Companies listed on U.S. stock exchanges are required under the Sarbanes-Oxley Act to establish a system for employees to internally report concerns over questionable auditing or accounting matters. These systems are often referred to as “whistleblowing hotlines”. When setting up hotlines around the globe, however, employers must be mindful of the European Union (EU) privacy regime. Previously, some EU regulatory authorities intimated that such hotlines could never be acceptable in their jurisdictions. Public company employers were left, therefore, with the unfortunate choice of foregoing the hotline and potentially violating Sarbanes-Oxley, or implementing the hotline and potentially violating EU privacy laws.
Over the past few years, however, a framework has developed, at both the EU level and among the member states, that provides guidance on how employers may lawfully implement such a hotline throughout most of the European continent. McDermott just released an article outlining a checklist of basic principles for public company employers to follow so they can stay within this framework. As explained in more detail in the article found here, these principles include:
1. Encourage “confidential” rather than “anonymous” reporting
2. Set up a filtration system
3. Ensure confidentiality and data security
4. Limit the nature and scope of the processed data
5. Ensure compliant transfers of data outside of the EEA
6. Retain and destroy data according to local requirements
7. Give employees the right of correction
8. Inform employees about the program
9. Follow authorization procedures
By observing these basic principles when setting up a whistleblowing hotline in the EU, and by following the other best practices detailed in the full article, public companies can best position themselves to mitigate the risk of an enforcement action on both sides of the pond.