EU Data Protection Act and Sarbanes Oxley - any conflicts?



  • I printed the discussion and brought it to our attorneys. There are some things we had not considered. Great forum.



  • Where can I find information about EU data privacy laws?
    Thanks





  • You are very welcome



  • Sorry for the previous message, I forgot to log on.
    Soxworker, you are very welcome.



  • On 14 June 2005 the French Data Protection Authority refused to authorize the use of anonymous whistleblower hotlines.
    The French Authority’s view was that such hotlines are ‘disproportionate to the objectives sought and the risks of slanderous denunciations and the stigmatization of employees who were the subjects of an ethics alert.’
    In a similar decision the following day, a German Labour Court ruled that parts of an employee code of conduct inviting employees to report misconduct to a whistleblowers hotline breached German labour law.
    Sarbanes-Oxley law requires such anonymous complaint mechanisms.
    Early indications from the UK Information Commissioner’s Office (ICO) are that it would decline to follow the French and German approach. In contrast to the French and German decisions, the ICO’s view is that the appropriate use of such a helpline by organisations would not, in principle, raise data protection concerns.
    However, where organizations misuse such anonymous hotlines for inappropriate information gathering purposes there may be data protection implications.
    http://www.clubukonline.co.uk/legal-update/legaldetail.asp?id=339
    Whistleblower hotlines ruled unlawful
    You may read also another document:
    Companies that are publicly traded in the United States and also have operations in the European Union must proceed with caution when complying with the whistleblower provisions of the U.S. Sarbanes-Oxley Act of 2002.
    Compliance with Sarbanes-Oxley’s whistleblower requirements may result in a breach of E.U. data protection law and labor law.
    http://www.hunton.com/files/tbl_s10News\FileUpload44\11860\Sarbanes-Oxley_EUData_Alert.pdf
    Some thoughts:
    If you have subsidiaries in the EU, do you have the permission of the local Data Protection Authority? BE CAREFUL if you implement a range of procedures for receipt of anonymous complaints, including telephone hotlines, e-mail addresses, fax numbers, post office boxes and web-based mechanisms for submitting concerns.
    The Commission Nationale de l’Informatique et des Libertés (CNIL) refused to approve ethics or whistle-blowing programs proposed by French subsidiaries of two American companies – McDonald’s France and CEAC, a division of Exide Technologies. Both companies sought the CNIL’s approval for ethics hotlines they planned to establish in order to bring their organizations into compliance with the whistle-blower provisions of the Sarbanes-Oxley Act. Finding these hotlines to be contrary to French privacy law, the CNIL expressed the view that such hotlines are prone to abuse and likely to cause undue distress to suspected employees in case of libelous or unfounded accusations.
    McDonald’s originally planned to put in place an ethics hotline and a dedicated e-mail address but, after discussions with the CNIL, decided to use a U.S. fax number and postal address instead.
    Complaints would be processed by the U.S. parent company personnel under the supervision of its ethics director. Any complaint received pertaining to McDonald’s France personnel would be passed by the parent company to McDonald’s France management, except complaints concerning senior management in France, which would be investigated by the parent company.
    The suspected person would be given the opportunity to comment within two days. In the event that the investigation showed that the allegations were unfounded, the data would be deleted within two days of the case closure. If the allegations were determined to be well-founded, then the file would be kept for one to five years after the case was closed (depending on management level).
    CEAC’s proposed approach was to put in place a group-wide hotline and dedicated e-mail address, both of which were to be operated by a subcontractor. According to the company, the suspected person would have the opportunity to comment on the allegations as soon as possible. Records of whistle-blowing complaints would be kept for one year.
    Although the facts of the cases are slightly different, the legal reasoning presented in both cases was the same.
    The CNIL found that it had jurisdiction because the information that might be collected in the whistle-blowing hotline related to an identifiable person and the French subsidiary would be exercising some control over the information collected.
    In addition to being inherently suspicious of all whistle-blowing, the CNIL argued that whistle-blowing mechanisms are inherently disproportionate. The CNIL reasoned that companies already have access to other anti-fraud mechanisms that are less privacy-invasive and less prone to abuse, and thus there is no justification for a whistle-blowing process. These other anti-fraud mechanisms include employee training, audits by accountants, and enforcement of labor laws by the courts.
    It is interesting to note that the decision did not address the cross-border aspect of the hotlines. Rather it appears that the very concept of an anonymous complaint line is anathema to the CNIL. Thus, it is likely that the result would have been the same even if the whistle-blowing hotline were set up and entirely managed and operated within France.
    The CNIL also did not address the conflict of laws issue: that U.S. public companies must have some mechanism to receive anonymous complaints. Thus, if a U.S. public company lists on its website or intranet site that it has a telephone number or email address where anonymous complaints can be received, even if that site is not addressed to or publicized in France, a French employee may still go to the site and file an anonymous complaint.
    http://www.mofo.com/tools/print.asp?/mofo_dev/news/updates/files/update02035.html



  • On 14 June 2005 the French Data Protection Authority refused to authorize the use of anonymous whistleblower hotlines.
    The French Authority’s view was that such hotlines are ‘disproportionate to the objectives sought and the risks of slanderous denunciations and the stigmatization of employees who were the subjects of an ethics alert.’
    In a similar decision the following day, a German Labour Court ruled that parts of an employee code of conduct inviting employees to report misconduct to a whistleblowers hotline breached German labour law.

    Quelle surprise :roll:
    McDonald’s originally planned to put in place an ethics hotline and a dedicated e-mail address but, after discussions with the CNIL, decided to use a U.S. fax number and postal address instead.
    Nice to see that there’s still a solution from a SOX point of view.



  • This is a good point, Denis. It was good that you pointed to this, as it would have been lost in my large message.
    There is still a reason for concern. Any complaint received pertaining to McDonald’s France personnel would be passed by the parent company to McDonald’s France management, except complaints concerning senior management in France, which would be investigated by the parent company.
    I would not want to be a member of this strange multinational disclosure committee …



  • There is a very interesting paper about the issues we discuss, from the Institute of Chartered Accountants in England and Wales (ICAEW), the largest professional accountancy body in Europe with over 125,000 members in 142 countries worldwide.
    icaew.co.uk/viewer/index.cfm?AUB=TB2I_84141
    ‘Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes’
    2.18: Data collected for the purpose of specific engagements should not be used for other purposes.
    Institute of Chartered Accountants in England and Wales
    Since the establishment of the Cadbury Committee in 1991, it has played a significant role in the development of corporate governance. For example, the Turnbull Guidance on Internal Control published by the ICAEW was approved by the Securities and Exchange Commission (SEC) as a framework for compliance with Section 404 of the Sarbanes-Oxley Act.



  • Thank you George



  • You are very welcome



  • A great source of information about privacy and data protection issues:
    //dpalaw.info/



  • I received one email and, as I promised, I am writing my answers here for all my friends on the list.
    QUESTIONS:

    1. ‘If we use COBIT, where is the high level control objective and where the detailed objectives for privacy?’
    2. ‘What audit work is involved?’
    ANSWERS:
    1. High-level control objective PO8, Ensure compliance with external requirements:
      Control over the IT process of ensuring compliance with external requirements that satisfies the business requirement to meet legal, regulatory and contractual obligations is enabled by identifying and analyzing external requirements for their impact, and taking appropriate measures to comply with them and takes into consideration:
      Laws, regulations and contracts
      Monitoring legal and regulatory developments
      Regular monitoring for compliance
      Safety and ergonomics
      Privacy
      Intellectual Property
      Detailed control objective PO8.4, Privacy, intellectual property and data flow:
      Management should ensure compliance with privacy, intellectual property, transborder data flow and cryptographic regulations applicable to the IT practices of the organization.
    2. AUDIT WORK:
      Ensure that data being transmitted across state and international borders does not violate local and export laws
      Ensure compliance with privacy regulations
      If encryption is used, check that it conforms to regulations (e.g. the length of the key)
      Ensure that sensitive/private information is being afforded appropriate security and privacy protection internally and externally


  • Thank you George, you have helped us



  • You are very welcome.



  • Very Interesting:
    ‘Update: European Data Protection Officials Find Conflicts with Sarbanes-Oxley Employee Hotlines’
    fulbright.com/images/publications/Corporate Update - European Data Protection - October 20051.pdf
    BE CAREFUL :idea:
    In the EU, data collected and used for Sarbanes-Oxley purposes MUST NOT be used for other purposes that are incompatible with the purposes for which the data was originally obtained.



  • Brilliant. I’m writing a thesis on whistleblower protection in Holland and, as I am looking for information on the subject of SOx and the European data-protection directive, I found this forum. Thanks for the information.
    Am I right to have understood that the problem is, kind of, solved? The American Court of Appeals has ruled that SOx rules do not apply to foreign whistleblowers working outside the US. Across the ocean, the ‘group article 29 (EU 95/46)’ has advised in the matter and concluded that (national) legal obligations may breach the data-protection directive. If the obligation for a whistleblowers procedure comes from overseas, it may still be allowed, as long as it is proportionally right.
    Is this the end of it?
    Diederik Diercks
    Amsterdam

