French Data Protection Authority Issues Frequently Asked Questions Regarding Whistleblowing Programs

Codes of Conduct that contain whistleblowing provisions, such as those implemented pursuant to the Sarbanes-Oxley Act, are likely to raise issues under the European Data Protection laws and, in particular, French law. On March 1, 2006, the French Data Protection Authority (Commission nationale de l’informatique et des libertés or CNIL) issued Frequently Asked Questions (FAQ) in which it answers questions concerning the implementation of whistleblowing programs by employers. The FAQ provides clarification of the guidelines CNIL issued on November 10 and December 8, 2005 regarding compliance of employer whistleblowing programs with the Act of 6 January 1978 on Data Processing, Data Files and Individual Liberties. We have prepared an English translation of the FAQ, which can be downloaded from our Web site by clicking here.

The FAQ describes whistleblowing programs as those set up by a private or public entity to encourage employees to report problems that could seriously affect the entity’s activities or involve its responsibility. According to the FAQ, whistleblowing programs may be complementary to, and are not intended to supplant, other forms of internal organizational monitoring such as auditing. The FAQ notes that employee participation in whistleblowing programs is voluntary, and that employers may not require employees to use whistleblowing programs. Significantly, whistleblowing programs must be authorized by CNIL before they are implemented.

For the full story, please view the PDF.