A stricter regime for profiling07 June 2016
French Court of Appeals reject company's whistleblower system despite CNIL approval
A French Court of Appeals in Caen recently confirmed a lower court's order for the suspension of a whistleblowing system implemented by French company Benoist Girard, a subsidiary of American group Stryker. The decision comes as a surprise as it rejects the approval of the whistleblower system by French data protection authority (the "CNIL").
Under French law, the implementation of whistleblowing systems is subject to prior authorization by the CNIL. To reduce the burden of such formalities, the CNIL issued, in 2005, a general authorization for whistleblowing systems limited to the reporting of accounting, financial, banking and corruption misconducts (the "General Authorization"). Benoist Girard decided to implement their whistleblowing system in 2008 by relying on the General Authorization, regardless of three negative opinions on the system issued by the company's Works Council (the "CE").
In 2009, Benoist Girard's CE and Hygiene and Security committee (the "CHSCT") contested the validity of the whistleblowing system before the Caen Tribunal of First Instance, arguing that it allowed the reporting of alleged misconducts which exceeded the scope of those covered by the General Authorization. The CE and CHSCT therefore argued that the system required the obtaining of a prior specific authorization from the CNIL. The Tribunal ruled in favour of the CE and CHSCT, considering that the system, as implemented, was therefore in breach of French data protection legislation and posed an immediate and substantial threat to the rights and freedoms of the employees. Benoist Girard appealed this decision.
In its analysis of the matter, the Caen Appeal Court first held that the CE and the CHSCT had to be consulted prior to the implementation or modification of the whistleblowing system and then moved on to it analyse in detail to evaluate its compliance with French law.
First, the Court analysed the scope of the system. It noted that, while the system was presented as limited to the reporting of misconduct in the fields of accounting, finance, banking and corruption, it still allowed for reporting other matters. Indeed, even though the menus of the online interface did not contain references to the reporting of "matters of vital interest to the company" or "concerns," the homepage of the Ethics Point platform still indicated that it was designed to "report anonymously to the company any suspected bad behaviour or other problems" or "report matters on issues relating to compliance with our code of conduct and the online ethics policies". In addition and more importantly, the Court noted that the system as conceived still allowed any whistleblower to submit an alert with facts relating to any type of misconduct.
Consequently, the Court found that the system did not demonstrate the scope limitations applicable for French employees using the online interface but actually favoured "denunciations" of all sorts. Indeed, according to the Court, reports of concerns outside the scope of admissible concerns still have to be processed for filtering and then generate replies which "far from being limited to restating the categories of admissible concerns, incite the whistleblower to pursue the process through hierarchy".
In addition, the appellate judges considered that regardless of the fact that the company's internal rules expressly stated that "Stryker strongly recommends that users of the whistleblowing helpline identify themselves" the online interface did not discourage employees from remaining anonymous, "on the contrary, various recommendations are even made to preserve [such anonymity]".
Finally, the Court found that the documents provided to the employees did not provide them with sufficient information on their rights in the event that they were the subject of an investigation in this context.
In light of these elements, the Caen Appeal Court ruled that the system could damage the rights and collective and individual liberties of the employees of the company and therefore confirmed the suspension of the system.
The Court's approach appears to be extremely stringent and could require a number of international companies to further review the implementation of their whistleblowing helplines. In this respect, it is important noting that the Court's decision seems to go against the CNIL's position on the Benoist Girard case. Indeed, Benoist Girard had put forward, during the procedure, a letter from the CNIL which confirmed that their whistleblowing system had been inspected and appeared to be compliant with the requirements imposed by the CNIL.
Thus, it appears the CNIL's position on whistleblower programs, in some instances, may not be sufficient to ensure full compliance with French data protection legislation. A further appeal by Benoist Girard may be possible.
The Regulation aims to strengthen the rights of individuals. It does so by retaining rights that already exist under the Data Protection Directive and introducing the new rights of data...06 June 2016
Grounds for processing03 June 2016