French Appeals Court Suspends U.S. Company's Whistleblower Program

On September 23, 2011, the Labor Chamber of the Court of Appeals of Caen (the “Court”) upheld a decision to suspend a whistleblower program implemented by a U.S. company’s French affiliate, despite the fact that the French Data Protection Authority (the “CNIL”) had inspected and approved the program prior to implementation. This decision follows recent amendments to the legal framework for whistleblower programs in France.

The Court suspended the program on the grounds that the company’s employee representative groups (i.e., the Works Council and the Employees’ Hygiene & Safety Committee) had not been duly consulted before the final version of the whistleblower program was put in place. Notably, the Court also found that:

  • Information appearing on the whistleblower hotline’s homepage was inconsistent with the company’s whistleblowing standard operating procedure. In particular, the French version of the website did not clearly limit the scope of reports to reflect French legal requirements, and allowed employees to report all sorts of “suspected bad behavior and other problems” or “compliance issues relating to the company’s code of conduct and ethics policies.”
  • Although the standard operating procedure encouraged hotline users to identify themselves in accordance with the CNIL’s single authorization AU-004, the website seemed to promote anonymity in reporting.
  • French employees had not been properly informed about their rights. For example, neither the standard operating procedure nor the website clearly mentioned the right to access and rectify or delete personal data.

Read the Court’s decision (in French).
