The Sarbanes-Oxley Act of 2002, adopted as a reaction to corporate scandals, has a significant impact on European companies. The reason is simple: hundreds of European-headquartered companies are dually listed on two stock exchanges, one in Europe and the other in the United States. 470 non-US companies are listed on the New York Stock Exchange, with a combined market capitalization of $3.8 trillion, 30 per cent of the total capitalization of companies quoted on the exchange.

EU Data Protection Directive

What is personal data (according to the EU)? Personal data can be any information relating to an identified or identifiable natural person (directly or indirectly): name, telephone number, photos, or data specific to his physical, physiological, mental, economic, cultural or social identity. What is processing of personal data? Any operation performed upon personal data, whether or not by automatic means.

Data controllers must adhere to the following rules: data must be relevant and not excessive in relation to the purpose for which they are processed. Data must be accurate. Data controllers are required to provide reasonable measures for data subjects to rectify, erase or block incorrect data about them. The directive prohibits the transfer of personal information to countries outside the EU which lack adequate protection of privacy.

Sarbanes-Oxley

Section 301. Public company audit committees: Each audit committee shall establish procedures for: (A) the receipt, retention, and treatment of complaints received by the issuer regarding accounting, internal accounting controls, or auditing matters; and (B) the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters.

The challenge

How can a US company with offices throughout the EU comply with the notice and choice principles of EU data protection laws while simultaneously complying with the whistleblower requirements under Sarbanes-Oxley? How can we have both: 1. a Sarbanes-Oxley hotline reporting service for employees to use anonymously, and 2. a data protection control: data subjects must learn of, rectify, erase or block incorrect data about them.

The problems

On 14 June 2005 the French Data Protection Authority refused to authorize the use of anonymous whistleblower hotlines. The French Authority's view was that such hotlines are "disproportionate to the objectives sought and the risks of slanderous denunciations and the stigmatization of employees who were the subjects of an ethics alert."

In a similar decision, a German labor court ruled that parts of an employee code of conduct inviting employees to report misconduct to a whistleblower hotline breached German labor law.

Early indications from the UK Information Commissioner's Office (ICO) are that it would decline to follow the French and German approach. In contrast to the French and German decisions, the ICO's view is that the appropriate use of such a helpline by organizations would not, in principle, raise data protection concerns. However, where organizations misuse such anonymous hotlines for inappropriate information-gathering purposes, there may be data protection implications.

Recommendations

Companies that are publicly traded in the United States and also have operations in the European Union must be very careful with the whistleblower provisions of the U.S. Sarbanes-Oxley Act of 2002.

First of all, before implementing Sarbanes-Oxley hotline reporting services, companies need to ask for permission from the local Data Protection Authority. Complaints must be processed inside the European Union. Companies need to establish local investigation procedures. The suspected person would be given the opportunity to comment within two days. In the event that the investigation shows that the allegations were unfounded, the data must be deleted within two days of the case closure. If the allegations are determined to be well-founded, then the file would be kept for one to five years after the case was closed (depending on management level).