Sarbanes-Oxley and EU Data Protection and Privacy – a decade on

When the Sarbanes-Oxley Act (“SOX”) was introduced over 10 years ago it brought to light a marked difference of historical perspective between the US and Europe. This difference was reflected in the laws the two continents were adopting on the subjects of whistle-blowing and privacy. This article looks at the two perspectives, the conflict of laws that resulted and how US-listed companies operating in Europe have handled the conflict in the meantime.

What is the difference of historic perspective? To Americans (long used to protection by the rule of law), whistle-blowing, that is, reporting malpractice, is the heroic duty of the law-abiding employee and is necessary to protect against corporate fraud. To the continental European, the idea of whistle-blowing summons up an ancient anxiety, namely the night-time knock on the door after some neighbour or colleague has anonymously claimed that you are an enemy of the state or, going even further back, an enemy of God. To the British, at least of a certain generation, it also feels like “telling tales”.

How have these perspectives been reflected in law? Since the disastrous collapse of Enron and WorldCom, US law has sought to encourage whistle-blowing and protect the whistleblower. In Europe, while not ignoring the whistleblower, lawmakers have been more focused on protecting privacy and preventing the misuse of personal data.

The two perspectives clashed head on with SOX and European privacy and data protection rules (“DPR”). SOX requires US companies whose stock is publicly traded to establish procedures (“hotlines”) to enable employees to raise concerns anonymously about accounting or audit irregularities. These hotlines have to be established for employees wherever the US company operates, including, therefore, Europe. It should be noted that although SOX only applies to publicly traded companies, its whistleblowing regime has been adopted voluntarily by many US multinationals as best practice for their protection against fraud and malfeasance.

Meanwhile, in the European Union, under the Data Protection Directive, member states must protect their citizens’ “right to privacy”. The directive has been implemented in different ways by each member state, but in essence it requires express consent to the processing of personal data and it restricts the transfer of personal data out of the European Economic Area (“EEA”) unless the transferee country has DPRs equivalent to those of the EU.

Compliance with both regimes is a serious challenge for the US companies concerned, particularly given SOX’s requirement of anonymity (very problematic under DPR) and the fact that the US does not automatically qualify as an equivalent state for data protection purposes.

How have the US companies concerned ensured compliance? In fact, a careful reading of both sets of rules produces a navigable channel between the two. This requires the multinational company to develop a careful and considered compliance strategy. There are a number of options available, including establishing two whistleblowing regimes: one compliant in both the US and Europe, and one for the US and the rest of the world reflecting the broader whistleblowing aspirations of most US multinationals. This appears to have been the preferred route of many US companies. Another option is to develop a standard hotline facility and tailor it to the variations between the different EU member states so as to reflect local employment laws and values. In any event, some basic considerations apply when drafting whistleblowing policies for Europe:

  • respect the European legal concept of proportionality and limit the scope of the hotline
  • align, where possible, the hotline with existing reporting structures such as works councils, trade unions or ombudsmen
  • consider outsourcing the hotline to an external provider where one is available and such arrangements are accepted by the local data protection authority
  • ensure internal compliance with rules on the processing of “sensitive personal data”, data security, due process for whistleblowing targets and data destruction
  • have a strategy to ensure compliance with rules relating to transfers of data out of the EEA
  • have a trained and expert whistleblower handling team

One final thought. To date there have been very few successful prosecutions of any kind under SOX. Meanwhile, fines imposed for breaches of European DPRs have been substantial.