Court Takes Narrow View on Safe Harbor for Whistleblower Procedures in France

On December 8, 2009, the French Cour de Cassation rendered an important judgment about the implementation of whistleblower procedures in France.

Since 2005, whistleblower procedures have been the subject of considerable controversy and difficulties in France. After prohibiting affiliates from McDonald’s Corporation and Exide Technologies from implementing whistleblower procedures required under the Sarbanes-Oxley Act, [1] the French Commission Nationale de l’Informatique et des Libertés (the “CNIL”) released guidelines (the “Guidelines”) summarizing its views on whistleblower procedures [2] and later implemented a safe harbor (the “Safe Harbor”) whereby whistleblower procedures are deemed authorized pursuant to a “unified authorization,” subject to certain conditions. [3]

Since the publication of the Safe Harbor, companies wishing to implement whistleblower procedures in France have three options: [3]

• (i) to eliminate automated processing to avoid any CNIL notification and any commitment to comply with the Safe Harbor’s requirements that are more restrictive than the general requirements of the French personal data protection law of January 6, 1978, as amended (the “Data Protection Law”); [4]
• (ii) to implement whistleblower procedures that involve automated processing in compliance with the Safe Harbor requirements with an undertaking to comply with such requirements; or
• (iii) to implement whistleblower procedures that involve automated processing without complying with the Safe Harbor requirements and to seek the CNIL’s prior authorization.

Dassault Systèmes, a French company that was listed on Nasdaq until October 16, 2008, [5] followed the second option. In doing so, and consistent with common practice in the United States, it provided that its whistleblower procedure would be available not only to report matters referred to by Section 301(4)(A) of the Sarbanes-Oxley Act and related regulations, i.e., complaints regarding “accounting, internal accounting controls, or auditing matters”, but also alleged violations of the company’s code of ethics. Dassault Systèmes was careful to provide that alleged violations of the code of ethics could be submitted through its whistleblower procedure only to the extent they involved the “vital interest” of the company or the “physical or moral integrity” of its employees.

This latter restriction was intended to comply with the Safe Harbor, which provides:

• in its Section 1, that the only eligible procedures consist of procedures designed to address French law requirements in the areas of internal controls for financial, accounting, banking and anti-corruption matters, provided that procedures regarding the areas referred to by Section 301(4) of the Sarbanes-Oxley Act are also eligible; and
• in its Section 3, that facts relating to other areas can also be reported through the procedure when the “vital interest” of the company or the “physical or moral integrity of its employees” is at stake.

The Cour de Cassation, however, found that whistleblower procedures eligible for the protection of the Safe Harbor cannot have any purpose other than those defined in its Section 1. According to the judgment, the provisions of Section 3 are not intended to make procedures with a different purpose, covering areas other than those defined in Section 1, eligible for the Safe Harbor.

This interpretation is perplexing, not least because it fails to provide a justification for Section 3. This lapse seems particularly noteworthy in light of the Guidelines, which are part of the Safe Harbor and provide that reports outside the areas allowed for the permissible procedures cannot be processed “except if the vital interest of the enterprise [or] the physical or moral integrity of its employees is at stake.”

Regardless of the merits of the Court’s interpretation, it remains possible for companies subject to the cumulative application of the Sarbanes-Oxley Act and the Data Protection Law [6] to design whistleblower procedures that ensure compliance with both statutes and related regulations. To that end, whistleblower procedures must provide that they do not apply in France to alleged violations of the company’s code of ethics (irrespective of the seriousness or possible implications of such violations), but only to reports falling strictly within the scope of Section 301(4)(A) of the Sarbanes-Oxley Act or the other areas specifically permissible according to Section 1 of the Safe Harbor, namely banking and anti-corruption. In so providing, the procedures would comply with the second option outlined above. The first and third options were not affected by the Court’s ruling and also remain available.

Endnotes

[1] See our memorandum of July 28, 2005 “Whistleblower Procedures and Personal Data Protection in France.”
(go back)

[2] See our memorandum of November 21, 2005 “French Regulator’s Guidelines on the Implementation of Whistleblower Procedures.”
(go back)

[3] See our memorandum of March 2, 2006 “French Safe Harbor and Unified Authorization Regulations for Whistleblower Procedures.”
(go back)

[4] It being noted that compliance with the substantive requirements of the Data Protection Law, such as fairness and reasonableness of the process; restrictions on processing of “sensitive” data; and information, and availability of access and rectification rights to the persons whose data are collected, remain nonetheless applicable.
(go back)

[5] Dassault Systèmes’s deregistration with the SEC was effective on January 15, 2009.
(go back)

[6] Such as French companies listed in the United States and French subsidiaries of U.S. public companies.
(go back)