In an article entitled “How to Launch and Operate a Legally-Compliant International Workplace Report Channel” or in compliance parlance, a hotline, author Donald Dowling of the law firm of White and Case, provided a useful guide to help navigate the challenges of setting up a multi-national whistleblower’s hotline, such as is required under the FCPA and UK Bribery Act. His article “analyzes the six categories of laws that can restrict whistleblower hotlines abroad, focusing on compliance.” The six categories are:
- Laws Mandating Whistleblower Procedures
This group of laws “comprises mandates that require setting up whistleblower hotlines in the first place.” This includes the US Sarbanes-Oxley (SOX) as well as other jurisdiction laws which generally protect whistleblowers from retaliation but do specifically require any hotlines be set up on a company wide basis. Dowling also found a couple of countries, Norway and Liberia, which require general receiving and processing of “public interest disclosures.”
- Laws Promoting Denunciations to Government Authorities
This category of laws generally related to legal requirements for the reporting of illegal acts to government authorities in two ways. First, these laws encourage whistleblowing to government which then compete with employer hotlines by enticing internal whistleblowers to divert denunciations from company compliance experts and over to outside law enforcers who indict white collar criminals. This first approach is found in Dodd-Frank, which offers bounties. Second, these “laws that require (as opposed merely to encourage) government denunciations rarely except corporate hotline sponsors. These laws therefore force hotline sponsors to divulge hotline allegations over to law enforcement.” This second approach is found in SOX which “requires an employer to offer internal hotline procedures”.
- Laws Restricting Hotlines Specifically
This category is exemplified by European data protection laws which act to restrict companies’ freedom to launch and operate reporting programs. Dowling believes that these laws are based upon the fact that Europeans “see hotlines as threatening privacy rights of denounced targets and witness”. Also this would seem to be in response to the totalitarian past from the World War II era. The author identifies what he termed “the four biggest hurdles” set up to frustrate hotlines in EU jurisdiction. They are “(1) restrictions against hotlines accepting anonymous denunciations; (2) limits on the universe of proportionate infractions on which a hotline accepts denunciations; (3) limits on who can use a hotline and be denounced by hotline; and (4) hotline registration requirements.
- Laws Prohibiting Whistleblower Retaliation
This category will be familiar to US compliance practitioners through the applications of US laws such as SOX, Dodd-Frank and numerous state whistleblower statutes. Additionally, the author lists numerous foreign jurisdictions which have such laws. But here he believes that the key is communication because in many countries and foreign jurisdictions, there is no tradition of protection of persons who make reports against superiors so that an “employer needs to overcome worker fear of reprisal for whistleblowing.”
- Laws Regulating Internal Investigations
Typically laws on internal investigation do not impact hotlines because a hotline is a “pre-investigation tool.” However, the author believes that No. 4 above, communication by the employer is critical to complying with laws that enact procedural safeguards for persons under investigation. Heavy-handed communications about a hotline could blow back against employers in claims by employees that “an employer rigged the investigation process.” So companies should ensure that communications about hotlines do not convey an “overzealous approach to complaint processing and investigations.”
- Laws Silent on, but Possibly Triggered By, Whistleblower Hotlines
Here the author recognizes that the title of this category “is necessarily vague and determining which laws fall into it is difficult.” Nevertheless, he writes that the most “likely candidates are data protection laws silent on hotlines and labor laws imposing negotiation duties and work rules.” Regarding the former, the author argues that hotlines are not databases but conduits for the transmittal of information. He acknowledges that EU data privacy laws reject this distinction and treat hotlines as if they were databases where information is stored. He does not identify other jurisdictions which yet take this aggressive approach but he believes this may become a trend. The labor law issue is also tricky and may turn on the interpretation of whether the institution of a hotline is viewed as substantive change in working conditions under a union-management labor agreement and therefore subject to collective bargaining.
There are several key inquiries you should make for your hotline. What jurisdiction are you in and what is the binding law or laws which will govern you going forward. Must you confine your hotline reporting to specific topics or is it open to all issues? Can anonymous allegations be brought forward in the jurisdiction in question. Do you have a hotline staffed in-house or do you use an external third party vendor? Finally, must you disclose hotline data to government regulators?
Three Key Takeaways
- You must understand the jurisdiction you are in and the laws which govern your hotline.
- Can you use information which is reported anonymously?
- Must you disclose any data to government regulators?