France: Blowing The Whistle Across The Atlantic: Playing By The Rules

Last Updated: 12 December 2008
Article by Philippe Desprès

The spread of multinationals across the globe necessarily involves compliance with foreign legal systems in order for companies to not only continue to operate in different jurisdictions, but to thrive and develop their business interests in the international arena. This delicate balancing act between different legal systems and cultures is evident in relation to the whistleblowing procedures between the United States (the "US") and France over recent years, which requires companies to play by the whistleblowing rules set by the national authorities.

The Name of the Game

In order to ensure that a company is not being subverted from within its own ranks, a company's management may wish to implement a system of reporting to management of possible misconduct that violates a law or poses a threat to the public or company interest, such as fraud or corruption. This system of whistleblowing is of particular interest in the US, where the Securities and Exchange Commission ("SEC") sought to prevent large-scale financial embezzlements and accounting frauds, like Enron, from occurring again by relying upon the provision of insider information from employees. By implementing a reporting system, companies seek to prevent the risk or issue, which is potentially detrimental to their interests, from ever eventuating. This early warning system alerts management to issues within the workplace that may go unnoticed until serious damage to the business, reputation and financial losses have occurred, including fraud, criminal activity and concealment of errors. Furthermore, it provides legal protection to employees who may not be compelled to raise issues of fraud out of fear of having their employment terminated "at will" and their severance payments in jeopardy. When one considers the delicate balance between the nature of the US labor market, which is premised upon "at will" employment, and the European, specifically French labor market, which places extremely high value upon job protection and security, it is obvious to see why the issue of whistleblowing has been of such importance and has sparked such contention.

Two Sets of Rules Collide

Following the Enron financial scandal, the Sarbanes-Oxley Act (the "SO Act") was passed in July 2002, mandating that all listed US companies and their foreign subsidiaries implement anonymous hotline reporting systems that enable employees to report any financial offence that they are aware of and that could be liable to endanger the company's financial stability. The scope of such systems included accounting frauds or embezzlements liable to endanger the company. As a result, many US-based companies implemented these mechanisms in their international operations, without considering their applicability or inconsistency with foreign jurisdictions. This was the case with regard to French affiliates of US listed companies, which were subject to the SO Act, the French legal principles surrounding privacy and the Data Protection and Civil Liberties Act. These two systems diverged directly from one another, and it did not take long to realize that the two could not co-exist and that complying with both would be impossible.

In May 2005, the French administrative authority responsible for ensuring that data protection law is applied to the collection, storage, and use of personal data, the Commission nationale de l'informatique et des libertés ("CNIL"), refused to approve two systems of professional integrity set up by two US companies - McDonald's France and the Compagnie européenne d'accumulateurs (whose parent company was Exide Technologies Inc.) - to comply with the requirement under Section 301(4) of the SO Act on corporate governance. In the McDonald's case [1], the CNIL considered that an employer's implementation of a system designed to gather personal data from employees on facts that violate norms (be it professional rules of conduct and/or law) could lead to an organized system of professional denunciation. The CNIL expressed disfavor for a system that allows for anonymous accusations against individuals. In this respect, the CNIL held that the restrictions to personal employee rights and liberties underlying the whistleblowing initiative - which are not justified by the nature of the job to be performed and proportionate to the contemplated goal - could be in violation of Article L.1121-1 of the French Labor Code (formerly, Article L.120-2 of same).

The CNIL also stated its belief that the scope of the SO Act had the potential to be extended to any sort of actions that may undermine ethics or entail non-compliance with accounting or auditing procedures of a more general nature. Furthermore, the CNIL considered that the anonymity of such a system would only reinforce the risk of malicious denunciations occurring. As such, the use of an ethics alert system was seen to be disproportionate to the objectives sought and not necessary due to the existence of other avenues of redress available to companies, including training and informing employees through awareness programs, audits and alerts by statutory auditors and the referral of matters to the Labor Inspector or relevant courts, whilst still adhering to legal provisions and company rules.

However, this posed a problem for multinational companies that were required to adhere to the SO Act and therefore potentially be in violation of the French laws. As a result, discussions were held between the SEC and the CNIL on a regime that would allow compliance with both legal systems of the US and France. Following these discussions, on November 10, 2005, the CNIL devised Guidelines that set out a new framework for professional/corporate whistleblowing systems in France, which would allow multinational companies to comply with the anonymous hotline requirement of the SO Act without being incompatible with the French Data Protection Act of January 6, 1978 [2]. In releasing these Guidelines, the CNIL established that it is not opposed to whistleblowing regimes per se, but rather, that it is concerned about protecting the privacy rights of individuals identified through the whistleblowing process. Thus, various restrictions and controls on the collection and processing of information were required.

How to Play by the Rules in the new CNIL Code

On December 28, 2005, the CNIL published on its website Decision n°2005-305 (AU-004) dated December 8, 2005 [3], which imposed a number of key requirements that mirrored the Guidelines and specifically dealt with the procedures relating to gaining authorization for a whistleblowing system. Given the definitive nature of the Decision and Guidelines, it is essential to highlight the main issues of interest that US multinationals should consider in order to ensure compliance when implementing such an initiative in France.

1. Whistleblowing not mandatory

Professional whistleblowing systems can be used by companies in France. However, the CNIL specifically states that the employees' use thereof should be optional and not mandatory. In fact, the French Ministry of Labor and Social Affairs recommended that usage "should not be compulsory, but merely encouraged... Making reporting mandatory would result in transferring to employees the employer's duties to ensure compliance with the company's internal rules of procedure. It may also be argued that a compulsory reporting requirement would breach Article L.1121-1 of the Labor Code as a requirement out of proportion with its objective". [4]

2. Anonymity and Discipline

As explained above, the CNIL does not consider that "anonymous" whistleblowing should be encouraged, as it is difficult to investigate the matter and, from a social perspective, it may generate a hostile working environment where employees may make false or slanderous reports. Instead, the CNIL prefers "confidential reporting" where users are offered the facility to provide their information on an anonymous basis. However, it should be noted that the practice of anonymous reporting is not specifically prohibited. The CNIL also specifies in its Guidelines that: if a person reveals his/her identity, it must be kept confidential and not communicated to the person(s) accused of wrongdoing, and that it is the provision of information on facts that should be encouraged, as opposed to information concerning (and potentially denouncing) people.

The CNIL also mandates that no disciplinary action will be taken against individuals who do not report at all or who "blow the whistle in good faith". Therefore, any retaliation, such as dismissal, will not be considered by a Court to be based on real and serious grounds and therefore the employee will be entitled to claim damages for the loss sustained. However, should there be any abuse of the reporting procedure, the employer may impose a disciplinary measure.

3. Collection of Information

It could be argued that perhaps the CNIL fears that widespread availability and encouragement of whistleblowing regimes, particularly anonymous ones, could lead to a flood of abusive or inflated claims against employees. As such, it limited the scope of the subjects upon which reporting is permitted, legitimizing whistleblowing with respect to areas for which there are precise obligations relating to internal corporate controls, for example, regarding a company's internal accounting or auditing matters, corruption or fraud. Whistleblowing systems limited to the above-defined scope will benefit from a single authorization from the CNIL, subject to compliance with other rules recommended thereby. On the other hand, for systems not based on statutory or regulatory obligations of internal control in the financial, accounting, banking and anti-bribery areas, the CNIL will carry out a case-by-case assessment of the legitimacy of the purposes and the proportionality of the whistleblowing system envisaged, in the context of its authorization powers. So as to avoid the improper use of whistleblowing systems to report facts unrelated to such pre-determined areas, data controllers must clearly indicate that these systems are strictly reserved for such areas, and must refrain from investigating reports related to other areas, unless the vital interest of the company or the physical or moral integrity of its employees are at stake. Data relating to a report found to be unsubstantiated by the entity in charge of processing such reports must be deleted immediately. Data relating to alerts giving rise to an investigation must not be stored for more than two months from the close of the verification operations, unless a disciplinary procedure or legal proceedings are initiated against the person incriminated in the report or the author of the abusive alert.

Any information that is provided to the whistleblowing initiative must be collected in a fair, objective and appropriate manner, and must not only fall within the scope of the company's whistleblowing system, but must also be limited to those details necessary to verify and investigate the alleged issue.

The sole categories of data that may be processed are as follows:

  • identity, functions and contact information relating to the whistleblower;
  • identity, functions and contact information relating to the person subject to the whistleblowing;
  • identity, functions and contact information relating to the people intervening in the collection or processing of the whistleblowing procedure;
  • facts disclosed;
  • elements collected during the investigations on the denounced practice;
  • investigation reports;
  • actions implemented further to the confirmation of the information disclosed by the whistleblower.

The works council and the Health, Safety and Working Conditions Committee (CHSCT) must be consulted and informed of these issues, as provided for in the Labor Code (Articles L.1222-4 and L.2323-13), prior to the implementation of the initiative. Information should also be provided that specifies: the entity responsible for the hotline; its purpose and scope; and that employees have the right to access and correct information about themselves if required.

Finally, it is mandated that employees who are suspected following an internal inquiry should be informed of the facts against them "as soon as the evidence has been preserved".

4. External Providers and Data Retention

The CNIL mandates that whistleblowing systems must be conducted by a dedicated group of specially trained professionals, who may be trusted to handle confidential information. It is important to note that external providers may be used to collect reports, so long as there is compliance with French and European data protection principles and rules. This includes rules relating to data retention, which provide that if a report is outside the scope of the system it should be deleted or archived immediately.

If a report does fall within the scope of the system (i.e. relating to harassment, conflicts of interests, bribery, breaches of confidentiality, etc.), it must be investigated internally and findings are to be provided within 2 months. After this, an employer must decide to initiate disciplinary action or judicial procedure (in which case data can be kept until the end of the procedure) or to not follow up on the report (in which case data must be deleted or archived immediately). Archived data may only be kept for a maximum of 30 years, and access is limited to those people in the company responsible for handling the reports.

5. Transfer of personal data outside the EU

Under French laws, any transfer of personal data to a third party, notably where the third party is located in a country that is not deemed to offer an "adequate" level of protection (such as the US), is a processing operation that requires prior authorization from the CNIL, in order to assess the safeguards that would be envisaged by the Company or any of its subsidiaries in the processing of the data transferred to the third country or more generally outside the EU.

As an exception, such authorization is automatically granted to any applicant who subscribes to the provisions specified in the Decision. The applicant must however demonstrate that:

  • the recipient located in the US, for example, previously applied for the Safe Harbor mechanism controlled by the U.S. Federal Trade Commission [5];
  • the French company sending the data and the recipient located outside the EU have concluded a data flow transfer agreement based on the European Commission's standard contracts [6]. This "standard contract" solution offers the opportunity for EU and non-EU countries to transfer data by entering into a specific type of contract in which certain clauses are drafted by the European Commission [7]; or
  • a company's internal rules relating to data processing have previously been approved by the CNIL.

Scouting, Drafting and CNIL Authorization

Simplified Authorization

As mentioned earlier, whistleblowing systems have to be authorized by the CNIL prior to implementation. If a company wishes to implement a system that is directly in line with the contents of the CNIL decision, then a unilateral commitment to comply with that decision should be completed online, in French, on the CNIL website. This simplified authorization requires the organization seeking to implement a whistleblowing scheme to:

  • indicate its legal nature;
  • provide the name, address and contact details of the entity responsible for the implementation, as well as of the person(s) responsible for compliance in general;
  • provide the name, address and contact details of the person whom the CNIL can contact, and complete a purpose section, which requires the organization to indicate which software is used, how many persons are concerned by the whistleblowing system, the year of its implementation, and whether data will be transferred to countries outside the EU (if so, the countries concerned have to be specified in a list).

An acknowledgment receipt ("récépissé") is then sent to the organization by normal mail and the company can implement the whistleblowing scheme without having to submit the scheme to scrutiny. It constitutes an authorization of the notified system as well as, if relevant, an authorization of the international data transfers taking place in the context of running the whistleblowing system. It should be noted that the December 8, 2005 Decision provides for, in certain conditions, an authorization to transfer data to a non-EU country.

Therefore, if a company confines its whistleblowing regime to the alerting of financial irregularities, it will be able to receive a single authorization from the CNIL for all of its French operations.

Normal Authorization

However, if the organization wishes to implement a system that is not strictly in line with the December 8, 2005 Decision, it should file a request to the CNIL for an individual authorization, pursuant to Article 25-I (4°) of the French Data Protection Act of January 6, 1978. This application for authorization should specify inter alia: the identity of the data processor, the characteristics and objectives of the data processing, the type and origin of the processed data, the recipients of the data and the duration of storage. In addition, the file should contain information relating to access rights by data subjects, and the measures taken to ensure the security and confidentiality of the data.

The file must also specify whether or not the data is to be transferred abroad, in which case a form should be complemented with an appendix relating to international data transfers [8], which would then remain subject to a second request for authorization. As with the simplified authorization, any data transferred to a third country, which does not provide an "adequate" level of protection, should be subject to:

  1. prior adherence by the recipient of the data to the Safe Harbor principles (only applicable to US recipients); or
  2. the conclusion of specific agreements based on the standard contracts drafted by the European Commission; or
  3. a company's internal rules relating to the processing previously approved by the CNIL.

This formality is to be completed in French only. The request for individual authorization will be reviewed in a plenary session of the CNIL within two months following its filing, provided no additional information is requested from the organization.


Companies should consider a number of issues when setting up whistleblowing schemes in the EU and, in particular, France. Firstly, the scope of whistleblowing schemes should be limited to complaints relating to accounting, auditing, banking and financial corruption, as specified in the SO Act. Secondly, a company should notify employees about the details of the whistleblowing scheme and encourage employees to identify themselves whilst protecting the confidentiality of their identities. Thirdly, appropriate contracts with providers of reporting services must be entered into, so as to ensure information is collected through a dedicated channel where the confidentiality of information collected is prioritized and reports are securely deleted or archived when required.

Obviously, it is difficult to adopt a "standard, one size fits all" whistleblowing policy when subsidiaries across different countries have multifaceted compliance obligations. However, in order to operate a whistleblowing scheme in the EU, which complies with the SO Act, the CNIL Guidelines and Decision, as well as the WP29 Opinion, must be followed.

It therefore seems preferable to adapt a whistleblowing scheme rather than simply apply it as is. Adapting the scheme to the local specificities proves indispensable.

Furthermore, ethics alert systems are and must remain complementary to the information and alert channels already in place within the company: hierarchic channel, staff representatives and statutory auditor.

Although far from being the ideal solution, such ethics alert systems, if appropriately adapted and monitored, will have proven their utility if they make it possible to expose infractions and frauds and to put an end to them through the adoption of the optimal strategy for companies.


1. Decision n°2005-110 dated May 26, 2005, McDonald's France.

2. As amended in August 2004 by the law 2004-801

3. Published in the French Official Gazette on January 4, 2006.

4. CNIL, "FAQs on Whistleblowing Systems",

5. In this respect, a specific "Privacy" officer should be appointed by the recipient to follow up with the FTC on the compliance of this recipient entity with the Safe Harbor principles.

Such an application would require time (between 6 months and 1 year) and the intervention of US lawyers to achieve this procedure.


7. In fact, the Council and European Parliament gave the Commission the power to decide that certain standard contractual clauses offer sufficient safeguards with respect to the protection of privacy and personal data processing. Thus, the European Commission adopted three decisions setting out three sets of standard contractual clauses that depend on the parties entering into the contract:

  • DC to DC: Standard cross-border contract "Data Controller to Data Controller" issued by the Commission in a decision dated June 15, 2001;
  • DC to DP: Standard cross-border contract "Data Controller to Data Processor" issued by the Commission in a decision dated December 27, 2001;
  • DC to AC: Standard cross-border contract "Data Controller to Affiliated Companies" issued by the Commission in a decision dated January 7, 2005.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
