CNIL refuses to authorise the implementation of ethics lines

12 July 2005

Hélène Lebon, Nathalie Lambert

The introduction of the Sarbanes-Oxley Act means that companies listed on the New York Stock Exchanges must implement measures that allow their employees to anonymously report any behaviour that does not comply with standards of professional integrity.

Accordingly, McDonald’s France and La Compagnie Européenne d’Accumulateurs, two French subsidiaries of American plcs, submitted registration requests to the French Data Protection Authority (“the CNIL”). These related to “ethics lines”, or professional integrity projects, designed to allow employees to warn the management of the company or parent companies concerned, by telephone, e-mail, fax or letter, of practices or behaviour by other employees which they considered to have failed to comply with current laws or internal company rules.

In two decisions dated 26 May 2005, the CNIL refused to authorise these processing requests, having considered the following:

  • An ethics line falls within the scope of the French Data Protection Act (“the Act”) provided that the French subsidiary is the data controller of the associated processing of personal data. This is particularly the case where investigations are conducted about specific employees who are named via an ethics line. Therefore, ethics lines must comply with the provisions of the Act.
  • Ethics lines and associated processing must receive prior authorisation from the CNIL as a result of article 25-I 4° of the Act because if named employees are found to be at fault, such processing may lead to them losing their job.
  • An ethics line is, in principle, contrary to the Act as it could lead to an organised, professional whistle-blowing system. In particular, the CNIL pointed out that the ability to make an "ethical warning" anonymously could only increase the risk of slanderous denunciations. Furthermore, the CNIL deemed that the systems presented were disproportionate with respect to the intended purposes. Indeed, other means, provided for by law, already exist to ensure compliance with legal provisions and rules fixed by companies, e.g. increasing employees’ awareness through information and training, the audit and warning role of statutory auditors in financial and accounting matters, and bringing an action before the labour inspectorate or the competent courts.

Finally, the CNIL emphasised that employees named via an ethics line are not informed of the recording of the data questioning their professional or personal integrity and therefore cannot object to processing of their personal data. The acts of collecting and processing this data, which could potentially include details of criminal offences, can therefore be considered as unfair.