La Revue Squire

Is France against whistleblowing ?


Rédigé par Frédéric Saffroy le 20 Janvier 2006


In the ongoing love-hate relationship between France and the US, France is once again at the forefront of the Résistance against the effect of US legislation on European domestic legislation and social and cultural behaviour. The latest controversy concerns whistleblowing procedures which must be implemented in all companies listed on a US stock exchange as a result of the Sarbanes-Oxley Act of 2002.

In May 2005, the French Data Protection Agency (“CNIL”) refused to approve two whistleblowing procedures set up by US companies. These decisions were unsurprising given France’s historical reluctance to implement a legal framework for this practice. The cultural background to this position is the occupation of France during the Second World War and an ongoing sensitivity to any form of denunciation. There are also reservations about whistleblowing in other EU countries due to recent or historical experience of informers in totalitarian or autocratic states. The CNIL’s decisions, confirmed by a French Court decision in September 2005, came in the middle of a public debate on the implementation of a corporate Code of Ethics that some unions consider to be illegal.

However, a more flexible position was adopted in November 2005 when the CNIL released a set of guidelines that will (i) form the basis of its rules which will be published in January 2006; and (ii) form the basis on which the Article 29 Data Protection Working Party is expected to adopt a pan-European position on whistleblowing.


The implementation of whistleblowing procedures in France raises issues in three areas of French law:
(i) General criminal law (see § 1.)
(ii) Labour law (see § 2.); and
(iii) Data Protection law (see § 3.).

1. GENERAL CRIMINAL LAW

1.1 General provisions of the French criminal law concerning denunciation

In France there is no general obligation of denunciation except in relation to crime. Importantly, this kind of denunciation can only be made to the public prosecutor or to the police and failure to report a crime could lead to criminal prosecution (section 223-6 of the Code penal – Criminal Code).

There are certain individuals and organisations that are legally obligated to inform the public prosecutor of any violation of law which constitutes a misdemeanour (“delit”) under French criminal law. Chartered accountants and statutory auditors as well as attorneys and bailiffs amongst others, have a specific duty to report to the Ministre du commerce any sum or transaction suspected of being related to illegal drug trafficking, terrorist activities, corruption or any other organised criminal activity (section L. 562-2 of the Code Monétaire et Financier – Monetary and Financial Code). Any other legal entity or individual whose professional activities involve dealing, managing or controlling investments is obliged to report to the public prosecutor any financial transaction he knows or suspects to originate from any illegal source (section L. 562-1 of the Code Monétaire et Financier).

Subject to the above, French law dictates that employees cannot be mandated by their employer to blow the whistle.

1.2 Defamatory denunciation

The dangers of whistleblowing procedures include:

(i) a whistleblower uses the procedure to maliciously denounce a colleague with false information;
(ii) the whistleblower provides facts which are unproven and/or unsupported by sufficient evidence.

Article L. 226-10 of the Code Pénal provides:

“A denunciation made by any means and directed against a specific individual, of a fact that is liable to cause judicial, administrative or disciplinary sanctions and that the maker knows to be totally or partially false, where it is sent either to a judicial officer or to a judicial or administrative police officer, or to an authority with power to follow it up or to refer it to the competent authority, or to superiors or to the employer of the person concerned, is punishable by five years’ imprisonment and a fine of € 45,000.”

In view of the above, if a company implements a whisteblowing procedure it could conceivably be deemed an accomplice to the whistleblower under section L. 121-7 of the Code Pénal and thus subject to the same penalties as the errant whistleblower.

2. LABOR LAW

2.1 Monitoring and control of employees

Section L. 120-2 of the Code du travail (Labour Code) prohibits employers from restricting individuals’ rights unless justified by the employees’ duties or proportionate to the employer’s purpose. The employer is nevertheless entitled to monitor and process sound and data in relation to employees. However, under the provisions of this article, the data must be adequate, relevant and not in excess of the purpose for which it is processed.

2.2 Informing and consulting the Works Council

The reasons for obtaining the data must be clear and legitimate, and surveillance and monitoring systems must be implemented prior to data collection. Section L. 432-2 of the Code du travail states that the Works Council must be informed and consulted prior to the implementation of any significant project with regard to new technologies which could impact upon employees’ employment, qualification, remuneration, training or labour conditions. Information in relation to such a project must be communicated to the Works Council one month prior to the meeting on the proposed technology.

The Code du travail states that the Works Council must be consulted prior to the automatic processing of data and/or modification to the processing systems (section L. 432-2-1 of the Code du travail). This obligation is also applicable if any method or system is implemented which allows for employees to be monitored. Non-compliance with these provisions constitutes a criminal offence of impediment to the Works Council missions (called “délit d’entrave”) for which an employer could be liable to one year's imprisonment and a fine of 3,750 euros (section L. 483-1 of the Code du travail).

NB : It should be noted that in relation to a similar German provision a German Labour Court ruled on 15 June 2005 that a Wal-Mart whistleblowing hotline was illegal because it was implemented without first consulting the Works Council. In relation to the telephone hotline, the Court stated that :

(i) the company’s Code of Ethics contained a whistleblowing procedure and threatened disciplinary action in case of breach and therefore required Works Council consent; and

(ii) the telephone hotline constituted technical equipment designated to monitor employee conduct which also required prior consent from the Works Council.

2.3 Amendment to the Règlement Intérieur

The Règlement intérieur (Internal Regulations Handbook) sets out an employer’s disciplinary rules and potential sanctions for non-compliance (section L. 122-34 of the Code du travail). From a French labour law perspective whistleblowing may have consequences for the denounced individual if the information is correct, but also for the whistleblower if the information turns out to be inaccurate. Both actions can be penalised under the Règlement intérieur. It is therefore necessary, if a whistleblowing procedure is implemented, to amend the Règlement intérieur.

Under French labour law the Règlement intérieur cannot be implemented or amended unless it complies with the following:

- it must first be submitted to the Works Council, or if a corporation does not have a Works Council to the employees' representatives;
- it must be submitted to the Health & Safety Committee for approval on matters related to its competence (see German case above);
- it must be communicated to the Labour Inspection; and
- it must be notified to the secretariat-greffe of the Conseil des prud'hommes (Labour Court).

2.4 Protection in France of employees who report certain offences

Employees are entitled to report the following misdemeanor offences: discrimination, harassment and sexual harassment. The Code du travail states that employees cannot be sanctioned for “testifying” or “reporting” facts in relation to these offences. Such a report can be made to any trade union of the company that is then allowed to sue the alleged defendant (section L. 122-45 and seq. of the Code du travail).

2.5 The 15 September 2005 decision of the Tribunal de grande instance of Libourne

On 7 July 2005, a case was brought before the Tribunal de grande instance (First Instance Civil Court) in Libourne (Gironde) for summary proceedings (fast track, known in France as "référé") by the local branch of a national Trade Union (the “CGT”) and the Works Council against the French subsidiary of BSN Glasspack. The Works Council had been informed about the process and the dedicated tools and were not satisfied with company's answers and the risk of anonymous denunciations.

The Court order (“ordonnance”) was issued on 15 September 2005 and stated that regardless of the ultimate treatment of information received on a hotline, there was a risk of employees being anonymously denounced, having an internal investigation launched against them and being the subject of sanctions without ever having been given the right to defend themselves. Moreover, the Court said that the present system (i.e. the hotline), like the one that was planned for BSN Glasspack’s factory in France, with the concomitant risks of slanderous denunciation, seemed disproportionate to the objectives of the US law.

The Court also said that the mere possibility of damage to an employee, who could be a victim of anonymous denunciation made by the means of a private and uncontrolled system that cannot be justified by the interests of the company, is sufficient to impose interim measures. As a protective measure, the judges ordered the Company to remove controversial notices from the notice boards until a full ruling is issued. Interestingly, the Court indicated that an agreement with employee representatives in relation to the methods of enforcing US legal requirements would be acceptable if it also complied with French law.

3. DATA PROTECTION IN FRANCE AND THE DECISIONS FROM THE CNIL

3.1 The CNIL’s decisions dated 26 May 2005 (Mc Donalds & CEAC)

On 16 June 2005, the CNIL published two decisions of 26 May 2005 in which it refused to authorise the processing of personal data obtained by means of whistleblowing systems through which employees could report wrongdoing or misconduct on the part of their colleagues.

The systems in question were to be implemented by the French subsidiaries of American companies in accordance with the Sarbanes-Oxley Act of 2002. The requests for authorisation concerned systems which permitted employees to disclose any practice or behaviour of other employees which might be in breach of binding corporate rules or the company’s code of ethics to the managers of the subsidiary or parent company by telephone, email, fax or post.

In its decisions, the CNIL made the following points:

a. The systems in question were disproportionate with regard to
(i) the purpose of the personal data processing; and
(ii) the risk of false accusations.

b. The employees that are the subject of a disclosure are neither informed of the allegations that bring their professional integrity into question at the time the disclosure is made nor do they have the ability to object to the processing of their personal data. The method of collecting and processing this data could therefore be regarded as unfair.

c. The ability to implement this ‘ethical alert’ on an anonymous basis would only increase the likelihood of false accusations.

It should be noted that the CNIL refused the request for authorisation from McDonald’s France even though:

- the transfer of data to the USA was to be governed by a framework agreement on the transfer of data; and
- the use of the “alert system” was optional.

The CNIL also refused an authorisation request from Compagnie Européenne d’Accumulateurs (CEAC) (a subsidiary of Exide Technologies) despite the fact that disclosures would have been made to an American service provider acting on behalf of the parent company and that, as the calls were going to be made in French, a second American service provider would also have intervened.

The CNIL’s decisions prohibited the implementation in France of any system, process, procedure or policy through which employees denounce the behaviour of their colleagues and involving the processing of personal data.

Furthermore, any provision in an employment contract obliging the employee to report to senior management any wrongdoing is also likely to be unenforceable, if not unlawful, under French law unless the employee is subject to a specific statutory obligation to report misconduct by virtue of his or her senior status (see § 1.1 above).

3.2 The CNIL’s Guidelines for the implementation of whistleblowing schemes
(10 November 2005)

Following its refusal to authorise the whistleblowing procedures described above, the CNIL launched a consultation on the matter with the SEC, the French Ministry of Labor and others concerned about whistleblowing procedures (businesses, lawyers, trade unions, etc.). The result of the consultation was a set of guidelines published by the CNIL on 15 November 2005.

The following principles form the basis on which the CNIL will approve or refuse a whistleblowing scheme :

The whistleblowing scheme must be based either on a French legal requirement or on the legitimate interest of the company - such as the obligation to comply with a foreign legal requirement. The CNIL considers that the Sarbanes-Oxley Act falls within the latter category.

Only whistleblowing schemes relating to the following four areas will be automatically acceptable:
- banking;
- accounting;
- the fight against corruption.

Whistleblowing schemes relating to anything else will be considered on a case-by-case basis.

The use of the whistleblowing systems should not be optional.

Only certain categories of employees can be involved in a whistleblowing scheme, i.e. employees involved in banking, accounting, finance or corruption.

The CNIL does not prohibit anonymous whistleblowing but states that anonymous reports should be subject to specific precautions.

Information on the whistleblowing procedure must be clear and extensive.

One or more individuals must be responsible for the scheme. If the whisteblowing scheme is administered by an external entity, then the CNIL states that the contract for services should contain: (i) a strict duty of confidentiality; (ii) measures to avoid the data being used for other reasons; (iii) a limited data retention period.

In relation to the retention of data, the CNIL states the following:

- any data relating to a report which is found to be unsubstantiated must be deleted immediately ;
- data that required verification should not be kept for more than two months after the verification work is finished ;
- as soon as a report leads to disciplinary action or a court proceeding, the data may be retained for as long as necessary.

Data collected in a whistleblowing scheme can be communicated to another company or organisation within the group of companies only if this is necessary because of the nature of the whistleblowing scheme or the nature of the data collected. Data transferred outside the European Union must comply with relevant international data transfer regulations.


These are the principles that the CNIL has outlined for the implementation of a whistleblowing procedure. It should be noted that these guidelines do not consider employment law or other applicable legislation.

It is therefore important to note the following :

To the extent that the whistleblowing scheme affects employees’ duties (work contract, collective labour agreement, internal rules etc.) there must be preliminary consultation and information sessions with the relevant employee representatives.

If information collected from a whistleblowing scheme in France is required for a foreign legal proceeding (whether or not in the EU) then it must be transferred to the relevant authority in the jurisdiction in compliance with international conventions (i.e. the Haye Convention of 1970). If these procedures are not complied with then the person or persons who transmitted the information could be liable under the law of 26 July 1968 (blocking statute) to 6 months imprisonment and a fine of 18,000 euros.








Vous souhaitez recevoir nos articles par mail, saisissez ci-dessous votre adresse mail :
















Rester Connecté
Rss
LinkedIn
Twitter




Si vous souhaitez recevoir par email, dès leur mise en ligne, tous les articles publiés sur La Revue, saisissez ici votre adresse :