Data privacy and whistleblower protection laws
Many of our customers are active internationally and have to deal with a multitude of data privacy regulations related to whistleblowing. WhistleB supports customers with their compliance responsibilities following this changing legal landscape. Below you’ll find brief information and examples on the many laws on organisational whistleblowing.
Europe
Laws requiring corporate whistleblowing
Italy with 231 Corporate Model of Compliance, France with Sapin II and the Netherlands with its House for Whistleblowers Act are examples of EU member states that have introduced laws requiring companies to have a whistleblowing system in place. In Italy, for example, the whistleblowing law obliges companies to identify specific channels to allow employees to report potential misconduct within the work place.
Laws on whistleblower protection
The EU Whistleblower Protection Directive sets out the framework of whistleblower protection, to be transposed by Member States into national law by December 2021.
Anonymity is the least complicated protection a whistleblower can be provided. Most EU countries, with the exception of Portugal allows anonymous reporting.
Laws on personal data protection:
The General Data Protection Regulation (the GDPR) as of May 2018 has a direct effect in the member states and regulates the handling of personal data also in the field of whistleblowing.
In Russia, the Personal Data Localization Law came into force in 2016. The law requires personal data of Russian citizens to first be processed and stored within Russia. Transfer to third parties located outside of Russia is permitted for secondary processing. However, the transfer must comply with appropriate agreements with the third party to ensure processing meets the data protection measures required under Russian law.
Americas
Laws requiring corporate whistleblowing
In the United States, the US Sarbanes-Oxley Act (SOX) of 2002 was the first law that required corporate whistleblowing for publicly traded companies in the USA. Furthermore, a Supreme Court decision of 2014 states that the suppliers of the publicly traded companies are also required to have a whistleblowing scheme in place. Numerous Central and Latin American countries are launching anti-corruption laws, requiring whistleblowing schemes.
Laws on whistleblower protection
In the United States, the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 gives the whistleblower protection from dismissal, for example. It also gives them the right to claim financial compensation if the information submitted leads to the discovery of breaches of securities laws, such as SOX and the Foreign Corrupt Practices Act (FCPA).
Africa
Laws requiring corporate whistleblowing
In South Africa laws applicable to whistleblowing exist, they are applied differently depending on the type of entity and the type of whistleblower involved.
Tanzania’s Anti-Money Laundering Act includes whistleblowing legislation for reporting suspicions on financial transactions.
Laws on personal data protection
In Morocco, the Data Protection Act defines personal data as any information of any nature that can identify an individual person. Before collecting such data user consent is required, which makes whistleblowing hard to implement.
Asia, Australia and the Middle East
Laws on whistleblower protection
In China, corruption involving government officials has been the driving force behind legislation concerning whistleblowing. Various laws and regulations, such as Several Provisions on Protecting and Rewarding Whistleblowers for Reporting Duty Crimes, aim to provide protection for whistleblowers and incentives for submitting a whistleblowing report. Various governmental channels exist that facilitate whistleblowing.
Australia has specific whistleblower protection laws in place to encourage and protect disclosures of wrongdoing both in the public and private sectors.
Laws on personal data protection
The Chinese Cyber security Law of 2017, addresses all organisations that may be regarded as being a “network operator”. A broad application of the definitions qualifies virtually any organisation that uses a computer network for its operations in or with China as a network operator.
In India, the Information Technology Act obliges organisations to have a privacy policy published on websites at all times. The privacy policy must provide information such as what data is collected and for which purpose.
Hong Kong has a data privacy law, the Personal Data (Privacy) Ordinance in place.