Anonymous Sarbanes-Oxley Hotlines for Multi-National Companies: Compliance with E.U. Data Protection Laws

The Practitioner's Guide to the Sarbanes-Oxley Act, Volume II by the American Bar Association. Reproduced with permission. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association.

CHAPTER 9

Anonymous Sarbanes-Oxley Hotlines for Multi-National Companies: Compliance with E.U. Data Protection Laws

Mark E. Schreiber, Jeffrey M. Held, Robert T. J. Bond, Raphael Dana, Christian Runte, and Kate Flower*

TABLE OF CONTENTS

Introduction
U.S. Requirements
Accounting-Related Complaint Procedures
Hotlines and Anonymity
Code of Conduct or Ethics
Control Systems
E.U. Overview and French Response
French Guidelines
CNIL Single Authorization (Au 004) Online Process
General Compliance Techniques
Individual E.U. Member State Analysis/Solutions
Germany
Wal-Mart Decision
The Works Council and the Right of Co-Determination
Data Protection Laws
Conclusions for Germany
France
Summary of Recent CNIL Decisions
Data Protection Laws
Historical Context
United Kingdom
Rights of Subject Access
Complaints
Minimizing the Risk
Conclusions for U.K.
Conclusion

INTRODUCTION

Many U.S. companies maintain subsidiaries and employees in the European Union where Sarbanes-Oxley anonymous hotlines and other reporting mechanisms are now in place or are being implemented; those same companies must now consider data protection, labor and human rights legislation in the E.U. and perhaps other countries in the design or redesign of their programs. For example, internal company investigations resulting from whistleblower reports must now also take into account E.U. and other country data protection laws when such investigations involve the acquisition or transfer of personal data to the U.S. or taking adverse personnel action in that E.U. country.

The U.S. Sarbanes-Oxley Act of 2002 ("SOX") requires an anonymous method for employees to report concerns related to accounting and financial matters 1 and the adoption of a code of ethical conduct designed to promote prompt reporting of code violations. 2 These

*Earlier versions in article form by these same authors were published under the titles, Company Global SOX Compliance Made Easier: Update on CNIL Whistleblower Guidelines and New Online Authorization Process, BNA International World Data Protection Report, January, 2006, and Anonymous Sarbanes-Oxley Hotlines in the E.U.: Practical Compliance Guidance for the Global Companies, BNA International World Data Protection Report, August, This chapter includes significant revisions, additional material and a discussion of the new E.U. Article 29 Working Party Guidelines, Feb Section 301 of the Sarbanes-Oxley Act of 2002; SEC Rule 10A-3(b)(3) promulgated under the Securities Exchange Act of 1934; NASDAQ Rule 4350(d)(3); and NYSE Listed Company Manual Section 303A(6). 2. Section 406 of the Sarbanes-Oxley Act of 2002; SEC Item 406 of Regulation S-K; NASDAQ Rule 4350(n) and NYSE Listed Company Manual Section 303A(10).

requirements are fundamental to SOX's main principles, namely that ethics are valued within an organization and potential issues are surfaced to the right supervisors and even management to deal with them as soon as they arise. Congress intended to provide an environment where fraud and accounting impropriety would be discouraged and whistleblowers encouraged or at least not dissuaded in coming forward. In the wake of scandals at companies like Enron and Worldcom, Congress and regulatory authorities sought to restore confidence in the financial statements of public companies and the markets generally.

Decisions in mid-2005 in France 3 and Germany 4 that anonymous employee whistleblowing hotlines, without certain precautions, are invalid or unlawful in those countries have justifiably caused concern for many multi-national public companies that must comply with SOX and related U.S. rules. 5 The French data protection authority decisions and court cases in France and Germany reflect the historical unease in many E.U. countries over the concept of encouraging individuals to inform against others anonymously and without an immediate opportunity for the accused person to respond. Multi-national companies with operations in the E.U. sought clarification on the issues raised by these decisions.

Subsequently, in late 2005, the French data protection authority, referred to as the CNIL, issued guidelines that, if followed, permit SOX-styled hotlines and codes of conduct to coexist in compliance with French data protection laws ("CNIL Guidelines"). 6 Shortly thereafter in February 2006, the E.C. Article 29 Data Protection Working Party, the independent policy arm of the European Commission, issued its own detailed pan-European guidance on whistleblower programs

3. Decision of May 26, 2005 (Group McDonald's France) and CNIL Decision of May 26, 2005 (Exide Technologies). <English translation>. English translations (unofficial) available at: and There was also a French court decision with similar holdings in a case styled CE BSN-Glasspack v. BSN-Glasspack (the French subsidiary of what was formerly called Owens-Illinois). 4. The 5th Division of the Wuppertal Labour Court on June 15, Arbeitsgericht Wuppertal, Court Order dated June 15, 2005, 5 BV 20/05; English translation available at: 5. Public Company Accounting and Investor Protection Act Guidelines document adopted by the Commission nationale de l'informatique et des libertés (CNIL) on 10 November 2005 for the implementation of whistleblowing systems in compliance with the French Data Protection Act of 6 January 1978, and amended in August 2004, relating to information technology, data filing systems and liberties. < All references herein to the CNIL Guidelines are to the CNIL-provided English translation available on the CNIL website, < and the link above, with the itemized points referred to therein as No. with the page number following.

("Art. 29 Guidelines"). 7 The CNIL issued new, very detailed FAQs on March 1, 2006 ("CNIL FAQs"), which more fully explain the implementation specifics. 8 Both the CNIL and Art. 29 Guidelines are similar and permit whistleblowing schemes, including SOX-styled ones, provided that E.U. data protection principles are followed. The Art. 29 Guidelines acknowledged that such guidance was urgently needed, especially because companies subject to the extra-territorial provisions of SOX need to be in a position to comply with specific SOX whistleblowing provisions. 9 The CNIL Guidelines made clear that the CNIL had no objection in principle to such programs, as long as French data protection requirements were respected, including that the rights of the incriminated person(s) were protected. 10

The French approach includes narrowing the scope of hotline mechanisms, requiring submission of hotline plans to the data authority for approval in advance unless the hotline meets a recently published online safe harbor, 11 and disclosure of personal data results to the accused person once security or evidence preservation has been accomplished. 12 The Art. 29 Guidelines were similarly focused on SOX-required subject matter such as accounting, internal auditing controls and auditing matters, and require precautions generally comparable to that of the French. 13 According to the CNIL, the CNIL Guidelines were discussed at a meeting with the SEC staff on December 8, 2005, and no major inconsistencies with SOX were identified, implying that the SEC has blessed

7. Opinion 1/2006 on the application of EU data protection rules to internal whistleblowing schemes in the fields of accounting, internal accounting controls, auditing matters, fight against bribery, banking and financial crime, Article 29 Data Protection Working Party, WP 117, 00195/06/EN, 1 February 2006, ("Art. 29 Guidelines") Website: 8. FAQ sur les dispositifs d'alerte professionnelle available in French on CNIL website Informal English translations are at (Publications, then Practice, then Privacy Matters). The scope of these FAQs is beyond the scope of this chapter but is consistent with the CNIL's earlier position and the Art. 29 Guidelines. 9. Art. 29 Guidelines, at p CNIL Guidelines, p Decision n dated December 8, 2005 authorizing the processing of personal data implemented through a whistleblowing system. ("CNIL Decision"). The CNIL's official French version is at: and the World Law Group's unofficial English translation is at: The unofficial English translations of these and other French documents may be found on the World Law Group site: (Publications, then Practice, then Privacy Matters). 12. Art. 29 Guidelines, at p See discussion of CNIL Guidelines in General Compliance Techniques, infra at pp , this chapter.

the French process. 14 These developments, however, highlight the choices U.S. and other companies operating in France and elsewhere in the E.U. will now need to make to satisfy data protection authorities. These include whether to adopt a narrow SOX-type code of conduct and whistleblower mechanism or a broader one containing subject matter beyond that required by SOX. The former is subject to the quick online CNIL single authorization process with no further CNIL review, while the latter will take more time and require the standard CNIL review process. These choices may mean that a company will need to decide whether to implement a code of conduct and whistleblower vehicle for branches in France or in the E.U. as a whole, different or scaled down from that in the U.S.

The French model has larger European implications. Other E.U. countries are reportedly considering the same issues and may follow suit. The Art. 29 Working Party originally designated the French CNIL as the lead agency for its guideline report and the similarities show. Each of the 25 E.U. member and accession states has relatively homogeneous data protection laws. Beyond that, more than 30 other countries also now have data protection or privacy laws in one form or another, 15 often fashioning theirs after the E.U. data protection framework. As other countries' data protection authorities or courts begin to acknowledge SOX and other whistleblower mechanisms, but impose constraints on them, U.S. companies will need to adjust their compliance strategy. Increasingly, the dilemma appears to be one of company-specific compliance strategy and implementation decisions, not of conflict of laws, as even the CNIL and the Art. 29 Working Party have acknowledged and begun to provide implementation options consistent with SOX.

What should U.S. multi-nationals do? The remainder of this chapter offers a review of applicable U.S. laws and E.U. data protection laws, as well as guidance on steps companies may wish to consider or take to minimize the risks in E.U. and other countries while still complying with SOX whistleblower and code of conduct obligations.

14. As the CNIL had not yet received that assurance from the SEC, both parties were continuing to liaise until such an assurance is received. CNIL Introduction to Single Authorization AU-004, December 28, 2005, p. 2 ("CNIL Introduction"). The official French version is at: and the WLG's informational English translation is at: Introduction.doc. 15. See World Law Group Worldwide Data Protection Chart (updated January, 2006), available at:

U.S. REQUIREMENTS

ACCOUNTING-RELATED COMPLAINT PROCEDURES

SOX and the related Securities and Exchange Commission ("SEC") and stock exchange regulations require audit committees of companies listed on a stock exchange to establish procedures for the: confidential, anonymous submission by employees of that company of concerns regarding questionable accounting or auditing; and receipt, retention, and treatment of complaints received by that company relating to accounting, internal accounting controls, or auditing matters. 16

No particular complaint submission method is prescribed; companies can, therefore, provide for a variety of employee reporting methods, such as phone, e-mail, mail, fax, and/or a complaint drop-box, provided that at least one confidential, anonymous method is available to employees. Companies subject to SOX that fail to meet these requirements may potentially face SEC enforcement action, SEC civil penalties and/or in the extreme de-listing from the stock exchange on which their securities are traded.

HOTLINES AND ANONYMITY

Many companies outsource the reporting function to a third-party service provider using a confidential hotline, web service or other vehicle so that individuals can register complaints. An array of potential complaint categories is common, and a mechanism is created for complaints to be routed to the appropriate person/department. For example, information concerning accounting or the financial statements would generally end up delivered to the audit committee. Matters that are labor-related or employment misconduct, such as allegations of sexual harassment, might be sent to the local director of human resources or regional vice president.

The purpose of the confidential and anonymous requirement is to encourage employees to come forward without fear of reprisal. This mechanism was meant to assist bringing the information to the right levels within the company, including, if required, the board of directors. Accordingly, employees who blow the whistle on financial improprieties under the provisions of SOX not only have protection from retaliation

16. Section 301 of the Sarbanes-Oxley Act of 2002; SEC Rule 10A-3(b)(3) promulgated under the Securities Exchange Act of 1934; NASDAQ Rule 4350(d)(3); and NYSE Listed Company Manual Section 303A(6).

but also have a complaint mechanism under Sec. 806 through the U.S. Dept. of Labor, 17 and a later right to file suit. This right of individual redress at the DOL and to file suit in the U.S. has been held inapplicable to whistleblowers outside the U.S., at least in the First Circuit. 18 The limitation on extra-territoriality of individual rights under Sec. 806 does not appear to affect the extra-territoriality of code of conduct or whistleblower requirements under Sec. 301 and 406 described below, as the latter sections clearly seem to apply to multinational companies subject to such provisions, including the international operations of such companies. Put another way, the fact that a foreign national residing in a foreign country may not be allowed to sue in the U.S. does not mean that global public companies can avoid their SOX whistleblower and code of conduct obligations in other countries where they operate.

CODE OF CONDUCT OR ETHICS

The SEC also requires that public companies disclose in their proxy statements whether or not they have adopted a code of ethics for certain of their senior executives that meets specified minimum requirements. The stock exchanges have affirmative requirements to maintain such a code of ethics (which they have expanded to apply to all employees, directors, and officers), and require that the code contain an enforcement mechanism. Under SEC regulations, a code of ethics must be reasonably designed to promote ethical conduct and handling of conflicts of interest, timely and accurate public disclosures, and compliance with laws. In addition, the code must promote prompt internal reporting of, and contain an enforcement mechanism for, code violations. 19 These requirements essentially mandate some form of reporting mechanism, including for foreign issuers registered on U.S. exchanges.

Codes of conduct are typically broad in scope and allow employees or others to make complaints about topics such as fraud, financial matters, conflicts of interest, sexual or other harassment, employment, environmental, intellectual property, and other matters using the same hotline or other reporting mechanisms implemented for accounting-related complaints. Many companies view it as advisable to permit numerous matters to be included in the code and reporting mechanism, regardless of whether the subject matter is related to accounting, financial controls, or fraud issues, or required by SOX.

17. Section 806 of the Sarbanes-Oxley Act of Carnero v. Boston Scientific Corp., 433 F.3d 1, 87 Empl. Proc. Dec. P 42, 193, 23 IER Cases 1505 (1st Cir. 2006). 19. Section 406 of the Sarbanes-Oxley Act of 2002; SEC Item 406 of Regulation S-K; NASDAQ Rule 4350(n) and NYSE Listed Company Manual Section 303A(10).

CONTROL SYSTEMS

In addition, maintaining effective global control systems is important to companies subject to U.S. law to ensure that possible code of ethics violations, misconduct, and fraud are reported promptly. SOX demands that companies have control systems in place to ensure they can make timely and truthful public disclosures as required by applicable securities laws and issue accurate financial statements. 20 This in turn necessitates adequate reporting, or whistleblowing, procedures in order to detect fraud, permit proper information flow, and identify issues that could impact the veracity of the financial statements. A company's independent auditors will audit these controls and publicly disclose the results of that audit. The absence of a proper control environment can cause a company to fail an evaluation of its controls.

E.U. OVERVIEW AND FRENCH RESPONSE

Rulings by the French data protection agency (CNIL) against McDonald's and CEAC/Exide Technologies and a German labor court against Wal-Mart prevented these companies from implementing hotlines in those countries in the form proposed, at least without further precautions. The German decision held that the Wal-Mart hotline was illegal because it had been implemented by Wal-Mart without addressing the Section 87 Right of Co-Determination under the German Works Council Constitution Act. 21 In other words, Wal-Mart might have been able to implement a satisfactory hotline if it had first consulted with the works council, which has a right of co-determination in matters relating to the rules of operation of the establishment and conduct of employees.

The CNIL decisions in France were not based on labor law but rather on aspects of data protection and the fundamental principles of individual rights to privacy, human rights, and human dignity. Specific mention was made in the CNIL decision that the [making of] an ethics alert in an anonymous manner could only reinforce the risk of slanderous denunciations. Moreover, the commission considers that the system was disproportionate to the objectives

20. Section 404 of the Sarbanes-Oxley Act of 2002; SEC Rules 13a-15 and 15d-15 promulgated under the Securities Act of German Works Council Constitution Act (Betriebsverfassungsgesetz BetrVG).

sought and the risks of slanderous denunciations and the stigmatization of employees who are the subject of an ethics alert. 22 In addition, a Report by Public Concerns at Work, a U.K. not for profit organization on behalf of the European Commission, stated that the commission consider[ed], finally, that the employee [that] is subject to [the hotline] alert would not be, by definition, informed as soon as the data questioning their professional or personal integrity is recorded, and as such they would not have the means to contest the processing of such data. 23

The implementation of whistleblowing hotlines in the E.U. raises issues of anonymity and the regulatory infrastructure within which such hotlines are implemented. E.U. data protection principles, embodied in each of those E.U. countries' data protection laws 24 require, among other things, that in relation to personal data: an individual has a right to know what data is being processed about them; personal data has to be processed fairly and lawfully; personal data must be kept for no longer than is necessary and must be accurate and up-to-date; personal data must be, at all times, kept secure and where processed by a third party be managed securely; and personal data should not be transferred outside the European Economic Area (EEA) to any other country that does not have adequate data protection for the rights of the individual.

In many of the current implementations of whistleblowing hotlines, compliance with the above fundamental E.U. data protection rights may not have been adequately addressed or may not have been addressed at all. For example, E.U. individuals need to be notified what data will or may be collected about them. Without a detailed statement and policy concerning whistleblowing, this principle may be violated.

22. See n. 3; English translation (unofficial) available at: newsletter/details.asp?id= Whistleblowing, Fraud & The European Union ISBN (95/46/EC).

FRENCH GUIDELINES

The final CNIL Guidelines, issued November 10, 2005 and posted on the CNIL website on November 15, clearly acknowledged the legitimacy of whistleblower mechanisms, 26 including SOX ones. It provided a pragmatic and practical approach, allowing U.S. and other companies operating in France a specific framework for dual compliance. Scope limitations, non-mandatory reporting, emphasis on confidentiality, individual subject notice and access rights, cross-border transfer precautions, and other typical conditions of E.U. data protection law were incorporated.

At the end of December 2005 the CNIL published a Decision (Single Authorization AU-004) consistent with the CNIL Guidelines, such that if the CNIL Guidelines and the CNIL Decision are followed, it will grant an online single authorization to an organization that commits to implementing a compliant whistleblowing scheme. The CNIL Decision itself has a number of key requirements, which mirror the CNIL Guidelines. 27 The CNIL Decision implements the CNIL Guidelines with a web-based compliance mechanism and the CNIL FAQs explain in more explicit detail.

CNIL SINGLE AUTHORIZATION (AU 004) ONLINE PROCESS

The standard CNIL authorization process requires the filing of a complete application that must be examined at a plenary session of the CNIL within two months of such filing, provided no additional information is requested by the CNIL. The single authorization is much simpler and quicker, and is achieved by completing an on-line declaration. 28 The CNIL then issues an acknowledgement of filing, anticipated within a week or two, and the company can then implement the whistleblowing scheme immediately and without having to submit the scheme to further CNIL scrutiny or review. Additionally, under certain conditions, this acknowledgment allows cross-border transfers of personal data within the whistleblowing scheme.

CNIL Guidelines, supra n.6 this chapter. 26. CNIL Guidelines, pp The CNIL documents have been translated into English and are available on the WLG website (under Publications, Practice, Privacy Matters). 28. The CNIL's online single authorization form is at index.php?id=1758 and the WLG's informational English translation and explanation featuring web snapshots of same is at cgibin/pubs/forms.doc 29. Id. at p. 6, WLG's informational translation of CNIL forms document (

If the company wishes to implement a program that does not precisely match the requirements of the Guidelines and Decision, then it may still complete an application but this will be subject to examination by the CNIL as provided by the CNIL's standard authorization process. 30 The on-line declaration requires the organization implementing the whistleblowing scheme to indicate its legal nature, the name, address, and contact details of the entity responsible for implementation, the name, address, and contact details of the person responsible for compliance in general, of the person responsible for the right to access personal data, of the person whom the CNIL can contact, and a purpose section that requires the organization to indicate which software is used, how many persons are concerned by the whistleblowing system, the year of its implementation, and whether data will be transferred to countries outside the E.U. (if so, the countries concerned have to be specified in a list).

The specifics of the CNIL Guidelines and CNIL Decision are summarized in the next section on General Compliance Techniques.

GENERAL COMPLIANCE TECHNIQUES

Possible options, either individually or taken together, that appear to be responsive to concerns of French, German or other E.U. Member States' data protection or labor authorities in respect of reporting mechanisms are described below. Some parts of the CNIL Guidelines and CNIL Decision and Art. 29 Guidelines such as confidentiality of report processing, limited internal disclosures, and clear communication to employees of the whistleblower program will be easy for U.S. companies to implement if they have not already done so. Other requirements regarding scope limitations, data retention periods and notice to accused persons will likely take further adjustment.

1. Limiting or adjusting the scope of the hotline or reporting program (and possibly the scope of the company code of conduct) in that country to SOX or other required provisions like audit, accounting, fraud, or financial irregularity issues and not other matters such as general labor, harassment, employment, or environment ones.

Titrating or limiting hotline, web or other reporting modalities to SOX or other required subjects, like fraud, financial, accounting, and auditing matters, would help satisfy E.U. country data protection authorities and perhaps even E.U. country labor officials or courts. The CNIL

30. CNIL Introduction at p. 2. The official French version is at index.php?id=1915 and the WLG's informational English translation is at

Guidelines and Decision state that whistleblower programs limited in scope to SOX or other required subject matter will be permitted under the single authorization from the CNIL. 31 Programs which are not so narrowed will be subject to a case by case review by the CNIL as to legitimacy of the program's purposes and proportionality of the contemplated program. 32 The Art. 29 Guidelines are likewise focused on whistleblower programs related to accounting, internal accounting controls, auditing matters, anti-bribery, and financial and banking crimes, 33 which are viewed by them as having a legitimate basis in legal obligations for a company to implement a whistleblowing program. 34

This option can be implemented consistent with SOX obligations because the accounting and auditing hotline or reporting mechanism required by Section 301 of SOX is permissible under the CNIL Guidelines and Decision, and broad codes of conduct which encompass many additional substantive areas, some of which may not be specifically required by SOX, can be amended to be more limited in scope and then submitted to the CNIL for approval. Codes of ethics and conduct under SOX must include provisions that require prompt reporting of code violations, and, at a minimum, the code must deal with the following topics: ethical conduct, conflicts of interest, SEC disclosure matters, violations of law and other improprieties that in some cases impact financial statements and accounting. All of these topics, for instance, are clearly permissible subject matter under the CNIL and Art. 29 Guidelines and are spelled out in the CNIL FAQs. 35 Non-financial or non-SOX matters, such as labor, employment, or sexual harassment subjects, the French indicate, ought to be dealt with in a more traditional manner of reporting, such as chain-of-command, including reporting to Human Resources.

This narrowed subject matter approach, nevertheless, may be viewed as impractical from an overall compliance perspective by some companies; it is seen as unnecessarily limiting reports on non-financial matters using the hotline or unduly restricting fraud investigations. Perhaps to anticipate this dilemma and resolve it, the CNIL FAQs permit serious complaints outside of the scope of the whistleblower system to be considered and forwarded within the organization. 36 This must be done on a case-by-case basis, provided these matters affect the vital interests of the company or the physical or emotional integrity of employees. Examples of such serious matters, according to the CNIL

31. CNIL Guidelines at No. 1, p. 3, and Introduction, p. 1; CNIL Decision, Art. 1, p Id. at p Art. 29 Guidelines, at p. 4. Not addressed in the Art. 29 Guidelines were whistleblower programs for workers' health and safety, environmental damage, and commission of other offenses. Id. at p Id. at pp CNIL FAQ, No CNIL FAQ, No. 9.

FAQs, are endangerment of another employee, emotional or mental harassment, sexual harassment, discrimination, serious harm to the environment or to public health, divulging a business secret, and serious risk to computer security of the company. 37 If it is not a required SOX topic, whether to eliminate a substantive area from a code of conduct hotline is not a SOX matter, but a largely company-specific strategic choice. It would then be up to the entity on a case by case basis to convince the CNIL that its program of a broader scope is compliant with the other principles of the CNIL Guidelines, especially the legitimacy of the program's purposes and proportionality.

2. Making anonymity available, but not requiring it of the reporting individual, and/or asking the reporting individual if his/her name may be used in the report.

This approach would avoid some anonymous reporting and appears to be acceptable within the SOX framework, as long as at least one anonymous reporting mechanism is made available. Under these conditions, voluntary disclosure by the reporting individual of his/her name would not appear to violate or undermine SOX requirements. If the reporting individual insists on anonymity, this of course must be respected under SOX. Anonymity would be allowed, even by the CNIL and under the Art. 29 Guidelines, as long as it is not made compulsory and not actively encouraged by the company and the individual has a choice of how to report. 38 The fine line, it seems, for U.S. company dual compliance is to make available anonymous reporting but not encourage or discourage it. Third party service providers assisting publicly traded companies offer a menu of options in this regard. The CNIL FAQs itemize the contractual and other obligations of third party providers in doing so. 39

The CNIL Guidelines indicate that such whistleblowing schemes should not be made mandatory for employees and reflect the CNIL's notion that an identified alert assures better processing of such reports. 40 The Art. 29 Guidelines also do not view anonymity as a good solution, but allow it, suggesting that such reports perhaps ought to be investigated with even greater dispatch due to the perceived risk of misuse. 41 Prior to accepting an anonymous report, the Art. 29 Guidelines indicate that the whistleblower should be informed that he/she will not suffer or be retaliated against for the report, and that his/her identity will be kept confidential and not disclosed to third parties such as the incriminated person and the employee's line supervisor.

Id. 38. CNIL Guidelines at No. 1, p. 2 4; CNIL Decision, Art. 2, pp CNIL FAQ, No CNIL Guidelines at Nos. 1 and 3, p Art. 29 Guidelines, at p Id.

3. Non-mandatory reporting for E.U.-based employees. The CNIL Guidelines and Decision, as noted, indicate that a whistleblowing scheme should not be made compulsory for employees. Such limitations would help satisfy the CNIL and labor courts in Germany and perhaps elsewhere. Many SOX-inspired codes of conduct, however, require employees to report violations and risk discipline if they do not report obvious or known violations. It is not clear how U.S. companies will react to this suggestion as it potentially presents a lesser level of reporting obligations for E.U. versus U.S. employees on critical topics. One possible compromise is not to require reporting, but instead state that companies expect violations to be reported.

4. Either keep the personal data of the accused or other persons in the E.U. member country, or adhere to E.U. cross-border data transfer obligations if personal data is transmitted outside of the E.U. member country to the U.S. As to labor, employment, or non-SOX issues or matters not material to accounting matters and financial statements, keeping E.U. personal data in the E.U. may well work under SOX, or at least not impinge on its purposes. As respects any reports that involve financial statements, fraud, auditing, or any material matter, this may not be a practical option for companies whose nerve center is in the United States; these reports will need to be forwarded immediately, and (as to financial matters) generally sent to the chairman of the audit committee in the U.S. SOX rules require audit committees to receive, handle, and treat complaints within their subject matter area. Publicly traded companies need to maintain a system of controls that permit rapid analysis, investigation, and remedial action as to events or occurrences that are potentially disclosable and/or which could materially impact their financial statements.
This option of keeping personal data in the E.U. country, as noted, may be possible for routine employment or related matters not within the purview of the audit committee, such as labor or employment issues that do not implicate financial statements or accounting. The difficulty with this approach is that many matters that could have a potential impact on accounting or financial statements also involve individual behavior. E.U. personal data transfer to the U.S. headquarters or elsewhere outside of the European Economic Area ("EEA") is perfectly permissible under E.U. data protection laws if appropriate cross-border data protections are employed. The Art. 29 Guidelines and the CNIL Guidelines and Decision also require this. 43 Personal data transfers outside of the E.U. to countries like the U.S. do require special procedures and precautions, but these do not implicate SOX. This is a fundamental precept of E.U. data protection law and is imbedded in every E.U. member state data protection statute.

If personal data is transmitted, for example from the E.U. branch office or an employee reporting from the E.U. country, the U.S. entity recipient should have in place an appropriate cross-border transfer solution: either consent of the individual affected (sometimes impractical), a data protection agreement (the E.C. provides model data processor and data controller clauses) or have certified for the U.S. Safe Harbor (administered by the U.S. Dept. of Commerce and enforced by the FTC). More sophisticated transfer methods such as global privacy policies or binding corporate rules may also be approved by the E.C. in coming years. There are certain limited exceptions to E.U. data transfer obligations to other countries outside the E.U., which should be evaluated on a case-by-case basis.

Many U.S. companies are seemingly not aware of E.U. cross-border transfer obligations or on occasion appear to ignore them. The U.S. Safe Harbor, laboriously negotiated by the U.S. and E.U., is an effective, increasingly utilized vehicle for U.S. company compliance, but does carry with it FTC oversight authority of relevant company privacy policy implementation. The new E.C. data controller clauses, approved 27 December 2004 by the E.C. (fashioned after the ICC proposal), for data protection agreements are a pragmatic and relatively easy alternative. Even the prior E.C. model clauses of 2001 are quite manageable for friendly, intra-company data transfers.

43. Art. 29 Guidelines, at 17, CNIL Guidelines at No. 7, p. 6; CNIL Decision, Art. 5, p 4.

5. Prompt notification to the person accused or reported on of the details of the accusation, once security or evidence preservation has been done. Prompt notice or disclosure of complaint details to the accused or reported-on individual is an important factor in having U.S.-styled hotlines approved by E.U. data protection authorities, at least in France, if not elsewhere.
Such disclosures would not violate or impact SOX laws unless notification to the accused individual materially compromises the company's control environment. The Art. 29 Guidelines and the CNIL Guidelines and Decision provide that the incriminated person must be notified by the person in charge as soon as data is collected about him or her. 44 There is a delay exception where indispensable protective measures need to be taken, such as to prevent destruction of evidence. 45 This includes, where appropriate, securing, copying, or backing-up computer data of the accused individual or others, or taking other measures to protect or secure evidence and prevent its destruction.

44. Art. 29 Guidelines, at p. 13; CNIL Guidelines at No. 10, pp. 6 7; CNIL Decision, Art. 9, p Id.

As a matter of investigatory best practices, it may be viewed by some as imprudent to disclose to the accused person the details of the complaint before certain parts of an investigation have been accomplished, particularly in fraud matters. The delay exclusion for disclosure ought to mitigate this concern. Notice to a data subject, however, is a basic principle in data protection laws in all E.U. countries, and will require at least some disclosures to the incriminated person, most likely sooner than later.

6. Provide accused individual right to respond/contest or rectify information. A fundamental right of E.U. data protection laws is to allow an individual identified in a whistleblowing report to access his or her data and request rectification or even deletion of it (under French data protection law droit d'opposition, the right to refuse collection of personal data). The Art. 29 Guidelines and the CNIL Guidelines and Decision emphasize this, but note that such access rights do not include entitlement to information about third parties, such as the whistleblower's identity. 46 Under French data protection law, subject access rights can be denied, however, if the access request is blatantly abusive.

7. Limiting reporting to mail, drop-box or non-automated means. If a company wishes to limit its whistleblower mechanism to mail or a hand drop-box, and not track complaints electronically, it can probably avoid CNIL oversight and approval altogether. CNIL prior authorization only applies to data collection mechanisms undertaken by automated means. 47 While that term is not adequately defined, it would seem to exclude regular mail, a drop-box, and perhaps individual e-mail complaints as long as there was no internal company database to identify, sort, store, facilitate, and/or monitor reports, investigation progress, or results.
Given the nearly ubiquitous electronic nature and storage of hotline, web, and e-reporting, not to mention internal company tracking and/or forwarding of such complaints, most whistleblower schemes with the exception of pure mail or drop box (with no electronic logging) will be considered automated in France. The French Data Protection Act of 6 January 1978, as amended in 2004, applies to both automated and non-automated means, and thus hard copy data collection is still subject to data protection principles, according to CNIL FAQ 8, regardless of no CNIL oversight.

46. Art. 29 Guidelines, at p. 14; CNIL Guidelines at No. 11, p. 7; CNIL Decision, Art. 10, p CNIL Guidelines at Introduction.

8. Monitoring or controlling data retention from whistleblower reports. This aspect may prove to be among the most problematic for U.S. companies. The Art. 29 Guidelines and the CNIL Guidelines and Decision, for example, provide that a whistleblower complaint found by the entity to be unsubstantiated should be deleted immediately. 48 What that means for or web recorded complaints is unclear. If made inaccessible, segregated, or archived is what is intended, then various security features, encryption, or access controls should be adequate. (Otherwise, somewhat more sophisticated data scrubbers or related software tools would need to be employed for actual or comprehensive e-record deletion.)

The Art. 29 Guidelines and the CNIL Guidelines and Decision further state that personal data related to whistleblower reports should not be kept more than two months after closure of the investigation (or "verification") unless discipline procedures against the accused person are undertaken or there is other legal or court action against the incriminated person or the author of an abusive alert. 49 After the two-month period if disciplinary proceedings are initiated, the report can be kept until the end of the disciplinary procedure; if the employer does not act upon the report, relevant data in France is to be either destroyed or archived. 50 The problem with this formulation is that statute of limitations or regulatory obligations in the U.S. may necessitate a longer interval. One alternative that has been suggested is to keep the investigation open to the extent necessary, where appropriate, delaying the two-month period required for personal data deletion.

Archival is permitted for certain data unrelated to or beyond the required whistleblower program scope, including in the CNIL Guidelines and Decision if it affects the physical safety of others or vital interests of the company. 51 Archival data can be kept up to 30 years, according to the CNIL FAQs. 52 The Art. 29 Guidelines also note that national rules regarding archiving data remain applicable, 53 which may specify the purposes for access, categories of persons who may have access, and other relevant security rules.

Art. 29 Guidelines, at p. 12; CNIL Guidelines at No. 9, p. 6; CNIL Decision, Art. 6, pp Id. 50. CNIL FAQ, No CNIL Decision, Art. 3 and 6, pp CNIL FAQ, No Art. 29 Guidelines, at p Id.

9. Negotiate with the Works Council if the employer has one. If subject to an E.U. Works Council requirement, the employer could voluntarily try to negotiate the scope of a mutually acceptable hotline, reporting, and code of conduct terms, especially for labor or employment related matters, or encompassing the items discussed above. Success in this regard would also help with local data protection authority issues. As noted above, a reduced version addressing only SOX or other required standards may not be preferable or acceptable to some U.S. companies.

10. Plan strategy and notification to E.U. data protection authorities based on the E.U. countries in which the entity operates. Britain, Ireland, and Poland appear more receptive to hotlines and reporting than France, Germany, Belgium, and probably Spain, Portugal, Italy, and others. Where the company operates in the E.U. may determine its risk profile, and a pan-European strategy may even be necessary. Many E.U. countries require an entity collecting personal data to register or notify the data protection authority in that country or region of its data activities. This is normally a pro-forma function, but failure to do so may constitute a criminal offense in some E.U. countries, like the U.K. Likewise, the Art. 29 Guidelines note that whistleblowing schemes may require notification and/or approval of data protection authorities, 55 as in France.

INDIVIDUAL E.U. MEMBER STATE ANALYSIS/SOLUTIONS

GERMANY

From a German legal perspective, the implementation of a whistleblower hotline and binding codes of ethics and conduct involves both privacy and labor law issues. The recent decision of the Labor Law Court of Wuppertal 56 focused almost entirely on the labor law aspects and left aside possible data protection issues. However, both aspects have to be taken into account when implementing codes of conduct and whistleblower hotlines in Germany.

55. Art. 29 Guidelines, at p Labour Court (Arbeitsgericht ArbG) Wuppertal, decision dated 15 June 2005, court reference: 5 BV 20/05; English translation available at: newsletter/details.asp?id=

Wal-Mart Decision

In its Wal-Mart decision the Labor Law Court of Wuppertal held that major parts of Wal-Mart's code of conduct were invalid and that Wal-Mart had to stop providing its whistleblower hotline for German Wal-Mart employees until an agreement with the works council of Wal-Mart is reached. According to the decision, 57 Wal-Mart tried to implement a German language version of its global code of conduct and obligated the employees of the German subsidiaries to adhere to its provisions. The code of conduct in particular contained guidelines on the prevention and handling of conflicts of interest, confidentiality, fair conduct of daily business and the protection of company assets. All employees were obligated to report any possible violations of the code to the company. In order to do so, Wal-Mart offered a toll-free telephone hotline which would treat information provided by whistleblowers on an anonymous basis. The works council of the German subsidiary of Wal-Mart was not involved in the drafting and implementing of the code of conduct.

The works council subsequently took the German subsidiary of Wal-Mart to court and argued that the implementation of the code of conduct in Germany would be subject to a co-determination right according to the German Works Council Constitution Act. Wal-Mart's works council asked the court to establish that: the implementation of the code of conduct as a whole; alternatively, the individual guidelines of the code of conduct; and the operation of the telephone hotline would be subject to a co-determination right and therefore would require the consent of the Wal-Mart works council. The Labor Law Court of Wuppertal held that the implementation of a code of conduct as a whole does not require the consent of the works council per se.
In fact, the Court stated that some of the provisions of the code can be implemented without the consent of the works council, including those pertaining to financial integrity and accounting, insider trading, confidentiality and trade secrets, supplier/customer relationships, anti-discrimination, and the use of company property. However, the implementation and operation of the telephone hotline and provisions relating to presents and gifts, media statements, harassment, inappropriate behavior, private relationships, access to employee files, and alcohol and drug abuse, would be subject to the consent of the works council. In addition, some of these provisions, such as those relating to personality rights (i.e., private relations with co-workers, private life issues, and the like), would likely be unenforceable even if approved by the works council under existing German law.

57. Id.

Wal-Mart appealed the case and in November 2005 the higher labor court of Duesseldorf upheld all relevant parts of the decision of the Labor Law Court of Wuppertal. 58 A further leave to appeal from this has now reportedly been granted to Wal-Mart by the Federal Labor Court. Although the decision is not yet legally final, there is some likelihood that the decision will be upheld upon further appeal. This does not mean, however, that a whistleblower hotline or the implementation of a code of conduct and ethics would not be feasible in Germany. To do so, it is necessary, however, to give some additional consideration to German data protection issues and labor law.

The Works Council and the Right of Co-Determination

The Wal-Mart decision is based on a particularity of German labor law, namely the right of co-determination which is contained in the Works Council Constitution Act. The Act stipulates that works councils must be established in all companies that have five or more regular employees. The function of the works council is to protect the collective labor rights of the employees of the company. In the Works Council Constitution Act, works councils in Germany are given extensive rights of information, consultation, and co-determination. In particular, the works council is granted an explicit set of co-determination rights on matters where the works council has actual joint decision-making authority. These rights are only granted if the employees choose to actually elect a works council.
Examples of those areas in which a works council has joint decision-making authority with management are not only the regulation of overtime and reduced working hours but also the introduction and operation of technical devices to monitor the behavior or performance of the employees (section 87 No. 6 German Works Council Constitution Act), and matters relating to the rules of operation of the establishment and the conduct of employees in the establishment (section 87 No. 1 German Works Council Constitution Act). In the Wal-Mart decision the court held that the introduction of binding rules and a hotline, where the employees were obligated to adhere to rules that had no direct connection to the performance of the contractual obligation of the employee, were subject to co-determination rights of both

58. Higher Labour Court (Landesarbeitsgericht LarbG) Dusseldorf, decision dated 14 November 2005, court reference: 10 TaBV 46/05.


DISCIPLINARY POLICY AND PROCEDURE

DISCIPLINARY POLICY AND PROCEDURE DISCIPLINARY POLICY AND PROCEDURE Date of Publication: April 2013 Agreed by: Vice Chancellor s Executive March 2013 Page 1 of 13 Policy 1.0 Introduction The purpose of the disciplinary policy and procedure

More information

Form 990 Policy Series

Form 990 Policy Series Form 990 Policy Series The attached Memorandum is a part of the Form 990 Policy Series, developed by a group of lawyers, all members of the California bar and practicing nonprofit law (the Form 990 Policy

More information

Helix Energy Solutions Group, Inc. Code of Business Conduct and Ethics

Helix Energy Solutions Group, Inc. Code of Business Conduct and Ethics Helix Energy Solutions Group, Inc. Code of Business Conduct and Ethics Introduction This Code of Business Conduct and Ethics ( Code ) covers a wide range of business practices and procedures. It does not

More information

LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT

LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT 2300 Pursuant to its authority from Article 59 of the Rules of Procedure of the Croatian Parliament, the Legislation Committee determined the revised text

More information

Binding Corporate Rules ( BCR ) Summary of Third Party Rights

Binding Corporate Rules ( BCR ) Summary of Third Party Rights Binding Corporate Rules ( BCR ) Summary of Third Party Rights This document contains in its Sections 3 9 all provision of the Binding Corporate Rules (BCR) for Siemens Group Companies and Other Adopting

More information

PART THREE: TEMPLATE POLICY ON GENDER-BASED VIOLENCE AND THE WORKPLACE

PART THREE: TEMPLATE POLICY ON GENDER-BASED VIOLENCE AND THE WORKPLACE PART THREE: TEMPLATE POLICY ON GENDER-BASED VIOLENCE AND THE WORKPLACE Draft Organization s Bulletin The Secretary-General, for the purpose of preventing and addressing cases of Genderbased Violence (as

More information

EU Data Protection Directive and U.S. Safe Harbor Framework: An Employer Update. By Stephen H. LaCount, Esq.

EU Data Protection Directive and U.S. Safe Harbor Framework: An Employer Update. By Stephen H. LaCount, Esq. EU Data Protection Directive and U.S. Safe Harbor Framework: An Employer Update By Stephen H. LaCount, Esq. Overview The European Union Data Protection Directive 95/46/EC ( Directive ) went effective in

More information

PHI Air Medical, L.L.C. Compliance Plan

PHI Air Medical, L.L.C. Compliance Plan Page No. 1 of 13 Introduction: The PHI Air Medical, L.L.C. is to be used by employees, contractors and vendors to get a high level understanding of the key regulatory requirements relating to our participation

More information

NETGEAR, INC. CODE OF BUSINESS ETHICS AND CONFLICT OF INTEREST POLICY FOR DIRECTORS, OFFICERS AND KEY EMPLOYEES

NETGEAR, INC. CODE OF BUSINESS ETHICS AND CONFLICT OF INTEREST POLICY FOR DIRECTORS, OFFICERS AND KEY EMPLOYEES NETGEAR, INC. CODE OF BUSINESS ETHICS AND CONFLICT OF INTEREST POLICY FOR DIRECTORS, OFFICERS AND KEY EMPLOYEES I. INTRODUCTION This Code of Ethics and Conflict of Interest Policy (collectively, the Code

More information

Data Processing Agreement for Oracle Cloud Services

Data Processing Agreement for Oracle Cloud Services Data Processing Agreement for Oracle Cloud Services Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle s Cloud Services

More information

Recommendations for companies planning to use Cloud computing services

Recommendations for companies planning to use Cloud computing services Recommendations for companies planning to use Cloud computing services From a legal standpoint, CNIL finds that Cloud computing raises a number of difficulties with regard to compliance with the legislation

More information

Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information

Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information INTRODUCTION Privacy legislation establishes legal privacy rights for individuals and sets enforceable

More information

Ryanair Holdings PLC Code of Business Conduct & Ethics 2012

Ryanair Holdings PLC Code of Business Conduct & Ethics 2012 Ryanair Holdings PLC Code of Business Conduct & Ethics 2012 1 TABLE OF CONTENTS 1. INTRODUCTION 3 2. WORK ENVIRONMENT 3 2.1 Discrimination & Harassment 3 2.2 Privacy of Personal Information 3 2.3 Internet

More information

Credit Union Code for the Protection of Personal Information

Credit Union Code for the Protection of Personal Information Introduction Canada is part of a global economy based on the creation, processing, and exchange of information. The technology underlying the information economy provides a number of benefits that improve

More information

CITY OF LOS ANGELES SEXUAL ORIENTATION, GENDER IDENTITY, AND GENDER EXPRESSION DISCRIMINATION COMPLAINT PROCEDURE

CITY OF LOS ANGELES SEXUAL ORIENTATION, GENDER IDENTITY, AND GENDER EXPRESSION DISCRIMINATION COMPLAINT PROCEDURE CITY OF LOS ANGELES SEXUAL ORIENTATION, GENDER IDENTITY, AND GENDER EXPRESSION DISCRIMINATION COMPLAINT PROCEDURE The policy of the City of Los Angeles has been, and will continue to be, to promote and

More information

IMAX CORPORATION PROTOCOL FOR REPORTING SUSPECTED VIOLATIONS OF THE IMAX CODE OF ETHICS. (Whistle Blower Program)

IMAX CORPORATION PROTOCOL FOR REPORTING SUSPECTED VIOLATIONS OF THE IMAX CODE OF ETHICS. (Whistle Blower Program) IMAX CORPORATION PROTOCOL FOR REPORTING SUSPECTED VIOLATIONS OF THE IMAX CODE OF ETHICS (Whistle Blower Program) November 2004 (updated February 2012) PROTOCOL FOR REPORTING SUSPECTED VIOLATIONS OF THE

More information

POLICY. on the Protection of Personal Data of Persons of Concern to UNHCR DATA PROTECTION POLICY

POLICY. on the Protection of Personal Data of Persons of Concern to UNHCR DATA PROTECTION POLICY POLICY on the Protection of Personal Data of Persons of Concern to UNHCR DATA PROTECTION POLICY CONTENTS 2 DATA PROTECTION POLICY 1 GENERAL PROVISIONS... 6 1.1 Purpose... 7 1.2 Rationale... 7 1.3 Scope...

More information

Human Resources People and Organisational Development. Disciplinary Procedure for Senior Staff

Human Resources People and Organisational Development. Disciplinary Procedure for Senior Staff Human Resources People and Organisational Development Disciplinary Procedure for Senior Staff AUGUST 2015 1. Introduction 1.1 This procedure applies to Senior Staff. Senior Staff includes: 1.1.1 the Vice-Chancellor

More information

LANTHEUS HOLDINGS, INC. Foreign Corrupt Practices Act and Anti-Bribery Compliance Policy

LANTHEUS HOLDINGS, INC. Foreign Corrupt Practices Act and Anti-Bribery Compliance Policy LANTHEUS HOLDINGS, INC. Foreign Corrupt Practices Act and Anti-Bribery Compliance Policy 1. Introduction. Applicability. This Foreign Corrupt Practices Act and Anti-Bribery Compliance Policy (this Policy

More information

TITLE: Scripps Compliance Program

TITLE: Scripps Compliance Program PAGE 1 of 7 TITLE: Scripps Compliance Program IDENTIFIER: S-FW-LD-1003 APPROVED: Executive Cabinet 08/14/12 ORIGINAL FORMULATION: 11/00 REVISED: 02/06, 11/06, 10/09, 08/12 REVIEWED: EFFECTIVE: Acute Care:

More information

code of Business Conduct and ethics

code of Business Conduct and ethics code of Business Conduct and ethics Introduction This document provides information about our Code of Business Conduct and Ethics. All directors, officers and employees are individually and collectively

More information

M E M O R A N D U M. The Policy provides for blackout periods during which you are prohibited from buying or selling Company securities.

M E M O R A N D U M. The Policy provides for blackout periods during which you are prohibited from buying or selling Company securities. M E M O R A N D U M TO: FROM: All Directors, Officers and Covered Persons of Power Solutions International, Inc. and its Subsidiaries Catherine Andrews General Counsel and Insider Trading Compliance Officer

More information

For personal use only

For personal use only CONTENTS Introduction Objective Scope Standards of Behaviour Work Environment Community Engagement Financial Information and Integrity Company Property and Information Bribery and Corruption Breaches Approval

More information

Policy-Standard heading. Fraud and Corruption Policy

Policy-Standard heading. Fraud and Corruption Policy Policy-Standard heading Fraud and Corruption Policy September 2013 Table of contents Introduction 3 Purpose 3 Scope 3 Related Policies and Processes 3 Definition of Fraud and Corruption 4 Policy 4 Code

More information

How To Get A Whistleblower Pass On A Corporation

How To Get A Whistleblower Pass On A Corporation FLORIDA SARBANES OXLEY ACT What a Whistleblower Needs to Know Corporations have a legal and moral obligation to both their employees and their investors to ensure that the company is both profitable and

More information

2012-2013 MEDICARE COMPLIANCE TRAINING EMPLOYEES & FDR S. 2012 Revised

2012-2013 MEDICARE COMPLIANCE TRAINING EMPLOYEES & FDR S. 2012 Revised 2012-2013 MEDICARE COMPLIANCE TRAINING EMPLOYEES & FDR S 2012 Revised 1 Introduction CMS Requirements As of January 1, 2011, Federal Regulations require that Medicare Advantage Organizations (MAOs) and

More information

Business Ethics Policy

Business Ethics Policy Business Ethics Policy Page 1 of 12 Preface and document control This document is intended to provide information in respect of G4S Group Head Office policy, procedure, standards or guidance and will be

More information

Code of Conduct. Code of Conduct, 2009 Version 1.0

Code of Conduct. Code of Conduct, 2009 Version 1.0 Code of Conduct Code of Conduct, 2009 Version 1.0 Contents A. Introduction... 3 B. Application of the Code... 3 C. Basic Rules of Conduct... 4 Avoidance of Conflicts of Interest... 5 Mutual Respect...

More information

STATEMENT FROM THE CHAIRMAN

STATEMENT FROM THE CHAIRMAN STATEMENT FROM THE CHAIRMAN In an ever-changing global marketplace, it is important for all of us to have an understanding of the responsibilities each of have in carrying out day-to-day business decisions

More information

Elizabeth M. Murphy, Secretary Securities and Exchange Commission 100 F Street, NE Washington, DC 20549-1090 USA

Elizabeth M. Murphy, Secretary Securities and Exchange Commission 100 F Street, NE Washington, DC 20549-1090 USA December 17, 2010 Elizabeth M. Murphy, Secretary Securities and Exchange Commission 100 F Street, NE Washington, DC 20549-1090 USA Response e- mailed to rule- comments@sec.gov RE: Response to the Securities

More information

Whistle Blower Policy

Whistle Blower Policy OBJECTIVE Whistle Blower Policy This policy seeks the support of RBNL employees, channel partners and vendors to report Significant deviations from key management policies and report any non-compliance

More information

POLICY SUBJECT: EFFECTIVE DATE: 5/31/2013. To be reviewed at least annually by the Ethics & Compliance Committee COMPLIANCE PLAN OVERVIEW

POLICY SUBJECT: EFFECTIVE DATE: 5/31/2013. To be reviewed at least annually by the Ethics & Compliance Committee COMPLIANCE PLAN OVERVIEW Compliance Policy Number 1 POLICY SUBJECT: EFFECTIVE DATE: 5/31/2013 Compliance Plan To be reviewed at least annually by the Ethics & Compliance Committee COMPLIANCE PLAN OVERVIEW Sound Inpatient Physicians,

More information

Human Resources and Data Protection

Human Resources and Data Protection Human Resources and Data Protection Contents 1. Policy Statement... 1 2. Scope... 2 3. What is personal data?... 2 4. Processing data... 3 5. The eight principles of the Data Protection Act... 4 6. Council

More information

MATTHEWS INTERNATIONAL CORPORATION

MATTHEWS INTERNATIONAL CORPORATION MATTHEWS INTERNATIONAL CORPORATION U.S. FOREIGN CORRUPT PRACTICES ACT COMPLIANCE POLICY INTRODUCTION Principles Underlying the United States Foreign Corrupt Practices Act ( FCPA ). The FCPA s Anti-Bribery

More information

INTERNATIONAL SOS. Data Protection Policy. Version 1.05

INTERNATIONAL SOS. Data Protection Policy. Version 1.05 INTERNATIONAL SOS Data Protection Policy Document Owner: LCIS Division Document Manager: Group General Counsel Effective: December 2008 Revised: 2015 All copyright in these materials are reserved to AEA

More information

technical factsheet 176

technical factsheet 176 technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection

More information

Compliance Plan False Claims Act & Whistleblower Provisions Purpose/Policy/Procedures

Compliance Plan False Claims Act & Whistleblower Provisions Purpose/Policy/Procedures CATHOLIC CHARITIES OF THE ROMAN CATHOLIC DIOCESE OF SYRACUSE, NY and TOOMEY RESIDENTIAL AND COMMUNITY SERVICES Compliance Plan False Claims Act & Whistleblower Provisions Purpose/Policy/Procedures Purpose:

More information

CODE OF CONDUCT AND ETHICS

CODE OF CONDUCT AND ETHICS The masculine gender is used in this document without any discrimination and refers to both masculine and feminine genders. TABLE OF CONTENTS TABLE OF CONTENTS... 2 A. WHO THIS CODE APPLIES TO... 3 B.

More information

Insurance Europe key messages on the European Commission's proposed General Data Protection Regulation

Insurance Europe key messages on the European Commission's proposed General Data Protection Regulation Position Paper Insurance Europe key messages on the European Commission's proposed General Data Protection Regulation Our reference: SMC-DAT-12-064 Date: 3 September 2012 Related documents: Proposal for

More information

MULTILATERAL MEMORANDUM OF UNDERSTANDING CONCERNING CO-OPERATION IN THE EXCHANGE OF INFORMATION FOR AUDIT OVERSIGHT

MULTILATERAL MEMORANDUM OF UNDERSTANDING CONCERNING CO-OPERATION IN THE EXCHANGE OF INFORMATION FOR AUDIT OVERSIGHT MULTILATERAL MEMORANDUM OF UNDERSTANDING CONCERNING CO-OPERATION IN THE EXCHANGE OF INFORMATION FOR AUDIT OVERSIGHT INTERNATIONAL FORUM OF INDEPENDENT AUDIT REGULATORS Adopted on June 30, 2015 1 Table

More information

This policy applies to UNTHSC employees, volunteers, contractors and agents.

This policy applies to UNTHSC employees, volunteers, contractors and agents. Policies of the University of North Texas Health Science Center 3.102 Detecting and Responding to Fraud, Waste and Abuse Chapter 3 Compliance Policy Statement UNTHSC developed and implemented a Compliance

More information

Client Alert. SEC Proposes Rules for Implementing the Whistleblower Program Established by the Dodd-Frank Act; Comments Due December 17, 2010

Client Alert. SEC Proposes Rules for Implementing the Whistleblower Program Established by the Dodd-Frank Act; Comments Due December 17, 2010 Contact Attorneys Regarding This Matter: Joseph Alley Jr. 404.873.8688 - direct 404.873.8689 - fax joseph.alley@agg.com Aaron M. Danzig 404.873.8504 - direct 404.873.8505 - fax aaron.danzig@agg.com Robert

More information

HOW TO HANDLE A WHISTLEBLOWER REPORT IN THE EU

HOW TO HANDLE A WHISTLEBLOWER REPORT IN THE EU HOW TO HANDLE A WHISTLEBLOWER REPORT IN THE EU 10 April 2014 Monica Salgado Advogada registered with the Portuguese Ordem dos Advogados Registered European Lawyer with the SRA Kirsti Laird Solicitor, (qualified

More information

Act CLXV of 2013. on Complaints and Public Interest Disclosures. 1. Complaint and public interest disclosure

Act CLXV of 2013. on Complaints and Public Interest Disclosures. 1. Complaint and public interest disclosure Act CLXV of 2013 on Complaints and Public Interest Disclosures The National Assembly, committed to increasing public confidence in the functioning of public bodies, recognising the importance of complaints

More information

INSURANCE ACT 2008 CORPORATE GOVERNANCE CODE OF PRACTICE FOR REGULATED INSURANCE ENTITIES

INSURANCE ACT 2008 CORPORATE GOVERNANCE CODE OF PRACTICE FOR REGULATED INSURANCE ENTITIES SD 0880/10 INSURANCE ACT 2008 CORPORATE GOVERNANCE CODE OF PRACTICE FOR REGULATED INSURANCE ENTITIES Laid before Tynwald 16 November 2010 Coming into operation 1 October 2010 The Supervisor, after consulting

More information

Whistle Blower Policy

Whistle Blower Policy Whistle Blower Policy 1 Applicability This policy is applicable to: - All Employees, Business Associates, Contract Consultants (Retainers), Academic Interns and ACE Associates of Tata Consultancy Services.

More information

The Lawyer as Gatekeeper The Backdrop

The Lawyer as Gatekeeper The Backdrop Lawyers as Gatekeepers The SEC s New Focus on Inside and Outside Counsel Julie M. Allen Frank Zarb National Conference of the Society of Corporate Secretaries and Governance Professionals June 28, 2014

More information

POUGHKEEPSIE CITY SCHOOL DISTRICT PUPIL PERSONNEL DEPARTMENT S MEDICAID BILLING COMPLIANCE PROGRAM AND PROCEDURES

POUGHKEEPSIE CITY SCHOOL DISTRICT PUPIL PERSONNEL DEPARTMENT S MEDICAID BILLING COMPLIANCE PROGRAM AND PROCEDURES POUGHKEEPSIE CITY SCHOOL DISTRICT PUPIL PERSONNEL DEPARTMENT S MEDICAID BILLING COMPLIANCE PROGRAM AND PROCEDURES INTRODUCTION This Poughkeepsie City School District Medicaid Billing Compliance Program

More information

Risk and Audit Committee Terms of Reference. 16 June 2016

Risk and Audit Committee Terms of Reference. 16 June 2016 Risk and Audit Committee Terms of Reference 16 June 2016 Risk and Audit Committee Terms of Reference BHP Billiton Limited and BHP Billiton Plc Approved by the Boards of BHP Billiton Limited and BHP Billiton

More information

Data Protection Policy

Data Protection Policy Data Protection Policy CONTENTS Introduction...2 1. Statement of Intent...2 2. Fair Processing or Privacy Statement...3 3. Data Uses and Processes...4 4. Data Quality and Integrity...4 5. Technical and

More information

SAFE HARBOR PRIVACY NOTICE EFFECTIVE: July 1, 2005 AMENDED: July 15, 2014

SAFE HARBOR PRIVACY NOTICE EFFECTIVE: July 1, 2005 AMENDED: July 15, 2014 SAFE HARBOR PRIVACY NOTICE EFFECTIVE: July 1, 2005 AMENDED: July 15, 2014 This Notice sets forth the principles followed by United Technologies Corporation and its operating companies, subsidiaries, divisions

More information

Tax-Exempt Organizations Alert: Whistleblower Policies

Tax-Exempt Organizations Alert: Whistleblower Policies Tax-Exempt Organizations Alert: Whistleblower Policies Form 990, the annual information return form filed by public charities and other tax-exempt organizations, asks nonprofit organizations to state whether

More information