CNIL Information on Whistleblower Systems

To follow up on French Data Protection Authority Blocks SOX Whistleblower Programs and Whistleblowers in France, here are CNIL’s FAQ on whistleblowing systems and guideline document for whistleblower systems.

CNIL defined a set of rules to be followed for whistleblower systems to be compatible with French data protection laws: Unique Authorisation dated December 8, 2005 (in French, without an English translation).

According to the FAQ on whistleblowing systems, a whistleblower system must be limited to

serious risks to the company in the fields of accounting, financial audit, fight against bribery or banking areas can be collected and filed by the organisation in charge of handling the reports.

Examples:

  • Accounting and account auditing disorders,
  • False entries,
  • Tax evasion,
  • Fictitious personnel employment,
  • Bribery of public agents …

Specific examples in the banking area:

  • Terrorism funding,
  • Money laundering…

The whistleblower system may also be used to gather reports on facts

that affect the vital interests of the company or its employees’ physical or mental integrity

Examples:

  • Threat to the safety of another employee,
  • Moral harassment,
  • Sexual harassment,
  • Discrimination,
  • Insider trading,
  • Conflict of interests,
  • Serious environmental breaches or threats to public health,
  • Disclosure of a manufacturing secret,
  • Serious risks to the company’s information system security …

CNIL also takes the position that the whistleblowing system must not be compulsory, but merely encouraged. CNIL takes the position that the systems should not be designed to encourage anonymity. Confidentiality is fine but anonymity is not. CNIL provides this example language for the scope of a whistleblower system:

The system is open to employees who wish to inform the organisation about facts susceptible to breach applicable rules in the financial, account auditing and corruption prevention areas. This system is an alternative way of reporting genuine concerns which would not be adequately dealt with by other existing reporting channels such as line management or personnel representatives. If the vital interest of the company is threatened in other areas or if the physical or mental integrity of employee(s) is at stake, reports on such serious facts may be redirected to appropriate individuals within the company. No other type of reports can be made using this system.

Whistleblowers in France

French privacy law limits the ability to use anonymous hotlines.

In France, the French Data Protection Authority (La Commission Nationale de l’Informatique et des Libertés (CNIL)), an administrative agency, oversees processes involving the collection or compilation of personal data. In 2005 they decided that two reporting procedures were in violation of French privacy law. McDonald’s Corp. and CEAC, a division of Exide Technologies, sought CNIL’s approval of their whistleblower hotline procedures. In June 2005, CNIL announced that these proposed reporting procedures would violate French law and it refused to authorize the use of such procedures. CNIL expressed concern that anonymous reporting would lead to malicious false reports of misconduct. They determined that the risk of malicious reporting was disproportionate to the benefit of the hotlines.

There is an obligation to file procedures with the CNIL before they are implemented if files or records will be maintained in France.

See Law Flash from Morgan Lewis: Whistleblower Procedures Inconsistent with French, German Law?

Code of Ethics and Whistleblower Programs

A corporate code of ethics is the flip side of the coin of a whistleblower policy: The code of ethics is the principal means of communicating to all staff a strong culture of legal compliance and ethical integrity, while the whistleblower policy is a way to implement such values.