The Clash of Global Privacy and Whistleblower Rules
Some businesses, including public companies that must meet US Sarbanes-Oxley (SOX) requirements, have established ways for employees to report suspected improper internal activity on an anonymous or confidential basis. Whistleblower hotlines are one way for companies to channel internal suspicions and gripes, both to catch and address improper activity if it is occurring and to give employees an in-house channel for complaints and questions about activity that appears suspicious or improper.
At the same time that efforts have increased in this direction, global privacy rules limit cross-border flows of personal data unless specific protections for employees, and measures to protect the confidentiality of employee data, are in place. Prior issues of the Frost Brown Todd Privacy Update have addressed European, Canadian and Japanese rules that differ from the multifaceted US approach to personal data protection.
This clash of interests led the French Data Protection Authority (Commission Nationale de l'Informatique et des Libertés, or CNIL) to issue guidance in November 2005 that affects US businesses with employees in France. The CNIL ruled in two cases initiated by firms that sought its approval of whistleblower programs they wanted to establish in France.
The two proposing firms (McDonald's France and battery maker Compagnie Européenne d'Accumulateurs) proposed to implement a broad whistleblower program for their French employees, which would effectively give them the same rights and protections afforded to US employees. The source of the initiative was compliance with SOX rules that aim to let employees complain internally about suspected corporate wrongdoing without fear of retaliation.
The CNIL’s guidance distinguishes between financial sector activities and other matters. Financial sector activities include issues of accounting, auditing, banking records and anti-corruption measures. These are at the core of what SOX is intended to address. The CNIL declared that allowing French employees to blow the whistle on financial indiscretions is permitted, notwithstanding French (and European) privacy rules regarding release of personal data. For activities beyond the financial sector, however, the CNIL declared that whistleblowing provisions should not be created or implemented by firms in a way that lets French employees transmit personal data to others.
The CNIL guidance specifies that firms should not use whistleblower mechanisms to permit transmission of information on a variety of other topics, such as alleged violation of non-financial laws, internal rules of conduct or ethics, or personnel complaints. An example would be a French worker complaining that Mme. Jovair was making improper sexual advances towards a subordinate. The CNIL is also clear that whistleblower systems should not be designed to solicit anonymous tips or comments, and that companies should not encourage anonymity in communications. An example is an unsigned note that Mr. Franck was stealing from petty cash.
If a US company (or a non-US company trying to comply with SOX) receives an anonymous tip, which is a practical certainty once a system is established, it is expected to have, and to supervise compliance with, specific procedures for managing the information received and any action taken on it. Without such specific steps, the CNIL has said it will investigate and take action against a system that runs afoul of French privacy rules.
The clash of policy interests evident in the CNIL ruling is not simply a bureaucratic measure to bridge conflicting statutory language. Instead, it represents a cultural cross-Atlantic difference between competing regimes about privacy. The concept of whistleblowing, which has gained general acceptance in the United States, runs counter to historic French social principles concerning defamation (and frankly, to US due process notions that one should be able to confront one’s accuser). A French trial court in September 2005 ordered a US firm’s French subsidiary to withdraw a whistleblower system that it began earlier that year for SOX purposes, declaring that anonymous communications were antithetical to French law and practice. CE BSN-Glasspack v. BSN-Glasspack, T.G.I. Libourne, R.G. 05-143, Sept. 15, 2005.
Both US firms with European operations and non-US firms whose securities are traded on US markets should review their whistleblower and privacy policies and procedures. European and other countries' rules differ in their specifics, but the laws of many countries are generally similar in intent and scope to the French rules. The quest for a global privacy compliance policy continues and becomes more complicated.
For the text of the CNIL Whistleblower guidelines, see http://www.cnil.fr/fileadmin/documents/La_CNIL/actualite/CNIL-docori-10112005.pdf