France: Blowing The Whistle Across The Atlantic: Playing By The Rules

Last Updated: 12 December 2008
Article by Philippe Desprès

The spread of multinationals across the globe necessarily involves compliance with foreign legal systems in order for companies to not only continue to operate in different jurisdictions, but to thrive and develop their business interests in the international arena. This delicate balancing act between different legal systems and cultures is evident in relation to the whistleblowing procedures between the United States (the "US") and France over recent years, which requires companies to play by the whistleblowing rules set by the national authorities.

The Name of the Game

In order to ensure that a company is not being subverted from within its own ranks, a company's management may wish to implement a system of reporting to management of possible misconduct that violates a law or poses a threat to the public or company interest, such as fraud or corruption. This system of whistleblowing is of particular interest in the US, where the Securities and Exchange Commission ("SEC") sought to prevent large-scale financial embezzlements and accounting frauds, like Enron, from occurring again by relying upon the provision of insider information from employees. By implementing a reporting system, companies seek to prevent the risk or issue, which is potentially detrimental to their interests, from ever eventuating. This early warning system alerts management to issues within the workplace that may go unnoticed until serious damage to the business, reputation and financial losses have occurred, including fraud, criminal activity and concealment of errors. Furthermore, it provides legal protection to employees who may not be compelled to raise issues of fraud out of fear of having their employment terminated "at will" and their severance payments in jeopardy. When one considers the delicate balance between the nature of the US labor market, which is premised upon "at will" employment, and the European, specifically French labor market, which places extremely high value upon job protection and security, it is obvious to see why the issue of whistleblowing has been of such importance and has sparked such contention.

Two Sets of Rules Collide

Following the Enron financial scandal, the Sarbanes-Oxley Act (the "SO Act") was passed in July 2002, mandating that all listed US companies and their foreign subsidiaries implement anonymous hotline reporting systems that enable employees to report any financial offence that they are aware of and that could be liable to endanger the company's financial stability. The scope of such systems included accounting frauds or embezzlements liable to endanger the company. As a result, many US-based companies implemented these mechanisms in their international operations, without considering their applicability to, or consistency with, foreign jurisdictions. This was the case with regard to French affiliates of US listed companies, which were subject to the SO Act, the French legal principles surrounding privacy and the Data Protection and Civil Liberties Act. These two systems were in direct conflict with one another, and it did not take long to realize that the two could not co-exist and that complying with both at once would be impossible.

In May 2005, the French administrative authority responsible for ensuring that data protection law is applied to the collection, storage, and use of personal data, the Commission nationale de l'informatique et des libertés ("CNIL"), refused to approve two systems of professional integrity set up by two US companies - McDonald's France and the Compagnie européenne d'accumulateurs (whose parent company was Exide Technologies Inc.) - to comply with the requirement under Section 301(4) of the SO Act on corporate governance. In the McDonald's case [1], the CNIL considered that an employer's implementation of a system designed to gather personal data from employees on facts that violate norms (be it professional rules of conduct and/or law) could lead to an organized system of professional denunciation. The CNIL expressed disfavor for a system that allows for anonymous accusations against individuals. In this respect, the CNIL held that the restrictions to personal employee rights and liberties underlying the whistleblowing initiative - which are not justified by the nature of the job to be performed and proportionate to the contemplated goal - could be in violation of Article L.1121-1 of the French Labor Code (formerly, Article L.120-2 of same).

The CNIL also stated its belief that the scope of the SO Act had the potential to be extended to any sort of actions that may undermine ethics or entail non-compliance with accounting or auditing procedures of a more general nature. Furthermore, the CNIL considered that the anonymity of such a system would only reinforce the risk of malicious denunciations occurring. As such, the use of an ethics alert system was seen to be disproportionate to the objectives sought and not necessary due to the existence of other avenues of redress available to companies, including training and informing employees through awareness programs, audits and alerts by statutory auditors and the referral of matters to the Labor Inspector or relevant courts, whilst still adhering to legal provisions and company rules.

However, this posed a problem for multinational companies that were required to adhere to the SO Act and therefore potentially be in violation of the French laws. As a result, discussions were held between the SEC and the CNIL, in order to discuss a regime that would allow compliance with both legal systems of the US and France. Following these discussions, on November 10, 2005, the CNIL devised Guidelines that set out a new framework for professional/corporate whistleblowing systems in France, which would allow multinational companies to comply with the anonymous hotline requirement of the SO Act without being incompatible with the French Data Protection Act of January 6, 1978 [2]. In releasing these Guidelines, the CNIL established that it is not opposed to whistleblowing regimes per se, but rather, that it is concerned about protecting the privacy rights of individuals identified through the whistleblowing process. Thus, various restrictions and controls on the collection and processing of information were required.

How to Play by the Rules in the new CNIL Code

On December 28, 2005, the CNIL published on its website Decision n°2005-305 (AU-004) dated December 8, 2005 [3], which imposed a number of key requirements that mirrored the Guidelines and specifically dealt with the procedures relating to gaining authorization for a whistleblowing system. Given the definitive nature of the Decision and Guidelines, it is essential to highlight the main issues of interest that US multinationals should consider in order to ensure compliance when implementing such an initiative in France.

1. Whistleblowing not mandatory

Professional whistleblowing systems can be used by companies in France. However, the CNIL specifically states that the employees' use thereof should be optional and not mandatory. In fact, the French Ministry of Labor and Social Affairs recommended that usage "should not be compulsory, but merely encouraged... Making reporting mandatory would result in transferring to employees the employer's duties to ensure compliance with the company's internal rules of procedure. It may also be argued that a compulsory reporting requirement would breach Article L.1121-1 of the Labor Code as a requirement out of proportion with its objective". [4]

2. Anonymity and Discipline

As explained above, the CNIL does not consider that "anonymous" whistleblowing should be encouraged, as it is difficult to investigate the matter and, from a social perspective, it may generate a hostile working environment where employees may make false or slanderous reports. Instead, the CNIL prefers "confidential reporting" where users are offered the facility to provide their information on an anonymous basis. However, it should be noted that the practice of anonymous reporting is not specifically prohibited. The CNIL also specifies in its Guidelines that: if a person reveals his/her identity, it must be kept confidential and not communicated to the person(s) accused of wrongdoing, and that it is the provision of information on facts that should be encouraged, as opposed to information concerning (and potentially denouncing) people.

The CNIL also mandates that no disciplinary action will be taken against individuals who do not report at all or who "blow the whistle in good faith". Therefore, any retaliation, such as dismissal, will not be considered by a Court to be based on real and serious grounds and therefore the employee will be entitled to claim damages for the loss sustained. However, should there be any abuse of the reporting procedure, the employer may impose a disciplinary measure.

3. Collection of Information

It could be argued that perhaps the CNIL fears that widespread availability and encouragement of whistleblowing regimes, particularly anonymous ones, could lead to a flood of abusive or inflated claims against employees. As such, it limited the scope of the subjects upon which reporting is permitted, legitimizing whistleblowing with respect to areas for which there are precise obligations relating to internal corporate controls, for example, regarding a company's internal accounting or auditing matters, corruption or fraud. Whistleblowing systems limited to the above-defined scope will benefit from a single authorization from the CNIL, subject to compliance with other rules recommended thereby. On the other hand, for systems not based on statutory or regulatory obligations of internal control in the financial, accounting, banking and anti-bribery areas, the CNIL will carry out a case-by-case assessment of the legitimacy of the purposes and the proportionality of the whistleblowing system envisaged, in the context of its authorization powers. So as to avoid the improper use of whistleblowing systems to report facts unrelated to such pre-determined areas, data controllers must clearly indicate that these systems are strictly reserved for such areas, and must refrain from investigating reports related to other areas, unless the vital interest of the company or the physical or moral integrity of its employees are at stake. Data relating to a report found to be unsubstantiated by the entity in charge of processing such reports must be deleted immediately. Data relating to alerts giving rise to an investigation must not be stored for more than two months from the close of the verification operations, unless a disciplinary procedure or legal proceedings are initiated against the person incriminated in the report or the author of the abusive alert.

Any information that is provided to the whistleblowing initiative must be collected in a fair, objective and appropriate manner, and must not only fall within the scope of the company's whistleblowing system, but must also be limited to those details necessary to verify and investigate the alleged issue.

The sole categories of data that may be processed are as follows:

  • identity, functions and contact information relating to the whistleblower;
  • identity, functions and contact information relating to the person subject to the whistleblowing;
  • identity, functions and contact information relating to the people intervening in the collection or processing of the whistleblowing procedure;
  • facts disclosed;
  • elements collected during the investigations on the denounced practice;
  • investigation reports;
  • actions implemented further to the confirmation of the information disclosed by the whistleblower.

The works council and the Health, Safety and Working Conditions Committee (CHSCT) must be consulted and informed of these issues, as provided for in the Labor Code (Articles L.1222-4 and L.2323-13), prior to the implementation of the initiative. Information should also be provided that specifies: the entity responsible for the hotline; its purpose and scope; and that employees have the right to access and correct information about themselves if required.

Finally, it is mandated that employees who are suspected following an internal inquiry should be informed of the facts against them "as soon as the evidence has been preserved".

4. External Providers and Data Retention

The CNIL mandates that whistleblowing systems must be conducted by a dedicated group of specially trained professionals, who may be trusted to handle confidential information. It is important to note that external providers may be used to collect reports, so long as there is compliance with French and European data protection principles and rules. This includes rules relating to data retention, which provide that if a report is outside the scope of the system it should be deleted or archived immediately.

If a report does fall within the scope of the system (i.e. relating to harassment, conflicts of interests, bribery, breaches of confidentiality, etc.), it must be investigated internally and findings are to be provided within 2 months. After this, an employer must decide to initiate disciplinary action or judicial procedure (in which case data can be kept until the end of the procedure) or to not follow up on the report (in which case data must be deleted or archived immediately). Archived data may only be kept for a maximum of 30 years, and access is limited to those people in the company responsible for handling the reports.

5. Transfer of personal data outside the EU

Under French laws, any transfer of personal data to a third party, notably where the third party is located in a country that is not deemed to offer an "adequate" level of protection (such as the US), is a processing operation that requires prior authorization from the CNIL, in order to assess the safeguards that would be envisaged by the Company or any of its subsidiaries in the processing of the data transferred to the third country or more generally outside the EU.

As an exception, such authorization is automatically granted to any applicant who subscribes to the provisions specified in the Decision. The applicant must however demonstrate that:

  • the recipient located in the US, for example, previously applied for the Safe Harbor mechanism controlled by the U.S. Federal Trade Commission [5];
  • the French company sending the data and the recipient located outside the EU have concluded a data flow transfer agreement based on the European Commission's standard contracts [6]. This "standard contract" solution offers the opportunity for EU and non-EU countries to transfer data by entering into a specific type of contract in which certain clauses are drafted by the European Commission [7]; or
  • a company's internal rules relating to data processing have previously been approved by the CNIL.

Scouting, Drafting and CNIL Authorization

Simplified Authorization

As mentioned earlier, whistleblowing systems have to be authorized by the CNIL prior to implementation. If a company wishes to implement a system that is directly in line with the contents of the CNIL decision, then a unilateral commitment to comply with that decision should be completed online, in French, on the CNIL website. This simplified authorization requires the organization seeking to implement a whistleblowing scheme to:

  • indicate its legal nature;
  • provide the name, address and contact details of the entity responsible for the implementation, as well as of the person(s) responsible for compliance in general;
  • the name, address and contact details of the person whom the CNIL can contact, and a purpose section, which requires the organization to indicate which software is used, how many persons are concerned by the whistleblowing system, the year of its implementation, and whether data will be transferred to countries outside the EU (if so, the countries concerned have to be specified in a list).

An acknowledgment receipt ("récépissé") is then sent to the organization by normal mail and the company can implement the whistleblowing scheme without having to submit the scheme to scrutiny. It constitutes an authorization of the notified system as well as, if relevant, an authorization of the international data transfers taking place in the context of running the whistleblowing system. It should be noted that the December 8, 2005 Decision provides for, in certain conditions, an authorization to transfer data to a non-EU country.

Therefore, if a company confines its whistleblowing regime to the alerting of financial irregularities, it will be able to receive a single authorization from the CNIL for all of its French operations.

Normal Authorization

However, if the organization wishes to implement a system that is not strictly in line with the December 8, 2005 Decision, it should file a request to the CNIL for an individual authorization, pursuant to Article 25-I (4°) of the French Data Protection Act of January 6, 1978. This application for authorization should specify inter alia: the identity of the data processor, the characteristics and objectives of the data processing, the type and origin of the processed data, the recipients of the data and the duration of storage. In addition, the file should contain information relating to access rights by data subjects, and the measures taken to ensure the security and confidentiality of the data.

The file must also specify whether or not the data is to be transferred abroad, in which case a form should be complemented with an appendix relating to international data transfers [8], which would then remain subject to a second request for authorization. As with the simplified authorization, any data transferred to a third country, which does not provide an "adequate" level of protection, should be subject to:

  1. prior adherence by the recipient of the data to the Safe Harbor principles (only applicable to US recipients); or
  2. the conclusion of specific agreements based on the standard contracts drafted by the European Commission; or
  3. a company's internal rules relating to the processing previously approved by the CNIL.

This formality is to be completed in French only. The request for individual authorization will be reviewed in a plenary session of the CNIL within two months following its filing, provided no additional information is requested from the organization.


Companies should consider a number of issues when setting up whistleblowing schemes in the EU and, in particular, France. Firstly, the scope of whistleblowing schemes should be limited to complaints relating to accounting, auditing, banking and financial corruption, as specified in the SO Act. Secondly, a company should notify employees about the details of the whistleblowing scheme and encourage employees to identify themselves whilst protecting the confidentiality of their identities. Thirdly, appropriate contracts with providers of reporting services must be entered into, so as to ensure information is collected through a dedicated channel where the confidentiality of information collected is prioritized and reports are securely deleted or archived when required.

Obviously, it is difficult to adopt a "standard, one size fits all" whistleblowing policy when subsidiaries across different countries have multifaceted compliance obligations. However, in order to operate a whistleblowing scheme in the EU, which complies with the SO Act, the CNIL Guidelines and Decision, as well as the WP29 Opinion, must be followed.

It therefore seems preferable to adapt a whistleblowing scheme rather than simply apply it as is. Adapting the scheme to the local specificities proves indispensable.

Furthermore, ethics alert systems are and must remain complementary to the information and alert channels already in place within the company: hierarchic channel, staff representatives and statutory auditor.

Though far from being the ideal solution, such ethics alert systems, appropriately adapted and monitored, will have proven their utility if they make it possible to expose infractions and frauds and to put an end to them through the adoption of the optimal strategy for companies.


1. Decision n°2005-110 dated May 26, 2005, McDonald's France.

2. As amended in August 2004 by the law 2004-801

3. Published in the French Official Gazette on January 4, 2006.

4. CNIL, "FAQs on Whistleblowing Systems",

5. In this respect, a specific "Privacy" officer should be appointed by the recipient to follow up with the FTC on the compliance of this recipient entity with the Safe Harbor principles.

Such an application would require time (between 6 months and 1 year) and the intervention of US lawyers to achieve this procedure.


7. In fact, the Council and European Parliament gave the Commission the power to decide that certain standard contractual clauses offer sufficient safeguards with respect to the protection of privacy and personal data processing. Thus, the European Commission adopted three decisions setting out three sets of standard contractual clauses that depend on the parties entering into the contract:

  • DC to DC: Standard cross-border contract "Data Controller to Data Controller" issued by the Commission in a decision dated June 15, 2001;
  • DC to DP: Standard cross-border contract "Data Controller to Data Processor" issued by the Commission in a decision dated December 27, 2001;
  • DC to AC: Standard cross-border contract "Data Controller to Affiliated Companies" issued by the Commission in a decision dated January 7, 2005.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
