French Data Authority to Update Guidelines On Whistle-blower Hotlines, Attorney Says

By Rick Mitchell

PARIS--The French data protection authority (CNIL) plans to update its 2005 guidelines on the use of whistle-blowing hotlines by companies based here, expanding them to include reporting anticompetitive practices within a group and tightening the scope of the guidelines in other areas, a Brussels-based attorney told BNA Nov. 30.

BNA obtained a draft copy of CNIL's deliberation No. 2010-369 of Oct. 14, 2010, which modifies previous guidance for publicly traded firms seeking to comply with the Sarbanes-Oxley Act's whistle-blower provisions without violating French data protection law. The previous guidance was authorization No. 2005-305 of Dec. 8, 2005, No. AU-004.

According to the draft document, the CNIL tightened language in the existing guidelines to comply with a 2009 ruling by France's highest court striking down parts of them as too broad. In business consultations with the CNIL following that ruling, companies requested modifications to increase their legal security, it said.

Olivier Proust, a Brussels-based attorney at Hunton & Williams LLP, said the update will—in addition to responding to the high court decision—make it easier for companies operating in France to simultaneously comply with French and EU antitrust laws and privacy laws, which often have conflicting provisions.

He added that the changes make it easier for companies operating in France to use the whistle-blowing hotline as an internal mechanism for reporting facts or acts that go against the company's rules and policies implemented to comply with French and EU antitrust laws.

Destruction of Irrelevant Data

According to the draft deliberation, the revised article 3 of the guidelines states that whistle-blowing data determined to be irrelevant must be destroyed or archived promptly.

Proust said that the CNIL 2005 authorization already addressed the issue of transferring whistle-blower data outside the European Union, and those sections have not changed.

He said he expected the CNIL to publish the deliberation in early December. Companies will have six months from the publication date to implement its new requirements.

Response to SOX Dispute

The Sarbanes-Oxley Act of 2002, among other things, required publicly listed U.S. companies and their foreign subsidiaries to implement codes of conduct to fight against corruption, conflict of interest and insider trading, and to establish a mechanism for whistle-blowers to anonymously report violations. It also prohibited retaliation against whistle-blowers.

France's 1978 Law on Information Technology and Liberties (78-17 of 1978, updated 2004) requires organizations to report to CNIL any system that processes personal data, including codes of conduct and whistle-blowing systems.

Although EU subsidiaries of U.S. companies had to comply with SOX, in 2005 French and European Union officials still balked at allowing companies to implement whistle-blower rules.

The CNIL in June 2005 refused to authorize proposed whistle-blower initiatives at two American firms' French subsidiaries, one of which was McDonald's. After drawn-out talks between U.S. and French authorities, the CNIL's AU-004 guidelines were seen as an effort to resolve the transatlantic dispute.

Two Methods Under Guidelines

The 2005 guidelines required companies to get their whistle-blower hotlines approved by the CNIL in one of two ways: self-certification, or a much longer detailed review by the CNIL, which requires a formal request, Proust said.

He said the guidelines encouraged companies to go the easier route of self-certification, which required companies to formally declare that their hotlines complied with AU-004 conditions. In particular, these conditions limited hotlines' use to the areas of finance, accounting, banking, the fight against corruption, and compliance with Sarbanes-Oxley in the United States.

However, the AU-004 authorization also included an exception allowing companies to use self-certified hotlines for reporting things not on the limited list if the company's vital interests or the moral or physical integrity of the employees were at stake.

It was this language, in AU-004's article 2, that the labor chamber of the Court of Cassation, France's highest court, struck down in a December 2009 decision. In that case, Dassault Systèmes had obtained CNIL clearance for its standard whistle-blowing system but had then expanded it to require reporting such things as sexual or other harassment or intellectual property violations.

The court said the scope of self-certified hotlines could not be expanded to breaches beyond the areas of finance, accounting or banking, which are traditionally considered both within the scope of the SOX whistle-blower hotline requirement and allowed under French law.

To expand hotlines beyond those areas would require explicit authorization by CNIL, it said. The draft document said that the CNIL responded by removing the exception from AU-004.

Other Changes

The draft document said that in the course of its consultations with business, companies asked the CNIL to modify AU-004 to increase their legal certainty. AU-004's revised article 1 now also refers to compliance with the Japanese Financial Instrument and Exchange Act, the so-called Japanese SOX.

In the existing 2005 guidelines, a section states that if companies have put in place “adequate mechanisms,” such as contractual clauses, binding corporate rules, or have certified in the Safe Harbor program, then the authorization AU-004 also covers CNIL authorization on the transfer of whistle-blowing data outside of the EU, he said.

The EU Article 29 Working Party issued its own guidelines on the whistle-blowing hotlines in 2006.

Proust said France already had some of the most stringent provisions on whistle-blower hotlines among the EU 27. “France has often taken the lead on whistle-blowing issues within the Article 29 Working Party. I wouldn't be surprised if the CNIL's revision could be broadened to other EU jurisdictions or lead to further discussion with the Art. 29 group,” he said.

Companies elsewhere in Europe may also adapt their whistle-blowing schemes to the new French rules, to be in compliance with the strictest rules in the EU even if they are not in France, he said.

Proust emphasized that companies in France that have whistle-blowing systems that are not authorized by the CNIL run the risk of criminal penalties. “Now is the time for companies to assess or reassess whether there is a need to make any changes or to amend their internal whistle-blowing schemes,” he said.

(Dec. 6, 2010)

 

Last updated: October 22, 2012