Multi-national companies with subsidiaries or operations in France had until 7 June 2011 to make any required amendments to their whistleblower programs in France in order to comply with new data protection rules there. Companies which missed the deadline or have yet to address hotline obligations there should still take appropriate compliance steps after the June 7 date.

As French authorities have also recently announced their intention to conduct more company audits, including of data transfers to the US, adherence to these new procedures is prudent.

As a result of earlier court cases, significant modifications to the authorization regime in France for whistleblower programs have come into effect. In December 2010, the French data protection authority, the Commission Nationale de l’Informatique et des Libertés (“CNIL”), issued new rules, giving companies a six-month grace period to comply. In particular, the scope of whistleblower programs must now be narrowed so as to exclude matters which fall within the previously permitted category of matters in the “vital interests” of the company or its employees’ physical or mental integrity; these other serious matters could earlier be reported in the hotline system but had to be referred to another department like Human Resources and dealt with there. This category arguably included, for example, reports of threats of violence, harassment, discrimination, environmental violations, violations of workplace safety rules and disclosures of trade secrets.

Whistleblower programs

Many US multi-national companies have implemented whistleblower programs, which permit employees, customers and service providers to report allegations of fraud, infractions of codes of conduct or similar complaints. For US public companies, such programs are a required part of compliance with the Sarbanes-Oxley Act of 2002 (“SOX”), and, increasingly, Foreign Corrupt Practices Act (FCPA) and Dodd-Frank issues can be reported on the same hotline number or web system. The new UK Anti-Bribery Act coming into force adds additional impetus to hotline reporting.

Implementing such programs in EU countries gives rise to certain data protection issues, which must be given constant and updated consideration. In some countries, amendments must be made to the reporting procedure in order to comply with local laws or guidelines. Many EU countries require notification of whistleblower programs to the relevant data protection authority prior to operation, and some require advance approval. Local counsel assistance, including in France, is necessary to understand and implement these filings, protocols and country practices.

AU-004 authorization

In November 2005, the CNIL published guidelines to assist companies in the introduction of whistleblower programs which are compliant with both SOX and French law. Since then, the CNIL has had a two-tier system of authorization in place, under which whistleblower programs may be authorized by either:

  1. self-certifying to the CNIL through an automated on-line process that a whistleblower program complies with certain specified parameters (the “AU-004 authorization”); or
  2. seeking the CNIL’s formal approval, which involves a longer review process and often company document submissions.

Under the 2005 guidelines, in order to meet the requirements for the online AU-004 authorization, the scope of the whistleblower program in France had to be limited to concerns about accounting, financial, banking or corruption matters or like concerns, with the provision that other serious matters in the “vital interests” of the company or its employees’ physical or mental integrity could be admitted into the hotline intake but had to be routed to the appropriate other department, like Human Resources. This approach was a welcome compromise for US multinational companies which preferred a broader scope of hotline reporting to include other categories in their codes of conduct beyond financial, accounting and fraud matters.

In a decision of the French Supreme Court in December 2009 concerning the French company Dassault Systèmes, the court decided that the AU-004 authorization should be restricted to whistleblower programs which excluded these other serious “vital interests” matters. Where the scope of reporting in a whistleblower program operating in France was more expansive, it was held that it should be submitted to the CNIL for formal approval.

As a result, in late 2010, the CNIL issued revised guidance for the AU-004 authorization, while extending the compliance deadline for six months. Companies wishing to qualify must now restrict the whistleblower program scope to concerns about accounting, financial, banking, anti-competitive or corruption matters. The category of matters in the “vital interests” of the company or its employees’ physical or mental integrity is no longer permitted in the online AU-004 authorization. Such concerns, of course, could still be reported through normal labor channels, including to supervisors or managers, which are separate from the hotline and outside the CNIL’s rules.

Action required

Companies that have filed an AU-004 authorization had until 7 June 2011 to make any required amendments to their whistleblower programs to comply with the CNIL’s revised guidance. Going forward, hotline reports which relate to these other serious “vital interests” matters should not be submitted in France under the AU-004 notification. If the reporting scope in France is limited as such, and reflected in the company’s hotline procedure, it is reportedly not necessary to file a new AU-004 authorization. Whistleblower programs that are broader in scope or otherwise do not meet the revised AU-004 authorization requirements must be submitted to the CNIL for formal approval under the new process.

Employees should be notified of changes to whistleblower programs in order that they are aware that these other serious “vital interests” matters should no longer be reported through the hotline in France. Employee bodies, including works councils, should also be notified of the changes, where appropriate. Obtaining local French counsel advice is often critical to such undertakings, labor issues and CNIL practice.