Background
1. Overview of the mandatory obligations when establishing a whistleblowing system under the Amended WPA
There are two obligations with respect to whistleblowing systems to be established under the Amended WPA.
- Companies must designate personnel who are to be engaged in receiving whistleblowing reports, investigating allegations and taking corrective measures ("Personnel Responding to Whistleblowing Reports").
Personnel Responding to Whistleblowing Reports: (i) shall be subject to a confidentiality obligation with respect to information obtained in dealing with whistleblowing reports that identifies the whistleblower; and (ii) in the event such personnel divulge the aforementioned information without justifiable grounds, shall be subject to a criminal fine not exceeding JPY 300,000.
- Companies are required to establish an internal system to properly respond to whistleblowing reports.
Notably, the mandatory obligation to establish a whistleblowing system mentioned above is reduced to an obligation to "make efforts" for business operators who hire 300 or less regular employees.
In order to ensure effective enforcement of the obligation to establish a required whistleblowing system, the Consumer Affairs Agency (CAA) will be granted the authority to take certain administrative measures, including: (i) making inquiries; (ii) giving guidance or recommendations to business operators failing to meet the requirements; and (iii) publishing the name of business operators should they fail to follow the CAA's recommendations. Moreover, should a business operator fail to report following an inquiry made by the CAA, or should they make a false statement in such regard, the business operator may be subject to an administrative fine not exceeding JPY 200,000.
2. The Guidelines and the Commentary
With a view to providing guidance on several fundamental areas that companies must bear in mind when establishing whistleblowing systems under the Amended WPA, the CAA created the Guidelines and the Commentary. The areas covered in the Guidelines and the Commentary include:
- Designation of Personnel Responding to Whistleblowing Reports, including the scope of personnel covered and the manner of designation.
- Establishment of internal systems, including a consideration of the practicalities of formation of systems, the requirement for independence and elimination of conflict of interest, and steps to be taken when responding to whistleblowing reports.
- Measures to protect whistleblowers, including methods to prevent adverse treatment and avoid out-of-scope information sharing.
- Ensuring whistleblowing systems function effectively, including employee education, feedback to whistleblowers, retention of records, and establishment of internal rules.
The inherent nature of whistleblowing systems is that they may differ depending on factors such as the size of the business operator, its organizational structure, the type of business, the likelihood of potential violation of laws, the number of stakeholders, the current situation of use of the internal whistleblowing system by employees, directors and retirees, and present societal expectations. Accordingly, the Commentary clearly mentions that the Guidelines provide only an outline of the whistleblowing system to be established under the Amended WPA.
Taking the above into account, each business operator should consider independently the specific measures to be taken with reference to factors such as those noted above. Indeed, the Commentary provides views and specific examples of implementation to be used as a reference when ensuring compliance with the Guidelines, together with ideas and specific examples and recommendations that are expected to be undertaken by business operators beyond the minimum measures required to comply with the Guidelines at an operator's own behest.
3. International transfers of information contained in whistleblowing reports
As the operation of responding to whistleblowing reports usually involves handling personal data, business operators are also required to comply with relevant requirements stipulated in the Act on Protect of Personal Information (APPI).
These requirements include:
- Notification of the purpose of information utilization;
- Taking security measures; and
- Restrictions on data transfer to third parties.
In addition, particular care should be taken in cases involving a Japanese subsidiary of a foreign multinational company where responding to whistleblowing reports involves an international transfer of personal data.
Examples of situations in which personal data contained in whistleblowing reports may be transferred to a parent company outside of Japan are: (i) where the parent administers the whistleblowing system; or (ii) when a whistleblowing report is made to the contact point administered by the Japanese subsidiary and the Japanese subsidiary then shares certain content of the whistleblowing report with its parent company.
Recommended actions
Through the Amended WPA, Japan is following in the footsteps of several jurisdictions globally by creating or updating legislation aimed at increasing the protection of whistleblowers.
Given the expanded scope of the Amended WPA, business operators in Japan would be best served by ensuring that their existing whistleblowing systems comply with the requirements of the Amended WPA, in particular with reference to the Guidelines and the Commentary. Further, should business operators not have a whistleblowing system in place, they should consider the extent to which they may be required to, or wish to, establish such system.