French Employment Minister’s report challenges CNIL’s position on whistleblowing

28 June 2007

Ariane Mole

On 6 March 2007, a report commissioned by the French Employment Minister, Gérard Larcher, was published. It included proposals to help ensure that whistleblowing activities comply with French employment law.

The report is striking because its author’s position on whistleblowing is markedly different from that of the CNIL, the French data protection authority.

1) The report only agrees with the CNIL's position in two regards

  • Employees cannot be forced to use the whistleblowing system;

  • Providing whistleblowers with guaranteed confidentiality is preferable to granting them anonymity.

2) The report favours specific protection of whistleblowers

In contrast to the CNIL, the report proposes that whistleblowers should be protected by the inclusion of new provisions in the Labour Code. This protection would be similar to the protection against harassment currently provided under French law.

3) The report’s definition of a whistleblowing system is different to the CNIL’s

The CNIL’s position is that whistleblowing systems simply collect and handle alerts and that these systems must be technical in nature (even if quite basic). For example, a specific telephone number or email address would constitute a whistleblowing system for the CNIL’s purposes. However, the CNIL does not consider that procedures for informing an individual of suspected maladministration (for example a line manager, employee representative or internal compliance manager) would constitute such a system within the scope of the French Data Protection Act.

By contrast, the definition proposed by the report is wider; any alert arrangements will constitute a whistleblowing system, irrespective of the communication channel used. The report’s position is that any arrangements enabling employees to alert their chief executive officer or compliance officer to actions which may damage the business will constitute a whistleblowing system.

4) The report proposes widening the definition of whistleblowing

On 8 December 2005, the CNIL proposed that whistleblowing mainly referred to employees raising an alert on potential breaches of financial and banking legislation - "financial, accounting, banking, auditing and the fight against fraud." This was in line with the provisions of the Sarbanes Oxley legislation in the US. The CNIL also considered that "facts which compromise the vital interests of the company or physical or psychological integrity of its employees" could be disclosed.

However, the Minister’s report goes beyond this and recommends that whistleblowers could also draw attention to breaches of ethical or corporate governance regulations provided that these breaches seriously prejudice the company’s interests. The report’s position is that, rather than limiting whistleblowing by specifying categories of breach, the key issue to consider is the seriousness of any given breach and the potential damage that could be incurred.

The report does not indicate what breaches should be included in any whistleblowing system. However, it does suggest that each company should draw up a list of breaches either in the form of a negotiated agreement or an employer’s decision after it has consulted with the relevant trade union or employee representatives and informed the labour inspector.

5) Conclusion

The French Employment Minister has not yet confirmed whether he intends to implement the findings of this report. Whether or not he does, the fact that the report differs from the CNIL’s position on a number of issues is likely to spark further debate, particularly in terms of defining the kind of company actions which could be subject to whistleblowing procedures.

Legally, the report's proposals are not incorporated into the Labour Code and the criteria defined by the CNIL will continue to apply. If companies do not comply with the CNIL’s criteria, the CNIL can effectively prevent them from setting up whistleblowing procedures. This is on the basis of Article 25-I,4° of the French data protection law which gives the CNIL authority over automated data processing which is implemented as part of a whistleblowing system where no other statutory or regulatory provisions apply.

Authors