In France, the legal framework for whistleblowing schemes is based on a decision of the French Data Protection Authority, the CNIL, of 2005 adopting a "single authorization AU-004" for the processing of personal data in the context of whistleblowing schemes. In principle, companies must obtain the CNIL's approval prior to implementing a whistleblowing scheme. The CNIL's single authorization AU-004 allows companies to do so simply via a self-certification procedure, whereby they make a formal undertaking that their whistleblowing hotline complies with the pre-established conditions set out in AU-004.
Initially, companies could only self-certify to AU-004 if they were required to adopt a whistleblowing scheme either to comply with legal or regulatory requirements in specific and limited areas; i.e., finance, accounting, banking, fight against corruption, or if they could demonstrate a legitimate purpose, which at the time, was limited to complying with Section 301(4) of the U.S. Sarbanes-Oxley Act.
In 2010, the CNIL broadened the scope of its single authorization AU-004 by expanding the "legitimate purpose" condition to cover two new areas: compliance with the Japanese Financial Instruments Act and the prevention of anti-competitive practices; i.e., anti-trust matters.
On January 30, the CNIL amended AU-004 a second time, essentially to add the following areas to the scope of whistleblowing schemes: the fight against discriminations and work harassment; compliance with health, hygiene and safety measures at the workplace, and the protection of the environment.
These successive amendments show that the CNIL's view on whistleblowing schemes has evolved over time and it has adopted a more realistic and pragmatic approach given that, in today's world, many multinational organizations require their affiliates to implement a streamlined and globalized whistleblowing scheme across multiple jurisdictions. Under the revised framework, whistleblowing schemes are still limited to pre-defined areas and cannot be used for general and unlimited purposes. Nevertheless, the broadened scope of whistleblowing schemes allows companies and their employees to act more in line with an organization's internal code of business conduct and the various areas that it covers. The CNIL's decision should therefore enable companies to use their whistleblowing schemes more consistently across jurisdictions and to streamline the reporting process in areas that are commonly recognized as fraudulent or unethical.
The CNIL also clarified its position regarding anonymous reporting. Historically, the CNIL considers that anonymous reporting creates a high risk of slanderous reporting and can have a disruptive effect for companies. In its decision of January 30, the CNIL states that organizations must not encourage individuals to make anonymous reports and, on the contrary, anonymous reporting should remain exceptional. The CNIL also specifies the conditions that apply to anonymous reporting, namely:
- The seriousness of the facts that were reported must be established, and the facts must be sufficiently precise;
- The anonymous report must be handled with specific precautions. For example, the initial receiver of the report should assess whether it is appropriate to disclose the facts within the whistleblowing framework prior to doing so.
The CNIL's intention here is to limit the risk of slanderous reporting by encouraging companies to establish a clear and transparent system for employees, while ensuring that the appropriate security and confidentiality measures have been implemented, particularly to protect the identity of the whistleblower.
Effectively, the revision of the CNIL's single authorization AU-004 can also be viewed as a tactical move by the CNIL to funnel companies through the self-certification approval process, rather than to seek ad-hoc approval from the CNIL. It also encourages companies to be more transparent regarding the purposes for which their whistleblowing schemes are used and allows the CNIL to enforce compliance with the Data Protection Act more efficiently.
The CNIL's decision does not specify any date of entry into force. Therefore, these amendments came into force on January, the date of the publication of the decision in the Official Journal. The decision also does not specify any grace period for complying with the new conditions; therefore, companies are required to comply with them immediately.
If you want to comment on this post, you need to login.