As I have noted in prior posts (most recently here), the current coronavirus outbreak presents corporate boards with a number of challenging issues. In the following guest post, Nick Goldin, Eric Swedenburg and Brad Goldberg of the Simpson Thacher law firm review the considerations that corporate boards should take into account as their companies grapple with the challenges that the pandemic poses. The authors extend their appreciation to Sarah Eichenberger for her substantial contributions to this piece. A version of this article previously was published as a Simpson Thacher client memorandum. I would like to thank the authors for allowing me to publish their article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is the authors’ article. Continue Reading Guest Post: Considerations for Corporate Directors As Their Companies Confront COVID-19

Frank Hülsberg
Burkhard Fassbach

In the following guest post, Frank Hülsberg, partner and member of the board of directors of Grant Thornton Germany, and Burkhard Fassbach, a D&O-lawyer in private practice in Germany, take a look at key whistleblower considerations relating to GDPR compliance. I would like to thank Frank and Burkhard for allowing me to publish their article. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Frank and Burkhard’s article.

******************

Employee data protection in whistleblowing procedures inevitably leads to a conflict of interest between whistleblower protection and the right of the accused to information. Data protection in the context of internal whistleblower systems is like a combat zone: on the one side stand the protection of the whistleblower and the employer’s interest in secrecy, on the other the accused employee’s interest in information. In this context, a weighing of interests must always be carried out based on the concrete circumstances of the individual case. The article provides practical advice for data protection officers and persons responsible for GDPR compliance.

Introduction

Whistleblowing is an indispensable element of a functioning compliance management system. According to the EU Whistleblower Directive adopted on October 7, 2019, all companies with more than 50 employees as well as financial service providers and municipalities with more than 10,000 inhabitants will in future be obliged to set up whistleblower systems.

According to the EU Directive, whistleblower reporting channels must be designed, set up and operated in such a secure manner that the confidentiality of the identity of the whistleblower and third parties mentioned in the report is maintained and unauthorized employees are prevented from accessing them. The Directive leaves it up to Member States to decide whether companies are obliged to receive and follow up anonymous reports. Even without a legal obligation to set up anonymous reporting channels, these will continue to be used in practice in the future. Whistleblowers who cannot rely on their anonymity being maintained will very rarely report legal infringements (“wall of silence”).

The whistleblower’s understandable need for protection is counterbalanced by an equally understandable interest of the accused, who naturally wants to know the accusations in detail for his defence and always has at least as great an interest in the question “from which corner this comes”. The data protection authorities of the German Federal Government and the States have examined this area of tension and issued guidance on some questions; almost at the same time, the Regional Labour Court of Baden-Württemberg handed down a highly regarded judgment on the right of an accused employee to information.

In the following, the main findings from the meeting of the data protection authorities and the ruling will be examined and recommendations for practice will be derived from them.

Guidance from data protection authorities

On November 14, 2018, the Conference of the Independent Data Protection Authorities of the Federal and State Governments published an orientation guide on whistleblowing hotlines. The notification of breaches of obligations of conduct goes hand in hand with the processing of personal data. The groups of persons affected are primarily the whistleblowers and the persons accused. Whistleblowing systems are procedures in which, in accordance with Art. 38 (1) GDPR, the data protection officers must be properly and promptly involved in all matters relating to the protection of personal data.

Insofar as a person wishes to make a whistleblowing report, he or she should be informed in advance, when first contacting the system, that his or her identity will be treated confidentially, but also that the accused person must in principle be informed of the identity of the whistleblower no later than one month after the report (Art. 14 (3) lit. a GDPR). If the whistleblower wishes to disclose his or her identity in spite of this information, the consent of this person is possible. Therefore, before giving consent, the person concerned must be informed of his or her right under Art. 7 (2) GDPR to revoke consent, but this is only effectively possible up to one month after notification.

According to Art. 14 GDPR, the accused person must be informed of the storage, nature of the data, the purpose, processing and identity of the controller and, if applicable, the whistleblower. If the risk were significant that such information would jeopardise the company’s ability to effectively investigate the allegation or collect the necessary evidence, the information to be provided to the accused person may be postponed for as long as this risk exists. The basis for this is Art. 14 (5) lit. b GDPR, according to which the information need not be provided if the achievement of the objectives of the processing would at least be seriously impaired. Permanent secrecy should be ruled out in view of a possible impairment of the personal rights of the accused person and his or her rights of defence. As a measure to protect the legitimate interests of the accused person, the information must then be provided as soon as the reason for postponement no longer applies.

According to Art. 15 GDPR, the accused person has the right to be informed of the data stored about him or her, including insofar as these relate to the origin and recipient. However, there is no obligation to provide information under Section 29 (1) sentence 2 Federal Data Protection Act (BDSG) if the information would disclose information which must be kept secret because of the overriding legitimate interests of a third party.

Recitals 84 and 85 of the EU Whistleblower Directive also deal with this issue. According to these recitals, the Member States shall ensure the effectiveness of the Directive and, to this end, are also to be able to restrict the data protection rights of the persons concerned in accordance with Article 23 GDPR by means of legislative measures. This is intended to prevent attempts to establish the identity of whistleblowers or to obstruct reports.

If the information provided by a whistleblower gives rise to conclusive suspicions of violations of the law, the management must initiate internal investigations. The investigations are usually conducted by independent investigators. These are best placed to assess whether the information provided to the accused person or a claim for information would jeopardise the investigation. Persons responsible should obtain the investigator’s opinion for the weighing of interests. According to the guidance of the data protection authorities, data should in principle be deleted within two months of the conclusion of the investigation. Storage beyond this period is only permissible for the duration of clarification of necessary further legal steps such as disciplinary proceedings or the initiation of criminal proceedings. With regard to guidance, it should be critically noted that investigations can also be reopened, for example, by new evidence.

Balancing of interests under data protection law

The concrete interest of the accused employee in the provision of information must be determined in each individual case and weighed against the employer’s operational interest in refusing to provide information or the legitimate interests of third parties. In its judgment of 20 December 2018, the Higher Labor Court of Baden-Württemberg (Landesarbeitsgericht Baden-Württemberg) made the following considerations for the weighing of interests under data protection law:

It can be a legitimate interest in the confidentiality of a source of information if the employer guarantees anonymity to whistleblowers for the purpose of clarifying internal misconduct. If the company has assured whistleblowers of anonymity, information that allows conclusions to be drawn about the whistleblower’s identity may not be included in the file or must be blacked out. If such information does become part of the file or the case, it must be disclosed to the person concerned.

However, the employer cannot make a general reference to the need for protection of whistleblowers. If the right to information is denied with reference to the interests of third parties worthy of protection, the employer is responsible for the relevant circumstances. It is sufficient and necessary to state to which precise information the overriding legitimate interest in secrecy should relate.

The specific case before the Regional Labor Court concerned an internal investigation that had already been completed. A threat to the success of the investigation could be excluded.

As a result, the State Labour Court of Baden-Württemberg ordered the employer to provide the accused employee “with a copy of his personal performance and conduct data which are the subject of the processing carried out by it”. The appeal is pending before the Federal Labour Court.

In this regard, it is critically noted in the literature that the wording of Article 15 (3) sentence 1 GDPR can be understood to mean that a copy of every e-mail that the person concerned has ever written or received must be returned to him. Every document, every note and every annotation in which the person concerned is mentioned by name can be subsumed under the wording of Article 15 (3) sentence 1 GDPR.

Data protection authorities also oppose an excessively broad interpretation of Article 15 (3) sentence 1 GDPR. The Bavarian State Office for Data Protection (BayLDA) writes in its Activity Report 2017/2018: “The right of access to stored personal data does not establish a general right to copies of documents or files”. In this respect, the BayLDA refers to the wording of Art. 15 GDPR and to the relevant case law of the European Court of Justice. Other German data protection authorities hold similar views.

Ensuring anonymity through digital platforms and ombudsman

Practical solutions for employee data protection in whistleblowing cases can only be derived from the modality of the reports. A distinction must be made between open, confidential and anonymous whistleblowing. In the case of open whistleblowing, the whistleblower reveals his or her own identity from the outset. In the case of confidential whistleblowing, the addressee of the report should not share this with third parties. In anonymous whistleblowing, the whistleblower keeps his or her own identity secret from all parties involved.

In the case of anonymous reports by telephone or by post, feedback with the whistleblower is not possible. Internet-based whistleblower systems, on the other hand, allow the whistleblower to be involved in the further course of the investigation without having to reveal his identity. Whistleblowers and case handlers access the server from their respective locations. Only the content of the reports is stored, but not the IP address or other metadata. A technical tracing of the tip based on the stored data is therefore impossible. The data transfer between user and server is encrypted, but beyond that it is not subject to the technology provider’s sphere of influence, which is why the user should take special care to make his requests from a secure terminal. Anonymous communication between whistleblowers and case handlers takes place via a protected mailbox. To set up the mailbox, the whistleblower only needs to select a pseudonym and a password. The whistleblower himself must ensure that he does not disclose any information that might allow conclusions to be drawn about his person.

In organisational terms, the whistleblowing channel can also be directed to external lawyers as ombudsman. As attorneys of confidence appointed by the company, they accept these reports and check plausibility and validity. The guarantee of anonymity by lawyers of confidence was called into question by a decision of the Bochum Regional Court on 16 March 2016. The court allowed the public prosecutor’s office to confiscate the information from the ombudsperson for the purpose of investigating the identity of a whistleblower. There is no mandate or quasi-mandate relationship between the whistleblower as witness and the ombudsperson. According to the prevailing opinion, the prohibition of seizure only protects the relationship of trust between the person entitled to refuse to testify and the accused in the specific criminal proceedings. The Federal Constitutional Court confirmed this view in the “Jones Day” decision of 27 June 2018.

Conclusion

In summary, some practical advice for those responsible: It is advisable to combine the institution of the ombudsperson with an internet-based anonymous whistleblower system. The ombudsperson himself does not obtain knowledge of the identity of the whistleblower, but can, if necessary, clarify unjustified accusations in advance and be a confidant for the whistleblower in case of justified accusations worth pursuing. If the allegations are pursued, it should be noted that the persons responsible carry out the weighing of interests under data protection law after obtaining a statement from the investigator and a recommendation from the data protection officer, and that the decision based on the weighing of interests is documented in writing.

Much has changed since I published my first coronavirus-related post a month ago. The number of confirmed cases and of deaths has soared. Much of the country is now on lockdown. School, work, business — so much of basic social and economic activity has stopped. Much has changed in the D&O arena as well. There have been both claims and underwriting developments, and a number of trends have emerged. In the post below, I discuss some of these developments and trends. I recognize that my observations are limited by my own personal perspective; it is my hope that others will share their observations about the current environment using the comment feature to add their views to this post. Continue Reading Coronavirus and D&O Insurance: An Interim Update

Three weeks ago, as part of a Professional Liability Underwriting Society (PLUS) series of recorded discussions on the professional liability insurance implications of the COVID-19 Coronavirus outbreak, I participated in a short recorded conversation on the viral outbreak’s D&O insurance implications with my good friends Carl Metzger of the Goodwin Procter law firm and Rob Yellen of Willis Towers Watson. Because so much has happened since that prior session just three short weeks ago, earlier this week Carl, Rob, and I recorded an updated session in which we took a look at our prior predictions, reviewed what we are currently seeing in the D&O insurance marketplace and what we are telling our clients about it, and also projected ahead for what might be coming soon. The recording, which is informal, conversational, and relatively brief (approximately 30 minutes), can be found here.

As the number and rate of securities class action lawsuit filings have remained at historically high levels over the past three years, there have been renewed calls for securities class action litigation reform, as I have detailed in prior posts (for example, here). According to a March 25, 2020 paper by the U.S. Chamber Institute of Legal Reform (ILR), the “broken securities class action system continues out of control” and the need for securities litigation reform remains urgent. On April 1, 2020, I participated in an ILR event, along with ILR President Harold Kim and Andrew Pincus of the Mayer Brown law firm, entitled “An Update on Securities Litigation,” in which we discussed key recent securities litigation developments and the continuing case for securities litigation reform. The paper can be found here and a video recording of the ILR event can be found here. Continue Reading The Continuing Case for Securities Litigation Reform

Francis Kean

One of the questions for companies facing financial difficulties both in the U.S. and in the UK is the extent to which the boards of the companies owe duties to creditors to try to avoid creditors’ losses as the companies approach insolvency. I discussed the state of the law in Delaware regarding these issues in a recent post. In the following guest post, Francis Kean, a partner in the financial lines team at McGill and Partners, takes a look at the recent suspension in the UK of “wrongful trading” legislation. A version of Francis’s article previously was published on LinkedIn. I would like to thank Francis for allowing me to publish his article as a guest post on my site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Francis’s article. Continue Reading Guest Post: UK’s Wrongful Trading Laws Suspended: Good News for Company Directors?

David Topol

Private investment funds (hedge funds, PE firms, venture capital funds and the like) are a significant part of the U.S. economy. From a management liability insurance perspective, private investment funds present unique underwriting and claims issues. In the following guest post, David Topol takes a detailed look at these kinds of enterprises, and considers the relevant claims and insurance issues. David is a partner in the insurance practice at Wiley. He has substantial experience over the past fifteen years representing insurers as monitoring counsel and in coverage litigation on policies issued to investment advisers, private funds and broker-dealers. A version of this article will be published in a forthcoming issue of the Wiley law firm’s Executive Summary blog. I would like to thank David for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is David’s article. Continue Reading Guest Post: Private Investment Fund Claims from an Insurance Perspective

The current disruption to normal business operations across the country means that many businesses will soon be under significant financial pressure, if they are not there already. As their companies edge toward insolvency, directors are going to have to make significant decisions about the companies and their operations. Boards may be concerned, as they make critical and difficult decisions, that creditors or others may later attempt to claim that they violated their legal duties.  This concern in turn leads to the question about exactly what duties directors face as their companies approach insolvency. Continue Reading Cash-Crunched Companies Face Insolvency; Will Directors Face Claims?

In yet another significant #MeToo-related development, the parties to the Signet Jewelers securities class action lawsuit have agreed to settle the case for $240 million. There are a number of interesting features to the settlement, as discussed below; among other things, over $200 million of the settlement amount is to be funded by insurance. The settlement is subject to court approval. The plaintiff’s March 26, 2020 letter to the court regarding the settlement can be found here. The parties’ stipulation of settlement can be found here. Continue Reading Signet Jewelers Settles #MeToo-Related Securities Suit for $240 Million

Priya Cherian Huskins

As I have noted in prior posts (most recently here), there have already been at least two coronavirus-related securities class action lawsuits filed. In the following guest post, Priya Cherian Huskins takes a look at these first pandemic-related cases and compares and contrasts them with general securities litigation filing patterns. She also takes a look at the implications of the cases for coronavirus-related company disclosures. Priya is a Senior Vice President and Partner at Woodruff Sawyer. A version of this article previously appeared in the D&O Notebook. I would like to thank Priya for allowing me to publish her article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Priya’s article. Continue Reading Guest Post: Coronavirus: An Update on Securities Suits and on Updating Company Disclosures