Data Protection Directive and Compliance
   
Data Protection Awareness and Training

Sarbanes Oxley and Data Protection Directive

Be careful: 

Compliance with Sarbanes-Oxley’s whistleblower requirements may result in a breach of E.U. data protection law and labor law.

1. In the EU, data collected and used for Sarbanes-Oxley purposes MUST NOT be used for other purposes that are incompatible with the purposes for which the data was originally obtained.

2. If you have headquarters or even subsidiaries in the EU, you need permission from the local Data Protection Authority in order to collect and process data. There is a serious problem with the whistleblower procedures themselves: the receipt of anonymous complaints, including through telephone hotlines, e-mail addresses, fax numbers, post office boxes and web-based mechanisms for submitting concerns.

The UK’s Institute of Chartered Accountants states that UK companies which complete item 8.1 of the registration form for Sarbanes-Oxley are abusing data protection rights. In the UK, companies must get consent from employees to disclose certain items of information, but they cannot be sure that the consent will be given.

On 14 June 2005 the French Data Protection Authority refused to authorize the use of anonymous whistleblower hotlines.

The French Authority's view was that such hotlines are "disproportionate to the objectives sought and the risks of slanderous denunciations and the stigmatization of employees who were the subjects of an ethics alert."

The Commission Nationale de l’Informatique et des Libertés (“CNIL”) refused to approve ethics or whistle-blowing programs proposed by the French subsidiaries of two American companies: McDonald’s France and CEAC, a division of Exide Technologies. Both companies sought the CNIL’s approval for ethics hotlines they planned to establish in order to bring their organizations into compliance with the whistle-blower provisions of the Sarbanes-Oxley Act. Finding these hotlines to be contrary to French privacy law, the CNIL expressed the view that such hotlines are prone to abuse and likely to cause undue distress to suspected employees in the case of libelous or unfounded accusations.

McDonald’s originally planned to put in place an ethics hotline and a dedicated e-mail address but, after discussions with the CNIL, decided to use a U.S. fax number and postal address instead.

Complaints would be processed by U.S. parent company personnel under the supervision of its ethics director. Any complaint received pertaining to McDonald’s France personnel would be passed by the parent company to McDonald’s France management, except complaints concerning senior management in France, which would be investigated by the parent company.

The suspected person would be given the opportunity to comment within two days. In the event that the investigation showed that the allegations were unfounded, the data would be deleted within two days of the case closure. If the allegations were determined to be well-founded, then the file would be kept for one to five years after the case was closed (depending on management level).

CEAC's proposed approach was to put in place a group-wide hotline and dedicated e-mail address, both of which were to be operated by a subcontractor. According to the company, the suspected person would have the opportunity to comment on the allegations “as soon as possible.” Records of whistle-blowing complaints would be kept for one year.

Although the facts of the cases are slightly different, the legal reasoning presented in both cases was the same.

The CNIL found that it had jurisdiction because the information that might be collected through the whistle-blowing hotline related to an identifiable person, and the French subsidiary would be exercising some control over the information collected.


In addition to being inherently suspicious of all whistle-blowing, the CNIL argued that whistle-blowing mechanisms are inherently “disproportionate.” The CNIL reasoned that companies already have access to other anti-fraud mechanisms that are less privacy-invasive and less prone to abuse, and thus there is no justification for a whistle-blowing process. These other anti-fraud mechanisms include employee training, audits by accountants, and enforcement of labor laws by the courts.


It is interesting to note that the decision did not address the cross-border aspect of the hotlines. Rather, it appears that the very concept of an anonymous complaint line is anathema to the CNIL. Thus, it is likely that the result would have been the same even if the whistle-blowing hotline had been set up and entirely managed and operated within France.

The CNIL also did not address the conflict-of-laws issue: U.S. public companies must have some mechanism to receive anonymous complaints. Thus, if a U.S. public company lists on its website or intranet site a telephone number or e-mail address where anonymous complaints can be received, even if that site is not addressed to or publicized in France, a French employee may still go to the site and file an anonymous complaint.

In a similar decision the following day, a German Labor Court ruled that parts of an employee code of conduct inviting employees to report misconduct to a whistleblower hotline breached German labor law.

Early indications from the UK Information Commissioner's Office (ICO) are that it would decline to follow the French and German approach. In contrast to the French and German decisions, the ICO's view is that the appropriate use of such a helpline by organizations would not, in principle, raise data protection concerns.

However, where organizations misuse such anonymous hotlines for inappropriate information-gathering purposes, there may be data protection implications.

BE CAREFUL


© 2006 Copyright Compliance LLC