In France, before implementing a whistleblowing process, a company must inform and consult with its employees’ representatives, inform its employees and notify the French Data Protection Agency (CNIL).
There are two possible ways to notify the CNIL of a whistleblowing system:
- request a formal authorization from the CNIL (this is quite burdensome and difficult to obtain), or
- opt for the standard whistleblowing authorization (AU-004).
The standard whistleblowing authorization (AU-004) was enacted by the French Data Protection Agency in 2005 in order to facilitate notifying the CNIL of whistleblowing systems. As long as the company undertakes to comply with the principles and scope of the standard authorization, it is automatically authorized to implement the whistleblowing system. As enacted in 2005, the types of wrongdoings that could be reported through a whistleblowing system under the standard authorization were quite broad. Companies were authorized to adopt whistleblowing systems for purposes of regulatory internal control requirements, to comply with French law requirements and the United States Sarbanes-Oxley Act, and to protect vital interests of the company or the physical or psychological integrity of its employees.
However, in 2010, the CNIL had to modify the scope of the wrongdoings which could be reported when using a standard whistleblowing authorization pursuant to a decision of the French Supreme Court dated December 8, 2009 (see our post of December 15th, 2010: https://privacylaw.proskauer.com/2010/12/articles/data-privacy-laws/french-data-protection-agency-restricts-the-scope-of-the-whistleblowing-procedures-multinational-companies-need-to-make-sure-they-are-compliant/). In order to comply with the French Supreme Court decision, the CNIL narrowed whistleblowing reporting under the standard authorization to the following types of wrongdoings:
- Companies concerned with the U.S. Sarbanes-Oxley Act, section 301(4); and
- Japanese SOX of June 6, 2006.
The scope of the standard authorization was therefore very limited, requiring companies needing a broader scope of whistleblowing reporting to obtain a formal authorization from the CNIL and therefore to face the risk of a refusal.
From 2011 to 2013, given the scope limits of the standard authorization, the CNIL has had to process a high volume of filings for formal authorizations to implement whistleblowing systems.
Given the increased volume of requests from companies, on January 30, 2014, the CNIL decided to modify again the scope of application of the standard whistleblowing authorization (AU-004) to widen it.
As a consequence, companies implementing whistleblowing systems in France within the following categories can benefit from the new standard authorization:
- Discrimination and bullying at work;
- Health and safety at work; and
- Environment protection.
In its updated standard whistleblowing authorization, the CNIL also stated its preference against anonymous whistleblowing. Anonymous whistleblowing is allowed only if:
- The facts are serious and the factual elements are sufficiently detailed; and
- The treatment of the alert is subject to particular precautions such as a prior checking before it is sent through the whistleblowing process.