Whistle-Blowing Hotlines Under EU Data Protection Law

1. Whistle-Blowing Hotlines Under EU Data Protection Law
   Suzanne Innes-Stubb, Brussels
   6th Annual Privacy Law Symposium
   April 27, 2006
2. Agenda
   Introduction
   How does EU data protection law apply?
   CNIL’s Guidance and ‘Single Authorisation’
   Article 29 Working Party Opinion 1/2006
   Scope of Opinion 1/2006 and Single Authorisation
   Features of permitted whistle-blowing hotlines
   Situation in other EU Member States
   Conclusion
   White & Case LLP, 6th Annual Privacy Law Symposium, April 27, 2006
3. 1. Introduction
   How can companies implement whistle-blowing hotlines in compliance with EU data protection law?
   Problem arose in May 2005 when the French Data Protection Authority (CNIL) refused to authorise hotlines proposed by the French subsidiaries of McDonald’s and Exide Technologies
   CNIL particularly concerned about anonymous reporting and wide circulation of the report within the company before the incriminated person is informed
   Conflict with the Sarbanes-Oxley Act in the U.S.
   Revealed fundamental cultural differences
   Led to regulation in France and an Opinion from the Article 29 Working Party
4. 2. How Does EU Data Protection Law Apply?
   EU data protection law applies to individuals who are identified or identifiable from particular data
   Unless a whistle-blowing report is anonymous and no individual can be identified in connection with the matter raised in the report (unlikely), ‘personal data’ will be involved
   Two data subjects: the reporting employee and the incriminated employee
   Obligations on the employer, as data controller, to carry out data processing lawfully, provide information to data subjects, ensure they have access to their personal data, ensure security, etc.
   Existing legislation tends to focus on either corporate responsibility requirements (e.g. SOX) or protection of the whistle-blower (e.g. UK)
   CNIL wanted to ensure protection for the rights of the incriminated person
5. 3. CNIL’s Guidance and ‘Single Authorisation’
   CNIL issued stringent Guidance in November 2005 on the conditions for implementing whistle-blowing hotlines in compliance with French data protection law
   ‘Single Authorisation’ issued in December 2005
   Requires the company to self-certify on the CNIL website that its whistle-blowing scheme complies with the Single Authorisation, FAQs and Guidance
   CNIL sends an acknowledgement of receipt, which constitutes the authorisation
   Schemes outside the scope of the Single Authorisation require individual CNIL authorisation (takes two months)
   FAQs issued in March 2006 and already updated
6. 4. Article 29 Working Party Opinion 1/2006
   In other EU countries, data protection issues surrounding whistle-blowing hotlines are primarily governed by an Opinion of the Article 29 Working Party (WP 29) of February 2006 (Opinion 1/2006)
   WP 29 Opinion based closely on CNIL guidance
   WP 29 Opinion is not legally binding but represents the views of all DPAs in Europe, so carries considerable authority
7. 5. Scope of Opinion 1/2006 and Single Authorisation
   WP 29 Opinion only applies to whistle-blowing hotlines necessary for compliance with an EU or national legal obligation in the fields of accounting, internal accounting controls, auditing matters, or the fight against bribery, banking or financial crime, or for a legitimate interest (including compliance with foreign legislative requirements) in the same fields
   CNIL Single Authorisation only applies to whistle-blowing hotlines required by French law in the fields of finance, accounting, banking and bribery, plus Sarbanes-Oxley, or where “the vital interest of the company or the physical or moral integrity of its employees are at stake”
8. 6. Features of Permitted Whistle-Blowing Hotlines
   Must not be the primary mechanism for reporting misconduct (and, in France at least, must be optional)
   Anonymity must not be encouraged
   Data collected must be limited to the relevant facts
   Personal data must be deleted within two months of completion of the investigation, unless legal or disciplinary proceedings or national archiving rules require longer retention
9. 7. Features (cont.)
   Company must tell employees:
     about the hotline and its purpose
     how it works
     who receives the reports
     how employees can access, correct and delete incorrect information
     that the identity of the reporting person will remain confidential
     that action will be taken against individuals abusing the system
   Company must give the incriminated person information about the report as soon as possible (once evidence has been secured, if necessary)
10. 8. Features (cont.)
   Data must be kept securely
   Reports must be made through a dedicated hotline
   Reports must be handled by specifically trained individuals subject to specific confidentiality obligations
   Particular obligations apply where whistle-blowing reports are processed by third-party service providers
11. 9. Features (cont.)
   EU data transfer rules apply when either the service provider is located outside the EEA or the report is sent to other members of the corporate group outside the EEA
   Works council approval is required in a number of EU countries
   Notification to the national DPA is required; sometimes prior approval is necessary
12. 10. Situation in Other EU Member States
   Most EU DPAs have no whistle-blowing rules or guidance and simply refer to the WP 29 Opinion
   Irish, Latvian and Spanish DPAs have limited website comments or information
   WP 29 Opinion represents the views of all 25 EU DPAs, but there are underlying differences of approach to whistle-blowing hotlines:
     Some countries focus more on whistle-blowers’ rights (e.g. UK legislation, Dutch bill, Norwegian provisions not yet in force)
     Belgium, Italy and Spain, in particular, are likely to follow the French approach and view anonymity with suspicion
     Finland has strict rules on the processing of HR personal data: not clear whether data resulting from a whistle-blowing report is “directly necessary to the employee’s employment relationship”
13. 11. Conclusion
   Where do companies stand now?
   Article 29 Working Party awaiting a response from the SEC
   Not clear whether the SEC will accept that a hotline following the WP 29 Opinion, particularly regarding anonymity, will comply with Sarbanes-Oxley
   We recommend that European whistle-blowing hotlines follow the WP 29 Opinion as closely as possible
   But companies should be prepared to amend their schemes in particular countries if required by works councils or national data protection authorities
14. Worldwide. For Our Clients.
   www.whitecase.com
   WHITE & CASE LLP
   White & Case, a New York State registered limited liability partnership, is engaged in the practice of law directly and through entities compliant with regulations regarding the practice of law in the countries and jurisdictions in which we have offices.
