CNIL issues guidelines

10 January 2006

Nick Aries

In Issue 7 (November 2005) of this Newsletter, we reported that the French Data Protection Authority (CNIL) had launched an extensive consultation process on the implementation of whistle-blowing schemes in France. Following this consultation, on 15 November 2005 the CNIL published guidance setting out key conditions that whistle-blowing schemes should meet in order to conform to French Data Protection law. The CNIL is still in discussions with the SEC and other experts to make sure the guidance is compatible with the Sarbanes-Oxley Act.

At the moment whistle-blowing schemes must be pre-authorised by the CNIL; the CNIL has promised a further decision, which will grant a class authorisation to schemes that follow its guidance.

The key recommendations in the current decision are:

  • Restricting the scope of the scheme to accounting, auditing, financial and anti-corruption matters. Any scheme whose scope goes beyond this will have to be individually authorised by the CNIL (rather than being subject to the group authorisation decision referred to above). This would be the case e.g. for schemes covering general compliance with the law, with internal rules, and with codes of conduct
  • Discouraging anonymous whistle-blowing: the reporting employee ought to be identifiable. In this way, the CNIL hopes to avoid/minimise the risk of slanderous denunciation. The CNIL recognises that anonymous reporting could still occur in reality, though it recommends that such reporting is treated with special caution
  • Setting up a special department to deal with and respond to whistle-blowing. This would help to restrict the field of circulation of the allegations
  • Informing the alleged wrongdoer of the reported allegation as soon as measures have been taken to ensure, among other things, the preservation of evidence needed to investigate the allegation. This allows the person identified to respond to the allegation

The guidance goes some way to resolving in France the conflict between the duty on US-owned companies to introduce anonymous reporting schemes and the need to comply with data protection law. This is a problem that is being encountered throughout Europe (see e.g. comments in this issue’s article from Germany on the Wal-Mart decision). The French guidance is significant because it is expected to form the basis of the official line taken by the Article 29 Working Party (the independent European advisory body on data protection and privacy) in this area.

The full French text of the guidance document is available here. An English-language version is available here.