While most commentators on the Schrems decision have focused on the lack of U.S. data privacy protection from government or company intrusion, for the compliance function the decision raises serious issues in two significant areas of any best practices compliance program—hotlines and internal investigations.
Anonymous hotlines have long been problematic in the European Union, because of privacy concerns and concerns around anonymous claims of illegal conduct. Such concerns were generally satisfied via a certification that the U.S. company had met the requirements of the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework, as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from EU member countries and Switzerland. This Safe Harbor provision, however, is no longer legal, and information developed through a hotline can no longer be brought to the United States from a country that is an EU member.

