Whistleblowing in Focus: Recent Developments, Emerging Issues, and Considerations for Companies. Part Three: Looking Ahead

Introduction

In this three-part series, we discuss recent developments relating to whistleblower programs in the United States (read here). Second, we review whistleblower initiatives in other jurisdictions over the past year (read here). Third, we consider emerging issues and considerations for companies in relation to whistleblower reports.

Part 3: Looking Ahead

As part of the ongoing discussions about regulation of artificial intelligence, there have been increasing demands for whistleblower protections for the industry. These developments, along with the expansion of whistleblower programs and protections worldwide, require continued attention to corporate internal reporting programs, as well as policies, procedures, and training relating to whistleblower reports. In addition, companies with cross-border operations may need to consider potential implications of data protection regulations on whistleblower procedures.

A. Artificial Intelligence (“AI”)

As developments in AI have drawn more attention to its potential risks, one area of focus has been whistleblower activity relating to AI technology. A group of whistleblowers filed a complaint with the U.S. Securities and Exchange Commission (“SEC”) in July alleging that OpenAI’s employment, severance, non-disparagement, and non-disclosure agreements violated the SEC’s whistleblower rules.[1] In August, the California legislature passed AI legislation, Senate Bill 1047, which was vetoed by the Governor the following month.[2] The bill would have established requirements for developers of certain AI technology relating to management of the risks of developing and operating such technologies.[3] The bill included provisions relating to anonymous reporting channels, disclosures by employees to the authorities, and anti-retaliation protections.[4] At a September hearing of the U.S. Senate Judiciary Committee on oversight of AI, witnesses called for enhanced whistleblower protections for employees of AI or technology companies, citing concerns about gaps in existing laws.[5] This issue will remain a focal point in the continuing debates about regulation of AI.

B. Corporate Compliance Program and Policy Updates

As we have discussed in Part 1 of this series, the U.S. Department of Justice’s corporate whistleblower pilot program is the latest addition to whistleblower programs in the U.S. Even if the incoming U.S. Administration de-emphasizes whistleblower rewards, individual U.S. Attorneys’ Offices and agencies will still have strong incentives not to abandon whistleblower programs, since the programs may provide valuable leads that otherwise might elude the authorities. Outside the U.S., as we have discussed in Part 2, there is growing interest in whistleblower award programs and an increasing emphasis on whistleblower protections. These developments mean that companies that operate in the U.S. or in multiple jurisdictions must continue to prioritize compliance program and policy updates.

In particular, it will be important to focus on:

• Protection of whistleblowers, including confidentiality, anonymous reporting channels, and anti-retaliation policies
• Training on:
  • Internal policies relating to the protection of whistleblowers and anti-retaliation
  • The internal reporting system
  • External anti-retaliation and whistleblower protection laws
  • External whistleblower programs and regulatory regimes
• The internal reporting system, including:
  • Advertising of the system
  • Accessibility of the system
  • Measuring use of the system
  • Testing employees’ awareness of and comfort with the system
  • Assessing employees’ willingness to make reports
  • Evaluating the impact of practices on reporting
• Whistleblower reports, including:
  • Procedures for handling reports
  • Processes for investigating reports
  • Processes for assessing reports
  • Timeliness of disposition of reports
  • Disposition of reports, including related disciplinary action
  • Recordkeeping relating to reports
• Confidentiality provisions in agreements, including carve-outs permitting voluntary communications with the authorities without restrictions

C. Data Protection

As more and more jurisdictions adopt or further develop data protection regulations, including specific provisions on protection of personal data in the context of whistleblowing, companies with cross-border operations may need to consider any potential implications of those regulations on whistleblower procedures. For example, companies may have a centralized process for reviewing all whistleblower complaints, under which a complaint submitted by an employee located in a jurisdiction with strong data protection regulations would be handled in another jurisdiction. In these circumstances, companies may be subject to different data protection regulations, including in respect of the relevant legal basis for data processing, information notices to be provided to data subjects, rights of access, data retention periods, and restrictions on data transfers. In addition, entities in a group company that share resources for receiving and handling whistleblower complaints may need to transparently define, by internal agreements, their respective responsibilities and roles for compliance with personal data protection obligations. Therefore, companies with cross-border operations should be mindful of how the structure of their whistleblower programs might be impacted by data protection regulations across the world.

[1] Letter from Kohn, Kohn & Colapinto, LLP to Gary Gensler, SEC Chair, OpenAI Violations of Rule 21F-17(a) and Implementation of E.O. 14110 (July 1, 2024), https://kkc.com/wp-content/uploads/2024/07/Confidential-Letter-to-SEC-Chair-7.1.24_Redacted-1.pdf.

[2] Safe and Secure Innovation for Frontier Artificial Intelligence Models Act, S.B. 1047, 2023–2024 Reg. Sess. (Cal. 2024),https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202320240SB1047; Veto Message of Gavin Newsom, Governor of California (Sep. 29, 2024), https://www.gov.ca.gov/wp-content/uploads/2024/09/SB-1047-Veto-Message.pdf.

[3] Id.

[4] Id.

[5] Margaret Mitchell, Written Testimony for the U.S. Senate Comm. on the Judiciary, Subcomm. on Priv., Techn., & the Law Oversight of AI: Insiders’ Perspective (Sept. 17, 2024), https://www.judiciary.senate.gov/imo/media/doc/2024-09-17_pm_-_testimony_-_mitchell.pdf; William Saunders, Written Testimony Presented before the U.S. Senate Comm. on the Judiciary, Subcomm. on Priv., Techn., & the Law For a Hr’g on Oversight of AI: Insiders’ Perspective (Sept. 17, 2024), https://www.judiciary.senate.gov/imo/media/doc/2024-09-17_pm_-_testimony_-_saunders.pdf; Helen Toner, Written Testimony Before the U.S. Senate Committee on the Judiciary, Subcommittee on Privacy, Technology, & the Law For a Hearing on Oversight of AI: Insiders’ Perspective (Sept. 17, 2024), https://www.judiciary.senate.gov/imo/media/doc/2024-09-17_pm_-_testimony_-_toner.pdf.