Professional whistleblowing programs: will the extension of the scope of reporting recently decided by the French Data Protection Authority indirectly lead to an increase in the use of such programs?

In deliberation n°2014-042 published on January 30, 2014, the French Data Protection Authority has taken a new step forward with respect to whistleblowing programs.

It has indeed once again amended the simplified single authorization and extended its scope to new issues (including hygiene and safety, environment, workplace discrimination and harassment) that are de facto often addressed in companies’ codes of ethics.

Through this new deliberation, the CNIL not only extended the list of topics governed by the Single Authorization but it also expanded the legal basis likely to be relied upon to justify the legitimacy of the implementation of a whistleblowing program, and clarified the conditions in which anonymous reports may be taken into account.

1. Definition of “whistleblowing” and brief background review of the introduction and “legalization” of whistleblowing programs in France

It is in the wake of the Enron and the WorldCom accounting scandals that the United States has adopted the Sarbanes-Oxley Act of July 31, 2002 requiring that all companies listed on US stock markets, as well as their subsidiaries, implement a professional whistleblowing program enabling employees to anonymously and confidentially report (through a toll-free phone number, a dedicated Internet portal or a dedicated e-mail address) any concerns regarding fraudulent practices or malpractices in accounting and financial matters.

Even though it was first reluctant to this type of programs that leads to a form of denunciation, the CNIL soon became confronted with the reality of the business world. Faced with the extraterritoriality of a number of foreign Laws (Sarbanes-Oxley Act 2002, Japanese SOX of June 6, 2006), the CNIL eventually gave in.

It is in this context that it adopted, by way of deliberation n° 2005-305 dated December 8, 2005, the Single Authorization or “AU-004” aimed at creating whistleblowing à la française.

A professional whistleblowing program, as defined by the CNIL, is an optional system made available to employees (and to any other persons working in the relevant organization) to report (primarily on a non-anonymous basis) any issues that can significantly affect the organization’s business or incur its responsibility in a serious manner. Such a system comes in addition – but does not supersede – the other usual information reporting channels, e.g. personnel representatives, labor inspection authorities, managers, etc.

A professional whistleblowing program requires the implementation of an automated processing of personal data and, as such, completion of a number of preliminary formalities with the CNIL. The reported information is then examined in a confidential manner and enables the employer to decide, with full knowledge of the facts, on any potential corrective actions.

Before implementing a professional whistleblowing program, it is necessary to follow one of the two CNIL procedures: Single Authorization “AU 004” procedure or specific authorization procedure.

Wherever the professional whistleblowing program contemplated by a company meets, in every respect, the requirements of the Single Authorization ”AU-004”, the company must simply send to the CNIL a declaration of compliance (the declaration form is available on the CNIL’s website) that has only a declaratory function.

The CNIL does not check the information provided in the declaration and sends back a receipt by mail. This receipt is an open sesame to lawfully implement the contemplated whistleblowing program.

On the other hand, if a company wishes to implement a professional whistleblowing program that goes beyond the framework established by the Single Authorization “AU-004”, it must send to the CNIL a complete individual authorization application file that will be subject to a detailed and thorough examination by the CNIL. Indeed, this process implies a real discussion with the CNIL in order to “convince” it that the requested extension is legitimate. This procedure is, therefore, longer than the Single Authorization procedure and its outcome more uncertain.

Prior to the January 30, 2014 deliberation, professional whistleblowing programs likely to be eligible to the Single Authorization procedure had to be limited to the following areas:

• finance,
• accounting,
• banking,
• anti-corruption,
• anti-competitive practices.

In addition, to be eligible to the Single Authorization, companies had to prove that the implementation of the professional whistleblowing program was legitimately needed (i) to answer to “French legal or regulatory requirement” or (ii) because they were subject to the Sarbanes Oxley Act 2002 or to Japanese SOX 2006.

Between 2011 and 2013, the CNIL examined almost 60 specific authorization applications in relation to issues that fell outside the scope of the Single Authorization (discrimination, workplace harassment, health, hygiene, safety, environment) or to issues that did concern financial, accounting, banking or anti-corruption matters but for which the data controller was unable to prove that it was subject to a French legal or regulatory requirement.

In these circumstances, the CNIL felt it necessary to extend the scope of the Single Authorization to other areas.

2. Innovations brought about by the January 30, 2014 deliberation

In its January 30, 2014 deliberation, the CNIL extended the scope of the Single authorization to include the following topics:

• fight against discrimination and harassment;
• health, hygiene and safety in the workplace;
• protection of the environment.

In addition, the CNIL broadened the Single Authorization eligibility criteria: while the simplified Single Authorization procedure used to be reserved to companies subject to a “French legal or regulatory requirement” and to companies subject to the Sarbanes Oxley Act 2002 or to Japanese SOX 2006, it now applies without distinction to any and all companies that wish to implement a professional whistleblowing program to answer a “legal obligation” or meet a “legitimate interest”.

Lastly, another important innovation of the January 30, 2014 deliberation deals with the identification of the whistleblower. Indeed, the CNIL has always recalled the imperative need to be able to identify whistleblowers.

According to it, whistleblowers must be invited to identify themselves to make them accountable for the use of the system and avoid a slippery slope towards denunciation and malicious accusations, facilitate their protection against potential retaliation measures and have the possibility to ask them for additional details.

The CNIL stuck to its views: the principle is the identification of the whistleblower and anonymous reports must remain the exception. Yet, the circumstances in which anonymous reports are tolerated have been clarified. Article 2 of the Single Authorization “AU-004” now severely restricts the possibilities of making an anonymous alert:

• firstly, “the seriousness of the reported facts [must be] established” and “the factual elements [must be] sufficiently detailed”;
• secondly, “the processing of the report [must be surrounded with] specific precautions, such as a preliminary examination by the recipient of whether or not the reported information must be followed up within the whistleblowing system.”

3. What are the practical implications for businesses?

The January 30, 2014 deliberation is fully consistent with a current trend towards improved corporate governance and reinforced transparency and ethics (Corporate Social Responsibility, codes of ethics and business conduct, whistleblowers, etc.).

As such, this extension indisputably addresses, with a pragmatic approach, the realities of the business world and makes thing easier for companies.

Given the challenges and important risks (criminal liability) faced by companies with respect to hygiene and safety, discrimination and harassment but also environment, it is necessary to ensure that businesses have efficient tools to detect any unlawful/wrongful practices and behaviors within their own organization.

It is, however, regrettable to see that other issues, such as the disclosure of sensitive or confidential information, are not covered by the recent extension.

In any event, it remains to be seen whether the extension of the scope of reporting will entail a surge in the use of professional whistleblowing programs within companies. Indeed, based on the compliance audits and checks it has carried out in the past few years, the CNIL has noted that employees make little use of this type of programs. This can be partly explained by the fact that in France there already exist standard channels to report problems or irregularities within an organization, such as the staff representative alert procedure and the possible recourses to the labor inspection authorities. Yet, this is mainly due to the fact that, even though mentalities are evolving with the globalization of corporate cultures and management methods, a whistleblowing scheme that encourages denunciation (especially a priori on a non-anonymous basis) is still quite ill-perceived in the French culture.

It should be noted that companies that have already implemented a whistleblowing program under the former Single Authorization regime do not have the obligation to file a new declaration of compliance insofar as the information mentioned in the prior declaration remains unchanged. However, companies may wish to amend their information notice to include new areas to be covered by the whistleblowing program, in which case they must inform their employees of such amendments. In addition, they must not forget to consult, if applicable, their Works Council and Health, Safety and Working Conditions Committee in this respect.