European Data Protection Working Party Issues Golden “Rules of Thumb” for Whistle-Blowing Hotlines
The first Working Party Opinion of this year directly concerns American and other multinational corporations.1 It may signal the end of a long saga of threatened enforcement actions by national Data Protection Authorities (“the DPAs”) and works councils with respect to the legality of whistle-blowing schemes under European data protection law.
Earlier, in December 2005, the French DPA (“the CNIL”) adopted a Single Authorization Decision providing French-based affiliates of American and other third-country corporations with a procedure to regularize their ethics-lines by means of a single authorization. While this decision and the additional guidance that accompanied it were welcomed by some corporations, most multinationals with operations in other European countries remained in a situation of legal uncertainty with respect to their local ethics-lines.
The Opinion of the Working Party is important because it allows multinationals to develop and deploy whistle-blowing schemes that are deemed legitimate at a pan-European level. However, the Working Party's Opinion follows the CNIL's approach by limiting the scope of these schemes. As a result, international corporations that hoped to retain global, broad-based ethics hotlines will surely be disappointed with the Opinion.
The primary points from the Opinion are as follows:2
1. Schemes should be complementary in nature. Whistle-blowing should always remain ancillary to other means of communicating misconduct and should be promoted as such. It is essential that, within an organization, whistle-blowing procedures are not promoted as preferred alternatives to other reporting channels, such as employee representatives, line management, quality control personnel, and internal auditors.
2. Schemes should be restrictive in scope. A scheme is legitimate only if it is (i) required to meet national law requirements (e.g., banking and anti-corruption regulations), or (ii) serves a legitimate interest that is sufficiently counter-balanced by data protection and procedural rights ensuring due process (e.g., an ethics-line implemented to meet the Sarbanes-Oxley requirements). Currently, the Working Party views only the following as within the legitimate scope of whistle-blowing hotlines: (i) accounting matters; (ii) internal accounting controls; (iii) auditing matters; (iv) anti-bribery matters; and (v) banking and financial crimes. The Working Party's approach, like the CNIL's, does not allow companies to structure the hotline in such a way that any illegal or unethical conduct can be reported.
3. Categories of personnel who may use the schemes should be limited, i.e. both reporters and reportable personnel. Although circumstances may justify broader use of the whistle-blowing procedures, to the extent possible corporations should consider (i) assessing the personnel categories eligible to report in light of the seriousness of the accusations; and (ii) assessing and limiting the personnel categories that may be reported.
4. Schemes should promote identified and confidential reporting and avoid encouraging anonymous reporting. Anonymous reporting need not be prohibited per se, but it should be the exception rather than the rule and may be utilized only if measures have been adopted to minimize unjustified denunciations of employees.
5. Reportable information categories should be restricted. The types of information that may be disclosed should be clearly defined and limited to those strictly and objectively necessary to verify and investigate the allegations made.
6. Data retention programs should be deployed. Reports should be deleted within two months after the completion of the investigations instigated under the scheme, unless the evidence is required for disciplinary or court action, in which case the applicable statutes of limitation will be determinative. Reports that are shown to be unfounded should be deleted immediately upon that determination.
7. Clear and complete guidance should be provided on the use of the whistle-blowing procedures. Employees should be informed about the existence, purpose and functioning of the scheme, who will receive the reported information, and the employee's rights of access to, rectification of, and deletion of information regarding the complaint. It is essential that employees receive all information required to ensure due process of law. This means, inter alia, that employees be notified of the fact that they are the subject of a report, and of the accusations made against them. Notification may be postponed under certain circumstances, including to prevent the destruction or alteration of evidence.
8. Rights of access and rectification should be provided. These rights are essential to European data protection law and apply also to whistle-blowing schemes. However, corporations may, on a case-by-case basis, limit access. For instance, a corporation may limit access if providing access would obstruct investigations or affect the validity of the collected evidence.
9. Sound security and confidentiality measures should be implemented. Whistle-blowing results in the processing of personal data that is intrinsically sensitive and requires investment in measures to ensure strict confidentiality and secure processing. By way of example, corporations should take measures to ensure that the identity of whistleblowers is not revealed to the employee at issue, and that individuals having access to the information are bound by strict confidentiality requirements.
10. An internal organization for the management of whistle-blowing schemes should be established. An organization should employ trained personnel dedicated to handling complaint reports. Measures should be implemented to ensure the independence of the investigators, and reporting channels should be strictly separated from other departments, such as human resources. External service providers, such as call centers, that corporations use to assist with the collection, compilation or investigation of alerts should be bound by contractually binding confidentiality and security instructions. As a general rule, reports should be dealt with at the local level and only be shared with other affiliated companies if this is necessary for the conduct or outcome of the investigation and is justifiable in light of the seriousness of the allegations.
11. A legal basis to transfer personal data to the US (or other third countries) should be provided. Where reports are disclosed to group entities or service providers based in the US or another third country, a data transfer solution should be adopted, such as participation in the US Safe Harbor program, the execution of data transfer agreements, or the adoption of Binding Corporate Rules.
12. Whistle-blowing schemes and their procedures should be notified to the DPAs (and authorization should be obtained, if required). These procedures generally need to be notified to the DPAs, and in some member states they are subject to prior checking or prior authorization by the DPA.
If you require more information about this important opinion, please feel free to contact us.
1 Opinion 1/2006 on the application of EU data protection rules to internal whistle-blowing schemes in the fields of accounting, internal accounting controls, auditing matters, fight against bribery, banking and financial crime, 1 February 2006.
2 The Working Party Opinion reflects the requirements set forth in the CNIL papers on this issue. For an English comment see J.Dhont, “French Data Protection Authority Sets Conditions for Whistleblowing”, BNA International World Data Protection Report, Vol. 5/12, 2005.
Please contact firstname.lastname@example.org for more information.