The CNIL has recently updated the "autorisation unique" [single authorisation] in regards to whistleblowing thus extending the system to include anti-competitive practices and integrating the "Japanese Sox" regulation. Companies that had declared their whistleblowing systems to be compliant with the single authorisation now have six months to adjust.

Background

  • On 8 December 2005, the CNIL published a single authorisation (no. AU-004) to deal with the rising number of obligations with which companies must comply in terms of financial transparency. Under this system, companies obtained approval for their internal whistleblowing procedures simply by undertaking to comply with the single authorisation.
  • Over 1,600 companies signed up for the simplified procedure.
  • In principle, these systems were only intended to cover financial, accounting, banking and anti-corruption matters (Article 1).
  • Nevertheless, the CNIL allowed companies a certain degree of flexibility by permitting them to receive and transmit whistleblowing reports relating to other facts undermining "the vital interests of the organisation or the physical or moral integrity of its employees" (Article 3).
  • On 8 December 2009, the Cour de cassation ruled against this approach and decided that corporate whistleblowing systems had to remain within the scope of Article 1.

The new scope of the single authorisation no. AU-004

In light of the Cour de Cassation decision and based on past experience, the CNIL modified its single authorisation (deliberation no.2010-369 of 14 October 2010, published in the Journal Officiel [French official gazette] on 8 December 2010) to specify the areas to which internal whistleblowing procedures could apply and specify how data must be archived.

  • Extension of the single authorisation system to competition matters

The CNIL has now added anti-competitive practices to the list of areas covered by its single authorisation, no. AU-004. Henceforth, the single authorisation will only apply to data processing carried out in response to a legal or regulatory obligation pertaining to internal control in the following areas: finance, accounting, banking, anti-corruption and now anti-competitive practices.

The extension of the authorisation to anti-competitive practices was made further to multiple requests from companies and is derived from a consultation undertaken by the French competition authority, the Autorité de la Concurrence1. The authorisation now refers specifically to "the prevention of anti-competitive practices", linking it directly to Title 2 of the French Commercial Code [Code de Commerce] on anti-competitive practices.

  • Extension of the single authorisation system to obligations derived from the "Japanese Sox".

The CNIL has also now recognised that the obligation to introduce a whistleblowing procedure may be derived from the Japanese Financial Instrument and Exchange Law dated 6 June 2006, known as the "Japanese Sox", and not only from French law and the US Sarbanes-Oxley Act dated 31 July 2002.

  • End of the flexibility afforded under Article 3

Article 3 has been amended to take into account the Cour de Cassation's decision.

Henceforth, all reports relating to facts undermining the vital interests of a company or the physical or moral integrity of its employees will need to be made via the usual hierarchical channels, human resources or possibly union representatives.

  • Clarifications on data retention periods

The CNIL has taken this opportunity to clarify the conditions under which reports are to be archived: the processing manager must destroy or archive all data pertaining to a given report within two months if no resulting disciplinary or legal action is taken, even where certain data have not been verified.

How will the changes affect companies?

  • Do I need to submit a new declaration that my whistleblowing procedure complies with the single authorisation no. AU-004?

No, there is no need to submit a new declaration.

Companies concerned by the measures must ensure that their data processing systems comply with the new rules before 8 June 2011.

  • How do I ensure that my whistleblowing procedure is compliant?

Those concerned by the measures should ensure that:

  • the rules applicable in their companies (e.g. code of ethics defining the scope of the procedure and aimed at employees, amendment to company rules and/or IT charter) are modified;
  • all data that have already been collected and that no longer fall within the scope of the procedure are destroyed: this means data relating to facts undermining the vital interests of the company or the physical or moral integrity of its employees;
  • their IT system is updated (if applicable) to prevent data that no longer fall within the scope of the procedure from being processed or to allow reports to be filtered and to include the new measure on anti-competitive practices;
  • all of the new rules on data retention are integrated.
  • Do I need to inform the employees and works council?

When updates are made, the following steps must be taken:

  • the employees must be informed of the new scope of the whistleblowing procedure and reminded that they must use more traditional reporting channels for matters not covered by the single authorisation (line management, union representatives or HR);
  • bodies representing the company's employees, possibly including the comité d'hygiène de sécurité et des conditions de travail [committee for health, safety and working conditions], must be consulted on the new rules.
  • What about external service providers?

If data processing has been entrusted to an external provider, the provider must be informed of the update and the company must ensure that the provider complies with the new rules and obtain a guarantee that the services provided do comply with the rules.