The CNIL (the French data controller – La Commission Nationale de l’Informatique et des Libertés) defines a ‘whistle-blowing device’ as a system made available to the employees of a public or private body, in addition to the normal channels for reporting malfunctions within that body, in order to encourage them to report to their employer any behaviour that they consider violates the applicable rules. The CNIL accepted the use of whistle-blowing in order to enable French companies to comply with the Sarbanes-Oxley Act of 30 July 2002, which imposes the implementation of whistle-blowing systems, as well as with the French law relating to personal data processing (“Informatique et Libertés” Act). French firms and subsidiaries of companies quoted on the New York Stock Exchange indeed have to comply with the Sarbanes-Oxley Act, in particular by implementing whistle-blowing systems.
In order to simplify procedures, the CNIL adopted a ‘Single Authorisation’, which sets the conditions companies must meet in order to benefit from simplified formalities when implementing whistle-blowing systems (Single authorisation: http://www.cnil.fr/en-savoir-plus/deliberations/deliberation/delib/83/). When a company wishes to implement such a system, it only has to declare that its system complies with the conditions set out by the ‘single authorisation’.
A whistle-blowing system complies with the single authorisation if certain conditions are met, in particular the following:
- alerts may concern only accounting, banking and the fight against corruption;
- companies that want to implement such devices must warn employees by making certain information available to them;
- the system must not encourage anonymous denunciations.
The French Supreme Court (Cour de cassation), in a ruling of 8 December 2009 (concerning the Code of Behaviour of Dassault Systèmes relating to information for internal use and whistle-blowing), decided that a whistle-blowing system may be used only for the purpose of internal control in the fields of finance, accounting, banking and the fight against corruption. The device implemented by the group Dassault Systèmes had a wider objective, insofar as the system also concerned the breach of conduct rules distinct from such purposes; therefore the whistle-blowing system could not benefit from the CNIL’s ‘single authorisation’.
The Supreme Court's interpretation of the scope of the ‘single authorisation’ is thus extremely restrictive. Indeed, the CNIL’s single authorisation provides that it may also cover alerts relating to facts that undermine “the vital interests of the organisation or the physical or moral integrity of the employees” (section 3 of the single authorisation).
The CNIL indicated that it would soon modify its ‘single authorisation’ in order to take this ruling into consideration.
BRAD SPITZ
www.bradspitz.com