The whistleblower hotline quandary: diverse whistleblower systems around the globe--and hotlines deemed illegal in France--are creating problems for companies seeking to operate uniform, global systems. Three attorneys review the issues and discuss possible solutions.

Author: Sotto, Lisa
Position: Governance

A section of the Sarbanes-Oxley Act, signed into law in the U.S. in 2002, mandates that audit committees of public companies establish procedures intended to provide employees with the opportunity to submit (confidentially and anonymously) concerns regarding questionable accounting or auditing matters without fear of retaliation.

Companies have typically responded to this requirement (Section 301) by establishing an employee whistleblower hotline (either telephone- or web-based). Conversely, the French Data Protection Authority (known as "CNIL") recently deemed such hotlines to be illegal. The conflict between Sarbanes-Oxley and French data protection law presents a compliance conundrum for non-U.S. entities, forcing them to weigh the risk of noncompliance with Sarbanes-Oxley against that of an enforcement action in France for running afoul of data protection law.

Section 301 does not mandate specific procedures, but allows audit committees wide discretion in developing a suitable system. Companies are free to decide who should receive complaints, how to ensure anonymity and how to effectively communicate the existence of the system to employees.

Hotline Decisions in the EU

In both France and Germany, administrative bodies and courts have addressed the implementation of whistleblower systems designed to comply with Sarbanes-Oxley by European subsidiaries of U.S. companies, but some provisions differ from those in the U.S.

In France, two recent decisions by the CNIL prohibiting the use of anonymous whistleblower hotlines exemplify the conflict between the U.S. whistleblower provisions and data protection law. The CNIL indicated that employee whistleblower hotlines are governed by the French Data Protection Act (the Act) regulating "data controllers."

Pursuant to the Act, two American-headquartered companies--McDonald's France and Compagnie Europeenne d'Accumulateurs (CEAC), a subsidiary of Exide Technologies--sought prior authorization from the CNIL to operate their whistleblower hotlines. Despite efforts by both companies to reduce the discriminatory potential of the hotlines, the CNIL determined that the hotlines "could result in an organized system of workplace denouncements."

Because CNIL concluded that the hotlines could lead to erroneous or slanderous workplace denunciation, it took the view that whistleblower hotlines are, in effect, illegitimate. The fact that the whistleblower systems could have been used to report practices that are illegal pursuant to French law--and not only under U.S. law--would likely not have had an impact on the CNIL's decision.

CNIL also found that the hotlines could lead to the stigmatizing of employees. It pointed out that other means exist to comply with law and...
