France: The French CNIL Publishes Guidelines on Whistle-Blowing

On November 10, 2005, further to its decision of May 2005 to prohibit whistle-blowing practices, the French Data Protection Agency (Commission nationale de l’informatique et des libertés, or "CNIL") issued its guidelines with respect to the context in which such whistle-blowing practices would be deemed legal in France and thus authorized.

It should be noted that the CNIL is pursuing its discussions with the SEC and the NYSE in order to provide more detailed guidelines in this connection and in particular with respect to other U.S. laws providing whistle-blowing obligations such as the Federal Sentencing Guidelines. In addition, the CNIL is shortly going to implement an automatic procedure to declare whistle-blowing practices and obtain appropriate authorizations for them. This procedure will take the form of a "sole authorization" enabling companies that comply with the guidelines adopted by the CNIL to file a standard declaration of compliance with the CNIL and avoid having to request a case-by-case authorization. The CNIL has not yet given a timeline as to the issuance of such a "sole authorization" template form.

Limitation of Whistle-Blowing Practices to Accounting, Auditing of Accounts, Internal Auditing of Banks, and Anti-Corruption Practices. Whistle-blowing practices limited to accounting, auditing of accounts, internal auditing of banks, and anti-corruption practices may be implemented by way of the simplified declaration procedure of "sole authorization." In such a case, companies will be authorized to implement the whistle-blowing practices as soon as they have declared that they are in compliance with the guidelines adopted by the CNIL and have submitted their declaration in accordance with the requirements of a "sole authorization" template form soon to be issued by the CNIL.

Whistle-blowing practices outside the above-mentioned areas would not benefit from the "sole authorization" procedure and would need to be authorized on a case-by-case basis by the CNIL before being implemented. Such would be the case in particular for general and broad whistle-blowing practices involving noncompliance with applicable laws and regulations, the internal regulation of a company or internal ethics policies. In such a case, we want to stress that, on the basis of available information, the CNIL will most likely refuse to authorize such broad whistle-blowing practices unless they were justified by exceptional circumstances, such as in situations that it would consider life-threatening for either the company or the employees.

Limitation of Whistle-Blowing Practices to Certain Categories of Personnel. Because of the limited scope mentioned above, the category of personnel, officers, or directors to which the whistle-blowing practices should apply must be precisely defined by the employer, and the inclusion of such persons in such category must be legitimate in view of the reasons justifying the whistle-blowing practices.

Limitation of the Risk of False Accusations: Confidentiality as Opposed to Anonymity. As a rule, the authors of an alert that involves behaviors attributed to designated individuals must identify themselves in order to limit the risk of false accusations and the CNIL advocates whistle-blowing practices ensuring confidentiality as opposed to those providing anonymity. However, the CNIL recognizes that anonymous accusations are a reality for many companies. The processing of such anonymous accusations and/or whistle-blowing practices must be handled with the utmost care. Public disclosure of these practices by the company should avoid encouraging anonymous denunciations and should encourage the use of formal pre-existing channels of communication such as the employees’ supervisors or employee representatives.

Limitation to a Dedicated Organization of the Gathering and Processing of Information Obtained Through Whistle-Blowing Practices. The gathering and processing of whistle-blowing alerts must be entrusted to a specific organization located inside and/or outside the company and dedicated to the processing of the alerts. The individuals and/or organization dedicated to this activity must be bound by a strict obligation of confidentiality. The dissemination of the information gathered in the context of a whistle-blowing procedure must remain very limited, as must its communication to nondedicated staff.

Informing the Individual Affected by the Denunciation as Soon as the Information/Evidence Supplied has been Safeguarded. The individual affected by the whistle-blowing must be informed as soon as the alert has been registered in order to enable him/her to exercise his/her right to oppose it, to have access to it, or to have it rectified. However, this informing should not take place before the adoption of conservatory measures to prevent the destruction of the evidence necessary to process the alert.

In view of the above, we recommend withdrawing any statement or mention of any whistle-blowing practice from the current ethics policy in force in France. We also suggest implementing a specific internal whistle-blowing policy in France that would allow the company to merely fill in the "sole authorization" template form, which will soon be provided by the CNIL.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.