Sarbanes-Oxley and whistle-blowing hotlines

Following its two rulings that refused to authorise the implementation of “ethics lines” on 26 May 2005, the French Data Protection Authority (CNIL) has launched an extensive consultation process. The aim is to find a suitable means for French subsidiaries of US companies to meet their obligations under the Sarbanes-Oxley Act, whilst still conforming to French Data Protection law. Both American and European authorities have been consulted on this topic, as well as French companies affected by the decisions.

Christophe Pallez, Secretary General of the CNIL, has pointed out that the May decisions were based on the facts of the two cases, and do not amount to a complete ban. He highlighted the following as five key elements to consider in deciding what would make a whistle-blowing scheme acceptable under French Data Protection law:

a) anonymity – should a special scheme be in place?

b) scope – should this extend to financial and auditing information, or beyond?

c) circulation of information – should there be a limited circle, e.g. just within France, or wider?

d) when should the data subject be informed?

e) how long should the information be retained?

The CNIL is preparing its report and hopes to publish its guidance on the issue by the end of October 2005. (For more information about the May decisions themselves - McDonald’s and La Compagnie Européenne d’Accumulateurs - please see the article by Hélène Lebon and Nathalie Lambert in the previous edition of this newsletter.)

Employee vehicle tracking

Meanwhile, the CNIL is also consulting on the separate issue of location data regarding employees. In particular, the ability to locate an employee by establishing the exact position of his vehicle is under consideration. Whilst such initiatives might allow more effective tracking of merchandise, and improve security of individuals and of goods, they overlap into the realm of surveillance since they provide information on hours kept by an employee, routes used, and even the speed of the vehicle. This calls into question what level of control over employees is acceptable. It also raises an issue about the dividing line between working life and private life.

As a result, the CNIL has been consulting with Trade Unions, professional bodies, government departments and businesses in order to make a recommendation about the acceptable use of such location data. In particular, the CNIL envisages addressing: the retention period for the location data; who will access the data; how the information on the speed of the vehicle is dealt with; and what security measures should be in place.