Sarbanes Oxley In Europe: The Eu Data Protection Directive Vs. Sarbanes Oxley Whistleblower Protection

By George Lekatis

The Sarbanes-Oxley Act of 2002, adopted as a reaction to corporate scandals, has a significant impact on European companies. The reason is simple: Hundreds of European-headquartered companies are dually listed on two stock exchanges, one in Europe and the other in the United States. 470 non-US companies are listed on the New York Stock Exchange, with a combined market capitalization of $3.8 trillion, 30 per cent of the total value of capitalization of companies quoted on the exchange.

EU Data Protection Directive

What is personal data (according to EU)? Personal data can be any information relating to an identified or identifiable natural person (directly or indirectly): Name, telephone number, photos. Data specific to his physical, physiological, mental, economic, cultural or social identity. What is processing of personal data? Any operation performed upon personal data whether or not by automatic means

Data Controllers must adhere to the following rules: Data must be relevant and not excessive in relation to the purpose for which they are processed. Data must be accurate.

Data controllers are required to provide reasonable measures for data subjects to rectify erase or block incorrect data about them. The directive prohibits transfer of personal information to countries outside the EU, which lack adequate protection of privacy.

Sarbanes Oxley

Section 301. Public company audit committees: Each audit committee shall establish procedures for:


(A) The receipt, retention, and treatment of complaints received by the issuer regarding accounting, internal accounting controls, or auditing matters; and

(B) The confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters

The challenge

How a US company with offices throughout the EU can comply with the notice and choice principles of EU Data Protection laws while simultaneously complying with the whistle blower requirements under Sarbanes Oxley?

How can we have both:

1. A Sarbanes Oxley hotline reporting service for employees to use anonymously, and

2. A Data Protection control: Data subjects must learn, rectify, erase or block incorrect data about them.

The problems

On 14 June 2005 the French Data Protection Authority refused to authorize the use of anonymous whistleblower hotlines. The French Authority’s view was that such hotlines are “disproportionate to the objectives sought and the risks of slanderous denunciations and the stigmatization of employees who were the subjects of an ethics alert.”

In a similar decision a German labor court ruled that parts of an employee code of conduct inviting employees to report misconduct to a whistleblowers hotline breached German labor law.

Early indications from the UK Information Commissioners Office (ICO) are that they would decline to follow the French and German approach. In contrast to the French and German decisions, the ICO’s view is that the appropriate use of such helpline by organizations would not, in principle, raise data protection concerns.

However, where organizations misuse such anonymous hotlines for inappropriate information gathering purposes there may be data protection implications.


Companies that are publicly traded in the United States and also have operations in the European Union must be very careful with the whistleblower provisions of the U.S. Sarbanes-Oxley Act of 2002.

First of all, before implementing Sarbanes Oxley hotline reporting services, companies need to ask for permission from the local Data Protection Authority.

Complaints must be processed inside the European Union. Companies need to establish local investigation procedures. The suspected person would be given the opportunity to comment within two days. In the event that the investigation shows that the allegations were unfounded, the data must be deleted within two days of the case closure. If the allegations are determined to be well-founded, then the file would be kept for one to five years after the case was closed (depending on management level).

Can EU really protect employees from the whistleblower provisions?

No. If a U.S. public company lists on its website or intranet site that it has a telephone number or email address where anonymous complaints can be received, even if that site is not addressed to or publicized in EU, an employee in Europe may still go to the site and file an anonymous complaint.

About the Author: George Lekatis is a senior risk and compliance consultant and trainer.


Permanent Link: