Global companies based in the United States that desire to ferret out fraud in overseas operations by implementing policies inspired by Sarbanes-Oxley may find themselves at odds with the laws of other countries. This dilemma is illustrated by a recent decision of the French Data Protection Authority, Commission Nationale de l’Informatique et des Libertés ("CNIL"), which refused to approve ethics or whistle-blowing programs proposed by French subsidiaries of two American companies -- McDonald’s France and CEAC, a division of Exide Technologies. Both companies sought the CNIL’s approval for ethics hotlines they planned to establish in order to bring their organizations into compliance with the whistle-blower provisions of the Sarbanes-Oxley Act. Finding these hotlines to be contrary to French privacy law, the CNIL expressed the view that such hotlines are prone to abuse and likely to cause undue distress to suspected employees in case of libelous or unfounded accusations.

By way of background, the Sarbanes-Oxley Act requires the Audit Committees of publicly traded companies to implement procedures for receipt, handling and tracking of anonymous employee concerns about financial fraud in order to help provide reasonable assurance about the integrity of the financial statements of the public companies. In response, many publicly traded companies implemented a range of procedures for receipt of anonymous complaints, including telephone hotlines, e-mail addresses, and web-based mechanisms for submitting concerns, in addition to the more traditional mechanisms of fax numbers and post office boxes. Many U.S.-based companies with operations overseas decided to implement such procedures in a manner that made them available to overseas employees, thus bringing these procedures into potential conflict with laws of other countries.

McDonald’s originally planned to put in place an ethics hotline and a dedicated e-mail address but, after discussions with the CNIL, decided to use a U.S. fax number and postal address instead. Complaints would be processed by the U.S. parent company personnel under the supervision of its ethics director. Any complaint received pertaining to McDonald’s France personnel would be passed by the parent company to McDonald’s France management, except complaints concerning senior management in France, which would be investigated by the parent company. The suspected person would be given the opportunity to comment within two days. In the event that the investigation showed that the allegations were unfounded, the data would be deleted within two days of the case closure. If the allegations were determined to be well-founded, then the file would be kept for one to five years after the case was closed (depending on management level).

CEAC's proposed approach was to put in place a group-wide hotline and dedicated e-mail address, both of which were to be operated by a subcontractor. According to the company, the suspected person would have the opportunity to comment on the allegations "as soon as possible." Records of whistle-blowing complaints would be kept for one year.

Although the facts of the cases are slightly different, the legal reasoning presented in both cases was the same. The CNIL found that it had jurisdiction because the information that might be collected in the whistle blowing hotline related to an identifiable person and the French subsidiary would be exercising some control over the information collected.

In addition to being inherently suspicious of all whistle-blowing, the CNIL argued that whistle-blowing mechanisms are inherently "disproportionate." The CNIL reasoned that companies already have access to other anti-fraud mechanisms that are less privacy-invasive and less prone to abuse, and thus there is no justification for a whistle-blowing process. These other anti-fraud mechanisms include employee training, audits by accountants, and enforcement of labor laws by the courts.

It is interesting to note that the decision did not address the cross-border aspect of the hotlines. Rather it appears that the very concept of an anonymous complaint line is anathema to the CNIL. Thus, it is likely that the result would have been the same even if the whistle-blowing hotline were set up and entirely managed and operated within France.

The CNIL also did not address the conflict of laws issue: that U.S. public companies must have some mechanism to receive anonymous complaints. Thus, if a U.S. public company lists on its website or intranet site that it has a telephone number or email address where anonymous complaints can be received, even if that site is not addressed to or publicized in France, a French employee may still go to the site and file an anonymous complaint.

What does this mean for companies subject to Sarbanes-Oxley? Unfortunately, the waters remain murky. It may take some time for the U.S. courts to clarify whether U.S.-based companies must make available to overseas employees, particularly foreign employees of foreign subsidiaries, the same Audit Committee procedures for receipt of anonymous complaints. Also, it may take time for the legal systems of other countries to address whether their laws conflict with the requirements of Sarbanes-Oxley. In the meantime, U.S. companies are well-advised to carefully examine the laws of countries outside the United States in which they intend to implement the whistleblower aspects of Sarbanes-Oxley, before implementing any whistle-blower procedures.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved