The introduction of whistleblower systems in the European Union.

Author: Wisskirchen, Gerlind

I. Legal Background

WHISTLEBLOWER systems are becoming increasingly popular additions to the codes of conduct of United States and European companies. Specifically, companies listed on a United States stock exchange must establish a method for employees to anonymously report concerns about financial and accounting matters (a "whistleblower system") and implement a code of ethical conduct which should support the reporting of breaches of the code of conduct. Hence, United States companies oblige their European subsidiaries to establish internal codes of conduct, including whistleblower processes. But these subsidiaries encounter problems when trying to implement a whistleblower process. Codes of conduct venture into the domain of employee privacy, which in Europe has been a cause for concern in relation to data protection laws, as some companies have gone as far as to say what employees may or may not do in their spare time. Whistleblower reporting systems may violate not only European and national law, but also touch the private sphere of the individual.

The initiation of a whistleblower system comparable to the systems often employed in the United States gives the EU cause for serious concern. For historical reasons, the European Union takes a view concerning data privacy protection and personality rights at odds with the American perspective. During the Nazi regime in Germany, the government obliged German employees, as well as employees in all countries being occupied during World War II, to disclose misconduct, in violation of social norms. There has thus been a clash between the United States perspective (in the United States, one company in eight has such a code of conduct) and European ideas regarding co-determination and personality rights through enforcing these codes. Indeed the Sarbanes-Oxley Act, enacted in the United States after the various financial scandals surrounding Enron, requires that companies failing to comply with their "whistleblower" requirements will face hefty sanctions, (1) and an EU committee set up for the purpose of examining the implementation of data protection law (the so-called Working Party) has investigated the problems of the United States requirements clashing with data protection rules in Europe. Without a resolution to this cross-border dispute over implementation of codes of conduct, companies may face heavy sanctions in both Europe and the States. The implementation of "whistleblower" schemes as a part of a code of conduct will often require the processing of personal data (that is, the collection, registration, storage, disclosure and destruction of data relating to an identifiable person) such that data protection rules will come into force. The broad law is governed under the European Directive of 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. 
The three conditions that need to be met in order to justify the processing of personal data are transparency, legitimate purpose and proportionality.

II. European Union Background

In the European Union, data privacy protection is subject to the EU Directive on Data Privacy (2) and to national legislation. Subjects such as data quality, criteria for processing personal data, access to data and conditions of data export are regulated by the EU Directive (that is, by national laws conforming to the Directive). Workplace monitoring and questions of labor codetermination also remain subject to national laws and court rulings. The allowable extent of workplace monitoring depends on fundamental rights and freedoms enjoyed by citizens. National differences exist in detail, but the basic principles are very similar in every member state. National rules of codetermination apply to the rights of the works council or other employee representation committees; EU legislation has little impact on this.

  1. Recommendations of the Article 29 Data Protection Working Party

    The data protection commissioners of the European Union have developed a guideline concerning data privacy protection requirements for whistleblower systems. This guideline is now regulated by the Article 29 Data Protection Working Party (the "Article 29 Group"). (3) The Article 29 Group aims to help EU-subsidiaries of U.S. companies to establish whistleblower systems in compliance with the Sarbanes-Oxley Act, as well as to support the embodiment of such systems in compliance with the data privacy protection laws and rules of EC Data Privacy Protection Directive. (4) Pursuant to Article 29 of the EU Directive, the legitimacy of a whistleblower system is dependent on strict requirements. For example, the EU Directive assumes that data collection is only necessary to comply with a legal requirement to which the data collecting party is subject and that the employer's agenda is to realize a legitimate interest, which is safeguarded by the data collecting party or the third party. The Article 29 Group assumes that a company may have a legitimate interest in processing data by means of a whistleblower hotline. This interest of the company must outweigh the interest and the fundamental rights of the data subject. The Article 29 Group acknowledges that large international organizations such as the European Union (5) and the OECD (6) consider "good" corporate governance an important aspect of a "well" functioning corporation. Good governance principles established by the EU and the OECD aim at a maximum level of transparency and stable accounting and finance systems in order to protect vested interests, such as shareholders, and market stability in general. In this context, the Article 29 Group recognizes the legitimate interest of companies to implement systems enabling the employees to report irregularities. 
The Article 29 Group also considers the obligation to implement a whistleblower system arising from the Sarbanes-Oxley Act to be an opportunity to increase stability of financial markets and improve protection of shareholders. In this respect, the Article 29 Group believes that the interest of a company required to implement a whistleblower system under the Sarbanes-Oxley Act is legitimate.

    These employer interests in the data must be balanced proportionately to the rights of the data subject. Because of that, the Article 29 Group has implemented the following rules:

    1. Limit on the number of persons to report through whistleblower system

      The Article 29 Group restricts the number of whistleblowers in order to implement the principle of proportionality. The number of persons who may act as whistleblowers varies, depending on the branch of business concerned. A whistleblower must be verified in every case to be included in the Group.

    2. Limit on the number of persons who may be incriminated through a whistleblower system

      The Article 29 Group has determined it sufficient to limit the number of persons who may be discovered through a whistleblower system, but on the other hand, the Article 29 Group also recommends measures to obviate false accusations from launching an investigation and data processing.

    3. Encouraging identified and confidential reports instead of anonymous reports

      The Article 29 Group deals with the problem of whether a whistleblower may remain anonymous or should be identified, under conditions of confidentiality. They have provided the following arguments against anonymous whistleblowers:

      * The company cannot guarantee to the whistleblower that his identity will be kept secret because his identity can always be investigated in some other way.

      * The company may not be able to verify accusations without follow-up questions.

      * Anonymous whistleblowers can be detrimental to the working climate because they create a culture of denunciation. Every employee is aware that anonymous reports concerning them may be presented to the company at any time.

      Accordingly, the Article 29 Group proposes that whistleblowers should be identified in order to assure fair practice in data collection. In specific cases, there may be exceptions to this rule. For example, in the event that a company requires employees to disclose their identity when they give information about a colleague via a whistleblower "hotline", the company must ensure that the whistleblower's report will be treated strictly confidentially and carefully. The company may not provide this confidential information to a third party. The company also must ensure that the report will be treated confidentially throughout the whistleblower process. Nevertheless, the company must indicate to the whistleblower that his name will be divulged eventually to all persons who are involved in the further investigation.

    4. Data processing only for the purpose of processing the report

      The EU Directive concludes that data collection is only allowed for specified and lawful purposes. (7) Data may not be collected for any other reason in contradiction to these purposes. The company must exercise care in implementing a whistleblower system, to match the process of data collection with the above named purposes. Therefore the system should accept reports from all areas of the firm via the hotline, not merely from trouble areas like accounting, banking and financial crime.

    5. Compliance with data retention periods

      The company must delete personal data without delay, no later than two months after completion of the investigation. The company may only keep data for a longer period of time if it decides to take further legal action against the whistleblower or against the incriminated person.

    6. Clear information about the whistleblower system

      The company must inform the employees about the introduction of the whistleblower system, because employees are the potential data subjects. Further, the company should inform employees that while the whistleblower's identity will be treated confidentially during the investigation process, legal action may be taken against the...
