In France it is difficult to implement whistle-blowing schemes and ethics hotlines. Up until 2005, for example, the French data protection authority (the CNIL) generally refused to authorise such schemes, even though they were not prohibited by law. It was forced to change its position in light of the significant problems this caused French companies whose shares were traded on the US Stock Exchange (or French subsidiaries of US companies who were also listed) and which were therefore required to have whistle-blowing schemes in place to comply with their legal obligations under the US Sarbanes-Oxley Act (SOX).
In 2005 the CNIL published (i) guidelines on whistle-blowing and confirmed that the implementation of such a scheme requires prior authorisation by the CNIL; and (ii) what is known as a “blanket authorisation”. Companies wishing to operate a whistle-blowing scheme could benefit from the CNIL’s blanket authorisation by simply certifying that it complied with the strict conditions set out in the authorisation. Over 1600 companies signed up for this simplified procedure. Those companies whose schemes did not comply with the blanket authorisation had to continue to apply for prior authorisation by the CNIL, a sometimes lengthy and cumbersome process.
The sole aim of the blanket authorisation was to enable companies to comply with their legal obligations in terms of financial transparency. A scheme therefore would only be covered if it was limited to the reporting of financial, accounting, banking and anti-corruption matters. The wording of the blanket authorisation did, however, seem to allow the reporting of information that affected “the vital interests of the business or the physical or moral integrity of employees”. Some employers took this to mean that they could broaden the scope of matters that could be reported under a whistle-blowing scheme to include such things as infringement of intellectual property rights, insider trading, discrimination and sexual harassment. In December 2009, however, the Employment Chamber of the French Supreme Court ruled that these additional reporting matters fell outside the scope of the blanket authorisation.
In light of this ruling the CNIL issued a revised version of the blanket authorisation towards the end of last year which made it clear that it does not cover such “vital interest” matters and that any information reported through a hotline which falls outside the scope of the blanket authorisation should be immediately destroyed or archived, almost however important to the broader wellbeing of the business. This means that any employee reports relating to harassment, etc. must be made via the normal HR channels or via trade union officials.
However, since the amendment to the blanket authorisation the CNIL has issued authorisations that re-open the door to wider reporting possibilities. On 3 March 2011, the CNIL authorised two whistle-blowing schemes bearing on discrimination for the purposes of implementing in such companies a new French regulation on diversity that includes internal reporting schemes. This authorisation has been granted under the standard authorisation procedure. Even though this procedure is more burdensome, it shows that it is possible to obtain an authorisation from the CNIL for reporting that goes beyond the scope of the blanket authorisation – provided there is a legitimate purpose. It is worth bearing in mind, however, that with the exception of SOX, “foreign” laws are not considered to constitute a legitimate purpose.
It is also worth mentioning that the revised blanket authorisation widened its scope to cover anticompetitive practices and reporting obligations under Japanese Financial Legislation, sometimes known as the “Japanese SOX”.
Finally, as a result of these changes, it is important that employers that have filed their scheme under the blanket authorisation ensure their whistle-blowing provisions are compliant with these new rules by 8 June 2011.