New CNIL Guidelines Help Resolve U.S.-EU Data Protection Impasse

France has modified the Catch-22 it previously set for multinational companies who were forced to choose between violating French privacy law or the U.S. Sarbanes-Oxley whistleblower provisions. On November 10, 2005, France’s Commission Nationale de l’Informatique et des Libertés (CNIL), the country’s national data protection authority, devised guidelines to enable multinational companies located in France to comply with the anonymous hotline requirement of the Sarbanes-Oxley Act (SOX), Pub. L. No. 107-204 (2002). In its new position paper, the CNIL sets forth various restrictions on the treatment of information obtained through whistleblowing channels. By observing these parameters, multinationals may fulfill their SOX obligations without running afoul of French data protection laws.

The CNIL’s new position is a departure from two controversial decisions issued earlier this year in which the Agency rejected whistleblower initiatives proposed by two multinational companies on the ground that the programs violated French data protection principles. While the compromise crafted by the CNIL ostensibly affects only companies operating in France, the Agency’s approach could have a significant influence over both national and EU-wide data protection authorities that are currently considering how to resolve the whistleblowing issue.

Under SOX, which was passed in the wake of several high-profile U.S. corporate accounting scandals, companies listed on a U.S. stock exchange and their affiliates are required to establish whistleblower channels, such as telephone hotlines or other means of communication, to enable employees to report anonymously on violations of law related to a company’s accounting or auditing practices or internal accounting controls. Id. § 301(4). In an effort to comply with this requirement, the local subsidiaries of two multinational companies, McDonald’s and CEAC, a division of a U.S. technology firm (Exide), sought to obtain CNIL approval for proposed corporate whistleblowing initiatives. In May 2005, the CNIL rejected these proposals, citing privacy concerns and taking particular note of principles of French law that disfavor anonymous accusations against individuals.

In the aftermath of those decisions, the CNIL began intensive discussions with U.S. Securities and Exchange Commission (SEC) officials, European authorities, and business representatives in an effort to arrive at a compromise. Those discussions culminated in the release of the CNIL’s new position paper.

The position paper begins by affirming that European data protection principles apply to personal information collected through whistleblowing channels. Importantly, the CNIL states that it is not opposed to whistleblowing initiatives in principle, provided the privacy rights of those individuals identified through whistleblowing channels are protected. Specifically, EU and French data protection principles dictate that information concerning employees who are the subject of a whistleblowing accusation must be collected in a fair and appropriate manner, that these individuals be informed that personal data about them are being processed, that these individuals be permitted to object to this processing if they have a legitimate basis for doing so, and that they be provided with the right to access and correct inaccurate data.

Despite the CNIL’s assertion that it is no longer strictly opposed to whistleblowing initiatives, the position paper reveals that the Agency continues to harbor a number of concerns about the whistleblowing process. As a result, the paper emphasizes the importance of imposing various restrictions and controls on the collection and processing of information through whistleblowing channels.

Citing the risk that whistleblowing channels may be used to lodge abusive or inflated claims against employees, the CNIL concludes that the scope of subjects on which whistleblowing is permitted must be limited. According to the CNIL, whistleblowing is legitimate only with respect to those subject areas for which there are specific legislative or regulatory obligations related to internal corporate controls in precisely defined areas. While the CNIL questions whether foreign laws such as SOX have the authority to create such obligations for companies located in France, the Agency recognizes that U.S.-listed companies have a legitimate interest in ensuring the integrity of their accounting and auditing practices. Moreover, in light of the fact that several European legal authorities echo the objectives of SOX, the CNIL has determined that the use of whistleblowing channels to report on a company’s internal financial controls, accounting or auditing matters, or incidents of fraud or corruption, is legitimate. Any whistleblowing initiatives that propose to address subjects outside these limited areas will be evaluated on a case-by-case basis, with the CNIL taking care to ensure that the initiative’s goals are legitimate and that the scope of the initiative is appropriately tailored to those goals.

Recognizing that SOX secures to employees the right to use whistleblowing channels anonymously, the CNIL’s position paper does not prohibit this practice. In keeping with proscriptions in French law against anonymous denunciations of individuals, however, the CNIL guidelines specify that:

  • Anonymous reporting must not be encouraged, including in any publicity campaigns about whistleblowing hotlines.
  • The identities of those whistleblowers who reveal their names to hotline operators must be kept confidential. In particular, whistleblowers’ identities must not be revealed to individuals accused of wrongdoing.
  • To the extent possible, whistleblowers should be encouraged to provide information on facts, rather than on individuals.
  • To further contain the risks associated with whistleblowing, companies must ensure that employees’ use of whistleblowing channels is strictly voluntary.

In addition to the above restrictions, the CNIL guidelines set forth several other parameters for legitimate whistleblowing programs.

  • Companies must provide clear and complete information on the functioning of the whistleblowing system, including by informing employees of the following:

- entity responsible for the hotline
- purpose and scope of the hotline
- hotline use is voluntary
- failure to use the hotline will not be punished
- employees have the right to access and correct information about them gathered through the hotline
- while good faith use of the hotline is protected, abusive use of the hotline could result in disciplinary action.

  • Whistleblowing communications may be transmitted only via dedicated information channels, to minimize the risk of breaching security or confidentiality.
  • Data collected through whistleblowing channels must be recorded in an objective manner, must be within the scope of the whistleblowing initiative, and must not exceed that amount which is necessary to verify the facts alleged.
  • The collection and processing of whistleblower communications must be conducted by a dedicated group of specially trained individuals that is limited in size and constrained to preserve confidentiality.
  • Where necessary to an investigation, whistleblowing communications may be disclosed among the individuals in the group responsible for processing these communications.
  • All transmissions of whistleblowing communications to individuals or entities outside the EU must be conducted in accordance with the safeguards established for international transfers of personal data.
  • Where a company delegates the operation of whistleblowing channels to third parties, the company remains responsible for those parties’ actions, and must secure contractual guarantees that the data will be treated appropriately.
  • Data related to a whistleblowing allegation that is ultimately deemed unfounded must be expeditiously destroyed.
  • Data related to an allegation that is under investigation must be destroyed within two months after the investigation has concluded, unless preservation of the data is necessary to an ongoing disciplinary or legal proceeding.
  • Once steps have been taken to prevent the destruction of evidence, individuals accused through whistleblowing channels must be promptly notified that their personal data have been collected in order to provide them with an opportunity to contest the processing of that data.

The CNIL intends to issue more detailed guidelines in the future that will assist companies in establishing whistleblower channels that conform to the principles set forth in the November 10 position paper.

In addition to the CNIL, national data protection authorities of other EU member states are currently reviewing the whistleblowing issue. The EU’s Article 29 Data Protection Working Party, an advisory body composed of national data protection experts that is charged with implementing the EU’s Data Protection Directive, is also discussing the prospect of devising EU-wide guidelines on the issue. As the CNIL has taken a leading role in the negotiations between EU and U.S. officials over whistleblowing hotlines, the CNIL’s position paper is likely to have a considerable impact on how other EU authorities will treat this issue. In devising programs to fulfill their compliance obligations under U.S. law, companies should monitor developments in relevant EU member states.

Finally, it should be noted that, notwithstanding the new guidelines, the CNIL requires that all transmissions of whistleblowing communications to individuals or entities outside the EU must be conducted in accordance with the safeguards established for international transfers of personal data. With respect to information transmitted to the United States, such international data protection safeguards could entail execution of "model contracts" between the relevant U.S. and EU entities, adoption of "binding corporate rules," or membership in the U.S.-EU Safe Harbor. A copy of the CNIL’s position paper is available, in French, at http://www.cnil.fr/fileadmin/documents/La_CNIL/actualite/CNILdocori-10112005.pdf

This article has been prepared by Sidley Austin Brown & Wood LLP for informational purposes only and does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Readers should not act upon this without seeking professional counsel.