France: New rules on authorising staff whistleblowing schemes

Through a decision issued in December 2005, France's National Commission for Data Protection and Liberties has introduced a new system for ensuring that company "whistleblowing" schemes are in line with the law on privacy.

The National Commission for Data Protection and Liberties (Commission Nationale de l'Informatique et des Libertés - CNIL) is an independent administrative authority. It was set up in 1978 to oversee the law on privacy and the protection of personal data - a role that includes the approval of various types of data-processing carried out by companies. Through a decision adopted on 8 December 2005 (No. 2005-305, published in France's Official Journal on 4 January 2006), the CNIL has set up a system whereby companies that observe certain guidelines can have the "whistleblowing" schemes that they operate authorised simply and quickly by the CNIL.

The new decision on a "single authorisation for the electronic processing of personal data carried out as part of whistleblowing schemes" had been announced as part of the follow-up of an "orientation document" issued by the CNIL on 10 November 2005. This document set out the conditions that company whistleblowing schemes must comply with in order to be in line with the legislation on data protection.

Under the new system, firms are required only to send to the CNIL a declaration that their staff whistleblowing schemes observe the rules laid down in the December 2005 decision (see below). The CNIL does not perform any checking of the schemes in question, but merely sends the company a receipt by return of post. Once this receipt has arrived, the company may introduce its scheme. The new system of authorisation also applies, in certain circumstances, to the transfer of relevant data to countries outside the European Union.

If a company does not seek the new "single authorisation" from the CNIL, or if the whistleblowing scheme it wants to introduce does not fall within the framework set out in the CNIL decision, a full-scale authorisation procedure must be followed. This means the company must submit a complete dossier to be examined by a plenary session of the CNIL.

Background

The CNIL has noted the recent development in France of procedures enabling employees to report colleagues' behaviour at work that allegedly breaches the law or corporate policy - a practice known as whistleblowing (alert professionnelle). Such whistleblowing systems are neither explicitly allowed nor banned under the provisions of the French Labour Code. However, when they rely on the processing of personal data - ie the collection, registration, storage and disclosure of data that is related to an identified or identifiable person - they are subject to the provisions of the data protection law of 6 January 1978, as amended in 2004, whether the processing is automated or paper-based. When processing is automated, whistleblowing schemes are subject to a requirement of prior authorisation by the CNIL, as they are regarded as processing operations that may exclude individuals from the benefit of a right or of their employment contract.

In May 2005, the CNIL refused to authorise two specific company whistleblowing systems. It was aware that these decisions caused difficulties with regard to a recent US law on corporate governance, the Sarbanes-Oxley Act (see below), which requires the establishment of whistleblowing schemes with regard to possible financial irregularities. The commission thus launched a wide-ranging debate on these issues with the relevant US and European authorities, representatives of companies and trade unions, and various experts, which resulted in the recent orientation document and the subsequent decision.

The CNIL states that it has no objection in principle to whistleblowing schemes, provided that the rights of individuals directly or indirectly incriminated through them are guaranteed with regard to personal data protection rules. Such individuals, in addition to the rights they are granted under labour law if disciplinary action is initiated against them, are entitled to specific rights under the 1978 data protection legislation or under the 1995 EU Directive (95/46/EC) on the protection of individuals with regard to the processing of personal data and on the free movement of such data, when data relating to them are processed. These are the rights: to such data being collected fairly; to being informed that such data are being processed; to be able to object to such processing for legitimate reasons; and to have any inaccurate, incomplete, ambiguous or outdated information rectified or removed.

Rules for whistleblowing

On this basis, in order to contribute to the implementation of whistleblowing schemes that comply with the principles defined by the French legislation and the EU Directive, the CNIL now recommends that companies implement a set of rules. If its whistleblowing system corresponds to these rules, then a company can benefit from the new, single authorisation scheme.

The scope of the scheme should be restricted to the financial, accounting, banking and anti-bribery areas. This includes systems relating to accounting and auditing that are put in place by companies covered by the US Sarbanes-Oxley Act. If a company wants the CNIL to authorise any scheme with a wider scope - especially those of a general nature, intended to ensure compliance with legal requirements, corporate policies or internal rules on business conduct - this will require a special examination.

Anonymous denunciations should not be encouraged. In principle, whistleblowers questioning the alleged behaviour of named individuals should identify themselves, although their identity should be kept confidential. According to the CNIL, identified reports make it easier to avoid, or at least limit, false and/or slanderous accusations, as well as to organise the protection of the whistleblower against retaliation. However, the existence of anonymous reports is "a reality" and it is "difficult for company management to ignore this type of report". Such reports should be subject to particular precautions, especially in terms of their dissemination. In any event, the organisation must not encourage the people who are to use the system to do so anonymously.

Only specified categories of personal data may be processed for whistleblowing purposes, such as: the identity, position and contact details of the whistleblower, the person accused of misbehaviour and the people dealing with the accusation; the alleged facts of the matter; information collected during the verification of the alleged facts; reports on the verification exercise; and the follow-up to the allegations. Information collected should be strictly limited to the areas covered by the whistleblowing scheme, although facts outside these areas can be communicated to the competent people in the company if the vital interest of the company or the "physical or moral integrity" of its employees are at stake. The medium in which data collected through a whistleblowing system is recorded should only mention data that are formulated in an objective manner, are directly related to the scope of the scheme and are strictly required for verifying the alleged facts. The wording used to describe the nature of the reported facts should express that the facts are alleged.

The collection and handling of reports must be entrusted to a specific organisation set up within the company to deal with these matters. The people involved in this organisation should receive personal data only to the extent that this is necessary for the performance of their role, and must be specially trained and bound by a contractually defined obligation of confidentiality. The data received through the whistleblowing system may be communicated to people with a similar role within a group of companies to which the company concerned belongs if such communication is necessary for verifying the report, or if this results from the organisation of the group. If the management of the whistleblowing system is entrusted to an external service provider, this provider may have access to personal data only to the extent required by its role. It must also agree contractually not to use the data for other reasons, to ensure confidentiality, to comply with time limits set for the storage of the data and to destroy or return personal data at the end of its contract.

If the recipient of personal data is a legal entity established in a country outside the EU that does not provide adequate protection in the same way as the 1978 French data protection law, as amended, the communications concerned must conform with the specific provisions of the French legislation on international data transfers. This requirement can also be satisfied in several other ways, notably if the foreign legal entity is a US company that has signed up to the Safe Harbor scheme and has explicitly agreed to include human resources data under the scheme. Safe Harbor is a system agreed between the US Department of Commerce and the European Commission, whereby US firms that join the scheme and implement its rules are considered to provide "adequate" privacy protection, as defined by the 1995 EU data protection Directive (the Directive prohibits the transfer of personal data to non-EU nations, including the US, that do not meet the Directive's "adequacy" standards).

The CNIL decision also:

  • regulates the period for which personal data related to a whistleblowing report may be kept;

  • requires measures to ensure the security of personal data in whistleblowing systems;

  • provides that clear and complete information on the system must be given to potential users;

  • requires that people who are the subject of reports must be informed by those responsible for the whistleblowing scheme; and

  • stipulates that people identified through the whistleblowing system may access data concerning them and request, as applicable, their correction or removal.

Conformity with the Sarbanes-Oxley Act

The CNIL believes that its new decision on whistleblowing is compatible with the US Sarbanes-Oxley Act. This Act (formally known as the Public Company Accounting Reform and Investor Protection Act) was adopted in 2002 and sought to reform corporate governance in the wake of a number of high-profile corporate financial scandals, such as those at Enron and WorldCom. Section 301(4) of the Act states that a company's employees must have the opportunity to directly inform the company's audit committee of their concerns relating to questionable accounting or auditing matters, while being assured that they may report such allegedly anomalous behaviour confidentially and anonymously.

The CNIL does not consider that it is "possible to consider that the existence of a foreign legal provision in application of which a whistleblowing scheme is to be set up may be considered as a factor making the processing operations legitimate" under the terms of the French data protection legislation. However, "it is impossible to ignore the legitimate interest held by French companies listed in the US, or French subsidiaries of companies listed in the US, which must certify their accounts with the US stock market authorities, in setting up whistleblowing procedures in relation to alleged anomalous behaviour in accounting and auditing matters. Obviously, ensuring that reports on suspected account rigging which may have an impact on the financial statements of the company properly reach the board of directors is a critical concern for any public issuer." Hence the CNIL decision includes the above-mentioned provisions that accommodate the US legislation.

The CNIL notes that initiatives have also been taken in Europe that are aimed at achieving the same objective as the Sarbanes-Oxley Act, ie reinforcing the security of financial markets. Notably, on 15 February 2005, the European Commission adopted a Recommendation on the role of non-executive or supervisory directors of listed companies and on the committees of (supervisory) boards. According to the CNIL, these various texts clearly underline "the legitimate interest held by companies in setting up whistleblowing systems in the areas which they cover and, in this context, such systems must be considered as acceptable".

On 8 December 2005, a CNIL delegation held a meeting in Washington with the Securities and Exchange Commission, the authority responsible for overseeing the application of the Sarbanes-Oxley Act, and presented its orientation document on whistleblowing. According to the CNIL, this meeting "identified no major incompatibility" between section 301(4) of the Sarbanes-Oxley Act and the orientation document. Contacts between the two organisations will continue until the CNIL has received full assurance of compatibility.

Finally, the CNIL reports that the "Article 29 group" of the 25 EU member states' data protection authorities has asked the French delegation, along with the group's secretariat, to draw up a working paper on the issue of whistleblowing. The CNIL's orientation document will serve as a basis for this work, and has already been well received by the group. As the matter is regarded as urgent, the group plans to reach a position on it in the first quarter of 2006.