Last month's Global HR Hot Topic summarized law in the nine European Union jurisdictions that have issued written guidance on Sarbanes-Oxley § 301 whistleblower hotlines. That guidance in hand, a SOX-regulated multinational can tailor a trans-Atlantic hotline strategy by taking three steps.
Challenge: Sarbanes-Oxley § 301 mandates anonymous whistleblower hotlines, but laws in Europe impose surprisingly high barriers to them. SOX-regulated multinationals feel caught in a bind among inconsistent, even contradictory laws on workplace whistleblower hotlines.
The Sarbanes-Oxley § 301 anonymous hotline-in-Europe conflict can seem an intractable problem for SOX-regulated multinationals operating in the European Union. Fortunately, there is a way out. While we have no "magic bullet," there is a three-step process by which any company can tailor its own unique solution: First, assess the company's position as to each of the EU data protection law issues in play. Those issues appear below in a checklist. Second, select one of five possible strategy options. Those options appear below, after the checklist. Third, where required, consult with employee representatives.
Step 1: Assess the company's position on EU data protection law issues
These are the data protection law issues relevant to whistleblower hotlines in Europe:
- Limit hotline topics: Put aside the US "best practice" of opening a hotline to whistleblowing about any workplace misconduct. Contain the universe of hotline-reportable offenses to comply with the so-called "proportionality" doctrine.
- Align "alternate reporting channels": Integrate EU hotlines into the structures, committees, representatives and protocols that proliferate in European workplaces.
- Discourage anonymity: Actively encourage whistleblowers to self-identify. In France and Spain, keep silent about hotline anonymity.
- Reject mandatory reporting rules: Do not require rank-and-file European employees to report fellow workers' misdeeds.
- List due process rights: In communicating a hotline, spell out the robust due process rights (and presumption of innocence) that protect a European whistleblower's target.
- Disclose/get permission: Heed mandates of local data privacy agencies ("Data Protection Authorities") requiring employers to disclose, and in some cases get permission for, workplace hotlines.
- Translate: Reject the "English is our company language" approach. Translate hotline communications. Offer local-language call operators.
- Heed outsourcing restrictions: Some EU states discourage outsourcing hotlines to call center vendors. Comply with rules requiring in-house hotline oversight.
- Insulate data transmissions outside the EU: Check that hotline calls (and call reports) routed outside the EU comply with rules restricting data sent abroad. Never rely entirely on a hotline call center vendor's "safe harbor" certification.
- Comply with "sensitive data" rules: "Sensitive data" include information about "offences or security measures" — common issues in hotline calls. Comply with the tough EU data laws that restrict processing and transmitting "sensitive data."
- Secure hotline data: EU data laws require good data security. Impose tough controls.
- Rein in internal investigations: "Europeanize" internal investigations of hotline complaints. Offer whistleblowers' targets, and named witnesses, full and early access to name-redacted investigation files.
- Destroy files promptly: Purge notes and files on hotline reports as soon as a matter becomes inactive.
Pointer: There is no "magic bullet," but there is a three-step process for tailoring a way out.
Step 2: Select one of the five strategy options
After assessing each issue on the above checklist, the next step is to tailor a European strategy for the company's own SOX § 301 hotline. There are five theoretical strategy options, although they are not all equally viable:
- Strategy option #1 — No EU Hotline: Shut down the hotline in Europe or mold it completely to local rules, taking the position that SOX does not require hotlines outside the US. Cf. Carnero v. Boston Scientific, 433 F.3d 1 (1st Cir. 2006), cert. den. 126 S. Ct. 2973 (2006) (SOX § 806 whistleblower law does not reach outside the US). But this strategy may not be viable, as few SOX-regulated companies find it tolerable.
- Strategy option #2 — One Global Hotline: Launch, worldwide, a single SOX § 301 hotline that complies with EU rules. But this strategy may not be viable, as it requires imposing a restricted European-style hotline in the US (and elsewhere), which few US multinationals want.
- Strategy option #3 — Two Hotlines: Launch two hotlines — one European-style hotline for Europe and one American-style hotline for operations elsewhere. This strategy may be an emerging global "best practice."
- Strategy option #4 — Tailored Hotlines: Craft a single hotline template, then tailor it to each local EU jurisdiction that imposes restrictions. This strategy allows for the tightest fit with rules in individual EU member states, and so is an ideal "full-compliance" approach.
- Strategy option #5 — Informal Report "Procedures" in Europe: Fall back on low-tech, low-key, under-the-radar "reporting procedures" in the EU, rather than a full-blown hotline. But this strategy might raise compliance challenges.
Step 3: Inform/consult/co-determine
Where mandated, inform and consult, or co-determine, with worker representatives about the strategy the company selects, before roll-out.
This is a broad overview. Each of these three steps requires far more detailed explanation. That more detailed explanation appears in a paper White & Case has available. For a copy, e-mail firstname.lastname@example.org and ask for our "SOX/EU hotline full article."