Corporate compliance hotlines, or whistle-blowing hotlines, enable employees to report suspicions of violations of corporate rules, financial misconduct and other infractions on a confidential and sometimes also anonymous basis. They are considered by many corporations to be necessary to support good corporate governance and an aid in the fight against bribery, corruption and financial crime. They are a required compliance step under the US Sarbanes-Oxley Act.
Whistle-blowing hotlines are often rolled out on a global basis. However, many companies headquartered outside the EU (or in the UK where the law relating to data protection is comparatively relaxed) may fail to appreciate that the implementation of a hotline will be caught by EU data privacy laws. Why? Use of such a hotline necessarily involves the personal data of both the reporter (name, role, site and the fact that he made the report, for example) and the “reportee” (name, allegation, etc.). Moreover, processing that data may have significant adverse repercussions for either or both parties if the allegation is true on the one hand or made in bad faith on the other.
As a result, introducing such a scheme in Europe will require a number of specific regulatory compliance steps to be taken before the hotline is rolled out. Furthermore, although EU data privacy law has been harmonised to some extent by an EU Directive, there are still differences in the laws of each EU member state and, perhaps more importantly, in the interpretation of these laws and their enforcement by the local data privacy authorities. As a result the level and nature of the compliance required from state to state can vary substantially. This is not an area where adopting an “EU average” approach to compliance is likely to be successful.
Data privacy is taken extremely seriously in many EU states and a number of these territories view whistle-blowing hotlines with a strong element of suspicion for historical, social and cultural reasons. It is very much a “live” issue at present, especially in light of the PRISM scandal in the US (see our post on the impact of PRISM on Czech data transfers to the US) and of the proposed new EU Regulation which is currently under discussion.
The way in which your international hotline is structured can have an appreciable effect on the type and extent of compliance that is required, and (in some of the stricter jurisdictions) on whether the hotline is permitted at all. It is therefore important to seek expert local advice at the planning stage to minimize the compliance burden and the risk of substantial delays or liabilities being caused further down the line.
Our Data Protection & Privacy Practice Group includes lawyers based in Europe, the US and Asia Pacific. The Group is highly experienced in managing substantial data privacy compliance projects, coordinating the provision of specialist advice from our lawyers located around the globe, substantially reducing the regulatory and administrative burden which would otherwise reside with our clients’ in-house counsel. We have specialist, up-to-date knowledge and experience in dealing with the data privacy compliance required in relation to whistle-blowing hotlines and data protection lawyers resident in more than a dozen countries.
Failure to take the required compliance measures can result in the imposition of substantial penalties and/or civil or even criminal liability for responsible officers of the company in certain EU territories, plus considerable negative publicity. There also are a number of non-EU countries, such as Russia, that impose strict data privacy requirements.