Ethical hotlines and whistleblowing ensuring businesses are not in conflict with local laws

Transcription

1 Ethical hotlines and whistleblowing ensuring businesses are not in conflict with local laws 16 January 2014 Robert Bond, CCEP Partner and Notary Public

2 Our Team Speechly Bircham is an ambitious, full-service law firm headquartered in London. We work with business and private clients across the UK and internationally and focus on the financial services, private wealth, technology, real estate and construction sectors We have offices in Paris, Luxembourg, Zurich and Geneva and a network of preferred law firms in most jurisdictions Our Data Protection & Information Law team provide a range of legal and consultancy on data privacy assessments, compliance, risk management, information security and data breaches We are listed in Chambers 2014 and Legal 500 as a leading law firm for Data Protection and have advised on this area of law since 1983 What I liked was the fact that the team was very willing for us to see it as an extension of our existing inhouse team. I like the way it integrated members sat alongside and guided us. That was what impressed. Robert Bond and his team have always provided comprehensive, practical advice on a timely basis. Their knowledge of the EU regulatory scene, including experience with specific agencies, as well as privacy issues globally has been instrumental in establishing our privacy policies and procedures. 2

3 Robert Bond A Solicitor, Notary and Certified Compliance & Ethics Professional, Robert has specialised in data protection since 1983 and is listed in the top 20 Best Privacy Advisers in a survey published in Computer World. In 2012 Robert was appointed an Ambassador for Privacy by Design by Commissioner Ann Cavoukian of Ontario. a brilliant lecturer, a meticulous lawyer and responsive if you contact him, you know he ll get back to you within the hour Chambers, 2008 He has advised many multinationals on transborder data flows and global data protection compliance since 1997, co-authored the ICC BCR Report in 2006, the ICC Guidelines on Basel II and Data Protection in 2007 and the ICC UK Cookies Guide in Robert is the author of many books, including Negotiating International Software Licenses and Data Transfer Agreements (Sweet & Maxwell) and Negotiating Software Contracts (Bloomsbury). Robert is a Companion of the British Computer Society, a Fellow of the Society of Advanced Legal Study, an Honorary Member of the Institute of Export and in 1994 was a researcher in Information Security and Data Protection at the University of Leicester. Robert is listed in Legal Experts 2013 and The Who s Who of International Internet & E-Commerce Lawyers. Robert is listed as Notable Practitioner for Data Protection in Chambers UK 2014 to 2010 describing him as an esteemed figure in the field. He has an impressive reputation for his work on cross-border data compliance and cutting-edge IT data privacy issues within the digital, online and social media spheres. Sources say: He continues to impress year on year. His spark of imagination and ability to grasp the technology are amazing. "He is up for anything and incredibly knowledgeable," report clients. "Everyone gravitates towards him. A very good communicator and very generous with his time. 3

4 Topics SOX 301(4) and EU Laws 2004 to today Anti-Bribery laws and data protection compliance Compliance requirements The cost of non-compliance

5 Sarbanes Oxley Act requirements SOX mandatory Code of Ethics A confidential, anonymous reporting mechanism SOX Section 301(4) states that "Each audit committee shall establish procedures for the receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls or auditing matters; and the confidential anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters.

6 E.U. data protection principles an individual has a right to know what data is being processed about them; personal data has to be processed fairly and lawfully and with consent; personal data must be kept for no longer than is necessary and must be kept accurate and up to date; personal data must be, at all times, kept secure and where processed by a third party be managed securely; and personal data should not be transferred outside the European Economic Area to any other country that does not have adequate protection for the rights of the individual.

7 Conflict between SOX and EU Data Protection Laws EU member states data protection laws E.U. data protection authorities - All interpret the law differently CNIL Decision of 26 May 2005 (Group McDonald s France) CNIL Decision of 26 May 2005 (CEAC/Exide Technologies) The 5th Division of the Wuppertal Labour Court on 15 June 2005 (Wal-Mart Decision) Appeal dismissed too

8 CNIL reasons for their decision Anonymity Whistleblowing on too wide basis Information shared too widely Unfair collection of personal data Accused not immediately notified Rather long retention of data Lack of proportionality Fundamental data protection concerns

9 Compliance circle Roll out/training Policy Hotline vendor control Works Council Reporting restrictions Local laws Registration 9

10 UK Bribery Act and EU Data Protection Bribery is to dishonestly persuade (someone) to act in one s favour by a gift of money or other inducement The Act came into force on 1 st July 2011 and applies to those who give or receive a bribe in relation to a business in the UK Advice from the UK Government is that businesses should put in place antibribery policies and procedures including training to all officers and staff and any agents and suppliers Businesses that then implement reporting mechanisms such as ethical hotlines need to be aware of EU restrictions on such hotlines

11 Where do we find what is required by EU? CNIL, Art. 29 Working Party issued guidelines Allows anonymous reporting under certain conditions SEC and CNIL letters CNIL Guidelines, FAQ s CNIL on-line authorization Decision and forms Other member states have guidance (Spain, Germany, Austria) Local advice

12 French law amended for hotlines The CNIL Unique Authorisation no. 4 (authorisation unique no.4) deals with whistleblowing hotlines This authorisation only deals with whistleblowing relating to reports with regard to serious breaches in the accounting, financial, and banking sectors as well as anti-bribery The CNIL adopted a new deliberation in October 2010 modifying its AU-004. The aim was to avoid the confusion previously created by its art. 3 which included facts damaging the vital interests of the undertaking or to the physical or moral integrity of its employees The companies benefitting from an AU-004 for whistleblowing hotlines not strictly confined to the new text of the authorisation have a six-month deadline to ensure they comply with AU-004. There is no need to submit a new authorisation request

13 Differing stances of EU member States Compulsion Scope limitation Notification requirements Permission to transfer personal data outside the EEA Anonymity Specific requirements of local regulators Labor law requirements

14 Sweden - Notification (may impose limitations) - Data Protection applies - Limited to senior executives - Regulatory body: Datainspektionen - Published guidelines: guidance is limited to the following: - the system must be a complement to the company s normal internal administration and must be voluntary to use - the system must be limited to serious irregularities concerning accounting, internal accounting control, auditing, the fight against bribery and banking and financial crimes. The system may also be used for other serious irregularities concerning the company s vital interests or the life and health of individuals - only key personnel may be reported

15 Anonymity Spain regulatory body: Agencia de Protection de Datos - published guidelines: - Portugal regulatory body: - published guidelines: pdf Finland published guidelines: Whistleblowing System in Working Life regulatory body: Data Protection Ombudsman

16 Poland Difficulty faced by GIODO because of fair processing requirements of Polish Personal Data Protection Act PDP also requires specific documents for compliance whether or not there is a whistleblower hotline

17 Hungarian whistleblower guidance The Guidelines follow the Article 29 Guidelines..but Reports must be limited to grave violations of company policies The system must not be used to control work performance Reports cannot be made by staff directly to the parent company They must be reported to the local company The local company must manage the system and any contract with the service provider An employee that transfers personal data direct to the parent company may be liable to criminal and civil actions

18 Bulgaria Decision of the Data Protection Authority on a whistleblowing hotline Approved the use of a third party provider in the US Scheme included sensitive personal data The opinion was positive because the processing operation: - Has the necessary safeguards to protect the data - Allows for employees rights - The transfer is made to a Safe Harbor certified processor 18

19 Ethical hotlines: How do you achieve compliance? One size does not fit all ethical hotlines must be tailored to meet local requirements Reconfigure procedures Narrow scope of reports Remember country by country specifics Anonymity should be a last resort Retention periods should be observed Third party vendors need to be contractually controlled and guided

20 Potential Fines

21 Potential Imprisonment

22 Recent enforcement for breaches

23 EU General Data Protection Regulation - Data transfers Simplifying legitimising conditions - Binding Corporate Rules - European Data Protection Seal - Model clauses 23

24 THE COST OF NON-COMPLIANCE Other costs Reputational damage and loss of public trust Share price, turnover, profits Legal advice to prevent future loss Forensic examination Technological Compensation and responding to those affected Greater marketing push to improve public image Business disruption => Prevention is easier (and cheaper) than cure EU General Data Protection Regulation Fines of up to 100 million or 5% of annual worldwide turnover (whichever is greater) Notification without undue delay (72 hour notification period) 24

25 FURTHER INFORMATION For more information please contact: Robert Bond +44 (0)