December 3, 2014
Following the adoption of the Sarbanes-Oxley Act on July 30, 2002, companies publicly listed on US stock markets have to implement — including in their foreign subsidiaries — internal control mechanisms, such as whistleblowing procedures, in order to prevent malpractice, mismanagement or misconduct.
French law has imposed strict conditions on the implementation of such whistleblowing procedures in France. Accordingly, French subsidiaries of US-listed companies and French companies listed in the US must adapt their whistleblowing policies in order to comply with such requirements.
A recent decision of the High Court of Caen (Tribunal de Grande Instance) confirms that a whistleblowing procedure implemented in a French subsidiary of a US-listed company that does not strictly comply with such requirements is illegal.
The French Whistleblowing Data Protection Regulation
Amongst the various French regulations applicable to whistleblowing procedures, the French Data Protection Authority has issued a resolution whereby companies must — prior to the implementation of any whistleblowing procedure — identify the areas covered by the procedure. Such areas must, in any case, be limited to the following activities:
In addition, such resolution provides that Companies must clearly inform their employees that the whistleblowing procedure is restricted to specific areas and can only be used to collect objective data relating to such areas.
The High Court of Caen Decision
In 2008, a French subsidiary of a US publicly listed company implemented a whistleblowing procedure allowing any employee to report all conduct or activities that were suspected to be irregular, unethical, or illegal. Reports could be made through a hotline, a website and an email address. The company delegated the management of the hotline as well as hosting of the website to a third-party service provider (Ethics Point).
In accordance with the French data protection rules, the company handed out an information note to the French employees stated that complaints could only relate to the following areas: accounting, finance, banking and the fight against corruption.
However, the website managed by the third-party service provider had no limits with respect to the areas which could be covered by the complaints. In particular, the site generally allowed French employees to "report anonymously any suspected misconduct or other problems to the company." De facto, the complaints could target any French employee regarding facts that did not necessarily fall under the scope of the limited pre-identified areas.
The High Court of Caen considered the whistleblowing procedure to be unlawful, for the reporting system that was available to employees did not clearly set the type of information that could be submitted.
According to the Court, the risk attached was a potential escalation of the reporting device into an organized system of denunciation and false accusation based on facts relating to privacy. In particular, the Court noted that complaints could result, especially if they were made on the basis of information relating to private life, to rumours, behavioural changes of both managers and colleagues, to internal investigations, disciplinary measures against employees or dismissals unrelated to the purpose of the whistleblowing procedure. For the Court, the fact that the selection of the information was made afterwards by the third-party service provider was not a sufficient protection against possible abuse of the whistleblowing procedure by or against the employees.
As a result of the cancellation of the whistleblowing procedure, the Court held that any information collected through the website could not be used for disciplinary measures or dismissals of any employees of the French subsidiary.
Issues to Consider
This decision illustrates the fact that, in order to be valid, a French whistleblowing procedure must, among the other French applicable legal requirements, clearly limit the information that may be reported by employees to the areas previously identified by the company. Moreover, this restriction must be ensured by both the company itself and the third-party service provider used by the company, if any.
Our clients should make sure that such limitations are strictly applied in the context of whistleblowing procedures made available to French employees.
 Tribunal de Grande Instance de Caen (High Court of Caen), second chamber, September 15, 2014, No. 10/00290, Benoist Gérard.
 Resolution No. 2005-305 dated December 8, 2005, as amended on January 30, 2014 –
Single Authorization No. AU-004 of the Commission Nationale de l’Informatique et des Libertés (CNIL).
 If not, the whistleblowing will be subject to a special authorization from the Commission Nationale de l’Informatique et des Libertés (CNIL – the French Data Protection Authority).
Gibson, Dunn & Crutcher lawyers are available to assist in addressing any questions you may have regarding these issues. Please contact the Gibson Dunn lawyer with whom you usually work or the following lawyers in the firm’s Paris office:
© 2014 Gbson, Dunn & Crutcher LLP