Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.
The Challenge of Conflicting Laws Governing Hotlines in the United States and France
Publicly-traded companies covered by the Sarbanes-Oxley Act ("SOX") – the U.S. corporate-governance law enacted in the wake of scandals such as Enron Corp. - are required to make available to employees an anonymous whistleblower reporting system (commonly called a hotline). While such systems have raised few legal challenges in the United States, they have been under attack in Europe. Earlier this year the Commission Nationale de l'Informatique et des Libertés ("the CNIL") (the French independent administrative authority protecting privacy and personal data) initially ruled that such systems violated the French Data Protection Act of January 6, 1978, as amended on August 6, 2004 ("the Act"). This apparent conflict between the United States and French law resulted in anxious confusion and concern for many global organizations doing business in both countries. Indeed, this also impacted employment law compliance systems since between 60% and 80% of all hotline complaints deal with employment law issues according to a survey recently concluded by the Open Compliance and Ethics Group (OCEG).
Toward a Possible Solution: In France and Potentially Throughout Europe
On November 10, 2005, the CNIL ended a legal impasse with the U.S. Securities and Exchange Commission (SEC) that had left many international companies, with operations in both the U.S. and France, at risk of either violating the SOX1 or French laws. The CNIL, adopted guidelines for the implementation of whistleblowing schemes ("the Guidelines").
The CNIL which had initially ruled that whistleblower hotlines violated the Act2 seems to have dropped its opposition to so-called whistleblower hotlines.
The CNIL, fully aware of the difficulties created by its initial refusals, and the dilemma faced by U.S. companies operating in France, initiated major talks with the American and European authorities, the unions and the representatives of the personnel of various companies in an attempt to define the conditions under which whistleblower hotlines would be lawful under the Act in France.
Accordingly, the Guidelines represent the new position of the CNIL on whistleblower hotlines. Companies can now establish such hotlines provided that: (1) their scope is limited; (2) they restrict their use to collecting information on specific types of corporate malfeasance; (3) place restrictions on how information collected through them is handled; and (4) ensure due process to individuals anonymously accused.
By adopting the Guidelines (which do not have the form of a "recommendation resolution," in order to provide maximum flexibility for a case by case analysis of whistleblowing schemes) the CNIL provides U.S. companies with a road map that should enable them to do what they are technically required to do under both the SOX3 and the Act. In principle, the CNIL has no objection to such reporting schemes, provided that the rights of individuals directly or indirectly incriminated through them are protected.
In light of the Guidelines, below is a brief summary, of the main requirements international companies operating in both France and the U.S. will have to follow in setting up whistleblower hotlines in France.
1. Whistleblower hotlines must be of limited scope.
In the CNIL's view, whistleblower hotlines or any whistleblowing scheme cannot be perceived as the normal method by which to signal operating difficulties of the company itself. It should only be part of an overall feedback strategy implemented by a company. As such, the whistleblowing programs should be seen as merely complementary to other methods of alert within the company. The CNIL made it clear that whistleblowing schemes will be unlawful if they have a general and indiscriminate scope because such schemes create a risk of abusive or disproportionate incrimination of the professional, or even personal, integrity of the employee concerned.
According to the Guidelines, the scope and incident categories of whistleblower hotlines should either:
- Be limited to accounting, auditing, financial misconduct or corrupt practices such as bribery, collusion, conflict of interest, etc.; or
- If its contains a more comprehensive list of categories, such categories must be justified as being proportional to the organization's overall feedback process or risk profile/concerns4.
In France, an employee should not be required to use a whistleblower hotline. Such use can only be encouraged by the employer.
2. The processing of the information collected through whistleblower hotlines must be restricted.
Although, the CNIL reversed its position of strictly precluding anonymity in the reporting process and recognized that the possibility to report anonymously is a key component in many instances, specific precautions will have to apply. The Guidelines clearly indicate that maintaining confidentiality and preventing antiretaliation are of utmost importance. Thus, for the CNIL the identity of the reporter should not be provided to the implicated party thereby protecting the reporter. In addition, the Guidelines suggest that the collection of reports be performed through a dedicated process to limit the risks that the information be diverted and used for other purposes.
3. The information collection process must be handled within a confidentiality framework by specialists within the company.
The CNIL guidelines provide that the reports be collected and processed by a specific entity within the organization dedicated to those issues. In addition, there should be a limited number of individuals in charge of handling these reports in the report management process. These individuals should be specially trained and subjected to special, contractually-defined, reinforced confidentiality duties. Lastly, the CNIL considers that the circulation of these reports should be as limited as practically possible in order to limit the risks associated with the scattering of personal data.
Having said that, it would seem that analytical or statistical data that is derived from the report can be made available to an oversight person or group outside of France provided the proper precautions regarding the identity of the individuals named in such reports are followed. The Guidelines do not seem to exclude the possibility that an oversight team located outside of France could have the ability to review and evaluate its French operations based upon this statistical data.
4. Due Process to the incriminated person must be ensured.
Lastly, the CNIL will require whistleblowing schemes, in particular the person in charge of the process, to inform any incriminated person (incriminated by a report) as soon as any data concerning him/her is received. The purpose of such quasi-immediate notification to the incriminated person is twofold: (1) to provide him or her with an opportunity to promptly object to his or her data being processed; and (2) to enable him or her to request rectification or deletion, as the case may be.
The CNIL's Guidelines provide guidance to international companies operating in both France and the U.S. on the implementation of whistleblowing mechanisms and should assist them in navigating in the complexities of French and U.S. laws.
What This Means In Other European Countries
A number of European Union Member States, including the United Kingdom, have legislation that addresses whistleblowing in the workplace and acknowledges the need for employees to disclose the improprieties of others in relation to required standards of conduct. However, in other countries there is historical unease over the concept of encouraging individuals to inform against others. Now that the CNIL has adopted the Guidelines that promises to make global compliance more achievable, it is likely that other European nations will adopt a similar solution. Data protection authorities in other European countries (such as Spain and Switzerland) are already looking into the whistleblower issue, and it is likely that data protection authorities in other countries (such as Belgium) would likely adopt the French position. Lastly, the Guidelines will probably add more pressure on the European Commission which was already under substantial pressure to adopt an opinion on the issue.
The situation that arose earlier this year for the German subsidiary of a major U.S. company in Germany, where its implementation or attempt to implement hotlines was brought to a halt by a decision from a German court, differs in certain ways from the situation that McDonald's faced in France (see footnote 2). In the German decision, the ruling that the hotline was illegal arose from the fact that it had been implemented by the company without addressing Section 87 Right of Co-Determination under the German Works Council Constitution Act (Betriebsverfassungsgesetz – BetrVG). In other words, had the company in question first consulted with the Works Counsel - who have a right of co-determination in "matters relating to the rules of operation of the establishment and conduct of employees," it cannot be ruled out that the German court may have upheld the whistleblowing hotline and found it to be lawful under German laws.
The recent European decisions and confusion surrounding hotlines in the various European jurisdictions only emphasize the genuine and urgent need of an intervention from the European Commission.
U.S. employers having operations in France and which are required to set up such whistleblowing schemes should, of course, consult with their employment attorneys to ensure of the compliance of the reporting system under both French and U.S. laws, as well as the laws of other European nations.
1All U.S. companies are required to set up hotlines under the Sarbanes-Oxley Act.
2The Act prohibits the collection of information about an individual based on anonymous accusations. The CNIL had on May 26, 2005, rejected whistleblower programs proposed by McDonald's Corp. and Exide Technologies.
3The Sarbanes-Oxley Act requires only that hotlines be established to allow employees to report accounting or internal-control violations.
4Whistle blowing schemes restricted to financial and corruption categories will receive automatic approval from the CNIL, while other schemes will be reviewed on a case by case basis.
Garry G. Mathiason is a Shareholder in Littler's San Francisco office and is the chair of the firm's Corporate Compliance practice group. Ariel D. Weindling is an Associate in Littler's Los Angeles office and holds law degrees from schools in France, Belgium and the United States. Mr. Weindling is licensed to practice law in Belgium as well as California. If you would like further information, please contact your Littler attorney at 1.888.Littler, firstname.lastname@example.org, Mr. Mathiason at email@example.com or Mr. Weindling at firstname.lastname@example.org.