The French data protection authority has extended the scope of whistleblowing protections to employment and discrimination claims.
The purpose of whistleblowing programs, which are mandatory for public US companies under the Sarbanes-Oxley Act, is to enable employees to report behaviour that violates legal or company rules without having to go through the traditional management reporting line. In November of 2005, the French data protection authority (the CNIL) adopted procedures that allowed French subsidiaries of US companies to implement their required whistleblowing programs in France.
These French subsidiaries, and other companies operating in France that implemented whistleblowing protections and procedures, were governed by Single Authorization No. 4 (the Autorisation Unique), and these companies believed that any whistleblowing program implemented under the Autorisation Unique complied with French data protection laws. However, since the 2005 Autorisation Unique only applied to whistleblowing for finance, accounting, banking and anti-corruption, many of these companies technically breached French data privacy laws with regard to whistleblowers who reported employment discrimination or harassment.
Autorisation Unique Extended
To resolve this issue, on February 11, 2014 the CNIL published Deliberation #2014-042, which extends the scope of the Autorisation Unique. The Autorisation Unique now covers not only whistleblowing reports relating to finance, accounting, banking, anti-corruption, and unfair competition (added in 2010), but also whistleblowing reports of employment discrimination and harassment and of health, hygiene, safety, and environmental issues. As a result, companies may now process personal data within the scope of the Autorisation Unique, as long as the use of the data relates to a legal obligation or a legitimate interest under the Autorisation Unique.
Deliberation #2014-042 also clarified the rules for anonymous reports by whistleblowers. Generally, in France a whistleblower still must disclose his or her identity, but that identity may be kept confidential within the company processing the report. However, Deliberation #2014-042 clarified that a whistleblower may remain anonymous and not disclose his or her identity if both:
- The reported facts are sufficiently detailed and the facts establish a possibly serious violation; and
- The processed report triggers specific precautions, e.g., the recipient must make a decision whether or not to follow up on the report.
For both companies and employees, Deliberation #2014-042 is a pragmatic step forward and better reflects the actual operations and needs of international companies operating in France.
Any company that operates in France will need to review and modify its whistleblowing protocols and procedures to reflect Deliberation #2014-042. For further information and advice on Deliberation #2014-042, please contact your customary McDermott attorney or one of the listed authors.