Published on January 31, 2009
Whistle-Blowing Hotlines Under EU Data Protection Law
Suzanne Innes-Stubb, Brussels
6th Annual Privacy Law Symposium, April 27, 2006
Agenda
- Introduction
- How does EU data protection law apply?
- CNIL’s Guidance and ‘Single Authorisation’
- Article 29 Working Party Opinion 1/2006
- Scope of Opinion 1/2006 and Single Authorisation
- Features of permitted whistle-blowing hotlines
- Situation in other EU Member States
- Conclusion
White & Case LLP, 6th Annual Privacy Law Symposium, April 27, 2006
1. Introduction
- How can companies implement whistle-blowing hotlines in compliance with EU data protection law?
- Problem arose in May 2005 when the French Data Protection Authority (CNIL) refused to authorise hotlines proposed by the French subsidiaries of McDonald’s and Exide Technologies
- CNIL particularly concerned about anonymous reporting and wide circulation of the report within the company before the incriminated person is informed
- Conflict with the Sarbanes-Oxley Act in the U.S.
- Revealed fundamental cultural differences
- Led to regulation in France and an Opinion from the Article 29 Working Party
2. How Does EU Data Protection Law Apply?
- EU data protection law applies to individuals who are identified or identifiable from particular data
- Unless a whistle-blowing report is anonymous and no individual can be identified in connection with the matter raised in the report (unlikely), ‘personal data’ will be involved
- Two data subjects: the reporting employee and the incriminated employee
- Obligations on the employer, as data controller, to carry out data processing lawfully, provide information to data subjects, ensure they have access to personal data, ensure security, etc.
- Existing legislation tends to focus on either corporate responsibility requirements (e.g. SOX) or protection of the whistle-blower (e.g. UK)
- CNIL wanted to ensure protection for the rights of the incriminated person
3. CNIL’s Guidance and ‘Single Authorisation’
- CNIL issued stringent Guidance in November 2005 on the conditions for implementing whistle-blowing hotlines in compliance with French data protection law
- ‘Single Authorisation’ issued in December 2005
- Requires the company to self-certify on the CNIL website that its whistle-blowing scheme complies with the Single Authorisation, FAQs and Guidance
- CNIL sends an acknowledgement of receipt, which constitutes the authorisation
- Schemes outside the scope of the Single Authorisation require individual CNIL authorisation (takes two months)
- FAQs issued in March – already updated
4. Article 29 Working Party Opinion 1/2006
- In other EU countries, data protection issues surrounding whistle-blowing hotlines are primarily governed by an Opinion of the Article 29 Working Party (WP 29) issued in February 2006 (Opinion 1/2006)
- WP 29 Opinion based closely on CNIL guidance
- WP 29 Opinion is not legally binding but represents the views of all DPAs in Europe, so carries considerable authority
5. Scope of Opinion 1/2006 and Single Authorisation
- WP 29 Opinion only applies to whistle-blowing hotlines necessary for compliance with an EU or national legal obligation in the fields of accounting, internal accounting controls, auditing matters, or the fight against bribery, banking or financial crime, or a legitimate interest (including compliance with foreign legislative requirements) in the same fields
- CNIL Single Authorisation only applies to whistle-blowing hotlines required by French law in the fields of finance, accounting, banking and bribery, plus Sarbanes-Oxley, or where “the vital interest of the company or the physical or moral integrity of its employees are at stake”
6. Features of Permitted Whistle-Blowing Hotlines
- Must not be the primary mechanism for reporting misconduct (and, in France at least, must be optional)
- Anonymity must not be encouraged
- Data collected must be limited to the relevant facts
- Personal data must be deleted within two months of completion of the investigation, unless legal or disciplinary proceedings or national archiving rules require longer
7. Features (cont.)
- Company must tell employees:
  - about the hotline and its purpose
  - how it works
  - who receives the reports
  - how employees can access, correct and delete incorrect information
  - that the identity of the reporting person will remain confidential
  - that action will be taken against individuals abusing the system
- Company must give the incriminated person information about the report as soon as possible (once evidence has been secured, if necessary)
8. Features (cont.)
- Data must be kept securely
- Reports must be made through a dedicated hotline
- Reports must be handled by specifically trained individuals subject to specific confidentiality obligations
- Particular obligations apply where whistle-blowing reports are processed by third-party service providers
9. Features (cont.)
- EU data transfer rules apply when either the service provider is located outside the EEA or the report is sent to other members of the corporate group outside the EEA
- Works council approval is required in a number of EU countries
- Notification to the national DPA is required; sometimes prior approval is necessary
10. Situation in Other EU Member States
- Most EU DPAs have no whistle-blowing rules or guidance and just refer to the WP 29 Opinion
- Irish, Latvian and Spanish DPAs have limited website comments or information
- WP 29 Opinion represents the views of all 25 EU DPAs, but there are underlying differences of approach to whistle-blowing hotlines:
  - Some countries focus more on whistle-blowers’ rights (e.g. UK legislation, Dutch bill, Norwegian provisions not yet in force)
  - Belgium, Italy and Spain, in particular, likely to follow the French approach and view anonymity with suspicion
  - Finland has strict rules on the processing of HR personal data: not clear if data resulting from a whistle-blowing report is “directly necessary to the employee’s employment relationship”
11. Conclusion
- Where do companies stand now?
- Article 29 Working Party awaiting a response from the SEC
- Not clear whether the SEC will accept that the WP 29 Opinion, particularly regarding anonymity, will comply with Sarbanes-Oxley
- We recommend that European whistle-blowing hotlines follow the WP 29 Opinion as closely as possible
- But companies should be prepared to amend their schemes in particular countries if required by works councils or national data protection authorities