Latest Regulation on Whistleblowing in France: CNIL Extends Scope of Reporting and Supports Anonymity

It has been notoriously difficult in France to implement whistleblowing schemes and ethics hotlines compared to many other jurisdictions in the European Union (EU). Notably, France has been one of the most restrictive countries in the EU as far as the permitted scope of reporting is concerned.

Facing an increasing number of applications, the French data protection authority, the CNIL, in a January 30, 2014 decision, has widened the scope of reporting permitted under the Blanket Authorization of 2005 on whistleblowing/hotlines (referred to as “AU 004”). The decision relies on the “legitimate interests of the data controller” principle under the data protection rules.

The CNIL has also decided to allow more extensive anonymous reporting.

1. Extension of the Scope of Reporting

Previous Practice¹

Fundamentally, reporting could only be justified when based on French legal requirements, with the notable exception of compliance with the US Sarbanes-Oxley Act (SOX).

To fall within the blanket authorization, the whistleblowing scheme must be strictly limited to:

• legal obligations of French law designed to establish internal control procedures in the fields of finance, accounting, banking (for financial institutions) and the fight against corruption; and
• legitimate interests of the data controller, restricted to
  • legal requirements set out by SOX in the fields of accounting and auditing, for groups whose shares are traded on US stock exchanges, and legal requirements set forth by the Japanese Financial Instrument and Exchange Act (so-called “Japanese SOX”) for companies governed by this law; and
  • internal audit on breaches of antitrust law.

Going Forward

Reporting will now be permitted in the fields of:

• finance, accounting, banking (for financial institutions) and the fight against corruption;
• antitrust law;
• harassment, fight against discrimination;
• health, hygiene and security in the workplace; and
• protection of environment.

Regardless of whether the fields relate to the data controller's legal obligation or to its legitimate interests. The noticeable difference is the general reference to the company’s legitimate interest and no longer mainly to French legal requirements.

The extension of the scope is, however, limited to the above fields and, as in the past, if a company wishes to add reporting topics outside the scope of AU 004 to its whistleblower program, it will have to go through the standard authorization procedure before the CNIL.

2. Clarification on Anonymous Reporting

The CNIL, taking into account the provisions of SOX relating to anonymous reporting, now considers that it needs to be more tolerant towards anonymity. It has thus moved the focus of its requirements from “identification of the whistleblower” to “conditions for anonymous reporting”.

As before, the system should not encourage anonymous reporting. Identification of whistleblowers remains the default position and anonymity is accepted on an exceptional basis. There is, however, no longer a requirement for the system to be designed so that whistleblowers must identify themselves.

However a concern remains that allowing anonymity makes it difficult to screen for abuse of the system, such as slanderous reports, and may make it difficult to deal effectively with the situation disclosed in a report if there is no way to ask for further clarifications from the source.

The new regulation therefore provides two conditions for accepting an anonymous report:

• as was already required, processing of an anonymous report requires implementing additional precautions such as, notably, a pre-screening of the report by its initial recipient to determine whether the report can or should effectively be used or disseminated more broadly; and
• as a new condition, but consistent with the one above, in an anonymous report the seriousness of the reported facts must be established and the factual elements must be sufficiently detailed.

These are significant changes that will facilitate the implementation of adequate whistleblowing schemes by companies doing business in France. Some may hope that this is only the first step towards further expansion of the scope of the pre-authorized programs and that the more relaxed approach in France will be followed elsewhere on the Continent.