Requirements of the French Data Protection Authority on Whistleblowing to be applicable throughout the European Union
Further to the enactment in the United States of the Sarbanes-Oxley Act 2002, multinational groups listed on US stock exchanges have been required to set up specific procedures, called ‘whistleblowing’ schemes, in their subsidiaries located outside the United States and notably in Europe, enabling employees to report any behaviour of their colleagues which allegedly breaches the law or corporate policy in the workplace (Sarbanes-Oxley Act 2002: Public Company Accounting Reform and Investor Protection Act, 2002, hereafter ‘the SOX Act’).
However, when the subsidiaries located in Europe process personal data, such systems are subject to the authorisation procedures provided by both EU Directive 95/46/EC of 24 October 1995 and the privacy and data protection legislation of each EU Member State (Directive No. 95/46 of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data: OJ of the European Union, No. L 281, 23 November 1995, pp. 31–50) (hereafter ‘the EU Directive’).
If EU companies listed on US stock exchanges and EU subsidiaries of US listed companies are not granted such authorisation, they cannot comply with the US SOX requirements unless they implement whistleblowing systems in breach of EU privacy and data protection legislation.
As a result, the French Data Protection Authority, called the CNIL (“Commission Nationale de l’Informatique et des Libertés”) published guidelines in November 2005 providing the conditions under which whistleblowing systems could be set up in compliance with French Act No. 78-17 of 6 January 1978 on data processing, data files and individual liberties, commonly called the “Computer and Liberties Act”.
(See: Guideline document adopted by the CNIL on 10 November 2005 for the implementation of whistleblowing systems in compliance with the French Data Protection Act of 6 January 1978, as amended in August 2004, relating to information technology, data filing systems and liberties. An English version of this document is available on the CNIL’s website: www.cnil.fr; an updated English version of the Act is available at: http://www.cnil.fr/fileadmin/documents/uk/78-17VA.pdf.)
On 8 December 2005, the CNIL adopted a single authorisation decision (“autorisation unique”) which enables French firms or French subsidiaries of US listed companies to benefit from a simplified authorisation procedure, provided that they commit to fulfilling the requirements of this decision (only the French version of this decision is available on the CNIL’s website, www.cnil.fr: Délibération n°2005-305 du 8 décembre 2005 portant autorisation unique de traitements de données à caractère personnel mis en œuvre dans le cadre de dispositifs d’alerte professionnelle).
Following the adoption of these rulings in France, the Working Party established under Article 29 of EU Directive 95/46/EC (the ‘Article 29 Working Party’), which gathers all the European Data Protection Authorities, published its opinion on this matter (Opinion 1/2006, WP 117) on 1 February 2006.
In order to ensure the compliance of their whistleblowing systems with both the SOX Act and the EU Directive, EU companies listed on US stock exchanges and EU subsidiaries of US listed companies should therefore familiarise themselves with this opinion, notably regarding the nature of the system to be set up and the rights to be guaranteed.
A specific organisation dedicated to dealing with whistleblowing reports in the areas of accounting, finance, banking and bribery
In order to ensure the compliance of whistleblowing systems with the requirements of both the SOX Act and the EU Directive, the Working Party, like the CNIL, considers that systems eligible for authorisation should be confined to the areas of accounting, finance, banking and bribery, and should rely on an organisation dedicated to processing the reports.
- Limitation to the areas of accounting, finance, banking and bribery
In the same way as the CNIL, the Working Party limited the scope of its opinion to ‘internal whistleblowing schemes in the fields of accounting, internal accounting controls, auditing matters, fight against bribery, banking and financial crime’.
This limitation reflects the Working Party’s view that analysis of these areas was urgent, given the risk of sanctions faced by EU companies listed on the US market and EU subsidiaries of US listed companies if they fail to comply with both the SOX Act and European privacy and data protection legislation.
In relation to this, the Working Party acknowledges that those companies have a ‘legitimate interest’ within the meaning of Article 7(f) of the EU Directive in setting up whistleblowing systems.
They are therefore entitled to implement such systems on that ground even where the legislation of the Member State concerned does not itself provide for them.
In every case, the Working Party considers that data ‘has to be collected for specified, explicit and legitimate purposes and must be adequate, relevant and not excessive in relation to the purposes for which they are collected or further processed’.
This means that companies setting up whistleblowing systems must collect only data directly related to the reported facts. However, the Working Party’s opinion does not list what data is considered relevant.
Interestingly, the CNIL’s guidelines provide that only data relating to the identity, work position, and work and personal contact details (i.e. phone number, email, etc.) of the whistleblower and of the incriminated person may be collected, together with data on the nature of the facts in question, the investigation and its follow-up.
Although the Working Party refers mainly to the requirements provided by the abovementioned CNIL’s documents, it also slightly diverges from them.
Contrary to the CNIL, the Working Party considered that other fields such as human resources, worker’s health and safety, environmental damage or threats could also fall within the scope of whistleblowing systems. The Working Party will analyse this further in the next few months.
- Establishment of a specific organisation
According to both the Working Party and the CNIL, the management of whistleblowing systems requires establishing a specific organisation in order to ensure a high level of confidentiality and security.
In order to comply, companies may set up such an organisation either within or outside the company, provided that it deals specifically with the processing of whistleblowing reports.
Where an in-house organisation is set up, the Working Party insists that it ‘should be strictly separated from other departments of the company, such as the human resources department’. The Working Party also recommends that the number of persons in that organisation be limited and that its members process only such data as is necessary for the fulfilment of their functions.
Where the organisation is external, the Working Party specifies that companies using this option remain responsible for the resulting processing operations. This does not, however, mean that external service providers are not bound to comply with privacy and data protection requirements; compliance may be ensured by means of a contract between the company setting up the whistleblowing system and the external provider it chooses.
In any case, the members of the organisation in charge of processing whistleblowing reports must be specifically trained and bound by a strictly defined contractual obligation of confidentiality.
A similar level of confidentiality and security shall be applied where whistleblowing reports are shared throughout multinational groups, including outside the EU.
Under such circumstances, the Working Party considers that ‘groups should deal with reports locally, i.e. in one EU country, rather than automatically share all the information with other companies in the group’, but acknowledges some exceptions if the latter is necessary in relation to the nature or the seriousness of the reported misconduct.
The opinion also states that such communication with other companies within the group, like any other transfer of data outside the EU, is subject to the requirements of Articles 25 and 26 of the EU Directive. Under these provisions, data may be transferred provided that the recipient entity either has entered into an agreement duly approved by the relevant European data protection authority, or has adopted a set of binding corporate rules that have likewise been approved, or, where the recipient entity is based in the United States, has subscribed to the Safe Harbour.
Balance between whistleblowing purposes and data protection rights
While the Working Party and the CNIL both acknowledge the need to set up whistleblowing systems in order to comply with corporate governance principles, they also consider that this need must be balanced against the rights of information, access and rectification granted to employees under the EU Directive. To reconcile the two, these rights have had to be adapted.
- Right of information
The Working Party has drawn a distinction between the rules applicable to potential users and those applicable to incriminated persons.
The first set of rules states that clear and complete information on the whistleblowing system must be given to potential users by any appropriate means.
Under Article 10 of the EU Directive, the data controller has ‘to inform data subjects about the existence, purpose and functioning of the scheme, the recipients of the reports and the right of access, rectification and erasure for reported persons’.
Employees should also be informed that any abuse of the system may result in disciplinary action and judicial proceedings against the perpetrator. Good-faith use, however, must not expose whistleblowers to penalties.
The second set of rules concerns incriminated persons. Under Article 11 of the EU Directive, the person responsible for the system must notify the incriminated person no later than the time at which the relevant data are recorded, whether in digital form or not, so that he or she can promptly exercise the statutory right to object, on legitimate grounds, to the processing of his or her data.
However, in order to avoid the destruction of evidence, the incriminated person should not be informed before the indispensable protective measures have been taken.
The Working Party finally adds that the incriminated employee must be informed ‘about the entity responsible for the whistleblowing scheme, the facts he is accused of, the departments or services which might receive the reports within his own company or in other entities or companies of the group of which the company is part, and how to exercise his rights of access and rectification’.
- Confidentiality and rights to access, rectification and erasure
As with the right of information, the Working Party considered that the rights of access, rectification and erasure ‘may be restricted in order to ensure the protection of the rights and freedoms of others involved in the scheme’.
Although the opinion stresses immediately afterwards that ‘this restriction should be applied on a case-by-case basis’, the Working Party insists strongly that the identity of the whistleblower must not be disclosed to the incriminated person on the basis of the latter’s right of access.
In application of Article 12(b) of the EU Directive, the opinion states that ‘data subjects have the right to rectify or erase their data where the processing of such data does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data’.
For the purpose of whistleblowing processing, the exercise of these rights by the incriminated person is therefore restricted.
Far from depriving the person concerned of his or her rights of access and rectification, adapting them is in practice the only way to ensure an efficient and objective whistleblowing process.
On the basis of the abovementioned documents of the Article 29 Working Party and the CNIL, EU companies listed on US stock exchanges and EU subsidiaries of US listed companies now have a clear legal framework enabling them to comply with the requirements of both the US SOX Act and the EU Directive on privacy and data protection.
In order to send a positive message to the companies concerned, the Chairman of the Working Party, Mr. Schaar, addressed a letter to the Chairman of the US Securities and Exchange Commission, Mr. Cox, informing the US authorities of these recent developments and inviting them to cooperate on any further developments.