Title: WHISTLEBLOWING IN THE INTERNATIONAL CONTEXT
1. WHISTLEBLOWING IN THE INTERNATIONAL CONTEXT
- Meeting the requirements of inconsistent international norms
- Steven A. Lauer
- Nick Ciancio
- October 7, 2009
2. Lumen Legal Consulting
- Assists corporate law departments to maximize the value that they realize from their expenditures for outside legal service
- Works with law departments on all aspects of the management of corporate legal service, including counsel selection and management, strategic planning, use of technology, deployment of internal and external resources, compliance-program involvement
3. Steven A. Lauer
- Principal Value Consultant, Lumen Legal Consulting
- Over 16 years as in-house counsel
- Ten years as consultant to law departments on management and compliance issues
- Frequent speaker and author on law department management, relationships between in-house and outside counsel, compliance
- Vice Chair, ABA Section of Business Law's Corporate Counsel Committee
- Vice Chair, ABA Section of Business Law's Corporate Compliance Committee
- Subcommittee chair, ACC Compliance and Ethics Committee
4. GLOBAL COMPLIANCE OVERVIEW
- Global Compliance is a leading provider of integrated Governance, Risk Management, and Compliance (GRC) solutions with a significant base of blue-chip clients worldwide
- Our solutions include
  - Expert advisory services
  - Training and education
  - Issue management and reporting solutions
  - Insight (data) and benchmarking
- The industry's only comprehensive end-to-end compliance solution
- We are uniquely able to serve the compliance needs of every customer
  - Providing mid-market and small clients with a one-stop, on-demand compliance solution with simple pricing and delivery
  - Offering global clients our issue management software and other point solutions
5. GLOBAL COMPLIANCE OVERVIEW
- Expert and most experienced
  - 4,000 customers currently serviced across diverse industries; 50 of the Fortune 100
  - 25 million end users supported and managed worldwide
- Global
  - Over 200 countries represented by current client portfolio
  - 150 language capability
  - Nearly 25 of the Global 500 in long-standing customer relationships
  - Fully compliant European data center
- Most comprehensive and integrated solutions
  - Fully outsourced compliance program capability
  - Best in class point solutions (continuously updated)
  - Largest proprietary insight and benchmarking database
  - 2 million Alertline hotline calls and web reports handled, tracked and trended
  - Over 1,000 industry specific groups analyzed
  - Hundreds of thousands of international business ethics surveys conducted and tabulated
6. Nick Ciancio
- Senior Vice President, Marketing and Business Development. Within the ethics and compliance industry, Nick serves on the Open Compliance and Ethics Group's (OCEG's) Hotline Working Group panel, and is an active participant with the Society of Corporate Compliance and Ethics (SCCE) as well as the Ethics and Compliance Officer Association (ECOA). He is a frequent speaker on U.S. and international corporate ethics and compliance conference agendas, and he served on the advisory committee for the Ethics Resource Center's 2007 National Business Ethics Survey.
- Nick possesses more than 20 years' experience in senior marketing and business development positions in the telecommunications and technology industries. Nick holds a Master of Arts in Statistics from Pennsylvania State University and a Bachelor of Science and Master of Science in Mathematics from the University of Massachusetts. Nick also earned a Certificate in Business Ethics from Colorado State University.
7. U.S. perspective
- Personal information prospectively protected by federal law only in certain contexts/industries
  - Healthcare (HIPAA Privacy Rule)
  - Consumer finance (Gramm-Leach-Bliley)
  - Social security numbers
- State security-breach laws (after the fact)
  - California the first
  - Massachusetts recently adopted broader protections
- Civil suits to enforce common-law rights (invasion of privacy, etc.)
8. International perspective
- Personal information protected regardless of context
  - European Union Directive 95/46/EC
  - APEC principles
  - Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) (supplemented by provincial statutes)
- Concern over personal information transferred to jurisdictions (like the U.S.) that do not provide adequate protection
- Historical/social concerns
9. The EU legal structure: Directive 95/46/EC
- Implements the right of protection of personal data enshrined in the Charter of Fundamental Rights (see Art. 8)
- Established jurisdictional basis for EU member states to enact country-specific data-protection legislation
- Created Working Party on the Protection of Individuals to contribute to the "uniform application" of such national measures as adopted by member states
- As to data collection, the Directive requires legitimacy, data quality, and proportionality
10. Some relevant definitions
- Controller: "the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data"
- Processor: "a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller."
- Data subject: "an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity."
11. EU member states
- Within the general construct established by the Directive, member states can adopt data protection laws with some country-specific variation
- Member states' data protection authorities (DPAs) enforce their laws
- Some DPAs are more enforcement oriented than others, utilizing audits and other investigative techniques
- Social concerns and historical perspective
12. Some variations among member states (regarding hotlines)
- Permissible scope of allegations
- Anonymity of hotline callers
- Transfer of hotline reports to outside EU
- Deletion or retention of personal information
13. Permissible scope of allegations
- For most EU member states, limited to allegations relating to accounting, auditing and internal financial controls, with a catchall relating to "serious acts" (whatever that might mean)
- Spain allows allegations involving "internal or external topics or rules, the violation of which could have an actual impact on the maintenance of the contractual relationship between the company and the person incriminated."
14. EU Allegations
- Antitrust or Fair Trading
- Destruction of Business records
- Espionage or Sabotage
- Falsification of Financial Records
- Falsification of Travel and Expense Reports
- Gifts, Bribes or Kickbacks
- Misrepresentation of Information
- Trading on Insider Information
- Other
15. Anonymity of callers
- EU member states dislike anonymous reports of violations of law or, even more, internal codes of conduct
- The Art. 29 Working Party negotiated with the SEC to permit a limited degree of anonymity to allow for compliance with SOx
- Spain stated that "procedures guaranteeing the confidentiality processing of reports filed through the system must be established, so that the existence of anonymous reports is avoided."
16. EU concern regarding anonymity
- "I am personally keen to underline that this assessment must be read in the specific European context. It is certainly useful at this stage to recall that anonymous reporting evokes some of the darkest times in recent history on the European continent, whether during World War II or during more recent dictatorships in Southern and Eastern Europe. This historical specificity makes up for a lot of the reluctance of EU Data Protection Authorities to allow anonymous schemes being advertised as such in companies as a normal mode of reporting concerns."
Letter dated July 3, 2006, from Peter Schaar, Chair, Art. 29 Working Party, to Ethiopis Tafara, Director, SEC's Office of International Affairs (page 3)
17. Transfer of reports outside EU
- Transfers outside the EU must satisfy the Directive, generally through one of three mechanisms
  - To a data processor registered on Safe Harbor (in the U.S.)
  - By means of an acceptable data transfer agreement (the EU has approved standard clauses)
  - By means of binding corporate rules
- Austria ruled that personal information in reports can be transferred only if the reports relate (a) to decision makers and (b) to serious issues
18. Deletion or retention of data
- The Directive states that data which permits identification of data subjects must be kept "for no longer than is necessary for the purposes for which the data were collected or for which they are further processed."
- Art. 29 Working Party interprets this generally as a two-month limitation
- Can be kept for further proceedings in progress (e.g., discipline, litigation)
19. Satisfying the deletion requirements of EU data protection law
20. Step 1: Search
21. Step 2: Select Reports
22. Step 3: Select Fields
23. Step 4: Review and Sanitize
24. Results
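The four screenshot slides above (search, select reports, select fields, review and sanitize) describe a retention workflow without showing how the selection rules are applied. The following is an added example, not code from the presentation or from either presenter's company, that models that workflow against the retention reading given earlier in the deck: identifying data in a hotline report is cleared once a closed case has passed the roughly two-month window, unless proceedings (discipline, litigation) are still in progress, and the non-personal case record is kept so that trending and reporting still work. It also covers the "sanitize or delete specific information fields" capability listed later under Data Management. The report schema, the list of identifying fields, the case ids and all sample records are constructed for illustration.

```python
"""Retention-driven sanitization of hotline reports (added example).

Not code from the slide deck or from either presenter's company. It models
the deck's four-step deletion workflow (search, select reports, select
fields, review and sanitize) against the Art. 29 Working Party reading of
Directive 95/46/EC described on the previous slides: identifying data in a
whistleblowing report is kept no longer than roughly two months after the
case closes, unless proceedings (discipline, litigation) are still in
progress. The report schema, field names, case ids and sample records below
are all constructed for illustration.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

# Assumed schema: fields that identify a natural person (reporter or person named).
IDENTIFYING_FIELDS = ("reporter_name", "reporter_contact", "subject_name", "free_text")
RETENTION = timedelta(days=60)   # the "generally a two-month limitation"
REDACTED = "[REDACTED]"


@dataclass(frozen=True)
class Report:
    case_id: str
    country: str
    closed_on: Optional[date]    # None while the case is still open
    proceedings_open: bool       # discipline or litigation still in progress
    fields: dict


def step1_search(reports, as_of):
    """Step 1: closed cases whose retention window has lapsed as of `as_of`."""
    return [r for r in reports
            if r.closed_on is not None and as_of - r.closed_on > RETENTION]


def step2_select_reports(candidates):
    """Step 2: drop cases still needed for proceedings in progress."""
    return [r for r in candidates if not r.proceedings_open]


def step3_select_fields(report):
    """Step 3: identifying fields that are present and not already redacted."""
    return [f for f in IDENTIFYING_FIELDS
            if report.fields.get(f) not in (None, "", REDACTED)]


def step4_sanitize(report, fields_to_clear):
    """Step 4: overwrite the selected fields; the non-personal case record survives."""
    cleaned = dict(report.fields)
    for f in fields_to_clear:
        cleaned[f] = REDACTED
    return replace(report, fields=cleaned)


def run_retention(reports, as_of):
    """Run the whole workflow. Returns (updated reports, audit trail).

    The audit trail records which fields were cleared per case, so the
    controller can show the processor acted on its instructions without
    retaining the personal data itself.
    """
    due_ids = {r.case_id for r in step2_select_reports(step1_search(reports, as_of))}
    updated, audit = [], []
    for r in reports:
        if r.case_id in due_ids:
            cleared = step3_select_fields(r)
            r = step4_sanitize(r, cleared)
            audit.append((r.case_id, tuple(cleared)))
        updated.append(r)
    return updated, audit


# Constructed sample data; the as-of date matches the deck's presentation date.
AS_OF = date(2009, 10, 7)
SAMPLE_REPORTS = [
    Report("CASE-0001", "FR", date(2009, 7, 1), False,        # closed 98 days ago: sanitize
           {"category": "Gifts, Bribes or Kickbacks", "reporter_name": "A. Example",
            "reporter_contact": "+33 0 00 00 00 00", "subject_name": "B. Example",
            "free_text": "Named individuals and dates"}),
    Report("CASE-0002", "DE", date(2009, 9, 20), False,       # closed 17 days ago: keep
           {"category": "Falsification of Financial Records", "subject_name": "C. Example"}),
    Report("CASE-0003", "ES", date(2009, 6, 1), True,         # litigation pending: keep
           {"category": "Antitrust or Fair Trading", "subject_name": "D. Example"}),
    Report("CASE-0004", "UK", None, False,                    # still open: keep
           {"category": "Other", "reporter_name": "E. Example"}),
]

if __name__ == "__main__":
    reports, audit = run_retention(SAMPLE_REPORTS, AS_OF)
    for case_id, cleared in audit:
        print(f"{case_id}: cleared {', '.join(cleared)}")
    for r in reports:
        print(r.case_id, r.fields)
```

The steps are kept as separate functions so that the "review" half of step 4 can be a human checkpoint: an operator can inspect the output of `step3_select_fields` for each due case before `step4_sanitize` runs, which matches the permission-based control over specific fields that the Data Management slide calls for.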
25. Rights of data subjects
- Right of access to data (Art. 12)
  - Confirmation of whether personal data have been or are being processed
  - Rectification, erasure or blocking of noncompliant processing
  - Notification of third parties to whom personal data have been disclosed
- Right to object (Art. 14) to processing of personal data on "compelling legitimate grounds relating to his particular situation"
26. Controller and processor
- The controller is responsible for compliance with the Directive and member states' data protection statutes
- The controller may delegate data processing to another, but the processing must be governed by "a contract or legal act binding the processor to the controller"
- The processor "shall act only on instructions from the controller"
27. Problematic issues
- Personal information that is subject to discovery in the United States (either by government investigation or civil process): EU DPAs have expressed concern, and data subjects have rights under the Directive
- Can information received via a hotline be privileged?
- Workers' rights under EU labor laws (e.g., works councils)
28. Adapting Your Awareness and Education Program
- Code of Conduct
- Program Awareness (is active promotion allowed?)
- Allegation types
- Reporting mediums (hotline, web, internal channels, Works Councils)
- Anonymity
- Whistleblower protection
- Translations / local language
- Training and certification
29. Program Implementation
- Provisioning phone lines
  - ITFS where available
  - Country-specific, in-language greetings and prompts
- Websites
  - Separate sites with country-specific text and instructions
  - In-language
- Allegation Categories
  - Broad versus narrowed financial-based
- Case Management
  - Permission-based functionality
  - Translation capabilities for case investigation and response to reporter
- Reporting
  - Transactional or summary reporting
  - Ability to segregate by country or enterprise-wide
30. Data Management
- Ability to block / restrict closed cases
- Ability to sanitize or delete specific information fields
- Permission-based access to specific information fields and to specific functionality within Case Management System
31. EU Countries with Data Protection Guidelines
- United Kingdom
- France
- Germany
- Netherlands
- Belgium
- Ireland
- Spain
32. Responsibilities of an Outsourced Service Provider
- Providing input and feedback to regulators on proposed guidelines and rulings
  - Spanish Guidelines
- Communicating information about emerging guidelines/rulings to clients and assisting them in understanding how their programs will be impacted
- Assisting with Certification and Authorization processes when required
- Providing clear contractual terms as to how data is handled
  - Safe Harbor versus Model Clauses
- Modifying existing client programs as new guidelines/laws are introduced
- Evolving products and services to facilitate and automate compliance with country-specific guidelines and requirements
33. Thank you.
- Questions?
- Steve Lauer: 877-933-1330, ext. 520, slauer_at_lumenlegal.com
- Nick Ciancio: 866-434-7009, nick.ciancio_at_globalcompliance.com