The blanket authorization under which companies located in France may process personal data related to whistleblowing measures was recently widened to include additional matters. 

Employers in France may self-certify compliance with the French Data Protection Authority’s  (“CNIL”) requirements concerning employee whistleblowing procedures, as provided in a blanket  authorization adopted in 2005 (so-called Autorisation Unique n°AU-004 of December 8, 2005) as a  result of the enactment of the Sarbanes-Oxley provisions in the United States. If an employer in  France does not qualify for self-certification, it must request a specific authorization from the  CNIL; this is a much more cumbersome process and chances of obtaining such an authorization are  uncertain. 

  The 2005 blanket authorization was recently modified by a CNIL decision dated 30 January 2014 to  provide for wider coverage. 

In reaction to the Sarbanes-Oxley Act, the scope of whistleblowing measures in France was  originally limited to the areas of accounting, financial audit and the fight against anti-money  laundering or bribery. In 2010, the scope was widened to include reports related to antitrust and  competition law infringements. 

Pursuant to the 30 January 2014 decision, the scope of self-certification has been further widened  to incorporate a number of new areas: workplace health, hygiene and safety; discrimination; and  harassment, as well as environmental protection. Considering that most corporate codes of conduct  - in particular in the US - included these areas in their provisions, the revision of the scope of the  blanket authorization can be seen as a logical and welcome development. 

Furthermore, the decision has clarified the reporting procedure. The obligation for the  whistleblower to identify him/herself remains and employers must treat employee personal data  confidentially and not encourage anonymous reports. In this regard, the CNIL approach differs from  the Sarbanes-Oxley Act which provides that employee reports of concern regarding questionable  accounting or auditing matters must be anonymous. However, the CNIL decision sets out strict conditions under which anonymous reports may, exceptionally, be allowed: (i) if the reported facts  are serious enough, provided that the factual evidence is sufficiently detailed, and (ii) if the  processing of the reporting is undertaken with great care (such as determination by the first  recipient as to the opportunity to disclose the reporting within the whistleblowing system). 

Although employers having previously self-certified compliance under the blanket authorization  need not submit a new declaration of compliance to the CNIL, it is nevertheless necessary for them  to inform employees of the newly widened scope of whistleblowing procedures prior to their  enforcement if the employers opt to widen the scope. 

In application of Article L.2323-32 of the French Labor Code, works councils must also be consulted  as a prerequisite to the introduction of the new measures insofar as these measures provide  oversight of the employees’ activity. If the widened scope modifies the code of conduct or the code  of ethics, the procedure applicable to the modification of internal regulations must also be  observed (i.e. consultation of the works council and the Hygiene, Safety, and Work Conditions  Committee (so-called “CHSCT”) and filing of the modified code with the clerk of the labor court  and the labor inspector).