Sarbanes-Oxley Meets EU Data Protection
EU data protection laws are being used by data protection authorities to challenge the legitimacy of whistleblower hotlines established in accordance with the US Sarbanes-Oxley Act of 2002 (SOX).
Recent decisions in France and Germany have resulted in US-listed companies having to balance obligations under SOX with potentially inconsistent local EU data protection laws in relation to whistleblowing. French officials met on September 12 with the U.S. Securities and Exchange Commission to try to work out a solution. However, on September 15 a French court ordered a local subsidiary of an American firm to terminate a whistleblower hotline and pay approximately $1500 in damages to an employee works council and a labor union.
As a result of these decisions, some companies in Europe may be suspending their hotlines or modifying their whistleblower policies. This issue is not restricted to just France and Germany as other data protection authorities throughout the EU are considering whether whistleblowing hotlines may be contrary to their local data protection laws.