Before implementing whistle-blowing mechanisms, companies must obtain the authorization of France's national commission for information technology and civil liberties ("la Commission nationale de l'informatique et des libertés", or the "CNIL").

In order to reduce the administrative requirements that such decisions engender for companies since the Sarbanes-Oxley Act was introduced in the United States, the CNIL has put in place a single authorisation system (AU-004[1]).

Organizations whose whistle-blowing system does not fall within the purview of the single authorization remain obliged to submit a normal authorization application to the CNIL, with no guaranteed outcome, as applications are reviewed on a case by case basis. The CNIL will then set out to establish that the information is adequate, relevant and not excessive with regards to the means for which it is collected and the way it is subsequently used.

In 2009,[2] at the request of the CGT union of metallurgical industries, the Court of Cassation found Dassault Systèmes' whistle-blowing system to be non-compliant with the requirements of the Loi dite "Loi informatique et libertés,[3] (France's information technology and civil liberties act) because it provided no personal protection or information measures.

The Labour Division pointed out that the CNIL is not alone in defending application of the information technology and civil liberties act, and that the other unions represented in the company also play a determining role in this area. The decision also states that implementation of a corporate whistle-blowing system that is subject to a compliance commitment under the single authorization must be limited to the accounting, financial, and anti-corruption arenas.

The Court clarified that the initial provisions of section 3 of the single authorization, which hold that facts that do not fall within the purview of the single authorization, but that affect the "vital interest of the organization or the physical or moral integrity of its employees" should not be interpreted as authorizing an extension of the ultimate purpose of whistle-blowing mechanisms beyond the aforementioned areas.

Using the conclusions of this Court of Cassastion decision, and mentioning that it had heard the principal players in the field, the CNIL passed by deliberation, on October 14, 2010, an amendment of the single authorization AU-004 and its scope of application.[4]

The scope of application of the single authorization AU-004 now includes facts stemming from compliance with competition rules, as well as a reference to the whistle-blowing mechanisms implemented under the Japanese Financial Instrument and Exchange Act of June 6, 2006.

On the other hand, the CNIL removed the reference to facts that do not fall into the accounting, financial, banking or anti-corruption fields, but that "[TRANSLATION] can nonetheless be communicated to the appropriate persons in the concerned organization when the vital interest of this organization or the physical or moral integrity of its employees is at stake", a reference put aside by the Court of Cassation. It stated that when in doubt, whistle-blowing systems should not be used.

Whistle-blowing in cases of discrimination or harassment remains subject to case by case examination by the CNIL. Similarly, the CNIL maintained its prohibition regarding the anonymity of such allegations. Moreover, it did not address the majority of such systems implemented by foreign companies under other legislation such as the U.S. Federal Sentencing Guidelines.

In practice, it is not necessary for organizations who have already declared a whistle-blowing mechanism to make a new declaration. If the parameters of the existing mechanism exceed the single authorization's new purview, however, the organizations in question will have six months to bring their practices into compliance.