EU Data Protection Act and Sarbanes Oxley - any conflicts?



  • Denis,
    I understand that it looks silly, but corporate data is not the same in common law countries and in civil law:
    If you have some time, see my presentation at HiverCon
    redbrick.dcu.ie/~biteme/hivercon/html/talk-lekatis.htm
    Data Protection Directive - 95/46/EC europa.eu.int/comm/internal_market/privacy/index_en.htm
    What is personal data (according to EU)?
    Personal data can be any information relating to an identified or identifiable natural person (directly or indirectly): Name, telephone number, photos
    Specific to his physical, physiological, mental, economic, cultural or social identity
    What is processing of personal data?
    Any operation performed upon personal data whether or not by automatic means

    What is sensitive personal data?
    Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning health or sex life.
    Sensitive data: Member states must prohibit the processing of these sensitive personal data.
    Restrictions apply

    The EC Data Protection Directive covers the following areas:
    Information to be given to the data subject
    The data subject’s right to object
    Transfer of personal data to third countries
    Supervisory authorities
    Data Controllers must adhere to the following rules:
    Data must be relevant and not excessive in relation to the purpose for which they are processed.
    Data must be accurate.
    Data controllers are required to provide reasonable measures for data subjects to rectify, erase or block incorrect data about them.
    The directive prohibits transfer of personal information to countries that lack adequate protection of privacy
    There are ‘derogations’ (exceptions)
    It may be necessary to take special precautions
    The solution may be a contract
    The object of such a contract would be to provide for adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals
    How could it be a law?

    Again a couple of thoughts

    1. EU data protection makes an exception for criminal law - Sarbox is, isn’t it? Any compulsion by the SEC to provide data to them would surely be covered by this exception?
    2. The EU does not treat the US as a country that lacks adequate protection of privacy 8O So no problem there.
    3. Sarbox is concerned with Financial Statements (compiled from Corporate Data) and I still fail to see any significant conflict between EU data protection and Sarbox.
    4. Any personal data required to prepare financial statements should have already been compiled in accordance with data protection legislation.
    5. Sarbox did not create any new disclosures in financial statements


  • Denis,
    You wrote:

    1. EU data protection makes an exception for criminal law - Sarbox is, isn’t it? Any compulsion by the SEC to provide data to them would surely be covered by this exception?
      Data Protection Directive:
      *Does not apply to areas such as public security, defense or criminal law enforcement (but SOX needs ‘processing’ of data for all employees, without any criminal case, subpoenas etc.)
      *EU has not jurisdiction also over many governmental uses of personal data. EU governments are free from the directive to collect all personal information. Example: The new Regulation of Investigatory Powers Act in
      You wrote
    2. The EU does not treat the US as a country that lacks adequate protection of privacy. So no problem there.
      Here is the problem. It is difficult to believe, but EU does treat the US as a country that lacks adequate protection of privacy.
      If you visit the US department of commerce: http://www.export.gov/safeharbor/
      you will read about the Safe Harbor Agreement
      Click Safe Harbor Overview,
      http://www.export.gov/safeharbor/sh_overview.html
      Surprise:
      ‘The European Commission’s Directive on Data Protection went into effect in October, 1998, and would prohibit the transfer of personal data to non-European Union nations that do not meet the European ‘adequacy’ standard for privacy protection. While the United States and the European Union share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the European Union. The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self regulation. The European Union, however, relies on comprehensive legislation that, for example, requires creation of government data protection agencies, registration of data bases with those agencies, and in some instances prior approval before personal data processing may begin. As a result of these different privacy approaches, the Directive could have significantly hampered the ability of U.S. companies to engage in many trans-Atlantic transactions.’
    3. Any personal data required to prepare financial statements should have already been compiled in accordance with data protection legislation.
      Data Protection, Article 6
    1. Member States shall provide that personal data must be:
      (a) processed fairly and lawfully;
      (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;
      (c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;
      You collect data. Sox is ‘another purpose’. You need consent from employees or permission from your country’s data protection authority.

    Denis, I know that is difficult to believe. Ask the lawyers. I have been involved in compliance with EU data protection directive in Europe for some years and there are a lot of surprises out there…



  • You need consent from employees or permission from your country’s data protection authority.
    FOR WHAT?
    I still fail to see what data you need employee consent for.
    There is no new ‘disclosure’ out of SOX. Pre-SOX EU companies with a US listing filed a 20-F, post-SOX they still file a 20-F. The only addition to the 20-F is a statement on internal controls.



  • The only addition to the 20-F is a statement on internal controls
    In many companies, there were fewer controls. Because of SOX, we had a lot of new internal controls. In the real world it means ‘better’ monitoring and collection of every kind of data. They process these data for another reason (Sarbanes Oxley compliance), so they need consent. Looks silly? It is, but it is the law.
    But, it is true: Compliance and security are apparently leaving little breathing space for privacy.



  • In many companies, there were fewer controls. Because of SOX, we had a lot of new internal controls. In the real world it means ‘better’ monitoring and collection of every kind of data. They process these data for another reason (Sarbanes Oxley compliance), so they need consent. Looks silly? It is, but it is the law.

    I would go back to my original comment that this is a bit tenuous.
    If improving your internal controls results in additional data collection or processing then perhaps there would be a potential data protection implication. However, I don’t think this is going to be the normal situation - are you really going to be capturing additional data regarding employees or indeed customers, vendors or other counterparties that you are not already capturing as part of the transaction? You should have consent for this already and if you don’t your problem does not originate from SOX.
    I would also argue against Sarbanes-Oxley compliance being the reason for any data collection or processing, as the real reason would be internal control over financial reporting i.e. something the company is doing internally.



  • Do you remember Sec. 806: Protection for employees of publicly traded companies who provide evidence of fraud
    (WHISTLEBLOWER PROTECTION FOR EMPLOYEES OF PUBLICLY TRADED COMPANIES
    No company or any officer, employee, contractor, subcontractor, or agent of such company, may discharge, demote, suspend, threaten, harass, or in any other manner discriminate against an employee in the terms and conditions of employment because of any lawful act done by the employee
    (1) to provide information, cause information to be provided, or otherwise assist in an investigation regarding any conduct which the employee reasonably believes constitutes a violation
    (2) to file, cause to be filed, testify, participate in, or otherwise assist in a proceeding filed or about to be filed (with any knowledge of the employer) relating to an alleged violation or any provision of Federal law relating to fraud against shareholders)
    As our friend Jon has remarked in his email:
    ‘I am specifically interested in how a US company with offices throughout the EU can comply with the notice and choice principles of EU Data Protection laws while simultaneously complying with the whistle blower requirements under SARBOX.

    By way of example, an EU company subject to SARBOX establishes a hotline reporting service for employees to use anonymously or they can agree to identify themselves, to report corporate malfeasance or a similar matter. The reporting service is set up by the employer in order to comply with the SARBOX whistle blowing requirements. During the report, the employee shares personal information about one of his colleagues. The colleague has not consented to the sharing of this personal information - why would he - someone is complaining about something he did?

    To add a further wrinkle, assume the information is being shared with a third party in the United States who has been hired by the employer to collect this information and prepare reports summarizing the complaint so that it can be investigated by the employer.’
    I want to be clear. It is impossible to comply with both, SOX and EU data protection directive. The good news: The data protection directive is not so strictly enforced in EU.
    What you can do:
    > …specifically interested in how a US company with offices throughout the EU can comply with the notice and choice principles of EU Data Protection laws while simultaneously complying with the whistle blower requirements under SARBOX.
    It is really difficult to comply with both. What you must do:
    1. Safe Harbor agreement
    2. Consent of employees
    > whistle blowing requirements. During the report, the employee shares personal information about one of his colleagues. The colleague has not consented to the sharing of this personal information - why would he - someone is complaining about something he did?
    You need:
    1. A policy and the functional procedures
    2. A security awareness / policy compliance training
    3. Give one month to everyone for questions and explanations
    4. Signature of all employees that they agree (we call it consent)
    > This seems like a very difficult and sticky situation
    It is.
    > Maybe they have to provide notice to all their employees before setting up the reporting service and advise that certain personal information could be shared through the reporting service?
    They have to do that - otherwise it is 100% illegal, to process personal information without notice.
    The big problem also is that data controllers are required to provide reasonable measures for data subjects to learn, rectify, erase or block incorrect data about them.
    We must have both:
    1. SOX: a hotline reporting service for employees to use anonymously AND
    2. Data Protection: Data subjects to learn, rectify, erase or block incorrect data about them.
    THE WORST CASE SCENARIO: EMPLOYEES DO NOT GIVE CONSENT. WE CAN NOT FIRE THEM BECAUSE THEY CAN DO IT (CHOICE)
    So, we exercise due care, we prove due diligence meeting the standards in our industry, and do our best to have consent of our employees.



  • I printed the discussion and brought it to our attorneys. There are some things we had not considered. Great forum.



  • Where can I find information about EU data privacy laws?
    Thanks





  • You are very welcome



  • Sorry for the previous message, I forgot to log on.
    Soxworker, you are very welcome.



  • On 14 June 2005 the French Data Protection Authority refused to authorize the use of anonymous whistleblower hotlines.
    The French Authority’s view was that such hotlines are ‘disproportionate to the objectives sought and the risks of slanderous denunciations and the stigmatization of employees who were the subjects of an ethics alert.’
    In a similar decision the following day, a German Labour Court ruled that parts of an employee code of conduct inviting employees to report misconduct to a whistleblowers hotline breached German labour law.
    Sarbanes-Oxley law requires such anonymous complaint mechanisms.
    Early indications from the UK Information Commissioner’s Office (ICO) are that they would decline to follow the French and German approach. In contrast to the French and German decisions, the ICO’s view is that the appropriate use of such helplines by organisations would not, in principle, raise data protection concerns.
    However, where organizations misuse such anonymous hotlines for inappropriate information gathering purposes there may be data protection implications.
    http://www.clubukonline.co.uk/legal-update/legaldetail.asp?id=339
    Whistleblower hotlines ruled unlawful
    You may read also another document:
    Companies that are publicly traded in the United States and also have operations in the European Union must proceed with caution when complying with the whistleblower provisions of the U.S. Sarbanes-Oxley Act of 2002.
    Compliance with Sarbanes-Oxley’s whistleblower requirements may result in a breach of E.U. data protection law and labor law.
    http://www.hunton.com/files/tbl_s10News\FileUpload44\11860\Sarbanes-Oxley_EUData_Alert.pdf
    Some thoughts:
    If you have subsidiaries in EU, do you have the permission from the local Data Protection Authority? BE CAREFUL, if you implement a range of procedures for receipt of anonymous complaints, including telephone hotlines, e-mail addresses, fax numbers, post office boxes and web-based mechanisms for submitting concerns.
    Commission Nationale de l’Informatique et des Libertés (CNIL) refused to approve ethics or whistle-blowing programs proposed by French subsidiaries of two American companies – McDonald’s France and CEAC, a division of Exide Technologies. Both companies sought the CNIL’s approval for ethics hotlines they planned to establish in order to bring their organizations into compliance with the whistle-blower provisions of the Sarbanes-Oxley Act. Finding these hotlines to be contrary to French privacy law, the CNIL expressed the view that such hotlines are prone to abuse and likely to cause undue distress to suspected employees in case of libelous or unfounded accusations.
    McDonald’s originally planned to put in place an ethics hotline and a dedicated e-mail address but, after discussions with the CNIL, decided to use a U.S. fax number and postal address instead.
    Complaints would be processed by the U.S. parent company personnel under the supervision of its ethics director. Any complaint received pertaining to McDonald’s France personnel would be passed by the parent company to McDonald’s France management, except complaints concerning senior management in France, which would be investigated by the parent company.
    The suspected person would be given the opportunity to comment within two days. In the event that the investigation showed that the allegations were unfounded, the data would be deleted within two days of the case closure. If the allegations were determined to be well-founded, then the file would be kept for one to five years after the case was closed (depending on management level).
    CEAC’s proposed approach was to put in place a group-wide hotline and dedicated e-mail address, both of which were to be operated by a subcontractor. According to the company, the suspected person would have the opportunity to comment on the allegations as soon as possible. Records of whistle-blowing complaints would be kept for one year.
    Although the facts of the cases are slightly different, the legal reasoning presented in both cases was the same.
    The CNIL found that it had jurisdiction because the information that might be collected in the whistle blowing hotline related to an identifiable person and the French subsidiary would be exercising some control over the information collected.
    In addition to being inherently suspicious of all whistle-blowing, the CNIL argued that whistle-blowing mechanisms are inherently disproportionate. The CNIL reasoned that companies already have access to other anti-fraud mechanisms that are less privacy-invasive and less prone to abuse, and thus there is no justification for a whistle-blowing process. These other anti-fraud mechanisms include employee training, audits by accountants, and enforcement of labor laws by the courts.
    It is interesting to note that the decision did not address the cross-border aspect of the hotlines. Rather it appears that the very concept of an anonymous complaint line is anathema to the CNIL. Thus, it is likely that the result would have been the same even if the whistle-blowing hotline were set up and entirely managed and operated within France.
    The CNIL also did not address the conflict of laws issue: that U.S. public companies must have some mechanism to receive anonymous complaints. Thus, if a U.S. public company lists on its website or intranet site that it has a telephone number or email address where anonymous complaints can be received, even if that site is not addressed to or publicized in France, a French employee may still go to the site and file an anonymous complaint.
    http://www.mofo.com/tools/print.asp?/mofo_dev/news/updates/files/update02035.html



  • On 14 June 2005 the French Data Protection Authority refused to authorize the use of anonymous whistleblower hotlines.
    The French Authority’s view was that such hotlines are ‘disproportionate to the objectives sought and the risks of slanderous denunciations and the stigmatization of employees who were the subjects of an ethics alert.’
    In a similar decision the following day, a German Labour Court ruled that parts of an employee code of conduct inviting employees to report misconduct to a whistleblowers hotline breached German labour law.

    Quelle surprise :roll:
    McDonald’s originally planned to put in place an ethics hotline and a dedicated e-mail address but, after discussions with the CNIL, decided to use a U.S. fax number and postal address instead.
    Nice to see that there’s still a solution from a SOX point of view



  • This is a good point Denis. It was good that you pointed to this, as it would have been lost in my large message.
    There is still a reason for concern. Any complaint received pertaining to McDonald’s France personnel would be passed by the parent company to McDonald’s France management except complaints concerning senior management in France, which would be investigated by the parent company.
    I would not want to be a member of this strange multinational disclosure committee …



  • There is a very interesting paper about the issues we discuss, from the Institute of Chartered Accountants in England and Wales (ICAEW), the largest professional accountancy body in Europe with over 125,000 members in 142 countries worldwide.
    icaew.co.uk/viewer/index.cfm?AUB=TB2I_84141
    ‘Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes’
    2.18: Data collected for the purpose of specific engagements should not be used for other purposes.
    Institute of Chartered Accountants in England and Wales
    Since the establishment of the Cadbury Committee in 1991, it has played a significant role in the development of corporate governance. For example, the Turnbull Guidance on Internal Control published by the ICAEW was approved by the Securities and Exchange Commission (SEC) as a framework for compliance with Section 404 of the Sarbanes-Oxley Act.



  • Thank you George



  • You are very welcome



  • A great source of information about privacy and data protection issues:
    //dpalaw.info/



  • I received one email and as I promised, I write my answers here for all my friends in the list.
    QUESTIONS:

    1. ‘If we use COBIT, where is the high level control objective and where the detailed objectives for privacy?’
    2. ‘What audit work is involved?’
    ANSWERS:
    1. High-level control objective PO8, Ensure compliance with external requirements:
      Control over the IT process of ensuring compliance with external requirements that satisfies the business requirement to meet legal, regulatory and contractual obligations is enabled by identifying and analyzing external requirements for their impact, and taking appropriate measures to comply with them and takes into consideration:
      Laws, regulations and contracts
      Monitoring legal and regulatory developments
      Regular monitoring for compliance
      Safety and ergonomics
      Privacy
      Intellectual Property
      Detailed control objective PO8.4, Privacy, intellectual property and data flow:
      Management should ensure compliance with privacy, intellectual property, transborder data flow and cryptographic regulations applicable to the IT practices of the organization.
    2. AUDIT WORK:
      Ensure that data being transmitted across state and international borders does not violate local and export laws
      Ensure compliance with privacy regulations
      If encryption is used, check that it conforms with regulations (e.g. length of the key)
      Ensure that sensitive/private information is being afforded appropriate security and privacy protection internally and externally


  • Thank you George, you have helped us

