful
♦ historical concern over informants
♦ numerous protections added
General Resolution of EU Hotline Issues
♦ Political compromise reached
♦ Art. 29 Working Party issued guidelines: http://europa.eu.int
♦ allows anonymous reporting under certain conditions
♦ SEC and Art. 29 letters
http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2006-others_en.htm
♦ Prior non-compliance/“too hard to comply”
♦ Now compliance possible and practical
What is the Goal?
♦ Rigorous compliance with FCPA/SOX
♦ Simultaneous compliance with E.U. data protection laws
♦ good faith compliance effort consistent with Art. 29 Working Party, CNIL and other guidelines
[Diagram: overlap of E.U. data protection laws; SOX/FCPA Code of Conduct and anonymous reporting obligations; Art. 29 W.P., CNIL and other E.U. country whistleblower guidelines]
Where to Find What is Required by EU and Other Countries
♦ World Law Group Global Guide to Whistleblowing Programs, 2012 www.theworldlawgroup.com
♦ CNIL Guidelines, FAQ’s – www.cnil.fr
♦ CNIL on-line authorization Decision and forms – www.theworldlawgroup.com (click on: Publications, Practice, Privacy)
♦ Dutch, Belgian guidelines and Spanish DPA whistleblower consult
center.html
♦ German guidelines
www.theworldlawgroup.com (click on: Publications, Practice, Privacy)
Where to Find What is Required by EU and Other Countries
♦ Irish guidelines
http://www.dataprotection.ie./viewdoc.asp?DocID=303
♦ Swedish guidelines
http://www.datainspektionen.se/press/nyhetsarkiv/2008/endast-chefer-och-andra-nyckelpersoner-far-anmalas-med-whistleblowing/
♦ Danish guidelines
http://www.datatilsynet.dk/blanketter/vejledninger/whistleblower
♦ Hungarian whistleblower law amendments http://www.magyarkozlony.hu/pdf/2187
♦ Portuguese guidelines
What Does This Process Take for Multi-National Companies?
♦ Reconfigure E.U. whistleblower mechanism
♦ new E.U. whistleblower protocol
♦ without disturbing Code of Conduct / Ethics or FCPA policy
♦ New E.U. whistleblower procedure
♦ addendum by country
♦ New E.U. employee notice of whistleblower program
What Will This Process Take?
♦ Procedure on pan-European basis
♦ adaptations/addendum by E.U./EEA or other country where company has operations
♦ Data Controller registration (“notification”) with Data Protection Authorities (DPAs)
♦ UK – routine notifications (failure to do so is per se criminal offense)
♦ France, Belgium, Holland – relatively easy
♦ Poland, Spain, Portugal, Bulgaria, Hungary – more complex
♦ Russia – probably
♦ Due diligence program may also require DPA notification depending on country
What Will This Process Take?
♦ Timelines of implementation: at least 6 months from start
♦ might take a year or more depending on number of countries
♦ draft helpline procedure and notice
♦ highlight country differences and addendum
♦ review by E.U. local counsel
♦ translation of documents, at least employee notices
♦ works council negotiations for WB programs
♦ DPA notifications
♦ appoint country data protection officers, e.g., in Germany, France, Switzerland – so no DPA notification
♦ create/adjust training modules
What Will This Process Take?
♦ How do you handle hotline (or due diligence) in E.U. in the interim?
♦ leave on and operate?
♦ if reports, adhere to E.U. country data protection requirements in one-off events
♦ disable in all or some E.U. countries?
♦ France, Germany, Spain and elsewhere?
♦ SEC/FCPA compliance?
♦ work to adapt it?
♦ good faith efforts
♦ proof of activity
What Will This Process Take?
♦ Who makes this decision in your company?
♦ others’ buy-in
♦ team
♦ in-house counsel (U.S. and E.U.) and staff, including compliance dept.
♦ outside counsel
♦ in both U.S. and E.U. countries
♦ combination
♦ 3rd Party Hotline Vendor usage
♦ mechanisms – various levels of hotline interfaces and/or assistance
♦ very sophisticated already
Implementation Issues – What is Required by E.C.?
♦ Narrowed SOX code – proportionality
♦ audit, accounting, fraud, financial irregularities
♦ healthcare compliance
♦ FCPA
♦ example: If narrowed, in France click-through authorization
♦ no further CNIL review
♦ real policy work behind scenes – like U.S. Safe Harbor
♦ if broad, in France, regular CNIL review
♦ 2 mos. unless further docs. requested
Implementation Issues – What is Required by E.C.?
♦ Complaints outside scope
♦ some may be taken in on hotline
♦ but have to be immediately referred to other department and then archived or deleted
♦ serious matters / vital interests of company
♦ No longer allowed under French single authorization
♦ June 7, 2011 CNIL deadline for single authorization 004 changes
♦ physical / emotional safety (moral integrity) of employees
♦ threats of violence, assault, murder
♦ slightly better under German guidelines
♦ Austria, Portugal only allow SOX/anti-corruption subject matter
Implementation Issues – What is Required by E.C.?
♦ Anonymity available
♦ not required or encouraged
♦ SEC – says cannot discourage
♦ admonitions necessary
♦ careful drafting
♦ reporting availability to supervisors / managers
♦ whistleblower reporting not mandatory
♦ Spain and Portugal – no anonymous complaints
♦ confidential complaints OK
♦ need for local counsel
Implementation Issues – What is Required by E.C.?
♦ Notice to employees of program
♦ existence, purpose and functioning
♦ in local language, e.g., requirement in French labor code
♦ wait until program materials almost complete before translation
Implementation Issues – What is Required by E.C.?
♦ Prompt notification to accused of:
♦ entity, facts accused of, departments might receive reports, how to exercise rights of access and rectification
♦ delay exception for evidence preservation, (computer back-up, imaging hard drive, etc.)
♦ applied restrictively on case by case basis
♦ how will this work in practice?
Implementation Issues – What is Required by E.C.?
♦ Right of accused to access and correct or rectify data
♦ incorrect, incomplete or inaccurate data
♦ limited access rights – only about data subject
♦ may be restricted on case by case basis to ensure rights of others
♦ Data transfer to U.S. from E.U. locale
♦ disclosures within group
♦ at what level and in what country?
♦ cross-border transfer solutions
♦ not new, applies to all employee, customer and other personal data
Implementation Issues – What is Required by E.C.?
♦ Data retention periods and archiving
♦ easy to say, hard to implement
♦ unsubstantiated – “deleted” or archived immediately
♦ 2 mos. after conclusion of investigation
♦ unless discipline against accused
♦ other litigation
♦ potential SEC matters
♦ “Archival” / “Blocking”
♦ access controls on archived databases
♦ matrix of time frames by event
♦ some countries insist on “deletion” or “destruction”
♦ what does this mean in electronic context?
Implementation Issues – What is Required by E.C.?
♦ Notify and/or negotiate with Works Council
♦ minimum number of employees in some countries
♦ sometimes historical or political issues
♦ Germany – right of co-determination
♦ factor into lead time