
Whistleblower Schemes and Sarbanes-Oxley

13 March 2006

The Irish referee sets out the ground rules for compliance.

On 8th March 2006, the Irish Data Protection Commissioner published a guidance note which will be of great relevance to US-listed corporations that have significant Irish operations.

The guidance note is aimed at resolving the apparent conflict between European data protection law and compliance by US corporations with Section 301(4) of the Sarbanes-Oxley Act of 2002 (“SOX”).

Under SOX, US-listed corporations are obliged to establish hotlines to allow employees a confidential and, crucially, anonymous method of whistleblowing if questionable auditing or accounting practices are perceived to exist. The corporation’s audit committee then has the task of establishing procedures for the receipt, retention and ultimately the treatment of those complaints.

How to implement these schemes across European affiliates of those entities became a concern, as data protection laws appear to conflict with the idea of keeping from a corporate Jane Doe the fact that one of her colleagues has made such an allegation about her.

Wal-Mart (in Germany) and K-Mart (in France) both faced these issues last year. In France, CNIL (their equivalent of the Irish Data Protection Commissioner) refused to authorise McDonald’s whistleblowing scheme due to its non-compliance with French data protection law. Those laws, it held, could amount to a system of “professional denunciation” (the term has clear historical negative connotations in France) which could result in employees being defamed.

The Article 29 Working Group, which is a key EU-level body in this area, issued an opinion in early February 2006. This, together with the new Irish guidance note, gives some useful tips to US-listed corporations on how to ensure compliance. Some of these are listed below.

  • Does your scheme protect the accused, or just the accuser (remember that both may be entitled to EU data protection)?
  • Does the data flow back to the US or anywhere outside the EEA? If yes, is your corporation on the “Safe Harbor” list (www.export.gov/safeharbor)? If not, do you have a proper agreement with your Irish affiliate to protect the data?
  • Is your scheme open to all staff or can it be limited to certain people/titles?
  • Is anonymity always necessary?
  • How long is the complaint data stored for, and who gets access to it?
  • How have we communicated to our staff on the scheme?
  • We outsource this function – how do we still ensure compliance?

Key to compliance will be following the recommendation that your scheme focuses, in the data which it creates, on the issues, not the individuals. The focus of the scheme must be on auditing and accounting matters.

The guidance notes are a useful and timely tool in testing compliance. The challenge will be for US-listed corporations to review their whistleblowing schemes to ensure that they meet both their SOX obligations and those existing under Irish and European data protection laws.

If you have questions on how these guidance notes impact on your SOX whistleblower scheme, please contact:

Jeanne Kelly      +353 1 614 5088        jkelly@mhc.ie

John Kettle         +353 1 614 5049        jkettle@mhc.ie

This guidance note may also be downloaded as a PDF from the publications section.
