The implementation of codes of conduct and whistleblowing systems is expanding at the international level. Global companies must pay attention to local law requirements when rolling out these codes in foreign countries, in order notably to comply with the rules and regulations provided by the local data protection authorities to govern data processing.

A recent decision rendered on December 8, 2009, by the French Supreme Court provides a good illustration of issues that may be raised by local laws in the implementation of whistleblowing procedures abroad.

For the first time the French Supreme Court addressed the issue of the validity of a Code of Conducts that had been implemented by a listed company (Dassault Systèmes, a French Software company) in order to comply with the Sarbanes Oxley act.

By its decision, The French Supreme Court overruled the decision of the Court of Appeal, which had declared the whistleblowing system implemented by the Code of Conduct of Dassault Systèmes compliant with the French data protection authority (CNIL) and therefore legal.

In a landmark decision rendered in 2005, the CNIL considered that the broad and anonymous whistleblowing procedures of several companies, including the McDonald’s Company, that had been adopted in order to implement the requirements of the Sarbanes-Oxley Act, were contrary to French law and in particular to the French data protection law of January 6, 1978. The CNIL held that it had no fundamental objection to that kind of system, but it expressed the opinion that whistleblowing processes should not be transformed into an organized system of professional denouncement which may jeopardize the employees’ individual rights.

In order to reach a compromise between SOX requirements and French law provisions, the CNIL issued a Deliberation on December 8, 2005. The Deliberation states that the companies are authorized to roll out their whistleblowing systems provided they formally disclose the existence of the system and they comply with the requirements of the CNIL’s Deliberation. In particular, article 1 of the Deliberation provides that only the whistleblowing systems implemented in response to French legislative or regulatory internal control requirements or the whistleblowing requirements of the Sarbanes-Oxley Act in areas such as finance, accounting, banking and anti-bribery, may be covered by this Deliberation. Article 3 of the Deliberation provides that facts which are not included in these cores areas may be covered by the whistleblowing system if the vital interest of the company or the physical or mental integrity of its members is threatened. 

If the scope of the whistleblowing process exceeds the CNIL’s Deliberation, the company is under the obligation to enter into a heavy process with the CNIL consisting in detailing the information collected, their recipients, the end-purpose of the data processing… and to get formal authorization of the CNIL. So far, the CNIL has never given its authorization when the scope of the whistleblowing system exceeds its Deliberation.

In the case at hand, Dassault had implemented a whistleblowing system under the Deliberation and a trade union challenged the validity of the system on the ground that the company should have sought a formal authorization from the CNIL because its scope exceeded the auditing and financial matters.

The Supreme Court ruled that the scope of the Code of conduct was too broad in that employees may report any breach of the Code relating to finance, accounting and anti- corruption areas but also any breach in others matters to the extent that it could threaten the vital interests of Dassault or the physical or moral integrity of an individual employee (intellectual property rights, confidentiality, conflict of interest, discrimination, sexual or psychological harassment).

The Court adopted a very narrow reading of the CNIL Deliberation because it came to the conclusion that the whistleblowing system could not be introduced under the Deliberation for a purpose other than those mentioned under the article 1 of the CNIL Deliberation.

In other words the whistleblowing system that would cover other breaches of the Code of Conduct should be authorized specifically by the CNIL on a case by case basis. Even though these breaches are material and may threaten the vital interest of the company or the physical or mental integrity of its members.

Last but not least the Supreme Court also found that Dassault’s Code of Business Conduct did not expressly mention that the individuals had a right of access to the information reported, and a right of rectification where the information is not correct.  

As from a practical point of view, there is a strong likelihood that the CNIL refuses to grant an authorization for a whistleblowing system exceeding the scope of the CNIL’s Deliberation, it seems that now companies should restrict their whistleblowing systems to the core areas mentioned in the CNIL’s decision of December 8, 2005 to avoid their process be considered as invalid.