In a decision dated September 23, 2011, the Court of Appeal of Caen suspended the implementation of a whistleblowing system that had been previously authorized by the French Data Protection Agency (CNIL) because, in the court’s view, the system infringed on the individual and collective rights and liberties of the company’s employees.
In the case at hand, the French subsidiary of a U.S. group had, in 2008, implemented a whistleblowing system to comply with SOX requirements in the United States. After various modifications, the CNIL authorized the French subsidiary to implement the system because the program complied with the CNIL’s simplified filing procedure for whistleblowing systems.
Our readers will remember that pursuant to rules in existence since 2010, see our post of December 15, 2010, companies are able to take advantage of the CNIL’s simplified filing procedure for whistleblowing systems as long as the whistleblowing system does not encourage whistleblowers to remain anonymous and is limited in scope to conduct violations in the following areas:
- companies concerned by SOX Act section 301 (4) of July 31, 2002;
- Japanese SOX of June 6, 2006.
Here, despite the CNIL’s approval of the French subsidiary’s whistleblowing system, the employees’ representatives brought a lawsuit against the subsidiary in the Caen Tribunal of First Instance because they believed the system to be flawed in a number of ways, including the following:
- the scope of complaints which could be made through the whistleblowing system was too broad: employees could file complaints on any kind of wrongdoings or problems;
- any Internet user could report wrongdoings about a French employee of that company even if those wrongdoings were outside the scope of the CNIL’s simplified filing procedure;
- contrary to the simplified filing procedure issued by the CNIL, the whistleblowing system encouraged the whistleblower to remain anonymous; and
- employees were not sufficiently informed about their access and rectification rights with respect to the data about them.
The Court of Appeal of Caen ruled that the claims made by the employees’ representatives were well-founded for the following reasons:
- the whistleblowing system was outside the scope defined by the French Data Protection Agency, in large part because it permitted complaints of all kinds;
- the whistleblowing system had been modified unilaterally by the company without the works council and the health and safety committees being informed and consulted prior to any changes being made.
In light of this new decision, companies implementing whistleblowing systems in France need to make sure that (i) the scope of their whistleblowing systems does not exceed the scope defined by the CNIL in its simplified filing procedure and (ii) they inform and consult employees’ representative bodies prior to making any changes to such systems. Failure to do so may lead to challenges by employees or their representative bodies that will halt the implementation of the offending whistleblowing system in France. This, in turn, may raise various issues in the United States, in particular with respect to SOX compliance, that could have significant legal consequences, since according to Section 301 of SOX, audit committees of listed multinationals have to launch hotlines for the confidential, anonymous submission of employees’ complaints or concerns regarding questionable auditing or accounting matters.