Two recent decisions issued by a French Tribunal of First Instance (Caen Tribunal of First Instance, Interim Decision, 5 November 2009) and by the French Supreme Court (Cour de Cassation, 8 December 2009) have brought whistleblowing and the implementation of ethics helplines in French companies to the forefront of the nation’s conversation on data protection.


The evolution of perception of whistleblowing in France


In France, any processing of personal data has to be either declared to or authorized by the French data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL). In most instances, a mere declaration of the processing is sufficient, but in cases where processing involves sensitive data or can result in data subjects being deprived of a right, contract, or benefit, French data protection legislation requires that the data controller obtain a prior authorization from the CNIL.


Because alleged misconduct reported by employees can result in sanctions, whistleblowing systems fall into the category of personal data processing subject to prior authorization.


This matter only came into discussion in France in 2005, when the CNIL denied the authorization requests for the launch of ethical helplines submitted by two French subsidiaries of U.S.-listed groups (McDonald’s France and Compagnie Européenne d’Accumulateurs, a subsidiary of Exide Technologies). The entities had submitted the requests in order to ensure their groups’ compliance with the provisions of section 301 (4) of the 2002 Sarbanes-Oxley Act (SOX).


The French data protection authority, however, considered that the systems allowed for the anonymous reporting of a large variety of alleged breaches, either of law or of internal codes of conduct, which could lead to an “organized system of denunciation.”


This position raised concerns for French subsidiaries of U.S.-listed groups, which were impeded from complying with the SOX obligations. Aware of this difficulty, in November 2005 the CNIL issued guidelines aimed at clarifying both its perception of whistleblowing systems and the conditions under which such systems could be authorized.


According to these guidelines, use of the systems:


  • should not be mandatory for employees

  • should only be an alternative to other alert systems

  • should have a limited scope


Also, use of the systems requires:


  • that users and subjects of an alert be provided with comprehensive information

  • assurance that appropriate security, confidentiality, and precaution will be exercised when handling alerts, and

  • assurance that the system does not incite users to make anonymous denunciations


In addition to these guidelines, in December 2005 the CNIL issued a decision whereby it authorized the implementation of all whistleblowing systems matching the terms of this decision (the Standard Authorization). French legislation authorizes the CNIL to adopt standard authorizations of this nature, simplifying the obligations of data controllers, which are then only required to register mere undertakings of compliance with the terms of the standard authorization in question. Systems not fitting strictly within the provisions of a standard authorization (e.g. broader scope of data processed, different purpose, etc.) have to be submitted to a specific authorization application.


Difficulty interpreting the standard authorization


As mentioned above, the Standard Authorization strictly defines the purposes of authorized whistleblowing systems. These must only relate to the creation of internal control procedures in the fields of finance, accounting, banking, and corruption, as imposed by French law, and the reporting of alleged violations in the fields of accounting and audit as imposed by SOX.


However, two sentences of article 3 of the Standard Authorization seem to widen this scope by providing that the “facts collected must only relate to the fields covered by the system. Unrelated facts may however be disclosed to individuals of the organisation when the vital interests of that organisation or the moral or physical integrity of the employees are at stake.”


This perception of a widened scope of the Standard Authorization was adopted by Dassault Systèmes and followed by the Versailles Court of Appeal in a decision of April 2008.


In this case, the works council of Dassault Systèmes initiated action further to the adoption of a new internal code of conduct, which included the implementation of a whistleblowing system that was argued not to match the scope of the Standard Authorization, and thus to be illegal.


The court dismissed these allegations. Relying on the provisions of article 3, it considered that Dassault Systèmes was entitled to expand the scope of the system for situations where “the vital interests of the group as well as the physical and moral integrity of the employees were at stake.” (The helpline allowed the reporting of intellectual property rights violations, disclosure of strictly confidential information, conflicts of interest, insider dealing, and sexual or moral harassment.)


However, this analysis was challenged by an interim order issued by the President of the Caen Tribunal of First Instance in November 2009. In December 2009, it was completely invalidated by the French Supreme Court.


In the first case, the works council of French company Benoist-Girard, a subsidiary of American group Stryker, requested the Caen Tribunal to suspend the company’s whistleblowing system, which consisted of an Internet Web site accessible at the address www.ethicspoint.com, and which had been declared to the CNIL as compliant with the Standard Authorization.


The president of the Tribunal first noted that while the Web site, which was aimed at the French employees of the group, had a limited scope, the American version was nevertheless accessible to them. This American version allowed employees to “anonymously report facts relating not only to corruption or misappropriation in accordance with the American law, but also general topics under the heading of ‘Other topics of concern,’ which can lead to denunciation” in breach of French data protection legislation. In addition, the Web site incited users to make anonymous declarations contrary to the provisions of the Standard Authorization.


The president of the Tribunal therefore deemed that the system violated the Standard Authorization. Consequently, as it had not been specifically authorized by the CNIL, the system was regarded as illegal and the judge ordered its immediate suspension. Extension of the scope of the Standard Authorization through article 3 was, therefore, ruled out.


The French Supreme Court made the same analysis on 8 December 2009 when it put an end to the Dassault Systèmes case and settled the question of the combination of articles 1 and 3 of the Standard Authorization.


The court first considered it necessary to distinguish between the purposes of the whistleblowing system (covered by article 1) and the categories of data that can be processed lawfully in this framework (set out in article 3).

According to the Supreme Court, the reach of article 3 was exclusively limited to the nature of information susceptible to being collected during an alert and could not be interpreted as extending the scope of the purposes authorized under the Standard Authorization. Article 3 “was not intended at modifying article 1,” the court said.


This decision, therefore, clearly restricts the scope of the whistleblowing systems benefiting from Standard Authorization to those covering finance, accounting, banking, and corruption. This raises two final comments.


First, the position reached by the French Supreme Court can, in our opinion, be contested, as it seems to rely more on the physical location of the problematic provisions in the Standard Authorization than on the actual terms used.


Indeed, even though the terms of article 3 exclusively refer to the facts and data collected within the whistleblowing system, we perceive them as de facto extending the scope of article 1. If this was not the case, the collection of data relating to the actions endangering vital interests of the company or the physical or moral integrity of the employees would constitute a breach of French data protection legislation requiring that all data collected and processed is “adequate, pertinent, and non-excessive in consideration of the purpose for which they are collected.” If the sole purposes of systems covered by the Standard Authorization must relate to financial, banking, accounting, or corruption violations, the collection of data or facts pertaining to the physical integrity of an employee, for example acts of violence, hazardous premises, etc., will never be (save for exceptional cases) pertinent to or in line with the strict purpose of the system. This results in the provisions of article 3 being deprived of their meaning and use.


Second, and on a more positive note, the decision confirms the regulatory power of the CNIL. Indeed, the Supreme Court not only based its decision on the legislation, but also on the CNIL standard authorization. This is all the more relevant in that the CNIL recently faced a number of setbacks in the affirmation of its controlling and sanctioning powers in France.