US companies with subsidiaries or operations in France have until 7 June 2011 to make any required amendments to their whistleblower programs in France in order to comply with new data protection rules there. As French authorities have also recently announced their intention to conduct more company audits, including of data transfers to the US, adherence to these new procedures is prudent.

As a result of earlier court cases, significant modifications to the authorization regime in France for whistleblower programs are about to come into effect. In December 2010, the French data protection authority, the Commission Nationale de l’Informatique et des Libertés (“CNIL”), issued new rules, giving companies a six-month grace period to comply. In particular, the scope of whistleblower programs must now be narrowed so as to exclude matters which fall within the previously permitted category of matters in the “vital interests” of the company or its employees’ physical or mental integrity; these other serious matters could earlier be reported in the hotline system but had to be referred to another department like Human Resources and dealt with there. This category arguably included, for example, reports of threats of violence, harassment, discrimination, environmental violations, violations of workplace safety rules and disclosures of trade secrets.

Whistleblower programs

Many US multi-national companies have implemented whistleblower programs, which permit employees, customers and service providers to report allegations of fraud, infractions of codes of conduct or similar complaints. For US public companies, such programs are a required part of compliance with the Sarbanes-Oxley Act of 2002 (“SOX”), and, increasingly, Foreign Corrupt Practices Act (FCPA) issues can be reported on the same hotline number or web system.

Implementing such programs in E.U. countries gives rise to certain data protection issues, which must be given constant and updated consideration. In some countries, amendments must be made to the reporting procedure in order to comply with local laws or guidelines. Many E.U. countries require notification of whistleblower programs to the relevant data protection authority prior to operation, and some require advance approval.

AU-004 authorization

In November 2005, the CNIL published guidelines to assist companies in the introduction of whistleblower programs which are compliant with both SOX and French law. Since then, the CNIL has had a two-tier system of authorization in place, under which whistleblower programs may be authorized by either:

  1. self-certifying to the CNIL through an automated on-line process that a whistleblower program complies with certain specified parameters (the “AU-004 authorization”); or
  2. seeking the CNIL’s formal approval, which involves a longer review process and often company document submissions.

Under the 2005 guidelines, in order to meet the requirements for the online AU-004 authorization, the scope of the whistleblower program in France had to be limited to concerns about accounting, financial, banking or corruption matters or like concerns, with the provision that other serious matters in the “vital interests” of the company or its employees’ physical or mental integrity could be admitted into the hotline intake but had to be routed to the appropriate other department, like Human Resources. This approach was a welcome compromise for US multi-national companies which preferred a broader scope of hotline reporting to include other categories in their codes of conduct beyond financial, accounting and fraud matters.

In a decision of the French Supreme Court in December 2009 concerning the French company Dassault Systèmes, it was held that the AU-004 authorization should be restricted to whistleblower programs which excluded these other serious “vital interests” matters. Where the scope of reporting in a whistleblower program operating in France was more expansive, it was held that it should be submitted to the CNIL for formal approval.

As a result, in late 2010, the CNIL issued revised guidance for the AU-004 authorization, but extended the compliance deadline for six months. Companies wishing to qualify must now restrict the whistleblower program scope to concerns about accounting, financial, banking, anti-competitive or corruption matters. The category of matters in the “vital interests” of the company or its employees’ physical or mental integrity is no longer permitted in the online AU-004 authorization. Such concerns, of course, could still be reported through normal labor channels, including to supervisors or managers, which are separate from the hotline and outside the CNIL’s rules.

Action required

Companies that have filed an AU-004 authorization have until 7 June 2011 to make any required amendments to their whistleblower programs to comply with the CNIL’s revised guidance. Going forward, hotline reports which relate to these other serious “vital interests” matters should not be submitted. If the reporting scope in France is limited as such, and reflected in the company’s hotline procedure, it is not necessary to file a new AU-004 authorization. Whistleblower programs that do not meet the revised AU-004 authorization requirements must be submitted to the CNIL for formal approval under the new process.

Employees should be notified of changes to whistleblower programs in order that they are aware that these other serious “vital interests” matters should no longer be reported through the hotline. Employee bodies, including works councils, should also be notified of the changes, where appropriate.