The spread of multinationals across the globe necessarily involves compliance with foreign legal systems, not only so that companies can continue to operate in different jurisdictions, but so that they can thrive and develop their business interests in the international arena. This delicate balancing act between different legal systems and cultures has been evident in the differing whistleblowing procedures of the United States (the "US") and France over recent years, which require companies to play by the whistleblowing rules set by each national authority.
The Name of the Game
In order to ensure that a company is not being subverted from within its own ranks, a company's management may wish to implement a system for reporting to management possible misconduct that violates a law or poses a threat to the public or company interest, such as fraud or corruption. This system of whistleblowing is of particular interest in the US, where the Securities and Exchange Commission ("SEC") sought to prevent large-scale financial embezzlements and accounting frauds, like Enron, from occurring again by relying upon the provision of insider information from employees. By implementing a reporting system, companies seek to prevent a risk or issue that is potentially detrimental to their interests from ever eventuating. This early warning system alerts management to issues within the workplace that may otherwise go unnoticed until serious damage to the business, its reputation and its finances has occurred, including fraud, criminal activity and the concealment of errors. Furthermore, it provides legal protection to employees who might otherwise be deterred from raising issues of fraud out of fear of having their employment terminated "at will" and their severance payments put in jeopardy. When one considers the delicate balance between the nature of the US labor market, which is premised upon "at will" employment, and the European, and specifically French, labor market, which places extremely high value upon job protection and security, it is easy to see why the issue of whistleblowing has been of such importance and has sparked such contention.
Two Sets of Rules Collide
Following the Enron financial scandal, the Sarbanes-Oxley Act (the "SO Act") was enacted in July 2002, mandating that all listed US companies and their foreign subsidiaries implement anonymous hotline reporting systems that enable employees to report any financial offence that they are aware of and that could endanger the company's financial stability. The scope of such systems included accounting frauds or embezzlements liable to endanger the company. As a result, many US-based companies implemented these mechanisms in their international operations without considering their applicability to, or inconsistency with, foreign jurisdictions. This was the case with regard to French affiliates of US listed companies, which were subject both to the SO Act and to the French legal principles surrounding privacy and the Data Protection and Civil Liberties Act. These two systems diverged directly from one another, and it did not take long to realize that it would be impossible to comply with both and for the two to co-exist.
In May 2005, the French administrative authority responsible for ensuring that data protection law is applied to the collection, storage, and use of personal data, the Commission nationale de l'informatique et des libertés ("CNIL"), refused to approve two professional integrity systems set up by two US companies - McDonald's France and the Compagnie européenne d'accumulateurs (whose parent company was Exide Technologies Inc.) - to comply with the requirement under Section 301(4) of the SO Act on corporate governance. In the McDonald's case [1], the CNIL considered that an employer's implementation of a system designed to gather personal data from employees on facts that violate norms (be they professional rules of conduct and/or law) could lead to an organized system of professional denunciation. The CNIL expressed disfavor for a system that allows anonymous accusations against individuals. In this respect, the CNIL held that the restrictions on personal employee rights and liberties underlying the whistleblowing initiative - which were neither justified by the nature of the job to be performed nor proportionate to the contemplated goal - could be in violation of Article L.1121-1 of the French Labor Code (formerly Article L.120-2 of the same Code).
The CNIL also stated its belief that the scope of the SO Act had the potential to be extended to any sort of action that may undermine ethics or entail non-compliance with accounting or auditing procedures of a more general nature. Furthermore, the CNIL considered that the anonymity of such a system would only reinforce the risk of malicious denunciations. As such, the use of an ethics alert system was seen as disproportionate to the objectives sought and unnecessary, given the other avenues of redress available to companies, including training and informing employees through awareness programs, audits and alerts by statutory auditors, and the referral of matters to the Labor Inspector or the relevant courts, whilst still adhering to legal provisions and company rules.
However, this posed a problem for multinational companies that were required to adhere to the SO Act and would therefore potentially be in violation of French law. As a result, discussions were held between the SEC and the CNIL to devise a regime that would allow compliance with both the US and the French legal systems. Following these discussions, on November 10, 2005, the CNIL issued Guidelines that set out a new framework for professional/corporate whistleblowing systems in France, which would allow multinational companies to comply with the anonymous hotline requirement of the SO Act without being incompatible with the French Data Protection Act of January 6, 1978 [2]. In releasing these Guidelines, the CNIL established that it is not opposed to whistleblowing regimes per se, but rather that it is concerned with protecting the privacy rights of individuals identified through the whistleblowing process. Thus, various restrictions and controls on the collection and processing of information were required.
How to Play by the Rules in the new CNIL Code
On December 28, 2005, the CNIL published on its website Decision n°2005-305 (AU-004) dated December 8, 2005 [3], which imposed a number of key requirements that mirrored the Guidelines and specifically dealt with the procedures for obtaining authorization for a whistleblowing system. Given the definitive nature of the Decision and Guidelines, it is essential to highlight the main issues that US multinationals should consider in order to ensure compliance when implementing such an initiative in France.
1. Whistleblowing not mandatory
Professional whistleblowing systems can be used by companies in France. However, the CNIL specifically states that the employees' use thereof should be optional and not mandatory. In fact, the French Ministry of Labor and Social Affairs recommended that usage "should not be compulsory, but merely encouraged... Making reporting mandatory would result in transferring to employees the employer's duties to ensure compliance with the company's internal rules of procedure. It may also be argued that a compulsory reporting requirement would breach Article L.1121-1 of the Labor Code as a requirement out of proportion with its objective" [4].
2. Anonymity and Discipline
As explained above, the CNIL does not consider that "anonymous" whistleblowing should be encouraged, as it makes the matter difficult to investigate and, from a social perspective, it may generate a hostile working environment in which employees make false or slanderous reports. Instead, the CNIL prefers "confidential reporting", where users are offered the facility to provide their information on an anonymous basis. However, it should be noted that the practice of anonymous reporting is not specifically prohibited. The CNIL also specifies in its Guidelines that if a person reveals his/her identity, it must be kept confidential and not communicated to the person(s) accused of wrongdoing, and that it is the provision of information on facts that should be encouraged, as opposed to information concerning (and potentially denouncing) people.
The CNIL also mandates that no disciplinary action may be taken against individuals who do not report at all or who "blow the whistle in good faith". Therefore, any retaliation, such as dismissal, will not be considered by a court to be based on real and serious grounds, and the employee will be entitled to claim damages for the loss sustained. However, should there be any abuse of the reporting procedure, the employer may impose a disciplinary measure.
3. Collection of Information
It could be argued that the CNIL fears that the widespread availability and encouragement of whistleblowing regimes, particularly anonymous ones, could lead to a flood of abusive or inflated claims against employees. As such, it limited the scope of the subjects on which reporting is permitted, legitimizing whistleblowing only in areas for which there are precise obligations relating to internal corporate controls, for example a company's internal accounting or auditing matters, corruption or fraud. Whistleblowing systems limited to this scope will benefit from a single authorization from the CNIL, subject to compliance with the other rules it recommends. On the other hand, for systems not based on statutory or regulatory obligations of internal control in the financial, accounting, banking and anti-bribery areas, the CNIL will carry out a case-by-case assessment of the legitimacy of the purposes and the proportionality of the whistleblowing system envisaged, in the context of its authorization powers. To avoid the improper use of whistleblowing systems to report facts unrelated to these pre-determined areas, data controllers must clearly indicate that the systems are strictly reserved for such areas, and must refrain from investigating reports relating to other areas, unless the vital interest of the company or the physical or moral integrity of its employees is at stake. Data relating to a report found to be unsubstantiated by the entity in charge of processing such reports must be deleted immediately. Data relating to alerts giving rise to an investigation must not be stored for more than two months from the close of the verification operations, unless a disciplinary procedure or legal proceedings are initiated against the person incriminated in the report or the author of an abusive alert.
Any information that is provided to the whistleblowing initiative must be collected in a fair, objective and appropriate manner, and must not only fall within the scope of the company's whistleblowing system, but must also be limited to those details necessary to verify and investigate the alleged issue.
The sole categories of data that may be processed are as follows:
- identity, functions and contact information relating to the whistleblower;
- identity, functions and contact information relating to the person subject to the whistleblowing;
- identity, functions and contact information relating to the people intervening in the collection or processing of the whistleblowing procedure;
- facts disclosed;
- elements collected during the investigations on the denounced practice;
- investigation reports;
- actions implemented further to the confirmation of the information disclosed by the whistleblower.
The works council and the Health, Safety and Working Conditions Committee (CHSCT) must be consulted and informed of these issues, as provided for in the Labor Code (Articles L.1222-4 and L.2323-13), prior to the implementation of the initiative. Employees should also be given information specifying the entity responsible for the hotline, its purpose and scope, and their right to access and correct information about themselves if required.
Finally, it is mandated that employees who are suspected following an internal inquiry should be informed of the facts against them "as soon as the evidence has been preserved".
4. External Providers and Data Retention
The CNIL mandates that whistleblowing systems be operated by a dedicated group of specially trained professionals who can be trusted to handle confidential information. It is important to note that external providers may be used to collect reports, so long as French and European data protection principles and rules are complied with. These include rules on data retention, which provide that a report outside the scope of the system must be deleted or archived immediately.
If a report does fall within the scope of the system (i.e. it relates to harassment, conflicts of interest, bribery, breaches of confidentiality, etc.), it must be investigated internally and findings are to be provided within 2 months. After this, the employer must decide either to initiate disciplinary action or judicial proceedings (in which case the data can be kept until the end of the procedure) or not to follow up on the report (in which case the data must be deleted or archived immediately). Archived data may be kept for a maximum of 30 years, and access is limited to those people in the company responsible for handling the reports.
5. Transfer of personal data outside the EU
Under French law, any transfer of personal data to a third party, notably one located in a country that is not deemed to offer an "adequate" level of protection (such as the US), is a processing operation that requires prior authorization from the CNIL, so that it can assess the safeguards envisaged by the company or any of its subsidiaries for the processing of the data transferred to the third country or, more generally, outside the EU.
As an exception, such authorization is automatically granted to any applicant who subscribes to the provisions specified in the Decision. The applicant must however demonstrate that:
- the recipient located in the US, for example, has previously applied for the Safe Harbor mechanism controlled by the U.S. Federal Trade Commission [5];
- the French company sending the data and the recipient located outside the EU have concluded a data flow transfer agreement based on the European Commission's standard contracts [6]. This "standard contract" solution offers the opportunity for EU and non-EU countries to transfer data by entering into a specific type of contract in which certain clauses are drafted by the European Commission [7]; or
- a company's internal rules relating to data processing have previously been approved by the CNIL.
Scouting, Drafting and CNIL Authorization
As mentioned earlier, whistleblowing systems have to be authorized by the CNIL prior to implementation. If a company wishes to implement a system that is directly in line with the contents of the CNIL Decision, a unilateral commitment to comply with that Decision should be completed online, in French, on the CNIL website www.cnil.fr. This simplified authorization requires the organization seeking to implement a whistleblowing scheme to:
- indicate its legal nature;
- provide the name, address and contact details of the entity responsible for the implementation, as well as of the person(s) responsible for compliance in general;
- provide the name, address and contact details of the person whom the CNIL can contact, and complete a purpose section, which requires the organization to indicate which software is used, how many persons are concerned by the whistleblowing system, the year of its implementation, and whether data will be transferred to countries outside the EU (if so, the countries concerned have to be specified in a list).
An acknowledgment receipt ("récépissé") is then sent to the organization by ordinary mail, and the company can implement the whistleblowing scheme without having to submit it for scrutiny. The receipt constitutes an authorization of the notified system as well as, if relevant, an authorization of the international data transfers taking place in the context of running the whistleblowing system. It should be noted that the December 8, 2005 Decision provides, under certain conditions, for an authorization to transfer data to a non-EU country.
Therefore, if a company confines its whistleblowing regime to the alerting of financial irregularities, it will be able to receive a single authorization from the CNIL for all of its French operations.
However, if the organization wishes to implement a system that is not strictly in line with the December 8, 2005 Decision, it should file a request with the CNIL for an individual authorization, pursuant to Article 25-I (4°) of the French Data Protection Act of January 6, 1978. This application for authorization should specify, inter alia, the identity of the data processor, the characteristics and objectives of the data processing, the type and origin of the processed data, the recipients of the data and the duration of storage. In addition, the file should contain information on the access rights of data subjects and on the measures taken to ensure the security and confidentiality of the data.
The file must also specify whether or not the data is to be transferred abroad, in which case the form should be supplemented with an appendix relating to international data transfers [8], which remains subject to a second request for authorization. As with the simplified authorization, any data transferred to a third country that does not provide an "adequate" level of protection should be subject to:
- prior adherence by the recipient of the data to the Safe Harbor principles (only applicable to US recipients); or
- the conclusion of specific agreements based on the standard contracts drafted by the European Commission; or
- a company's internal rules relating to the processing previously approved by the CNIL.
This formality is to be completed in French only. The request for individual authorization will be reviewed in a plenary session of the CNIL within two months following its filing, provided no additional information is requested from the organization.
Companies should consider a number of issues when setting up whistleblowing schemes in the EU and, in particular, in France. Firstly, the scope of whistleblowing schemes should be limited to complaints relating to accounting, auditing, banking and financial corruption, as specified in the SO Act. Secondly, a company should notify employees of the details of the whistleblowing scheme and encourage employees to identify themselves, whilst protecting the confidentiality of their identities. Thirdly, appropriate contracts with providers of reporting services must be entered into, so as to ensure that information is collected through a dedicated channel in which the confidentiality of the information collected is prioritized and reports are securely deleted or archived when required.
Obviously, it is difficult to adopt a "standard, one size fits all" whistleblowing policy when subsidiaries across different countries have multifaceted compliance obligations. However, to operate a whistleblowing scheme in the EU that complies with the SO Act, the CNIL Guidelines and Decision, as well as the WP29 Opinion, must be followed.
It therefore seems preferable to adapt a whistleblowing scheme rather than simply apply it as is. Adapting the scheme to local specificities is indispensable.
Furthermore, ethics alert systems are and must remain complementary to the information and alert channels already in place within the company: the hierarchical channel, staff representatives and the statutory auditor.
Far from being the ideal solution, ethics alert systems that are appropriately adapted and monitored can nonetheless make it possible to expose infractions and frauds and to put an end to them; if they allow companies to adopt the optimal strategy for doing so, they will have proven their utility.
[1] Decision n°2005-110 dated May 26, 2005, McDonald's France.
[2] As amended in August 2004 by Law 2004-801.
[3] Published in the French Official Gazette on January 4, 2006. http://www.legifrance.gouv.fr/WAspad/UnTexteDeJorf?numjo=CNIX0508957X
[4] CNIL, "FAQs on Whistleblowing Systems", http://www.cnil.fr/index.php?id=1982&print=1
[5] In this respect, a specific "Privacy" officer should be appointed by the recipient to follow up with the FTC on the compliance of this recipient entity with the Safe Harbor principles.
Such an application would require time (between 6 months and 1 year) and the intervention of US lawyers to achieve this procedure.
[7] In fact, the Council and the European Parliament gave the Commission the power to decide that certain standard contractual clauses offer sufficient safeguards with respect to the protection of privacy and personal data processing. Thus, the European Commission adopted three decisions setting out three sets of standard contractual clauses, depending on the parties entering into the contract:
- DC to DC: standard cross-border contract "Data Controller to Data Controller", issued by the Commission in a decision dated June 15, 2001;
- DC to DP: standard cross-border contract "Data Controller to Data Processor", issued by the Commission in a decision dated December 27, 2001;
- DC to AC: standard cross-border contract "Data Controller to Affiliated Companies", issued by the Commission in a decision dated January 7, 2005.