GLOBAL LEGISLATION RESOURCES

The Network, a leading provider of compliance solutions for global organizations, is dedicated to providing insight to complex issues, such as legislation surrounding data privacy and corporate governance.

This resource page was designed to provide information about regulations and legislation from around the globe that may affect your compliance program.*

UNITED STATES

In July 2002, Congress passed the Sarbanes-Oxley Act to increase accountability and transparency in United States public companies in response to corporate scandals at Enron and other major U.S. organizations. Section 301 of Sarbanes-Oxley requires the audit committees of public companies to establish confidential complaint processes for the reporting of auditing and accounting irregularities.

This link provides access to the Sarbanes-Oxley Final Rule relating to Audit Committees:
http://www.sec.gov/rules/final/33-8220.htm

Frequently Asked Questions regarding Sarbanes-Oxley: http://www.sec.gov/divisions/corpfin/faqs/soxact2002.htm

In 2004, the Federal Sentencing Commission revised its Sentencing Guidelines for Corporations in light of Sarbanes-Oxley. The compliance measures that ensure more lenient sentencing for corporate wrongdoing include a recommendation for an internal confidential or anonymous complaint mechanism.
http://www.ussc.gov/2004guid/8b2_1.htm

CANADA

Canadian Securities Commission Administrators proposed a series of Multilateral Instruments to the Canadian Provinces addressing corporate governance reform following the enactment of the Sarbanes-Oxley Act in the U.S. Multilateral Instrument 52-110 covers Audit Committees, and includes an identical provision to SOX 301, which requires an anonymous complaint process. MI 52-110 has been adopted in all Canadian provinces except British Columbia.

This link grants access to the full MI 52-110 document:

http://www.gov.ns.ca/nssc/docs/mi52-110.pdf

JAPAN

In June 2006, Japan enacted its Financial Instruments and Exchange Law. Although commonly called “J-SOX,” this law does not mirror the entirety of the Sarbanes-Oxley Act; it only includes provisions similar to Sections 302 and 404 of Sarbanes-Oxley, which deal with certification of internal financial controls. The Network believes that an ethics hotline is a crucial internal financial control. J-SOX is effective in all fiscal years ending after April 1, 2008.

The following is a link to Japan’s Financial Services Agency’s guidance on compliance with J-SOX: http://www.fsa.go.jp/en/news/2007/20070420.html

Other resources for understanding J-SOX:

http://www.protiviti.jp/downloads/JSOX_Insights_01E.pdf

http://www.protiviti.jp/downloads/flashreport/JSOX_FlashReport_02E.pdf

EUROPEAN UNION

Following decisions in France and Germany prohibiting two U.S. organizations from instituting SOX-mandated hotlines, and the publication of hotline guidelines by CNIL, the French government agency charged with protecting data privacy, the EU’s Article 29 Working Party issued an opinion on hotlines. Although not binding on member states, the Working Party’s opinion will be very persuasive to European government agencies looking at this issue. The Working Party Opinion is very similar to the CNIL Guidelines.

The Opinion can be found at: http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2006/wp117_en.pdf

After the publication of the Opinion, there was an exchange of correspondence between the Working Party and the Securities and Exchange Commission, trying to reconcile the restrictions recommended by the Working Party with Section 301 of the Sarbanes-Oxley Act which mandates an anonymous employee complaint process. Here are links to the correspondence:

February 16, 2006
From: Chairman of independent EU advisory body, Peter Schaar
To: Chairman of Securities Exchange Commission, Christopher Cox
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/others/2006-16-02-whistleblowing_en.pdf

June 8, 2006
From: Director, Office of International Affairs, Securities Exchange Commission, Ethiopis Tafara
To: Chairman of independent EU advisory body, Peter Schaar
http://www.sec.gov/about/offices/oia/oia_rulemaking/schaar_letter_060806.pdf

July 3, 2006
From: Chairman of independent EU advisory body, Peter Schaar
To: Director, Office of International Affairs, Securities Exchange Commission, Ethiopis Tafara
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/others/2006-07-03-reply_whistleblowing.pdf

September 29, 2006
From: Director, Office of International Affairs, Securities Exchange Commission, Ethiopis Tafara
To: Chairman of independent EU advisory body, Peter Schaar
http://www.sec.gov/about/offices/oia/oia_rulemaking/schaar_letter_092906.pdf

Companies operating in Europe and using a U.S.-based hotline provider like The Network must comply with EU data transfer privacy rules. There are three basic methods of compliance:

  1. Safe Harbor certification: http://www.export.gov/safeharbor/
    (The Network is Safe Harbor certified; for downstream data transfer from The Network to you, we recommend that you obtain Safe Harbor certification, too.)
  2. Inclusion of EU standard contract clauses in your contract with The Network: http://ec.europa.eu/justice_home/fsj/privacy/modelcontracts/index_en.htm
  3. Adoption and enforcement of a global privacy policy reflecting the EU data privacy principles.

France

The Commission nationale de l’informatique et des libertés (CNIL) issued guidelines for hotlines that must be followed if a company wishes to get the CNIL’s expedited approval for a hotline in France:

CNIL final guidelines:

http://www.cnil.fr/fileadmin/documents/uk/CNIL-recommandations-whistleblowing-VA.pdf

Frequently Asked Questions on whistleblowing systems, published by the CNIL:

http://www.cnil.fr/index.php?id=1982

The Network has published a special report including an executive summary of the guidelines and some practical pointers for companies launching a hotline in France:

Hotlines in France: CNIL Publishes Application Documents

SPAIN

Although the Spanish Data Protection Agency has not issued general guidelines for hotlines, it has issued a decision in response to an application from an unnamed global pharmaceutical company to implement a hotline in Spain.

This decision relies heavily on the EU Working Party’s opinion except with regard to anonymous reports: the EU Working Party wants anonymous reports to be discouraged but does not forbid them, while the Spanish agency states that a guarantee that the complainant’s identity be kept confidential is sufficient, and anonymous reports should not be accepted.

Because of this departure, which is contrary to the requirements of Sarbanes-Oxley, The Network has provided an unofficial translation of the Spanish opinion:

http://www.tnwinc.com/downloads/SPNWhistleOpinion_ENGTranslation.pdf

Germany

Germany published hotline guidelines in April 2007. As anticipated, these follow the French CNIL Guidelines and the EU Article 29 Working Party Opinion in stating that hotlines should not encourage anonymous calls. The German guidelines, however, define the scope of hotlines more broadly to cover ethics issues beyond the purely financial and accounting issues envisaged by the French and EU guidance.

This link leads to the English translation of the German Whistleblower Guidelines:

http://www.complianceweek.com/s/documents/german_whistling.pdf

Belgium

Like Germany, Belgium has issued hotline guidelines that follow the principles outlined in the EU Working Party Opinion and the CNIL rules.

This link leads to the English translation of the Belgian Whistleblower Guidelines:

Recommendation No. 1/2006 of November 29, 2006

THE NETHERLANDS

The Code of Corporate Governance in the Netherlands was revised in 2003 to require businesses to establish an employee complaint process:

“The management board shall ensure that employees have the possibility of reporting alleged irregularities of a general, operational and financial nature in the company to the chairman of the management board or to an official designated by him, without jeopardizing their legal position. Alleged irregularities concerning the functioning of management board members shall be reported to the chairman of the supervisory board. The arrangements for whistleblowers shall in any event be posted on the company’s website.”

In 2006, the Dutch Data Protection Agency issued an opinion setting guidelines for employee hotlines. These echo the concerns about anonymous reports, proportionality, and the right of the accused to be informed that were expressed in the EU Article 29 Working Party’s Opinion issued earlier that year and in the French CNIL guidelines. However, the Dutch opinion does not restrict the scope of the hotline to only financial matters, and advocates a two-month data retention period.

United Kingdom

While the UK has not issued specific guidance for hotlines, it has revised its Combined Code for Corporate Governance in light of Sarbanes-Oxley and the financial scandals that gave rise to it by including a provision (C.3.4) for employees to report concerns in confidence.

This link provides access to the Combined Code for Corporate Governance:

http://www.fsa.gov.uk/pubs/ukla/lr_comcode2003.pdf


*The information and web links on this page are provided as a service to our hotline clients who want an introduction to some of the laws and regulations in the US and elsewhere that affect hotlines. The Network is not a law firm and does not give legal advice. We recommend that you seek the advice of counsel in the appropriate area before implementing a hotline.

ReportLine is a service of The Network | © 2008 The Network, Inc. All rights reserved.