In a decision published on February 11, 2014, the French Data Protection Authority (CNIL) has for the first time adopted truly sweeping changes to its Single Authorization No. 004 on Whistleblowing.
The CNIL has vastly simplified formalities for most employers by allowing companies that are not subject to Sarbanes-Oxley Section 301(4) to be eligible to self-certify their hotline compliance under the Single Authorization. The CNIL has enlarged considerably the scope of permissible whistleblowing subjects to include workplace discrimination, harassment and safety, as well as environmental protection. The CNIL has also modified its requirements for anonymous hotline reports.
Historically, the CNIL has been exceptionally circumspect about whistleblowing. The enactment of Sarbanes-Oxley (SOX) in 2002, a consequence of the Enron scandal that unfolded in the U.S. in 2001, required publicly-listed U.S. companies and their French subsidiaries to set up anonymous whistleblowing hotlines. The CNIL took the position that anonymous whistleblowing hotlines were not proportionate to their purported purpose and created risks that employees would be slandered. These opposing viewpoints put publicly-owned U.S. groups with French subsidiaries between the proverbial “rock and a hard place”, essentially ensuring those groups would have to choose between violating SOX, or violating French data protection law.
In 2005, the CNIL found a solution by adopting Single Authorization No. 004, providing a blanket authorization for whistleblowing systems that adhere to a strict set of conditions set forth by the CNIL. Among those conditions: Being subject to SOX Section 301(4), and limiting the scope of permissible reportable subjects to SOX requirements, e.g., accounting irregularities, as well as finance, banking and anti-bribery violations. Single Authorization No. 004, like all CNIL Single Authorizations, also had the critical advantage of allowing employers to self-certify, in a short and simple form, their compliance with the conditions set forth by the CNIL. Hotlines not meeting those conditions require a specific authorization from the CNIL (a much more complicated and lengthy process).
In 2010, partially as a response to increasing specific authorization requests, the CNIL expanded Single Authorization No. 004 to include companies governed by Japanese SOX, and subjects related to competition (anti-trust) violations.
With whistleblowing hotlines gaining credibility as a necessary element of an effective compliance program, there has been an explosion in the number of specific authorization requests for whistleblowing hotlines: Almost 100 hotlines were authorized by the CNIL in 2012 and 2013. This number should decrease in 2014 because revised Single Authorization No. 004 will apply far more broadly than its predecessors. The CNIL has also clarified requirements for anonymous reports, providing that persons filing reports must identify themselves, but that a report from a person who wishes to remain anonymous can be accepted if the seriousness of the alleged facts is demonstrated, if those facts are sufficiently detailed, and if the report is processed with additional precautions such as a preliminary examination by a sole reviewer.