U.S. companies seeking approval by the French Data Protection Agency to implement whistleblower systems in France will be able to apply online for certification of those programs, according to a representative of the French authority.
As reported by Compliance Week on Nov. 29, the French Data Protection Agency, Commission Nationale de l'Informatique et des Liberte's, last month issued guidelines to enable U.S. companies to comply with the whistleblower provisions of Sarbanes-Oxley without violating French data protection laws. Under that guidance, U.S. multinationals seeking to implement whistleblower systems in France need approval of such systems by the CNIL.
The guidelines were issued after the CNIL, in two separate decisions in May, refused to authorize the whistleblower systems of two American companies with subsidiaries in France because they conflicted with French privacy laws (see related coverage at right). The rulings left U.S. multinationals confused about how to comply with their SOX obligations without violating French law.
“It was clear to us at the Commission that we had to work together and not leave companies between a rock and hard place,” Clarisse Girot, Senior Legal Advisor of the CNIL, said of the guidance during a teleconference last week sponsored by Global Compliance Services.
Girot said companies seeking approval for their whistleblower schemes would be able to go online to complete a self-certification process. The process, which would require companies to self-certify that their whistleblower programs comply with the guidelines, should “only take 10 or 15 minutes,” according to Girot. At press time, no further information was available about the certification process was available on the CNIL Web site. Compliance Week will update readers as information is made available.
Girot noted that the guidance was issued as a guideline, rather than as a recommendation, to allow flexibility. “The guideline document sets the rules for the present time. The issue is not closed,” she said, noting that there will be another consultation process and a French Ministry report is due in early January. The CNIL plans to adopt a decision for a unique authorization of whistleblower systems that comply with the guidance in the guideline document.
In addition, Girot noted that an English version of the Nov. 10 guideline document is now available on the CNIL Web site (see box above, right).
Anonymous Reports Not Encouraged
The French document includes stringent requirements related to the scope of what the whistleblower schemes can include. Girot noted that companies with whistleblower systems that “would like to go further than the guideline document describes,”—for example, to address HR issues—“can file a request for a single authorization, but that’s a heavier process.” Girot added that, “They’re unlikely to get authorization.”
Girot noted that the CNIL has been asked to develop common European Union guidance on the issue. “We’re confident that the guideline document will provide a good basis for the EU guidance, but it won’t be a copy-paste of the French document at the European level,” she said.
One issue Girot addressed during the call was a provision in the guidance that deals with the handling of anonymous reports. While it acknowledges that anonymous reports are a reality, the guideline document specifies that companies shouldn’t encourage anonymous reports. Noting that the issue highlights a cultural difference between the U.S. and France, Girot said, “Anonymous reports do not raise good memories in our minds…it’s hard to accept that anonymous reports are a normal way of raising concerns.”
She noted that the provision was “not only a CNIL fantasy,” but that French companies that consulted on the guidance had suggested it. “Nobody is happy with anonymous reports, while accepting that they’re sometimes important.” Girot said French companies felt that “anonymity cannot be ruled out, but that it should not be the first option.”
Related coverage and resources are available from the box above, right.
No comments yet