The blanket authorization under which companies located in France may process personal data related to whistleblowing measures was recently widened to include additional matters.
Employers in France may self-certify compliance with the French Data Protection Authority’s (“CNIL”) requirements concerning employee whistleblowing procedures, as provided in a blanket authorization adopted in 2005 (so-called Autorisation Unique n°AU-004 of December 8, 2005) as a result of the enactment of the Sarbanes-Oxley provisions in the United States. If an employer in France does not qualify for self-certification, it must request a specific authorization from the CNIL; this is a much more cumbersome process and chances of obtaining such an authorization are uncertain.
The 2005 blanket authorization was recently modified by a CNIL decision dated 30 January 2014 to provide for wider coverage.
In reaction to the Sarbanes-Oxley Act, the scope of whistleblowing measures in France was originally limited to the areas of accounting, financial audit and the fight against anti-money laundering or bribery. In 2010, the scope was widened to include reports related to antitrust and competition law infringements.
Pursuant to the 30 January 2014 decision, the scope of self-certification has been further widened to incorporate a number of new areas: workplace health, hygiene and safety; discrimination; and harassment, as well as environmental protection. Considering that most corporate codes of conduct - in particular in the US - included these areas in their provisions, the revision of the scope of the blanket authorization can be seen as a logical and welcome development.
Furthermore, the decision has clarified the reporting procedure. The obligation for the whistleblower to identify him/herself remains and employers must treat employee personal data confidentially and not encourage anonymous reports. In this regard, the CNIL approach differs from the Sarbanes-Oxley Act which provides that employee reports of concern regarding questionable accounting or auditing matters must be anonymous. However, the CNIL decision sets out strict conditions under which anonymous reports may, exceptionally, be allowed: (i) if the reported facts are serious enough, provided that the factual evidence is sufficiently detailed, and (ii) if the processing of the reporting is undertaken with great care (such as determination by the first recipient as to the opportunity to disclose the reporting within the whistleblowing system).
Although employers having previously self-certified compliance under the blanket authorization need not submit a new declaration of compliance to the CNIL, it is nevertheless necessary for them to inform employees of the newly widened scope of whistleblowing procedures prior to their enforcement if the employers opt to widen the scope.
In application of Article L.2323-32 of the French Labor Code, works councils must also be consulted as a prerequisite to the introduction of the new measures insofar as these measures provide oversight of the employees’ activity. If the widened scope modifies the code of conduct or the code of ethics, the procedure applicable to the modification of internal regulations must also be observed (i.e. consultation of the works council and the Hygiene, Safety, and Work Conditions Committee (so-called “CHSCT”) and filing of the modified code with the clerk of the labor court and the labor inspector).