While a recent U.S. Court of Appeals for the First Circuit decision in Carnero v. Boston Scientific Corp. found that Sarbanes-Oxley did not apply extraterritorially, the worldwide implementation of standardized Codes of Conduct including whistleblowing procedures remains problematic, as the responsibilities remain uncertain overseas and the SOX requirements are likely to clash with many international laws. This is mainly due to cultural and historical reasons. Because of the European history of forced whistleblowing during the Second World War, attempts to require employees to report misconduct conflict with European countries’ history and social norms.
Consequently, one should not be surprised to hear that, at the time President Bush described the Sarbanes-Oxley Act as “the most far-reaching reform of American business practices since the time of Franklin Delano Roosevelt”, court decisions in several E.U. countries, including France, opposed the extra-territoriality of the SOX provisions as providing a “carte blanche” for malicious false accusations and vindictive reports.
More particularly, by two decisions dated May 26, 2005, the French Data Protection Agency, which is responsible for authorizing automated (i.e., not paper-based) whistleblowing procedures in France, denied McDonald’s France and the CEAC (Compagnie Européenne d’Accumulateurs) the authorization to implement whistleblowing procedures that would have allowed their French employees to report, through anonymous employee hotlines, any suspected unethical conduct in the workplace. The French Data Protection Agency objected to the fact that the employees concerned by the denunciation would not be immediately informed of the collection of data questioning their professional integrity and would not be in a position to oppose such collection, which would be in violation of the French Data Protection Act dated January 6, 1978. The French Data Protection Agency also put forward that other means are available to French employers to secure the enforcement of legal provisions and the company’s rules. In particular, the Agency pointed out that useful means to ensure corporate governance enforcement include providing adequate information and training to the staff, and involving the company’s auditors, the French Labor Inspection or the Labor Courts.
One must note that the schemes set up by McDonald’s France and CEAC both exceeded mere accounting and auditing controls, since they concerned any infringement of French legal provisions and of the companies’ codes of ethics. Commentators analysed these two decisions of May 26, 2005 as a condemnation on principle by the French Data Protection Agency of any whistleblowing system, whatever its form.
The position adopted by the French Data Protection Agency could not really be criticized, as it was in line with the French Data Protection Act of January 6, 1978 relating to data processing, data files and individual liberties, amended by the Act of August 6, 2004 relating to the protection of individuals with regard to the processing of personal data, whether the processing is automated or paper-based. Failure to comply with any of these requirements may be punishable by a maximum five-year imprisonment and a fine of up to 300,000 euros.
Later on, in a ruling dated September 15, 2005, the French Labor Court of Libourne held that a note requiring employees to report cases of fraud or embezzlement by calling an ethics hotline had to be removed from the workplace because:
- “when simply reading the note, it becomes clear that information that may be provided anonymously through a free telephone line includes, but is not limited to, accounting fraud or embezzlement (which, by the way, are violations of law that can hardly be detected by employees) and can also refer to all facts ‘violating ethical principles, such as fraud or theft, or the non-compliance of accounting regulations’ of a more general nature;
- irrespective of the way the data collected in this process are actually treated later on, such a service regulation involves the risk, for the employees who might be anonymously denounced, of having to face an internal investigation entailing possible sanctions, without being able to exercise their right to defend themselves;
- furthermore, the procedure in dispute and the risk of calumnious denunciation it involves seem disproportionate to its purpose and unfit to prevent possible embezzlement;
- the individual liberties of those employees who fall victim to anonymous denunciations are at risk”.
Again, this court decision could not easily be challenged, given that it was consistent with French legislation and in particular with Article L.120-2 of the French Labor Code, which provides that “employers may not impose restrictions on individual liberty that are not justified by the nature of the task to be achieved or proportionate to the aims pursued”.
As a result of the above, a real brainstorming started for the French subsidiaries of US companies on how to comply with SOX provisions without violating French law. After discussions with the SEC and the European Commission, as well as various US hotline providers and other professional organizations, the French data protection Commission issued, on November 30, 2005, recommendations for whistleblowing procedures, in which it provides a certain number of guidelines. Furthermore, on December 8, 2005, the French data protection Commission rendered a decision that seems to offer, together with the November 30, 2005 recommendations, a compromise between US and French legal requirements, provided that companies agree to comply with the following principles:
· The whistleblowing system must be designated as complementary to other reporting systems: according to the French Data Protection Agency, normal means exist to report anomalous behaviours (employees reporting to their managers, employee representatives, account auditors, etc.). The implementation of whistleblowing systems may only be justified by the assumption that these communication channels may sometimes not function.
· The whistleblowing system must be set up pursuant to a French legal obligation or be justified by the company’s legitimate interest: companies that are under an obligation to have their financial records and statements certified by the SEC have strong grounds for ensuring that no irregularities are present in their accounts.
· The whistleblowing system must be explained to employees: this information/consultation must be done pursuant to article L.432-2-1 of the French Labor Code, which provides that “the employer shall inform and consult the works council on the means and technologies permitting a control of the employees’ activities before deciding on their implementation”. More particularly, members of the works council must be informed of the organisation responsible for the system, the objectives pursued and the matters concerned, the optional nature of the system, the absence of retaliation for employees using the system, the names of the recipients of whistleblowing alerts, as well as the existence of a right of access and rectification for persons concerned by an alert. In addition, employees must be individually informed about the implementation of a whistleblowing scheme pursuant to article L.121.8 of the French Labor Code, which provides that “no personal information on an employee can be collected if the employee has not previously been informed”. They must also be informed that any abuse of the system may result in disciplinary action and judicial proceedings against the author of the abuse.
· The matters that can be reported are limited: whistleblowing systems may only cover French statutory or regulatory obligations of internal control in the financial, accounting, banking and anti-bribery areas, as well as the accounting and auditing matters covered by the whistleblowing systems implemented by companies falling under the SOX regulation. However, matters that do not fall within the scope of the whistleblowing scheme may also be reported if they affect the vital interests of the company or the employees’ physical or mental integrity.
· Anonymous denunciations are discouraged: the whistleblower must identify himself/herself, but his/her identity is kept confidential by the organization handling whistleblower alerts. This requirement is justified by the fact that the possibility of filing anonymous reports may increase the risk of slanderous reports.
· The data that may be processed must be limited to:
- the identity, job title and contact information of the whistleblower, the persons incriminated and the persons involved with the collection and/or processing of such alerts;
- the reported facts;
- elements collected to verify the reported facts;
- the account or summary of the verifications made;
- the action taken in response to the alert.
The collected data must be objectively formulated: they must relate to facts rather than persons.
· The processed data must be entrusted to specialists: the collection and the handling of reports must be entrusted to a specific organisation set up within the company for the specific purpose of dealing with these matters. A limited number of persons must be assigned to handling these reports. They must be specially trained and bound by a contractually defined obligation of confidentiality. Data collected through a whistleblowing scheme may be communicated within the group if such communication is necessary to the verification of the whistleblower’s alert. In such case, data must be confidentially and safely communicated to the competent organisation of the recipient legal entity, which must provide equivalent guarantees of confidentiality. If the whistleblowing system is entrusted to an external service provider, this provider must contractually undertake to ensure confidentiality and comply with the time limits set for the storage of the data. As a data controller, the company will in any event remain liable for the data processing carried out by the processor on its behalf.
· Transfer of personal data outside the E.U.: personal data may be transferred to non-EU countries providing “adequate protection” as defined in the French Data Protection Act of January 6, 1978 and in the EU Directive 95/46/EC of October 24, 1995 relating to international data transfers. As the U.S. was considered by the EU Authorities as not providing “adequate protection”, the U.S. Department of Commerce, in consultation with the European Commission, developed a “Safe Harbor” framework providing for several privacy principles. Since 2000, U.S. companies certifying to the Safe Harbor are considered as providing “adequate protection” as defined in the French Data Protection Act and the EU Directive 95/46/EC. U.S. companies that have not certified to the Safe Harbor shall be considered as providing “adequate protection” if they enter into a transfer contract incorporating the model clauses issued by the European Commission, or if they adopt internal regulations previously approved by the French data protection Commission as affording an adequate level of protection of privacy and fundamental rights.
· Limited duration of data storage: data contained in a whistleblower’s alert that is deemed to be outside the scope of the whistleblowing system should be destroyed or archived immediately. Data contained in a whistleblower’s alert giving rise to verification should be destroyed or archived by the organization responsible for managing such whistleblower’s alerts within two months from the closing of verification operations if no disciplinary procedure or legal proceedings are initiated. Once disciplinary actions or legal proceedings are initiated against the person incriminated in the alert or against the author of an abusive alert, the organization responsible for managing alerts must keep the data relating to such alert until the end of the said actions or proceedings. Data that must be archived should be kept in a separate and distinct information system with restricted access, for a period not to exceed the statute of limitations for bringing legal action.
· The identity of the whistleblower should remain confidential to prevent retaliation.
· Any abuse of the whistleblowing system may result in disciplinary as well as legal action against the abusive whistleblower. Good faith use of the whistleblowing system, even if the facts are later proven inaccurate or are not acted upon, will not expose the whistleblower to any disciplinary sanctions.
· Employees concerned by the denunciation should be notified of the information retained by the person responsible for the whistleblowing system as soon as their personal data is recorded, so as to allow them to oppose the processing of such data. This notification, which is to be provided in such a way as to ensure proper delivery to the relevant employees, must specify the entity responsible for the whistleblowing system, the acts of which they are accused, the departments that may receive the alert, as well as how these employees may exercise their right to access personal data in order to correct or delete any inaccurate, incomplete, misleading or outdated data. The incriminated persons may not, under any circumstances, rely on their right of access to obtain information concerning the identity of the whistleblower.
Whistleblowing schemes that strictly comply with the above-mentioned requirements must be notified to the Data Protection Agency. In this case, the acknowledgement of receipt by the Agency is equivalent to an authorization to implement the scheme. If the whistleblowing scheme is not in compliance with the said requirements, the company will have to file a formal application to be authorized to implement it. This application is supposed to be reviewed in plenary session by the Agency within the two months following its filing. Whistleblowing schemes are also to be reviewed by the French labor Authorities, who may require the removal or amendment of any provision that does not comply with legal requirements.