Filers Beware! Court of Appeal Rejects CNIL-approved Whistleblowing System


In a decision dated September 23, 2011, the Court of Appeal of Caen suspended the implementation of a whistleblowing system that had been previously authorized by the French Data Protection Agency (CNIL) because, in the court’s view, the system infringed on the individual and collective rights and liberties of the company’s employees.

In the case at hand, the French subsidiary of a U.S. group had, in 2008, implemented a whistleblowing system to comply with SOX requirements in the United States. After various modifications, the CNIL authorized the French subsidiary to implement the system because the program complied with the CNIL’s simplified filing procedure for whistleblowing systems.

Our readers will remember that pursuant to rules in existence since 2010, see our post of December 15, 2010, companies are able to take advantage of the CNIL’s simplified filing procedure for whistleblowing systems as long as the whistleblowing system does not encourage whistleblowers to remain anonymous and is limited in scope to conduct violations in the following areas:

  • accounting;
  • finance;
  • banking;
  • anti-corruption;
  • competition;
  • companies concerned by SOX Act section 301 (4) of July 31, 2002;
  • Japanese SOX of June 6, 2006.

Here, despite the CNIL’s approval of the French subsidiary’s whistleblowing system, the employees’ representatives brought a lawsuit against the subsidiary in the Caen Tribunal of First Instance because they believed the system to be flawed in a number of ways, including the following:

  • the scope of complaints which could be made through the whistleblowing system was too broad: employees could file complaints on any kind of wrongdoings or problems;
  • any Internet user could report wrongdoings about a French employee of that company even if those wrongdoings were outside the scope of the CNIL’s simplified filing procedure;
  • contrary to the simplified filing procedure issued by the CNIL, the whistleblowing system encouraged the whistleblower to remain anonymous; and
  • employees were not sufficiently informed about their access and rectification rights with respect to the data about them.

The Court of Appeal of Caen ruled that the claims made by the employees’ representatives were well-founded for the following reasons:

  • the whistleblowing system was outside the scope defined by the French Data Protection Agency, in large part because it permitted complaints of all kinds;
  • the whistleblowing system had been modified unilaterally by the company without the works council and the health and safety committees being informed and consulted prior to any changes being made.

In light of this new decision, companies implementing whistleblowing systems in France need to make sure that (i) the scope of their whistleblowing systems does not exceed the scope defined by the CNIL in its simplified filing procedure and (ii) they inform and consult employees’ representative bodies prior to making any changes to such systems. Failure to do so may lead to challenges by employees or their representative bodies that will halt the implementation of the offending whistleblowing system in France. This, in turn, may raise various issues in the United States, in particular with respect to SOX compliance, that could have significant legal consequences, since according to Section 301 of SOX, audit committees of listed multinationals have to launch hotlines for the confidential, anonymous submission of employees’ complaints or concerns regarding questionable auditing or accounting matters.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Proskauer - Privacy & Data Security | Attorney Advertising

Written by:


Proskauer - Privacy & Data Security on:

Popular Topics
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.