Whistleblowing systems have been a hot issue in France for several years. In a ruling dated September 23, 2011, the Court of Appeals of Caen confirmed a lower court’s decision to suspend the whistleblowing system of a U.S. company on the grounds that it did not comply with French whistleblowing law. In light of this ruling, U.S companies are advised to audit the compliance of their whistleblowing systems with French data protection law.
France’s whistleblowing rules
Normally, companies have to apply for the authorization of the French data protection authority, the CNIL, before setting up a whistleblowing system in France. But obtaining the CNIL’s authorization may be a long process.
In an effort to ease the burden on companies and cut through red tape, the CNIL adopted in 2005 a document, known as the Single Authorization No. AU-004. If a whistleblowing system meets all the requirements laid down in the Single Authorization, a company can avoid going through the standard, cumbersome authorization process and is eligible for a simplified procedure: it only has to submit a declaration of conformity to certify that its system complies with the Single Authorization.
Moreover, whistleblowing systems may not be used in France for unlimited purposes; their scope needs to be specific and limited. The 2005 version of the CNIL’s Single Authorization required that the scope of eligible systems to be limited to the financial, accounting, banking and anti-bribery areas. It nonetheless provided for the possibility to process a whistleblowing report not related to said areas when the vital interest of the company or the physical and moral integrity of its employees were at stake. Many companies had at the time incorporated such possibility in their whistleblowing procedures.
However, the Court of Cassation (French Supreme Court) thereafter found in 2009 that whistleblowing schemes providing for such possibility were not eligible for the Single Authorization and had to follow the standard authorization procedure.
To take account of the Court of Cassation’s ruling, the CNIL thus amended its Single Authorization No. AU-004 and suppressed the reference to the vital interest of the company and the physical and moral integrity of the employees (The Single Authorization No. AU-004 was also amended on October 14, 2010, to include anti-competitive practices and the Japanese Financial Instrument and Exchange Act of June 6, 2006).