Letters exchanged between the Securities and Exchange Commission and an important study group in the European Union are offering new hints to companies trying to bridge a trans-Atlantic regulatory spat over whistleblower hotlines.
The correspondence—swapped between Ethiopis Tafara at the SEC Office of International Affairs and the EU Article 29 Data Protection Working Party—addresses the year-long tensions between American regulators who want companies to have whistleblower hotlines as mandated by the Sarbanes-Oxley Act, and EU officials who deeply frown on the idea of one citizen reporting another to the authorities anonymously. Both sides have struggled to settle their differences over the issue, while U.S.-listed multinational companies twist in limbo.
The letters essentially provide a framework that companies can employ so their whistleblower hotlines pass muster with both regulatory bodies. According to Mark Schreiber, a partner at the law firm Edwards Angell Palmer & Dodge and co-chair of the privacy practice of the World Law Group, the exchange illustrates how the SEC doesn’t want anonymous complaints to be characterized pejoratively compared to those received openly. Companies considering whistleblower procedures in Europe now can incorporate that SEC view by making it clear that anonymous reporting won’t be discouraged or viewed suspiciously, he says.
“The significance of the SEC letters and Article 29 is really convergence theory at its best,” says Schreiber. “It’s a marriage of different legal principles, but there is common ground where there is concurrent compliance with both sets of laws.”
Companies have been struggling with whistleblower hotlines in EU nations for more than a year, since French authorities questioned their legality under that country’s data-protection laws. The Article 29 Data Protection Working Party, an advisory group that includes data-protection authorities at 25 EU nations, followed up with its set of guidelines in February. While Article 29 is only an opinion from the Working Party and doesn’t carry the force of law, its members have the regulatory muscle to impose fines or take other enforcement action.
The scope of Article 29 was largely limited to issues in the fields of accounting, financial audit, bribery, or banking. “Article 29 will address general whistleblowing schemes in 2007 to see whether a second opinion that would complete [the February 2006] is necessary,” Chiara Adamo, a spokesman for the EU’s Freedom, Security, and Justice Directorate, told Compliance Week via email.
What The Letters Say
The first of the three letters, sent in June by Tafara, outlined some of the SEC’s concerns with the European guidelines, including the local handling of reports, the narrow scope of the whistleblower procedures addressed in the EU guidelines, and—most importantly—the collection and use of anonymous complaints.
Article 29 instructed companies to discourage anonymity in whistleblower hotlines, and a July 3 letter by Chairman Peter Schaar explains the EU’s rationale: “[T]he possibility to file anonymous reports can only increase the risk of frivolous or slanderous reports with the intention of causing the accused damage or distress.”
In his June letter, Tafara explained the SEC’s position by citing the agency’s public release on Section 301 (the portion of SOX that requires hotlines) and how, to encourage employees to come forward, “Sarbanes-Oxley requires that whistleblower procedures afford the opportunity to make confidential, anonymous complaints.” He goes on to say, in a follow-up letter on Sept. 29, that he believes “it is possible for companies to establish procedures for the anonymous collection of data that adequately respect the privacy interests of individuals.”
The EU, in its letter, acknowledges the U.S. position, saying that its opinion “is not intended to direct companies to discourage or negatively characterize anonymous reporting when it is used to convey concerns which, if raised openly, would expose the whistleblower to unacceptable risks or retaliation.” While anonymous reporting is not to be encouraged or advertised, it may be used, the letter said.
“The signal the SEC staff is sending is that there are ways to do hotlines which will satisfy them, or at least alleviate concerns they might have,” Schreiber says. “We’re at an implementation phase as distinct from a confusion stage.”
John Heine, an SEC spokesman, says the agency will let the correspondence speak for itself.
“Both countries are making a good-faith effort to narrow the conflict between Sarbanes-Oxley and the European data protection laws,” says Russell Ryan, a partner at the law firm King & Spalding and a former SEC attorney. “I don’t see a whole lot of retreat on either side, but there is a good faith effort to find ways in which both sides can be satisfied. As long as companies operate in good faith and try to navigate this narrow ground between the two countries’ priorities, it’s doable.”
How The Hotlines Should Work
When designing a whistleblower program in Europe, Schreiber suggests including all of the requirements prescribed by the French data-protection agency, the Commission Nationale de l’Informatique et des Libertés (CNIL). That means creating a document that outlines the scope of the system, including details such as the notices to employees and any accused individual and the process by which data will be archived and transferred to the United States.
Companies should pay special attention to developing the notice to employees, Schreiber says. Once that’s organized, they should make sure each group that may be involved in the procedure agrees with the program, from IT departments to human resources to compliance officers.
A number of third-party vendors have reconfigured their electronic and hotline interfaces to comply with Article 29 and CNIL requirements, Schreiber adds. Third-party vendors and law firms also are introducing model-protocol documents for whistleblower procedures in France and elsewhere.
“We’re seeing the first generation of compliance modalities and documents, which over the next couple of years will be standard fare after a while,” he says.
Daniel Cooper, a lawyer with the law firm Covington & Burling who has been based in London for about eight years, said many companies he works with even operate separate European compliance hotlines, since U.S. hotlines are traditionally much broader in scope—reporting on issues ranging from harassment to breach of company policy—and frequently entice anonymous admissions.
“A lot of European requirements are ones that most U.S. companies, who are traditionally used to more robust and comprehensive hotlines, cannot live with, without a dramatic rethinking of how hotlines are supposed to work,” Cooper says. “Most U.S. companies are not willing to apply European standards to global hotlines.”
Companies typically receive more information from a U.S.-type hotline because it attracts more information, Cooper said. “A lot of U.S. companies look at [European standards] and think, we don’t want to apply those across the board,” he says.
Those U.S. companies that do establish separate European hotlines may outsource the operation and maintenance of them, in addition to having separate procedures for the acquisition and management of sensitive data, he says.
In addition to France, the Netherlands and Ireland have released guidance about their data-privacy laws, Cooper adds. The Netherlands’ position is even more conservative than France’s, with suggestions that include using compliance hotlines only to report on the infractions of senior management; Ireland largely endorsed Article 29.
“There is still a lot of ambiguity in the guidance being promulgated and how that might impact U.S. companies,” Cooper says. “There’s still uncertainty out there.”
Other countries, including Argentina and Japan, are starting to come out with their own data laws, and many have elements that are similar to the EU’s, Schreiber says. Even China is reportedly examining a law in Hong Kong that is modeled on the EU’s, he said.
“The notion that the rest of the world is in accordance with the U.S. model is not entirely accurate,” he stresses. “If anything, those countries coming online with data laws either are maneuvering toward an EU model or to a middle ground.”