DP whistleblowing schemes

22 March 2006

Kristina Walles

Seminar on data protection issues in Stockholm

On 14 February 2006 Bird & Bird’s Data Protection Group in Stockholm held a seminar on data protection issues, with specific focus on the transfer of personal data to third countries (outside EU and EEA), binding corporate rules and data protection issues in relation to whistle-blowing schemes – a hot topic currently being discussed and debated throughout Europe, particularly in France.

The Article 29 Data Protection Working Party’s opinion 1/2006

Conveniently, the Article 29 Data Protection Working Party published its opinion 1/2006 (adopted on 1 February 2006) on the application of EU data protection rules to internal whistle-blowing schemes in the fields of accounting, internal accounting controls, auditing matters and the fight against bribery, banking and financial crime, the day before the seminar was held (the “WP29 Opinion”).

The WP29 Opinion can be found here

The Sarbanes-Oxley Act and whistle-blowing schemes

The Sarbanes-Oxley Act (“SOX”) was adopted by the US Congress in 2002 as a consequence of several financial scandals. SOX requires publicly held US companies and their subsidiaries or affiliates, as well as companies established outside the US but listed on one of the US stock markets, to establish “procedures for the receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls or auditing matter; and the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters”. SOX further provides for regulations intended to protect employees of publicly traded companies who provide evidence of fraud against acts of reprisal taken against them for using the whistle-blowing scheme. These provisions are mirrored in the rules of the New York and Nasdaq Stock Exchanges. Companies which do not comply with the regulations may be heavily sanctioned by the New York Stock Exchange, Nasdaq or the Securities and Exchange Commission, which is the supervisory authority under SOX.

Whistle-blowing schemes and processing of personal data

Whistle-blowing schemes could be described as an additional system to a company’s regular information and reporting channels, for employees to report misconduct and even criminal behavior. In most cases, the implementation of a whistle-blowing system will require the processing of personal data and consequently rules on data protection will be applicable. This means that the legitimacy of whistle-blowing schemes must be assessed in relation to applicable rules on data protection. A whistle-blowing scheme must of course also be compliant in relation to other kinds of legislation, such as employment law. This article will, however, only focus on data protection issues. Section 9 in the Swedish Data Protection Act sets forth fundamental requirements for the processing of personal data, for example, that:

  • the controller of the personal data shall ensure that the personal data is processed only if it is lawful;
  • the personal data is collected only for specific, explicitly stated and justified purposes;
  • the personal data is not processed for any purpose that is incompatible with that for which the information was collected;
  • the personal data is adequate and relevant in relation to the purpose of the processing;
  • no more personal data is processed than is necessary having regard to the purpose of the processing;
  • the personal data that is processed is correct, and if necessary, up to date;
  • all reasonable measures are taken to correct, block or erase incorrect or incomplete personal data having regard to the purpose of the processing; and
  • personal data is not kept for a longer period than necessary having regard to the purpose of the processing.

The application of data protection rules to whistle-blowing schemes also raises issues such as the provision of clear and complete information about the scheme, the rights of the incriminated person, security of processing, management of whistle-blowing schemes, international transfers of data, and requirements of notification to, and prior authorisation by, a national data protection authority.

The WP29 Opinion proposes a number of measures and limitations to be incorporated into a whistle-blowing scheme in order to increase the likelihood that the scheme complies with EU data protection rules, such as limiting the number of persons eligible to report alleged misconduct through the whistle-blowing scheme, limiting the number of persons who may be reported through the scheme, promoting identified and confidential reports as opposed to anonymous reports, ensuring the proportionality and accuracy of the personal data collected and processed, and complying with strict data retention periods.

Compliance with the principles and measures suggested in the WP29 Opinion will undoubtedly help companies to ensure the proper functioning of a whistle-blowing scheme and its compliance with applicable data protection rules. Since an implemented whistle-blowing scheme must at all times comply with Directive 95/46/EC and the relevant national data protection rules, each whistle-blowing scheme should always be reviewed and assessed against the applicable data protection rules in each specific case, before any implementation.

Notification requirements and prior authorisation by the competent national supervisory authority

The WP29 Opinion also points out the fact that companies which set up whistle-blowing schemes have to comply with requirements of notification to, or prior authorisation by, the applicable national data protection authorities. This could, for example, be the case when national law allows the processing of data relating to suspected criminal offences solely under specific circumstances or if the national data protection authority deems the processing of personal data to exclude any reported individuals from a right, benefit or contract.

According to the main rule under the Swedish Data Protection Act, all processing of personal data must be notified to the Swedish Data Protection Authority (the “Swedish DPA”), except in the case of specifically stated exceptions. However, if the data controller has notified and registered a data protection officer with the Swedish DPA, the data controller is not obliged to notify processing of personal data undertaken by the data controller, but the data protection officer is instead obliged to keep records of all processing of personal data being made by the data controller.

According to section 21 of the Swedish Data Protection Act, it is prohibited for parties other than public authorities to process personal data concerning legal offences involving crime, judgments in criminal cases, coercive penal procedural measures or administrative deprivation of liberty. According to the preparatory works of the Swedish Data Protection Act, information that someone has or may have committed a crime shall be deemed to be information concerning legal offences, even though there is no legal ruling regarding the crime in question. It is not possible for the data subject to consent to the data controller's processing of data concerning legal offences involving crime etc.

It seems obvious that there is a large potential risk that data concerning legal offences involving crime may be reported and processed under a whistle-blowing scheme. Such processing would be in breach of the above section of the Swedish Data Protection Act. The Swedish DPA may, however, on the application of a data controller, in individual cases decide on an exemption from this prohibition. The Swedish DPA has so far only decided on such exemptions in a limited number of cases, but according to our understanding the number of applications for exemption from this rule has also been fairly limited.

The Swedish DPA (Sw. Datainspektionen) and conclusions

Apart from being a member of the Article 29 Working Party, and thereby standing behind the opinions issued on the subject of whistle-blowing schemes in relation to data protection rules, the Swedish DPA has not made any public statements or identified any specific issues or problems relevant to whistle-blowing schemes under the Swedish Data Protection Act.

One thing we can be quite sure of is that Swedish subsidiaries or affiliates of publicly held US companies, as well as Swedish companies listed on any of the US stock markets, already have or will have to implement whistle-blowing schemes. Such implementation will of course have to be made in accordance with applicable rules on data protection. It will be interesting to see whether the Swedish DPA will be proactive and make an example of one or several companies when it comes to compliance with the Swedish Data Protection Act in this respect, or whether it will take a more defensive stance, awaiting questions and applications from companies trying to comply with applicable data protection rules when implementing whistle-blowing schemes, before making any statements or taking any actions.