In a move expected to clear a path for companies seeking to implement whistleblower systems in France that will comply with both the Sarbanes-Oxley Act and French data protection laws, the French Data Protection Agency has set up a means to let companies get the required approval of their systems online.

As expected, the Commission Nationale de l'Informatique et des Libertes (CNIL) has made available online a single authorization for whistleblower systems that comply with its guidelines.

As Compliance Week previously reported (see related coverage in box at right), the CNIL recently rejected the whistleblower systems of two American companies with subsidiaries in France because the systems conflicted with French privacy laws. In November, the French agency issued guidelines to enable U.S. companies to comply with the SOX whistleblower provisions without violating French law. Those guidelines require companies to get approval of their whistleblower systems from the CNIL. Last month, a senior legal advisor of the CNIL said the agency planned to implement an online authorization for systems that adhere to the guidelines.


“Now there’s a fix to the problem and a mechanism to implement the fix,” says Mark Schreiber, partner at Edwards Angell Palmer & Dodge and co-chair of the Privacy Matters practice of the World Law Group, a network of independent law firms that advised on the CNIL guidance. “This is truly an elegant vehicle, much like the U.S. Safe Harbor enrollment process. All the work by the company is behind the scenes and the certification is a Web-based click-through.”

The CNIL reviewed its process with the SEC staff at a December meeting, and “there don’t appear to be any conflicts with SOX,” says Schreiber.

To get approval of whistleblower systems, companies will fill out the online authorization form and submit it to the CNIL. The CNIL will issue a receipt by mail confirming the information. The process takes about two weeks, according to Raphaël Dana, an attorney with Soulier in Paris. (For English translations of the authorization forms, see box above, right).

Scrutiny And Analysis

“With the new authorization, companies can comply with both laws quite quickly,” Dana says. “Even local companies benefit from it, since the authorization is accessible to any French company.”


“The single authorization decision goes a considerable way to solving the problems that many companies have been having in complying with the SOX and French data protection laws,” says Robert Bond, partner and data protection expert at London-based Faegre & Benson, and co-chair of the WLG Privacy Matters practice.

While Schreiber and others say the authorization process is simple, they stress that the work required to adhere to the CNIL guidelines is not as easy.

“There’s a lot of work any company wishing to do this has to employ beforehand,” Schreiber says. “This doesn’t minimize the amount of scrutiny and analysis companies and counsel will need to do to narrow their codes of conduct and put in place certain data precautions. That real work is still there on the ground level.”

For example, Schreiber notes, the scope of the whistleblower scheme must be limited to financial, accounting, banking, fraud, bribery and SOX-related matters. In addition, the guidelines restrict the categories of data that may be collected, who may receive the data and how long it may be stored, and they require security measures and transfer precautions for data that is going to be sent from France to the U.S.

What’s more, companies that want to implement whistleblower systems that go beyond what the guideline document describes must file a regular request for authorization. According to Dana, that process can also be completed online, but it takes longer and requires more information and documentation than the simple authorization. Once a company applies for a regular authorization, Dana warns, the CNIL “has up to two months to review the company’s file, and they can still come back with questions and request additional documents.”

To obtain the simple authorization, Bond says, companies should:

ensure that the company has in place a whistleblowing policy that complies with the guidelines and the decision;

ensure that the whistleblowing policy is appropriately communicated to employees;

involve works councils or union representatives where appropriate;

ensure that in general the company is complying with applicable data protection law;

ensure that the company has in place suitable contracts with third parties that may be hosting the whistleblowing hotline;

ensure that the company has a suitable cross-border data-flow agreement to deal with the general movement of personal data into and out of Europe.

“It doesn’t appear that the authorization needs renewal, but if the whistleblowing policy is changed, then that may affect the initial authorization,” Bond says.

Bond also notes that the authorization only applies to the whistleblowing scheme itself. “Therefore, companies need to be sure that they are in compliance with all other aspects of French data protection, human rights and labor laws,” he says.

The CNIL is developing common European Union guidance on the issue based on the guideline document; related coverage and the CNIL guidance are available from the box above, right.