
Page 1

WHISTLEBLOWING IN THE INTERNATIONAL CONTEXT

Meeting the requirements of inconsistent international norms

Steven A. Lauer, Nick Ciancio

October 7, 2009

Page 2

Lumen Legal Consulting

• Assists corporate law departments to maximize the value that they realize from their expenditures for outside legal service

• Works with law departments on all aspects of the management of corporate legal service, including counsel selection and management, strategic planning, use of technology, deployment of internal and external resources, compliance-program involvement

Page 3

Steven A. Lauer

• Principal Value Consultant, Lumen Legal Consulting

• Over 16 years as in-house counsel

• Ten years as consultant to law departments on management and compliance issues

• Frequent speaker and author on law department management, relationships between in-house and outside counsel, compliance

• Vice Chair, ABA Section of Business Law’s Corporate Counsel Committee

• Vice Chair, ABA Section of Business Law’s Corporate Compliance Committee

• Subcommittee chair, ACC Compliance and Ethics Committee

Page 4

GLOBAL COMPLIANCE OVERVIEW

• Global Compliance is a leading provider of integrated Governance, Risk Management, and Compliance (GRC) solutions with a significant base of blue-chip clients worldwide

• Our solutions include:

– Expert advisory services

– Training and education

– Issue management and reporting solutions

– Insight (data) and benchmarking

– The industry’s only comprehensive end-to-end compliance solution

• We are uniquely able to serve the compliance needs of every customer:

– Providing mid-market and small clients with a one-stop, on-demand compliance solution with simple pricing and delivery

– Offering global clients our issue management software and other point solutions

Page 5

GLOBAL COMPLIANCE OVERVIEW

• Expert and most experienced

– 4,000 customers currently serviced across diverse industries; 50% of the Fortune 100

– 25+ million end users supported and managed worldwide

• Global

– Over 200 countries represented by current client portfolio

– 150+ language capability

– Nearly 25% of the Global 500 in long-standing customer relationships

– Fully compliant European data center

• Most comprehensive and integrated solutions

– Fully outsourced compliance program capability

– Best in class point solutions (continuously updated)

• Largest proprietary insight and benchmarking database

– 2+ million Alertline® hotline calls and web reports handled, tracked and trended

– Over 1,000 industry specific groups analyzed

– Hundreds of thousands of international business ethics surveys conducted and tabulated

Page 6

Nick Ciancio

• Senior Vice President, Marketing and Business Development.

Within the ethics and compliance industry, Nick serves on the Open Compliance and Ethics Group’s (OCEG’s) Hotline Working Group panel, and is an active participant with the Society of Corporate Compliance and Ethics (SCCE) as well as the Ethics and Compliance Officer Association (ECOA). He is a frequent speaker on U.S. and International corporate ethics and compliance conference agendas, and he served on the advisory committee for the Ethics Resource Center’s 2007 National Business Ethics Survey.

• Nick possesses more than 20 years’ experience in senior marketing and business development positions in the telecommunications and technology industries. Nick holds a Master of Arts in Statistics from Pennsylvania State University and a Bachelor of Science and Master of Science in Mathematics from the University of Massachusetts. Nick also earned a Certificate in Business Ethics from Colorado State University.

Page 7

U.S. perspective

• Personal information prospectively protected by federal law only in certain contexts/industries

– Healthcare (HIPAA Privacy Rule)

– Consumer finance (Gramm-Leach-Bliley)

– Social security numbers

• State security-breach laws (after the fact)

– California the first

– Massachusetts recently adopted broader protections

• Civil suits to enforce common-law rights (invasion of privacy, etc.)

Page 8

International perspective

• Personal information protected regardless of context

– European Union Directive 95/46/EC

– APEC principles

– Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) (supplemented by provincial statutes)

• Concern over personal information transferred to jurisdictions (like the U.S.) that do not provide adequate protection

• Historical/social concerns

Page 9

The EU legal structure – Directive 95/46/EC

• Implements the right of protection of personal data enshrined in the Charter of Fundamental Rights (see Art. 8)

• Established jurisdictional basis for EU member states to enact country-specific data-protection legislation

• Created Working Party on the Protection of Individuals “to contribute to the uniform application of such [national] measures” as adopted by member states

• As to data collection, the Directive requires legitimacy, data quality, and proportionality

Page 10

Some relevant definitions

• “Controller” – “the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data”

• “Processor” – “a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.”

• “Data subject” – “an identified or identifiable natural person … who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”

Page 11

EU member states

• Within the general construct established by the Directive, member states can adopt data protection laws with some country-specific variation

• Member states’ data protection authorities (DPAs) enforce their laws

• Some DPAs are more enforcement oriented than others, utilizing audits and other investigative techniques

• Social concerns and historical perspective

Page 12

Some variations among member states (regarding hotlines)

• Permissible scope of allegations

• Anonymity of hotline callers

• Transfer of hotline reports to outside EU

• Deletion or retention of personal information

Page 13

Permissible scope of allegations

• For most EU member states, limited to allegations relating to accounting, auditing and internal financial controls, with a catchall relating to “serious” acts (whatever that might mean)

• Spain allows allegations “involving internal or external topics or rules, the violation of which could have an actual impact on the maintenance of the contractual relationship between the company and the person incriminated.”

Page 14

EU Allegations

• Antitrust or Fair Trading

• Destruction of Business Records

• Espionage or Sabotage

• Falsification of Financial Records

• Falsification of Travel and Expense Reports

• Gifts, Bribes or Kickbacks

• Misrepresentation of Information

• Trading on Insider Information

• Other

Page 15

Anonymity of callers

• EU member states dislike anonymous reports of violations of law or, even more, internal codes of conduct

• The Art. 29 Working Party negotiated with the SEC to permit a limited degree of anonymity to allow for compliance with SOx

• Spain stated that “procedures guaranteeing the confidentiality processing of reports filed through the … system must be established, so that the existence of anonymous reports is avoided.”

Page 16

EU concern regarding anonymity

“I am personally keen to underline that this assessment must be read in the specific European context. It is certainly useful at this stage to recall that anonymous reporting evokes some of the darkest times in recent history on the European continent, whether during World War II or during more recent dictatorships in Southern and Eastern Europe. This historical specificity makes up for a lot of the reluctance of EU Data Protection Authorities to allow anonymous schemes being advertised as such in companies as a normal mode of reporting concerns.”

Letter dated July 3, 2006, from Peter Schaar, Chair, Art. 29 Working Party, to Ethiopis Tafara, Director, SEC’s Office of International Affairs (page 3)

Page 17

Transfer of reports outside EU

• Transfers outside the EU must satisfy the Directive, generally through one of three mechanisms

– To a data processor registered on Safe Harbor (in the U.S.)

– By means of an acceptable data transfer agreement (the EU has approved “standard clauses”)

– By means of “binding corporate rules”

• Austria ruled that personal information in reports can be transferred only if the reports relate (a) to “decision makers” and (b) to serious issues

Page 18

Deletion or retention of data

• The Directive states that data “which permits identification of data subjects [must be kept] for no longer than is necessary for the purposes for which the data were collected or for which they are further processed.”

• Art. 29 Working Party interprets this generally as a two-month limitation

• Can be kept for further proceedings in progress (e.g., discipline, litigation)

Page 19

Satisfying the deletion requirements of EU data protection law

Page 20

Step 1 - Search

Page 21

Step 2 – Select Reports

Page 22

Step 3 – Select Fields

Page 23

Step 4 – Review and Sanitize

Page 24

Results

Page 25

Rights of data subjects

• Right of access to data (Art. 12)

– Confirmation of whether personal data have been or are being processed

– Rectification, erasure or blocking of noncompliant processing

– Notification of third parties to whom personal data have been disclosed

• Right to object (Art. 14) to processing of personal data “on compelling legitimate grounds relating to his particular situation”

Page 26

Controller and processor

• The controller is responsible for compliance with the Directive and member states’ data protection statutes

• The controller may delegate data processing to another, but the processing “must be governed by a contract or legal act binding the processor to the controller”

• The processor “shall act only on instructions from the controller”

Page 27

Problematic issues

• Personal information that is subject to discovery in the United States (either by government investigation or civil process) – EU DPAs have expressed concern and data subjects have rights under the Directive

• Can information received via a hotline be privileged?

• Workers’ rights under EU labor laws (e.g., work councils)

Page 28

Adapting Your Awareness and Education Program

• Code of Conduct

• Program Awareness (is ‘active promotion’ allowed?)

– Allegation types

– Reporting mediums (hotline, web, internal channels, Works Councils)

– Anonymity

– Whistleblower protection

– Translations / local language

• Training and certification

Page 29

Program Implementation

• Provisioning phone lines

– ITFS where available

– Country-specific, in-language greetings and prompts

• Websites

– Separate sites with country-specific text and instructions

– In-language

• Allegation Categories

– Broad versus narrowed financial-based

• Case Management

– Permission-based functionality

– Translation capabilities for case investigation and response to reporter

• Reporting

– Transactional or summary reporting

– Ability to segregate by country or enterprise-wide

Page 30

Data Management

• Ability to block / restrict closed cases

• Ability to sanitize or delete specific information fields

• Permission-based access to specific information fields and to specific functionality within Case Management System
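The deletion steps on pages 19 to 24 (Search, Select Reports, Select Fields, Review and Sanitize) and the Data Management points above can be expressed as a retention pass over a case store. The following is an added example, not code from the deck or from either presenter's firm: it redacts only the identifying fields of closed cases that have passed the two-month window the Art. 29 Working Party reads into the Directive, keeps cases with discipline or litigation still in progress, and leaves aggregate fields in place for trend reporting. The field names, case identifiers, dates and report contents are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, replace
from datetime import date, timedelta

# Constructed assumptions: these fields identify a natural person (the Directive's "data subject").
IDENTIFYING_FIELDS = frozenset({"reporter_name", "subject_name", "witnesses", "narrative"})
RETENTION = timedelta(days=60)   # the two-month limitation as the deck reads it
REDACTED = "[REDACTED]"

@dataclass(frozen=True)
class HotlineReport:
    case_id: str
    status: str                  # "open" or "closed"
    closed_on: date | None
    proceedings_pending: bool    # discipline or litigation in progress
    fields: dict[str, str]

def identifying_fields_due(report: HotlineReport, today: date) -> frozenset[str]:
    """Steps 2/3: identifying fields whose retention has expired; empty means keep everything."""
    if report.status != "closed" or report.closed_on is None:
        return frozenset()       # investigation still running: data still necessary
    if report.proceedings_pending:
        return frozenset()       # may be kept while further proceedings are in progress
    if today - report.closed_on < RETENTION:
        return frozenset()       # still inside the two-month window
    return frozenset(f for f in IDENTIFYING_FIELDS
                     if f in report.fields and report.fields[f] != REDACTED)

def sanitize(report: HotlineReport, today: date) -> HotlineReport:
    """Step 4: redact only the expired identifying fields; other fields survive for trending."""
    due = identifying_fields_due(report, today)
    if not due:
        return report
    return replace(report, fields={k: REDACTED if k in due else v for k, v in report.fields.items()})

def run_retention(reports: list[HotlineReport], today: date) -> tuple[list[HotlineReport], list[str]]:
    """Steps 1-4 over the whole case store; returns sanitized reports plus an audit log."""
    out, log = [], []
    for r in reports:
        due = identifying_fields_due(r, today)
        out.append(sanitize(r, today))
        log.append(f"{r.case_id}: " + (f"sanitized {','.join(sorted(due))}" if due else "kept"))
    return out, log

# Constructed sample store; the run date is the deck's own date.
TODAY = date(2009, 10, 7)
SAMPLE_REPORTS = [
    HotlineReport("EU-001", "closed", date(2009, 6, 1), False,
                  {"reporter_name": "A. Example", "subject_name": "B. Example", "narrative": "...", "amount_eur": "12000"}),
    HotlineReport("EU-002", "closed", date(2009, 6, 1), True,    # litigation pending: keep
                  {"subject_name": "C. Example", "narrative": "...", "amount_eur": "800"}),
    HotlineReport("EU-003", "closed", date(2009, 9, 20), False,  # closed 17 days ago: keep
                  {"reporter_name": "D. Example", "narrative": "..."}),
    HotlineReport("EU-004", "open", None, False, {"narrative": "..."}),
]
```

Running `run_retention(SAMPLE_REPORTS, TODAY)` redacts the three identifying fields of EU-001 and leaves its amount in place; a second pass over the same output changes nothing, since already-redacted fields are not reported as due.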

Page 31

EU Countries with Data Protection Guidelines

• United Kingdom

• France

• Germany

• Netherlands

• Belgium

• Ireland

• Spain

Page 32

Responsibilities of an Outsourced Service Provider

• Providing input and feedback to regulators on proposed guidelines and rulings

– Spanish Guidelines

• Communicating information about emerging guidelines/rulings to clients and assisting them in understanding how their programs will be impacted

• Assisting with Certification and Authorization processes when required

• Providing clear contractual terms as to how data is handled

– Safe Harbor versus Model Clauses

• Modifying existing client programs as new guidelines/laws are introduced

• Evolving products and services to facilitate and automate compliance with country-specific guidelines and requirements

Page 33

Thank you.

Questions?

Steve Lauer – 877-933-1330, ext. 520; [email protected]

Nick Ciancio – 866-434-7009; [email protected]