Header graphic for print
Privacy Law Blog

French Data Protection Agency Restricts the Scope of the Whistleblowing Procedures: Multinational Companies Need to Make Sure They Are Compliant

Posted in Data Privacy Laws

By a decision dated October 14, 2010, and published on December 8, 2010, the French Data Protection Agency (known under the acronym CNIL) revised the deliberation that it issued on December 8, 2005.

At that time, the CNIL had issued a deliberation to reach a compromise between the United States’ Sarbanes-Oxley (“SOX”) requirements and French law.  According to Article 1 of that deliberation, companies were authorized to adopt whistleblowing systems implemented in response to French legislative mandates, regulatory internal control requirements (e.g. regulations governing banking institutions), or the whistleblowing requirements of the SOX Act.  According to Article 3 of the 2005 deliberation, alleged wrongdoings not encompassed within these core areas may be covered by the whistleblowing system only if vital interests of the company or the physical or psychological integrity of its employees were threatened.

The French Supreme Court addressed the scope of the CNIL’s deliberation in a decision dated December 8, 2009. In that decision, the French Supreme Court was asked to consider the validity of a corporate Code of Conduct that had been implemented by a listed company (Dassault Systèmes) in order to comply with the SOX Act. The French Supreme Court found that the scope of Dassault’s code of conduct was too broad, in that it invited employees to report violations relating to more than just finance, accounting and anti-corruption matters, but also intellectual property rights, confidentiality, conflict of interest, discrimination, and sexual or psychological harassment. In the eyes of the Court, the Dassault code of conduct’s whistleblowing system was invalid because it permitted whistleblowers to report violations other than those enumerated under Article 1 of the CNIL deliberation.

While companies were already required to obtain approval from CNIL for whistleblowing systems that exceeded the scope of the 2005 deliberation, the French Supreme Court’s decision helped to clarify exactly when such approval is needed. According to the Supreme Court’s decision, any whistleblowing system that allows complaints concerning conduct violations beyond those listed must be specifically authorized by the CNIL on a case-by-case basis, or risk being invalidated.

In order to align its deliberation with the Supreme Court’s decision, the CNIL modified the 2005 deliberation to limit its scope to:

  • accounting;
  • finance;
  • banking;
  • anti-corruption;
  • competition;
  • companies concerned by SOX Act section 301(4) of July 31, 2002;
  • Japanese SOX of June 6, 2006.

It also specified that:

  • alerts outside the scope of the deliberation must be destroyed or archived immediately;
  • when the alert does not give rise to a disciplinary or legal procedure, data related to the alert are destroyed or archived within two months from the end of the inquiry.

So far, 1,605 companies have complied with the CNIL’s deliberation. For companies whose systems are compliant with the new scope of the deliberation, no additional formalities are necessary. But for those others whose systems are not compliant, they have six months to bring their whistleblowing system into compliance or obtain an authorization from the CNIL.

To facilitate reporting of wrongdoings which are not encompassed within the scope of the new deliberation, the CNIL suggests informing employees that they should report them to their managers, unionists or human resources departments.

From a practical point of view, there is a strong likelihood that the CNIL will be very cautious before approving any whistleblowing system that exceeds the scope of its new deliberation, or even refuse to approve such a system. Consequently, multinational companies may want to think about restricting their whistleblowing systems to the core areas specified in the CNIL’s new deliberation so as to avoid having their systems invalidated.