Whistleblowing: the pressure mounts: The cross-border dimension

At a glance:

• More countries introducing whistleblower requirements
• EU protects whistleblowers under draft Trade Secrets Directive
• US Dodd-Frank bounty regime attracts whistleblowers from 83 countries
• Data protection issues for multinationals

Growing international recognition

The importance of whistleblowers as a source of information for the authorities is increasingly being recognised around the world. Australia, Ireland, Slovakia, Canada, South Korea and India have all passed new legislation since 2010, improving the protection of whistleblowers from retaliation. Other nations are likely to follow suit in the next few years, in particular, there is expected to be a new EU Trade Secrets Directive which would go some way to protecting whistleblowers from suits alleging trade secrets violations in all the EU Member States. 

While the general direction of all this new legislation is the same, there are important differences between jurisdictions as to what disclosures will qualify for protection and what that protection involves. Compensation for whistleblowers who are discriminated against varies widely, as does the level of punishment for those who break the law in allowing such discrimination. Knowledge of local law and culture is therefore essential, and any organisation operating in multiple jurisdictions will need to ensure that its whistleblowing policies and procedures comply with all relevant local rules, which may require regional variations.

EU Whistleblower Protection under Draft Trade Secrets Directive

Introduction

In December 2015, a draft Trade Secrets Directive text was agreed. Whilst we cannot be sure that it will be passed, once the “Trilogue” - representative members of the Council, the Commission, and the EU Parliament - has agreed on a text, we would expect that the law will be passed in the not too distant future, and without significant amendments from the current text.

Even once the Directive is passed it will not have “direct effect” in the national law of the Member States: each country will have to bring in implementing legislation within two years after the Directive becomes law. With the uncertainty as to when the Directive will be enacted, and the two year lag after that for implementation, the full effect of the Directive’s provisions remains some time away.

As an important caveat, the Trade Secrets Directive will only deal with the disclosure of information which has the following three properties:

• The information is secret, that is, it is not known or readily accessible to persons within the circles which usually deal with the information. This can include a particular configuration or organisation of information not be known or readily accessible.
• The information is valuable because it is secret.
• The trade secret holder has taken steps to ensure that it is kept secret.

In many, if not most, whistleblower cases, the employment contract will have specified that the employee was under a duty to keep the information secret, and so the third condition will be satisfied. Whether the first condition is satisfied may be the subject of dispute. What the standard is will almost certainly be the subject of references to the Court of Justice in due course. Similarly, it may be a matter of dispute as to what “valuable” means in the first criterion: is a piece of mismanagement or illegality “valuable” because it is not known by others?

Will all whistleblowers fall foul of the Trade Secrets Directive?

Employers will not be able to bring a claim for breach for unlawful use of a trade secret against employees in certain circumstances. One such circumstance is whistleblowing: Recital 12(a) (as it is currently numbered in the draft Directive) provides a definition for what is meant by whistleblowing:

Measures, procedures and remedies provided for under this Directive should not restrict whistleblowing activity. Therefore, the protection of trade secrets should not extend to cases in which disclosure of a trade secret serves the public interest, insofar as directly relevant misconduct, wrongdoing or illegal activity is revealed. This latter should not be seen as preventing the competent judicial authorities from allowing an exception to the application of measures, procedures and remedies where the respondent had all the reasons to believe in good faith that his conduct met the appropriate criteria set out in the Directive.

Article 4(b) codifies this exception in the Directive itself: actions for breaches of a trade secret shall be dismissed if the disclosure alleged was made “for revealing misconduct, wrongdoing or illegal activity, provided that the respondent acted for the purpose of protecting the public interest.”

Article 4(c) provides that a worker can disclose a trade secret to their (union) representatives if such disclosure “was necessary” for the representative to perform its function.

Article 4(d) is a catch-all exception, permitting the disclosure of a trade secret “for the purpose of protecting a legitimate interest recognised by Union or national law”.

Journalists are also protected from suit if they are exercising their right to freedom of expression under the EU Charter of Rights.

It is important to recognise that whilst each Member State will have a national definition for many of these concepts (eg, what is a “purpose” here? Primary purpose? Sole purpose?), the Trade Secrets Directive would make these concepts autonomous features of EU law. These concepts will (almost certainly) require uniform interpretation across the Union. It is important to be careful when reading this draft text, therefore, not to read this law as if it were a national text. No doubt there will be substantial litigation up to the Court of Justice interpreting these exceptions.

How will a court deal with a whistleblower claim in a trade secret action?

Any suit brought under legislation implementing the Trade Secrets Directive should be “dismissed” if the conduct fits under one of the exceptions listed above.

The long arm of Dodd-Frank

Even in jurisdictions with few or no requirements for the protection of whistleblowers, there are good reasons to have such policies in place. The US Dodd-Frank Whistleblower Programme invites reports from whistleblowers anywhere in the world relating to breaches of securities laws by companies that issue securities in the US. Such offences are broad enough to catch bribery, financial reporting irregularities or price manipulation. Whistleblowers stand to gain between 10% and 30% of any penalties ultimately recovered from those convicted, provided these exceed US$1m. The largest award to date was of US$30m, to a whistleblower who reported what the SEC described as “information of an ongoing fraud that otherwise would have been very hard to detect”.

Notably, the recipient of that US$30m award was from outside the US. Since the beginning of the programme, the SEC has received information from whistleblowers in 83 countries outside the US. Indeed, US lawyers are now using Chinese language TV adverts to offer their services in China to assist whistleblowers in making a report. China represented the fourth greatest source of foreign whistleblower reports to the SEC in 2014, with 32 reports. The UK is the biggest source of reports from outside the US, with 70 in 2014, while India is close behind with 69.

Given the international reach of the Dodd-Frank Whistleblower Programme, companies need to bear in mind the potential benefit to an employee or other insider of reporting any wrongdoing they discover to the SEC. Employees with audit or compliance responsibilities are not prevented from making reports to the SEC, but will only be eligible for payments under the programme if they have reported the matter internally and then waited 120 days. This underlines the need for companies to address whistleblower concerns promptly and seriously. Where an issue is being addressed internally and the whistleblower treated well, they may be less likely to report externally. Where an investigation reveals breaches of securities laws, the company will need to consider reporting to the relevant authorities in order to get the benefit of a voluntary disclosure, which generally requires the information to be unknown at the time of reporting.

Data protection and whistleblowing

Whistleblowing hotlines inevitably involve the processing of data, often sensitive personal data relating to the alleged wrongdoer, and this will often engage local data protection legislation. Companies operating in the EU may need to notify the relevant Data Protection Authorities in the Member States in which they operate of the existence of any whistleblowing procedure. They will also need to check what forms of disclosures can be reported via a hotline and whether anonymous reporting is required, allowed or prohibited, as the law varies across the EU.

The setting up of a whistleblowing hotline should be preceded by the conduct of a data protection impact assessment to ensure that the privacy impact of the hotline is understood and actions are taken to mitigate any adverse privacy implications for individuals.

The conduct of the hotline should be subject to a whistleblowing policy that should, amongst other things, set rules on how data collected may be used and the security measures that should be adopted to protect data provided from unauthorised access or distribution. If the whistleblowing procedure involves personal data being transferred to locations outside the EU, it will be necessary to ensure that there is adequate protection for the data in the relevant non-EU countries. That protection can be provided for in a variety of ways depending on the circumstances. In addition, it may be necessary to make notifications concerning or obtain approval for the ex-EU transfers to relevant Data Protection Authorities in Europe.

All of this means that a single whistleblowing policy implemented across the globe is unlikely to comply with all relevant laws.

It is worth noting that the EU is currently in the process of formulating a major revision to its existing data protection law through the passing of a new Data Protection Regulation. The Regulation is intended to create a more unified data protection regime within the EU and it had been hoped that it would create a “one stop shop” approach to data protection regulation and enforcement whereby a Member State’s Data Protection Authority would have EU-wide jurisdiction over companies based in its territory.

Whatever the unifying effect of the Regulation it will have a significant impact on the operation of whistleblowing hotlines as it provides for more onerous obligations in relation to the conduct of impact assessments and documenting of data processing activities. It also proposes changes to the form and substance of consent and notice wording that must be used amongst a variety of other changes. Finally, but most importantly, the enforcement threat associated with breach of the rules looks set to increase materially with the current proposals looking at maximum fines of the greater of €100m or 5% of annual worldwide turnover.