French Data Protection Authority Revises Authorization on Whistleblowing Schemes

On October 14, 2010, the French Data Protection Authority (the “CNIL”) adopted several amendments to its single authorization AU-004 regarding the use of whistleblowing schemes (the “Single Authorization”).

Since 2005, companies in France have been required to register their whistleblowing schemes with the CNIL, either by self-certifying to the CNIL’s Single Authorization or by filing a formal request for approval with the CNIL. Companies that self-certify to the Single Authorization make a formal undertaking that their whistleblowing scheme complies with the pre-established conditions set out in this authorization. In particular, the scope of the Single Authorization is limited to the following specific areas: finance, accounting, banking, the fight against corruption and compliance with Section 301(4) of the Sarbanes-Oxley Act. Under the revised framework, the CNIL has extended the scope of the Single Authorization to include the prevention of anti-competitive practices and compliance with the Japanese Financial Instrument and Exchange Act.

Furthermore, the CNIL deleted a provision of the Single Authorization that previously authorized companies to use their whistleblowing hotline to report facts that did not fall within the pre-established scope but nevertheless posed a threat to the “vital interests” of the company.  This deletion complies with a French Court of Cassation decision from December of last year, in which the Court ruled that the CNIL’s Single Authorization restricted the use of whistleblowing schemes to the limited scope prescribed by it, and did not authorize extensions of such schemes to other areas.

Finally, companies that have already registered their whistleblowing schemes with the CNIL have up to six months, starting from the publication of these revisions, to comply with these new rules and amend their schemes if needed.

For more information, view the amendments to the CNIL’s Single Authorization (in French).
