Thank you for sharing!

Your article was successfully shared with the contacts you provided.
A U.S. corporation that becomes aware of internal wrongdoing in foreign operations and moves to investigate the allegations and take appropriate responsive measures will be faced with the difficult task of ensuring that it complies with local laws that may restrict both the investigative techniques that can be employed and the remedial steps that may be taken. This difficulty is particularly acute in the European Union in light of the strong-and disparate-data-protection laws applicable to employees’ “personal data,” a category of information that generally carries a very broad definition. This same dilemma confronts foreign corporations that are U.S. issuers and may wish to avail themselves of the benefits of internal investigation and/or voluntary disclosure. Summarized below are the principal difficulties that these laws present and an overview of justifications for steps corporations may take to avoid frustration of compliance measures and the pursuit of internal inquiries. The comprehensive, broadly applicable data-protection regime in the European Union is unlike any regulation covering businesses’ use of their employees’ data in the United States. The wordily titled “Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data,” which sets a standard to be applied throughout the European Union, can be a significant obstacle to the conduct of internal investigations in E.U. countries. 1995 O.J. (L 281), http:// ec.europa.eu/justice_home/fsj/privacy/law/index_en.htm. The directive itself is not law in the European Union. Rather, E.U. member states were required to bring into force laws, regulations and administrative provisions to comply with the directive when it came into force in 1998. The law applicable in E.U. member states may have disparate requirements, or be interpreted in disparate ways by local data-protection authorities. Statutes are meant to protect individual privacy The purpose of these employee-friendly statutes is to protect individual privacy by restricting access to, and dissemination of, “personal data” contained in company records. The directive, by its terms, applies when employees’ “personal data” are “processed.” Personal data are defined as “any information relating to an identified or identifiable natural person.” Such data are “processed” when they are involved in “any operation or set of operations . . . whether or not by automatic means.” Directive, arts. 2(a), 2(b). The net effect of these proscriptions, which often can carry criminal penalties, is to place great restrictions on access to, and, as importantly, dissemination of, company records by counsel conducting an internal investigation, especially if disclosure of the results to relevant authorities is contemplated. Personal data must be processed “fairly and lawfully,” the purposes for which they are collected must be specified and they may not be used for further purposes inconsistent with those specified. Further, the consent of the data subject is required unless certain exceptions are met, among them that the processing is “necessary for the performance of a contract,” “necessary for compliance with a legal obligation to which the controller is subject” or “necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed.” Id., Art. 7. The directive also contains restrictions on “transfer” of such data. Personal data may be transferred to a nonmember state only if that state ensures “an adequate level of protection” for the data. The United States does not, in the view of the E.U., provide such adequate protection. Among the exceptions to this restriction on transfer are circum- stances in which the data subject has given consent to the transfer; the transfer is necessary or legally required on important public interest grounds or for the establishment or defense of legal claims; or adequate contractual provisions are in place under which the data controller has ensured adequate protection of the data. The European Union has approved model contractual clauses to facilitate companies’ use of this last exception. The U.S. Department of Commerce also offers a “safe harbor” program negotiated with the European Union, through which participating U.S. corporations may be deemed to provide adequate data protection to permit them to receive transfers of personal data from the European Union. Participating companies self-certify that they are compliant with the safe harbor’s provisions. Plainly, many steps taken by U.S. corporations in investigating allegations of wrongdoing involving the operations of E.U. subsidiaries or affiliates, and in taking appropriate steps to prevent or remedy such wrongdoing, will implicate these provisions. Indeed, corporations’ day-to-day activities will frequently implicate them. Two recent, controversial decisions from the French data-protection authority, the Commission Nationale de l’Informatique et des Libert�s (CNIL), illustrate the difficulties that domestic corporations face in light of E.U. data-protection laws. The Sarbanes-Oxley Act requires that companies listed on U.S. stock exchanges, and their subsidiaries, set up a method for employees to report anonymously concerns regarding accounting and financial issues to the audit committee of the board without fear of retaliation. This requirement is ordinarily satisfied by use of a phone or Internet-based hotline. The French subsidiaries of two multinational companies, McDonald’s Corp. and Exide Technologies, sought approval from CNIL for whistleblower initiatives in an effort to comply with this requirement. CNIL rejected both entreaties, however, on data-protection grounds, and on general principles of French law that disfavor anonymous accusations. Decisions 2005-110, 2005-111 (May 26, 2005). These decisions, of course, placed U.S. corporations and their subsidiaries in a difficult position. Failure to comply with Sarbanes-Oxley’s requirements may result in a Securities and Exchange Commission (SEC) enforcement action, civil penalties and potentially de-listing of the corporation. Failure to heed contrary data-protection laws, however, may also result in civil and criminal penalties. In this instance, the SEC moved quickly to open discussions with the CNIL to resolve the issue. On Nov. 10, 2005, the CNIL issued new guidelines that permit the French operations of multinational corporations to comply with the anonymous-reporting requirements without running afoul of French data-protection law. Although the CNIL approved the use of hotlines for reporting on internal financial controls, accounting or auditing issues, fraud or corruption, it suggested that future subject matters proposed to be included would be evaluated individually. Moreover, conflicts between E.U. data-protection laws and U.S. regulatory requirements are likely to continue to arise and may not always be so rapidly mitigated. Indeed, at about the same time as the CNIL decisions, a German court held WalMart Stores Inc.’s whistleblower hotline invalid on similar grounds. Clearly, the data-privacy laws complicate the tasks of compliance managers and of those conducting internal investigations. However, in implementing control measures or in responding to allegations of wrongdoing, companies and their counsel may point to several aspects of the directive, or comparable local law, as potentially justifying the steps they need to take. In an opinion issued on Feb. 1, 2006, the E.U. Working Party on Data Protection (a body set up under the directive to monitor its implementation in member states and to issue opinions concerning its operation and interpretation generally) concluded that arts. 7(c) and 7(f) may justify the establishment of whistleblower hotlines that call for the “processing” of employee data. When a legal obligation imposed by local law requires a particular measure, the Working Party noted, Art. 7(c) permits processing of employee data to comply. An obligation imposed by a foreign legal regime could not serve to justify such processing, the Working Party concluded, as foreign rules could otherwise effectively “circumvent” the E.U. rules laid down in the directive. Nevertheless, the Working Party noted, obligations, imposed under E.U. directives and/or local legislation may have the same or similar substantive content as U.S. legal requirements and thus serve to justify steps such as implementing whistleblower hotlines. Working Party’s opinion is well worth examination Moreover, the Working Party suggested that the pursuit of a “legitimate interest” by the data controller may also justify such processing under Art. 7(f), assuming that interest is not “overridden by the interests for fundamental rights and freedoms of the data subject.” Id. As the Working Party noted, the European Union has recognized the importance of good corporate governance to the effective conduct of business, the protection of stakeholders and the stability of financial markets. A corporation’s interest in such good corporate governance arguably justifies the implementation of internal systems and controls, and investigative techniques that require nonvoluntary processing of employee data. Thus, the recent opinion is well worth examination by companies and their counsel seeking legal footing to support the steps called for in response to allegations of wrongdoing in E.U. countries. With respect to the transfer of employee data, there is no corollary to Art. 7′s exceptions. The directive’s exception “for the establishment, exercise, or defense of legal claims” likely cannot be invoked in the absence of pending litigation. In sum, while the “processing” of data for investigative or other purposes in the course of responding to allegations of wrongdoing may be justified under the E.U. privacy-law regime, the “transfer” of such data in this context likely requires compliance with a recognized procedure that generally permits it.

This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.

To view this content, please continue to their sites.

Not a Lexis Advance® Subscriber?
Subscribe Now

Not a Bloomberg Law Subscriber?
Subscribe Now

Why am I seeing this?

LexisNexis® and Bloomberg Law are third party online distributors of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® and Bloomberg Law customers are able to access and use ALM's content, including content from the National Law Journal, The American Lawyer, Legaltech News, The New York Law Journal, and Corporate Counsel, as well as other sources of legal information.

For questions call 1-877-256-2472 or contact us at [email protected]


ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.