Academic journal article Defense Counsel Journal

The Introduction of Whistleblower Systems in the European Union

Academic journal article Defense Counsel Journal

The Introduction of Whistleblower Systems in the European Union

Article excerpt

I. Legal Background

WHISTLEBLOWER systems are becoming increasingly popular additions to the codes of conduct of United States and European companies. Specifically, companies listed on a United States stock exchange must establish a method for employees to anonymously report concerns about financial and accounting matters (a "whistleblower system") and implement a code of ethical conduct which should support the reporting of breaches of the code of conduct. Hence, United States companies oblige their European subsidiaries to establish internal codes of conduct, including whistleblower processes. But these subsidiaries encounter problems when trying to implement a whistleblower process. Codes of conduct venture into the domain of employee privacy, which in Europe has been a cause for concern in relation to data protection laws, as some companies have gone as far as to say what employees may or may not do in their spare time. Whistleblower reporting systems may violate not only European and national law, but also touch the private sphere of the individual.

The initiation of a whistleblower system comparable to the systems often employed in the United States gives the EU cause for serious concern. For historical reasons, the European Union takes a view concerning data privacy protection and personality rights at odds with the American perspective. During the Nazi regime in Germany, the government obliged German employees, as well as employees in all countries being occupied during World War II, to disclose misconduct, in violation of social norms. There has thus been a clash between the United States perspective (in the United States, one company in eight has such a code of conduct) and European ideas regarding co-determination and personality rights through enforcing these codes. Indeed the Sarbanes-Oxley Act, enacted in the United States after the various financial scandals surrounding Enron, requires that companies failing to comply with their "whistleblower" requirements will face hefty sanctions, (1) and an EU committee set up for the purpose of examining the implementation of data protection law (the so-called Working Party) has investigated the problems of the United States requirements clashing with data protection rules in Europe. Without a resolution to this cross-border dispute over implementation of codes of conduct, companies may face heavy sanctions in both Europe and the States. The implementation of "whistleblower" schemes as a part of a code of conduct will often require the processing of personal data (that is, the collection, registration, storage, disclosure and destruction of data relating to an identifiable person) such that data protection rules will come into force. The broad law is governed under the European Directive of 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The three conditions that need to be met in order to justify the processing of personal data are transparency, legitimate purpose and proportionality.

II. European Union Background

In the European Union, data privacy protection is subject to the EU Directive on Data Privacy (2) and to national legislation. Subjects such as data quality, criteria for processing personal data, access to data and conditions of data export are regulated by the EU Directive (that is, by national laws conforming to the Directive). Workplace monitoring and questions of labor codetermination also remain subject to national laws and court rulings. The allowable extent of workplace monitoring depends on fundamental rights and freedoms enjoyed by citizens. National differences exist in detail, but the basic principles are very similar in every member state. National rules of codetermination apply to the rights of the works council or other employee representation committees; EU legislation has little impact on this.

A. Recommendations of the Article 29 Data Protection Working Party

The data protection commissioners of the European Union have developed a guideline concerning data privacy protection requirements for whistleblower systems. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed


An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.