The Art of Constructing Global Whistleblowing Programmes

Transcription

1 The Art of Constructing Global Whistleblowing Programmes Mark E. Schreiber Chair, Privacy & Data Protection Group Steering Committee Edwards Wildman Palmer LLP 111 Huntington Avenue Boston, MA Suzanne Rodway Group Head of Privacy Royal Bank of Scotland Legal Level 5/Premier Place 2½ Devonshire Square / EC2M, 4BA 44 (0) Suzanne.rodway@rbs.com 2013 Edwards Wildman Palmer LLP & Edwards Wildman Palmer UK LLP

2 SOX and FCPA Hotlines SOX and U.S. stock exchange regulations require: mandatory code of conduct confidential, anonymous submission of concerns regarding questionable accounting or auditing receipt, retention and treatment of complaints apply outside U.S. to ensure reporting Variety of permissible methods to submit complaints phone or hotline, , mail, fax, drop-boxes Enhanced enforcement of FCPA, more than 100 ongoing DOJ investigations Industry wide investigations Spanning numerous countries 2

3 FCPA/SOX Hotline and Due Diligence Dilemmas FCPA hotline voluntary Often same telephone number/ as SOX ones Clash: French and German cases held U.S. company proposed whistleblowing schemes unlawful historical concern over informants numerous protections added few actual calls 3

4 General Resolution of EU Hotline Issues Political compromise reached Art. 29 Working Party issued guidelines: allows anonymous reporting under certain conditions SEC and Art. 29 letters workinggroup/wpdocs/2006-others_en.htm Prior non-compliance/ too hard to comply Now compliance possible and practical 4

5 What is the Goal? Rigorous compliance with FCPA/SOX Simultaneous compliance with E.U. data protection laws good faith compliance effort consistent with Art. 29 Working Party, CNIL and other guidelines SOX/FCPA Code of Conduct and anonymous reporting obligations Art. 29 W.P., CNIL and other E. U. country whistleblower guidelines E.U. data protection laws E.U. data protection laws 5

6 Where to Find What is Required by EU and Other Countries World Law Group Global Guide to Whistleblowing Programs, CNIL Guidelines, FAQ s CNIL on-line authorization Decision and forms (click on: Publications, Practice, Privacy) Dutch, Belgium guidelines and Spanish DPA whistleblower consult German guidelines (click on: Publications, Practice, Privacy) 6

7 Where to Find What is Required by EU and Other Countries Irish guidelines Swedish guidelines endast-chefer-och-andra-nyckelpersoner-far-anmalas-medwhistleblowing/ Danish guidelines Hungarian whistleblower law amendments Portuguese guidelines Deliberação Nº 765/2009 7

8 What Does This Process Take for Multi-National Companies? Reconfigure E.U. whistleblower mechanism new E.U. whistleblower protocol without disturbing Code of Conduct / Ethics or FCPA policy New E.U. whistleblower procedure addendum by country New E.U. employee notice of whistleblower program usually requires translation 8

9 What Will This Process Take? Procedure on pan-european basis adaptations/addendum by E.U./EEA or other country where company has operations Data Controller registration ( notification ) with Data Protection Authorities (DPAs) UK routine notifications (failure to do so is per se criminal offense) France, Belgium, Holland relatively easy Poland, Spain, Portugal, Bulgaria, Hungary more complex Russia probably Due diligence program may also require DPA notification depending on country Effect of New EU data protection regulation? 9

10 What Will This Process Take? Timelines of implementation: at least 6 months from start might take a year or more depending on number of countries draft helpline procedure and notice highlight country differences and addendum review by E.U. local counsel translation of documents, at least employee notices works council negotiations for WB programs DPA notifications appoint country data protection officers, e.g., in Germany, France, Switzerland so no DPA notification create/adjust training modules adapt investigatory procedures 10

11 What Will This Process Take? How do you handle hotline (or due diligence) in E.U. in the interim? leave on and operate? if reports, adhere to E.U. country data protection requirements in one-off events disable in all or some E.U. countries? France, Germany, Spain and elsewhere? SEC/FCPA compliance? work to adapt it? good faith efforts proof of activity companies must now address about data protection 11

12 What Will This Process Take? Who makes this decision in your company? others buy-in team in-house counsel (U.S. and E.U.) and staff, including compliance dept. outside counsel in both U.S. and E.U. countries combination 3rd Party Hotline Vendor usage mechanisms various levels of hotline interfaces and/or assistance very sophisticated already contract terms required by Art. 29, CNIL, etc. 12

13 Implementation Issues What is Required by E.C.? Narrowed SOX code proportionality audit, accounting, fraud, financial irregularities healthcare compliance FCPA example: If narrowed, in France click-through authorization no further CNIL review real policy work behind scenes like U.S. Safe Harbor if broad, in France, regular CNIL review 2 mos. unless further docs. requested Unlikely approval for employment matters 13

14 Implementation Issues What is Required by E.C.? Complaints outside scope some may be taken in on hotline but have to be immediately referred to other department and then archived or deleted serious matters / vital interests of company No longer allowed under French single authorization June 7, 2011 CNIL deadline for single authorization 004 changes physical / emotional safety (moral integrity) of employees threats of violence, assault, murder slightly better under German guidelines Austria, Portugal only allow SOX/anti-corruption subject matter 14

15 Implementation Issues What is Required by E.C.? Anonymity available not required or encouraged SEC says cannot discourage admonitions necessary careful drafting reporting availability to supervisors / managers whistleblower reporting not mandatory Spain and Portugal no anonymous complaints confidential complaints OK need for local counsel alternatives 15

16 Implementation Issues What is Required by E.C.? Notice to employees of program existence, purpose and functioning in local language, e.g., requirement in French labor code wait until program materials almost complete before translation 16

17 Implementation Issues What is Required by E.C.? Prompt notification to accused of: entity, facts accused of, departments might receive reports, how to exercise rights of access and rectification delay exception for evidence preservation, (computer back-up, imaging hard drive, etc.) applied restrictively on case by case basis how will this work in practice? not identity of whistleblower 17

18 Implementation Issues What is Required by E.C.? Right of accused to access and correct or rectify data incorrect, incomplete or inaccurate data limited access rights only about data subject may be restricted on case by case basis to ensure rights of others Data transfer to U.S. from E.U. locale disclosures within group at what level and in what country? cross-border transfer solutions not new, applies to all employee, customer and other personal data 18

19 Implementation Issues What is Required by E.C.? Data retention periods and archiving easy to say, hard to implement unsubstantiated deleted or archived immediately 2 mos. after conclusion of investigation unless discipline against accused other litigation potential SEC matters Archival / Blocking access controls on archived databases matrix of time frames by event some countries insist on deletion or destruction what does this mean in electronic context? 19

20 Implementation Issues What is Required by E.C.? Notify and/or negotiate with Works Council minimum number of employees in some countries sometimes historical or political issues Germany right of co-determination factor into lead time 20