Ethical hotlines and whistleblowing ensuring businesses are not in conflict. with EU laws 10 May James Castro-Edwards, solicitor.

Transcription

1 James Castro-Edwards, solicitor and Alexia Zuber, solicitor Data Protection & Information Law Group Ethical hotlines and whistleblowing ensuring businesses are not in conflict with EU laws 10 May 2012

2 Our team Speechly Bircham is an ambitious, full-service law firm with over 250 lawyers, headquartered in London. We work with business and private clients across the UK and internationally and focus on the financial services, private wealth, technology, real estate and construction sectors Our Data Protection & Information Law team provide a range of expertise on data privacy audit, compliance, risk management, information security and data breaches We are listed in Chambers 2011 as a leading law firm for Data Protection and have advised on this area of law since 1983 We have a team of 14 lawyers dealing with data protection matters globally Robert Bond and his team have always provided comprehensive, practical advice on a timely basis. Their knowledge of the EU regulatory scene, including experience with specific agencies, as well as privacy issues globally has been instrumental in establishing our privacy policies and procedures.

3 Personal Data is at the Heart of any Business Commercial Contracts Reporting & Discovery Outsourcing PERSONAL DATA PERSONAL DATA M&A Investigations & Claims Global Presence Employment Corporate Restructuring s Social Media

4 Presenter Profile James Castro-Edwards, Solicitor, IP, Technology & Data James is a senior commercial solicitor in the IP, Technology & Commercial Group with extensive experience in data protection. James' recent work includes ownership of global data protection compliance projects for multinationals, including implementation of Sarbanes-Oxley driven whistleblower hotlines. He frequently works with senior in-house counsel, finding solutions to complex cross-border data issues and 'has a pan-european perspective on data protection compliance' according to clients. James has significant experience of the differing requirements of the many European data protection authorities particularly in relation to data transfers. He has advised clients in relation to subject access requests, acting for both data controllers and data subjects, and enabled database owners to optimise their personal data for marketing purposes while remaining in compliance with the law. James also advises online and innovative businesses looking to exploit new intellectual property. In doing so he has advised in relation to distribution, supply and licensing agreements, and regularly advises clients in relation to new online business models. James provides practical advice and commercial solutions to data hosting businesses. James frequently speaks on data protection and has been published in World Data Protection Report, Data Protection Law & Policy, Journal of Database Marketing & Customer Strategy Management, the Marketer and Journal of Intellectual Property Law & Practice. He also contributed to the Fifth Edition of Butterworths' Encyclopaedia of Forms and Precedents Volume 19(1). James.Castro-Edwards@speechlys.com +44 (0)

5 Presenter Profile Alexia Zuber, Solicitor, IP, Technology & Data Alexia is an expert in global Data Protection compliance for multinationals in sectors such as media, financial services, technology, construction and pharmaceutical. With a particular focus on global data transfer solutions, Alexia also handles ethical hotline and workplace monitoring regulations. In addition to Data Protection and Information Security, she also specialises in Intellectual Property and Commercial contracts. She speaks fluent French and Greek, good Italian and has basic knowledge of German. Recent experience also includes pan-european data audit work and the negotiation, drafting and reviewing of commercial and IP contracts. She obtained her law degree from the University of Geneva in Switzerland and her LL.M. in Corporate and Commercial Law from King's College in London. She is dual qualified in Greece and England. alexia.zuber@speechlys.com Tel +44 (0)

6 Topics Polling Questions Sarbanes Oxley Act requirements EU Data Protection Principles Conflict between Sarbanes Oxley and the EU Data Protection Law Reasons for the CNIL Decision Differing Stances of EU Member States (France, Sweden, Poland and anonymity) The Future of Hotlines Under the Draft DP Regulation How do we meet these differing requirements? Speechlys Experience

7 Polling Questions 1. Do you have a hotline which may be called by your European employees? 2. Has your hotline been registered with the European data protection authorities? 3. Does your hotline restrict the types of matter which may be reported, depending on the country from which the whistleblower calls?

8 Sarbanes Oxley Act Requirements Mandatory Code of Ethics - a confidential, anonymous reporting mechanism SOX Section 301(4) "Each audit committee shall establish procedures for the receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls or auditing matters; and the confidential anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters. In practice many whistleblower policies go considerably further

9 EU Data Protection Principles An individual has a right to know what data is being processed about them Personal data has to be processed fairly and lawfully Personal data must be kept for no longer than is necessary and must be accurate and up to date Each data subject has the right to know that their personal data is being processed Personal data must be at all times kept secure and where processed by a third party managed securely Personal data should not be transferred outside the European Economic Area to any other country that does not have adequate protection for the rights of the individual

10 Differing Stances of EU Member States Cultural attitudes to hotlines Compulsion Scope limitation Notification requirements Permission to transfer personal data outside the EEA Anonymity Specific requirements for local regulators

11 Conflict Between Sarbanes Oxley and the EU Data Protection Law EU Member States Data Protection Laws - EU data protection authorities all interpret the law differently CNIL Decision of 26 May 2005 (Group McDonalds France) CNIL Decision of of 26 May 2005 (CEAC/Exide Technologies) The 5th decision of the Wuppertal Labour Court on 15 June 2005 (Wal-Mart decision)

12 Reasons for the CNIL Decisions Anonymity Scope of whistleblowing too broad Information shared too widely Unfair collection of personal data Accused not immediately notified Long retention of data Lack of proportionality NB Wal-Mart case (D) works councils

13 Differing Stances of EU Member States: France Authorisation Unique The CNIL Single Authorisation no.4 (Authorisation Unique no.4) deals with whistleblowing hotlines AU-004 only permits narrow-scope whistleblowing Scope restricted further in October 2010 where the CNIL modified AU-004 The companies benefitting from an AU-004 for whistleblowing hotlines must ensure that the scheme they operate is strictly confined to the scope of the Single Authorisation

14 Differing Stances of EU Member States: France - Future Amendments for Hotlines? Court of Appeal of Caen s decision 23 September 2011 Facts: In 2008, the French subsidiary of a US group implemented a whistleblowing system which was authorised by the CNIL as it complied with AU004 Ruling: The court suspended the implementation of the whistle blowing system Reasoning: The whistleblowing system: - was outside of the scope as defined in AU004 - was a threat to rights and liberties of employees and - had been modified without consulting the works council

15 Differing Stances of EU Member States: Sweden Notification (may impose limitations) Data Protection applies Limited to senior executives Regulatory body: Datainspektionen Published guidance is limited to the following: the system must be a complement to the company s normal internal administration and must be voluntary to use the system must be limited to serious irregularities concerning accounting, internal accounting control, auditing, the fight against bribery and banking and financial crimes; but the system may also be used for other serious irregularities concerning the company s vital interests or the life and health of individuals only key personnel may be reported

16 Differing Stances of EU Member States: Poland Difficulty faced by GIODO because of fair processing requirements of Polish Personal Data Protection Act Polish PDP also requires specific documents for compliance whether or not there is a whistleblower hotline e.g. the IT security measures document or catalogue of individual authorisations for personal data processing for each employee

17 Differing Stances of EU Member States: Anonymity Spain regulatory body: Agencia de Protection de Datos published guidelines: Portugal regulatory body: published guidelines: n.pdf pdf Finland published guidelines: Whistleblowing System in Working Life regulatory body: Data Protection Ombudsman

18 The Future of Hotlines Under the Draft DP Regulation No need to notify the DPAs Unique supervisory authority to approve scheme for all EU countries diverging approaches e.g. F/UK Change of definitions liability of data processors Transparency and express consent requirements practical challenges

19 How do we Meet these Differing Requirements? One size does not fit all Localised configuration of procedures Narrow scope of reports Country by country specifics Anonymity Retention periods Third party vendors Accept reports subject to country-specific restrictions

20 Speechlys Experience One stop shop for EU wide data protection projects Using a combination of in house foreign legal capacity, experience and network of local lawyers Awareness of issues from a pan-european perspective Due diligence on third party providers Whistleblower hotline providers Other third party processors

21 For more information on our services, please contact: James Castro-Edwards +44 (0) Alexia Zuber +44 (0) Construction & Engineering 1 November 2006 Further Information Join us on LinkedIn