Online Whistleblowing Platform Must Be Strictly Set-Up for Not Accepting Reports going beyond the CNIL's Simplified Authorisation


On September 23, 2011, a French Court of Appeal (the “Court”) declared illegal and suspended a whistle-blowing system put in place by Benoist Girard (the “Company”) which had been notified to the CNIL in accordance with its whistleblowing guidelines.
As required by the American Sarbanes-Oxley Act of 2002, the Company (a former subsidiary of an American medical equipment manufacturer) had put in place a whistle-blowing system which allowed American employees and those of foreign subsidiaries to denounce any fraud and embezzlement brought to their knowledge. 
The French Data Protection Authority (the “CNIL”) had limited the introduction of whistle-blowing schemes. Under the CNIL’s guidance, such systems are only lawful if:

  • they meet the “simplified authorisation” requirements issued by the CNIL via its resolution of the 8th of December 2005. In this situation, reports are limited to accounting, finance, banking, and bribery/corruption. The system must not encourage anonymous reports amongst other matters; or

  • a prior-authorisation from the CNIL is obtained. This approach is designed for whistleblowing systems which do not fall within the scope of the simplified authorisation.

The Company had followed the simplified authorisation approach. Despite this authorisation and a CNIL on-site investigation of the whistle-blowing system which confirmed that the scheme was in line with the CNIL’s requirements, it has been declared illegal by the Court.
The facts of this case are interesting. The Company’s world-wide whistle-blowing system is provided by an external provider, Ethics Point. It is the online whistle-blowing platform of the scheme which was at issue here.
In order to conform to the CNIL’s requirements, “questions of vital interest to the company” and “subjects of concern” were removed from the topics available for report in the online French ‘menu’. But they remained active if, on the US site, you clicked “France” on the list of proposed countries. In this manner it was still possible to make reports not part of the CNIL’s authorisation. Furthermore, the Ethics Point system was designed on the basis of anonymity. This had been maintained despite the CNIL recommendations not encouraging such possibility.
Our Recommendation: Entities relying on the CNIL’s simplified authorisation must therefore carefully review the functionality of the online whistle-blowing platform and/or make sure that third-party provider strictly complies with the CNIL’s requirements. Systems must be strictly set-up not to accept French reports which go beyond the scope of the simplified authorisation.