The employment contract creates reciprocal obligations for employers and employees, which must be performed in a loyal manner. The employer is under the obligation not only to pay the employee but also to provide work that fits the employee’s skills and experience. The employee is under the obligation to comply with the employer’s instructions and to perform his duties in a professional and timely manner. This obligation of loyalty is reflected in Article L.120-4 of the French Labor Code, which provides that the “employment agreement shall be performed in good faith”.
The employer’s obligation to perform the employment contract in good faith has concrete consequences for employees’ privacy rights. For instance, an employer who fails to inform employees that their website connections are monitored is in breach of his obligation of loyalty and cannot rely on an employee’s personal website connections to terminate him for fault (see Court of Appeals of Montpellier, ruling of September 4, 2002, Tort v. Euro Communication Equipements).
The obligation of loyalty is in force throughout the employment. Interestingly enough, it is effective even before the employment contract comes into force. Pursuant to Article L.121-6 paragraph 2 of the Labor Code, prospective employees may not, during a recruitment process, be asked questions that are not relevant to the position to be filled (e.g. questions relating to their private life). In addition, candidates must be informed of the evaluation methods to be used before they are implemented; these methods must be relevant, and candidates must be given access to the results, which must remain confidential (Art. L.121-7 and L.121-8 of the French Labor Code).
I. Employment privacy rights
Employers may be tempted to take advantage of new technologies to monitor employees’ use of the Internet and e-mail without their knowledge, especially since 80% of employees admit that they regularly send personal e-mails at some point during the workday and more than 60% of on-line purchases are believed to be made during normal working hours.
Needless to say, management’s ability to monitor such use is likely to conflict with employees’ right to privacy and individual freedom in the workplace.
I.1 Principles governing monitoring:
I.1.1 In the EU:
Several regulations have been adopted to protect individuals’ right to privacy, including the EU Directive of October 24, 1995 (95/46/EC) on the protection of personal data and the free movement of such data. This Directive is intended to safeguard individuals’ right to privacy by giving them rights whenever a third party “processes” data about them. “Processing” is interpreted widely and certainly includes the monitoring of employees’ communications, the use of surveillance cameras, drug and alcohol testing, etc. The Directive requires that data processing be fair and lawful. In particular, personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed. Personal data may be processed only on one of the lawful grounds listed in the Directive, for instance where processing is necessary for compliance with a legal obligation to which the controller is subject, or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed.
There is no doubt that the EU Directive is enforceable within the EU Member States. The European Court of Justice has ruled that its provisions are directly applicable, meaning that private individuals can rely on them in national courts to set aside national legal provisions contrary to the Directive (ECJ May 20, 2003, case C-465/00, Rechnungshof v. Österreichischer Rundfunk).
Most European countries, if not all, have transposed the Directive into their national laws, although some of them were late, given that the Directive had to be implemented by October 24, 1998.
In the UK, the Data Protection Act 1998 transposed the Directive, although the Act did not come into force until March 1, 2000. The UK data protection authority is the Information Commissioner’s Office.
In Germany, data protection is governed by federal law or by the federal states according to their respective competences. The Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) therefore coexists with corresponding data protection laws in the federal states. The BDSG was amended to comply with the Directive on May 18, 2001, and the amendment took effect on May 23, 2001. The various state laws also required amendments. The German federal data protection authority is “Der Bundesbeauftragte für den Datenschutz”.
In Ireland, the law regulating the use of personal data is the Data Protection Act 1988. Ireland implemented the Directive on July 1, 2003, by amending that Act. The Irish data protection authority is the “Data Protection Commissioner”.
In Italy, the Directive was implemented by a law of December 31, 1996, which was amended several times, in particular on December 28, 2001. The new Data Protection Code entered into force on January 1, 2004. The Italian data protection authority is the “Garante per la Protezione dei Dati Personali”.
In Spain, the Directive was incorporated into Spanish law by a law of December 13, 1999, on Personal Data Protection and by several implementing regulations. The Spanish data protection authority is the “Agencia de Protección de Datos”.
Most EU Member States have signed the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of January 28, 1981, whose purpose is to secure, in the territory of each Party and for every individual, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to the automatic processing of personal data relating to him.
All EU Member States have signed the European Convention on Human Rights, Article 8 of which provides that everyone has the right to respect for his/her private and family life, home and correspondence.
The European Court of Human Rights has rendered several important decisions on this legal basis, including a decision dated May 27, 1997. In that case, the Court held that since the employee had not been given any prior warning that her telephone calls were liable to interception by the employer, she had a reasonable expectation of privacy for those calls. Conversely, if the employee does not have a reasonable expectation of privacy, the employer may be free to monitor calls, subject to the overriding requirement that any monitoring must be for a defined purpose and proportionate to the objective it seeks to achieve.
I.1.2 In France:
Although Article 9 of the Civil Code provides that “everyone has the right to respect for his private life”, French law does not contain any general provision preventing employers from monitoring employees’ use of the Internet and e-mail.
However, the French Labor Code contains two important principles that may affect the monitoring of employees’ activities in the workplace, i.e. the principle of proportionality and the principle of transparency:
- proportionality is guaranteed by Article L.120-2, which provides that “no one may restrict individual or collective rights if such restriction is not justified by the nature of the task to be performed nor proportionate to the objective sought”; and
- transparency is ensured by Article L.121-8, which provides that “no information on employees or prospective employees may be gathered if the process has not previously been brought to the knowledge of the employee or prospective employee”.
Furthermore, Article 226-1 of the Criminal Code provides that anyone who intrudes on a third party’s privacy may be subject to one year’s imprisonment and a fine of EUR 45,000. Under Article 226-7 of the Criminal Code, legal entities may also be held liable on the basis of Article 226-1.
Protection of personal data is governed by the Data Protection Act of January 6, 1978. Under this Act, any personal database established for professional purposes by means of automated processing must be declared to the French Data Protection Commission (the CNIL), the administrative body in charge of overseeing the collection and control of personal data.
In substance, according to the French Data Protection Act, the collection, use and storage by any company established in France, whether French or not, of any information relating to an identified person, or to a person who can be identified, in particular by reference to an identification number or to one or more factors specific to his/her identity, must be declared to the French Data Protection Commission. To that end, the company must file a form indicating, inter alia, what information will be stored, how long it will be retained, to whom it will be disclosed and for what purpose the data are retained.
Because no general legal provision deals with employers’ monitoring of employees’ use of the Internet and e-mail in the workplace, French courts and the Data Protection Commission have had to define the rules on monitoring in more detail.
In a statement of April 3, 2000, the French Data Protection Commission stated that “any restriction of employees’ rights must be proportionate and must not be excessive in light of the employment-related needs”.
In the Nikon case, the French Supreme Court rendered an important decision on October 2, 2001, affirming the employee’s right to privacy in the workplace. The Supreme Court held that an “employee has a right to privacy, even in the workplace and during working time; privacy entails the protection of the confidentiality of communications; therefore, the employer cannot access the personal messages sent or received by the employee via a company computer, even though the employer’s policy prohibits the use of company computers for private purposes” (see labor division of the Supreme Court, ruling of October 2, 2001, n° 99-42.942).
As a consequence, even though a company computer is placed at the employee’s disposal for professional purposes only, the employer does not have an absolute right to examine that employee’s hard drive.
However, employees’ right to privacy is not absolute. Unless an e-mail can be identified as personal, an e-mail arriving in the employee’s mailbox is considered professional, and the employer is allowed to check its contents.
In practice, employees’ e-mail communications are not considered private unless they are designated as such by the sender or the recipient, or the subject of the e-mail appears to be private. Any e-mail that is neither designated as private nor appears to be private is considered professional and may be opened by the employer. Employees are therefore encouraged to create a dedicated “Personal” folder in which they can place any e-mail or document they do not want the employer to access. Likewise, the French Data Protection Commission recommends that the employee state expressly in the subject line whether an e-mail is personal or professional. In that case, before opening and disclosing an e-mail during the employee’s absence, the employer must check whether it is a personal or confidential e-mail.
In short, the fact that a company computer is placed at the employee’s disposal for professional purposes does not give the employer an absolute right to go through that employee’s e-mails and disclose their contents to a third party.
Employers breaching the secrecy of correspondence may face up to one year’s imprisonment and/or a fine of up to EUR 45,000.
The Nikon decision has been counterbalanced by a ruling of May 17, 2005.
The factual background submitted to the Supreme Court was as follows: having discovered pornographic photographs in an employee’s desk drawer, the employer decided, without notice to the employee, to examine the contents of a folder entitled “perso” stored on the hard drive of his office computer. Based on what was thus discovered (the ruling does not specify what), the employer dismissed the employee for gross misconduct.
In its ruling of May 17, 2005, the French Supreme Court censured the employer’s conduct and restated that “the employer may not access files stored on the hard drive of the employee’s office computer and identified by him as personal, except in the presence of the employee or, in his absence, after due notice to attend has been served on him, save in the event of a specific risk or hazard”.
The French Supreme Court thus held that the personal nature of a file does not, by itself, remove it from the employer’s control. The Court allows personal files to be opened provided the employee is present or has been duly summoned. This requirement is a formal guarantee and has one exception: a specific risk or hazard justifying the opening of the personal files by the employer without summoning the employee.
Unfortunately, the Court was not explicit as to what this means in practice. Should it be considered, on this formulation, that employers are now authorized to access employees’ personal data without notice by claiming, for example, possible competition or a fear of “leaks” of confidential information? Should any unlawful act likely to harm the employer or third parties be taken to justify such access? In such circumstances, the employer will most likely have to prove that his fears were based on objective elements already in his possession.
I.2 Employers’ right to monitor is limited
Apart from the limits set by the two decisions above, French courts consider that employers have the right to monitor employees’ use of the Internet in the workplace, subject to the following conditions:
- the surveillance system requires prior consultation of the works council;
- employees must be warned that their e-mails and Internet use may be monitored;
- the employer’s monitoring must be based on a legitimate business need, e.g. security;
- the employer’s monitoring must be reasonable and proportionate to the objective it seeks to achieve: any policy abusively restricting employees’ freedom in the workplace can be withdrawn by the labor authorities (Article L.122-37 of the Labor Code);
- the French Data Protection Commission must be informed of the employer’s plan to implement a monitoring system in the company.
I.2.1 Consultation of the works council:
Under the UK Employment Practices Data Protection Code, companies operating in the UK are encouraged to carry out an impact assessment before monitoring employees, to determine whether any adverse impact on employees is justified by the benefits to the company.
French employment law is stricter than UK law: employers are not allowed to apply policies restricting employees’ use of the Internet and e-mail without consulting the employees’ representatives. Article L.432-1 of the Labor Code provides that the company’s works council must be informed of the techniques and methods used in the hiring process and of the computerization of personnel data, including any subsequent changes. Furthermore, pursuant to Article L.432-2-1 of the Labor Code, the works council must be informed of the techniques and methods used to computerize personnel information. The works council must also be informed and consulted before the introduction of any technology or method that allows the employer to monitor employees’ activities. For instance, the use of operating systems that include tracing functions to measure the size or frequency of the messages exchanged requires that the employee representatives be informed and consulted.
Criminal sanctions may even be imposed on an employer for failing to consult the works council (a fine of EUR 3,750 and/or up to one year’s imprisonment).
I.2.2 Employees must be warned that their e-mail, Internet and telephone use may be monitored
Whatever the technology used to monitor employees, employers must inform them beforehand. In its decision of March 14, 2000, the French Supreme Court dismissed the claims of an employee against a company that had intercepted his telephone conversations, ruling that “only the use of surveillance systems not brought to the employees’ knowledge is illegal. […] the employees had been informed that their telephone conversations were likely to be monitored”. The rationale of this decision is that as long as employees are told that monitoring will take place, they have no reasonable expectation of complete privacy in their e-mail and telephone communications.
Informing employees derives from the employer’s obligation to perform employment agreements loyally. In its decision of November 20, 1991, the Supreme Court held that by installing surveillance cameras on the work premises without informing employees beforehand, the employer had not acted in good faith. In a decision of May 22, 1995, the Supreme Court extended the scope of its ruling of November 20, 1991 to any system for monitoring employees’ activities (see decision n° 93-42.440.078, SA Manulex Service v. Salingue, Bull. n° 164).
The case law has not specified the form in which this information must be brought to employees’ attention. Warnings that e-mails or telephone calls may be intercepted can be included in the employment agreement, the staff handbook and/or on notice boards. According to the French Data Protection Commission, employers may also, as a reminder to employees, display their privacy policies on employees’ computer log-on screens.
I.3 How to prove e-mail, Internet and telephone abuse?
French courts have restricted employers’ ability to produce such proof on the basis of their obligation to perform employment agreements in good faith. In particular, in its decision of November 20, 1991, the French Supreme Court ruled that “while an employer is entitled to monitor its employees in the workplace, any recording of employees’ images or conversations, for whatever reason, without their knowledge is not a valid means of proof” (see labor division of the French Supreme Court, ruling of November 20, 1991, Neocel v. Spaeter, Bull. civ. n° 519).
The corollary of this decision is that employee representatives are entitled to request the withdrawal of evidence obtained by unlawfully restricting employees’ individual freedom and privacy.
French labor courts consider that an employee can be validly dismissed if it is proved that he used the company’s computers to visit pornographic websites. However, the hard disk of an employee’s computer is not valid proof if the employer has failed to preserve it in a manner that rules out tampering, since a hard disk can easily be altered between the time of the facts and the hearing date (see labor court of Nanterre, decision of July 16, 1999, Rice v. IBM France; civil court of first instance of Le Mans, decision of February 16, 1998).
Unlike criminal courts, French civil courts are somewhat reluctant to admit evidence obtained from a video surveillance system, because videotapes can be falsified (see Court of Appeals of Aix-en-Provence, ruling n° 91/2125 of January 4, 1994). The Court of Appeals of Paris held that a videotape cannot be valid proof in support of an accusation of theft (see Court of Appeals of Paris, ruling of May 12, 1999, n° 98/05208).
For security and prevention purposes, or to avoid network congestion, the company may put in place instruments measuring the frequency of exchanges or filtering the files attached to e-mails. After consulting the works council, the company may also put in place an a posteriori check of Internet connection data that does not allow individual employees to be identified. Although statistical monitoring is recommended over individual monitoring, individual monitoring of the frequency and duration of website visits or of non-professional telephone calls is allowed, but it requires a prior declaration to the French Data Protection Commission, in addition to the obligation to inform employees in advance.
I.4 How to create and implement a privacy policy?
The French Data Protection Commission has recommended that companies adopt a code of conduct on employees’ use of new technologies and the employer’s right of monitoring. The labor court of Paris held that an employee had been validly dismissed for real and serious cause after mistakenly sending the entire staff an e-mail revealing his homosexuality, as his conduct breached the company’s computer use policy, which he had previously signed (see labor court of Paris, ruling of February 1, 2000). In its decision of September 19, 2000, the labor court of Montbéliard ruled that an employee had been validly dismissed for real and serious cause for using the company’s e-mail system, during working time and for personal reasons, to communicate information about the company’s internal reorganization. The labor court based its decision on the fact that the company had circulated a note informing employees that their e-mails could be checked at any time.
Below is a list of tips that employers going global should keep in mind when creating and implementing a privacy policy:
- ensure that any employee monitoring is necessary and proportionate, and that any personal data held on employees is processed fairly and lawfully, by telling employee representatives and employees in advance how and why monitoring will take place;
- before drafting a privacy policy, draw up a checklist of the issues to be considered;
- ensure that the policy is consistent with the relevant legislation, bearing in mind that both the implementation and the enforcement of the 1995 EU Directive on the protection of individuals’ right to privacy vary considerably between Member States;
- the policy should make clear what degree of privacy employees may expect in the workplace;
- the policy should be updated regularly to keep pace with local regulation;
- the policy should allow employees reasonable use of e-mail and the Internet for private purposes, or at least provide a private, unmonitored telephone line for staff; the employer should also take into account the ease with which sites can be visited by accident and always give the employee an opportunity to explain or challenge the results;
- monitoring must be conducted in a non-discriminatory manner: the employer’s policy should not refer to or denigrate a person’s race, religion, sex, age, national origin, disabilities or physical appearance;
- the policy should contain appropriate guidelines for the secure storage of employees’ personal data;
- the policy should ensure that when using e-mail for personal purposes, employees delete any reference to the company in the message (such as the employer’s automatic signature) and anything that could lead the recipient to think that the message was written for a professional purpose or in a professional context;
- the least invasive means of monitoring should always be used; for example, automated systems that monitor the number and size of e-mails should be used where practicable rather than monitoring the content of communications;
- think carefully before transmitting data obtained from an investigation to another jurisdiction: the EU Directive prohibits the transfer of personal data to countries outside the European Economic Area unless the destination country provides an adequate level of protection for individuals’ rights and freedoms in the processing of their data. The US is not deemed to provide an adequate level of protection.
One should also keep in mind that a privacy policy can only be effective if it is used. If a policy exists but the company fails to apply it, the company will be in a difficult position when it seeks to impose disciplinary action and the employee can show that in the past nothing was done despite the written rules.
II. Employment confidentiality concerns
Below is a list of some of the most frequently asked questions about confidentiality in the workplace.
II.1 Are employees obliged to disclose their computer password to their employer?
As explained above, the computer placed at the employee’s disposal is the company’s property. Even if it can be protected by a password, that security measure is not sufficient to turn the computer into a personal belonging. French courts have therefore found, in a decision dated March 18, 2003, that the existence of a password does not restrict or eliminate the company’s ability or right to access electronic communications when necessary to ensure the proper functioning of the company, after the employee concerned has been informed.
However, for full transparency, the French Data Protection Commission recommends that the employer inform the employee that he accessed the employee’s computer during his/her absence and that he took care not to open private e-mails.
II.2 Are employees allowed to disclose data belonging to the company in court?
Employees who have sued their employer may be tempted, in order to establish that their claims are well founded, to produce in court documents belonging to the company that were copied without the company’s knowledge.
Since 1998, the labor division of the French Supreme Court has accepted that an employee may validly disclose documents belonging to the company in order to ensure his/her defense, provided s/he became aware of them in the performance of his/her duties.
By contrast, the criminal division of the French Supreme Court considered that employees in such circumstances were liable to be convicted of theft.
In two rulings dated May 11, 2004, the criminal division of the French Supreme Court decided to align its position with that of the labor division. Giving precedence to the employee’s right of defense over the company’s property right, the criminal division ruled that an employee prosecuted for theft for having copied documents belonging to the company may be acquitted if the following two conditions are met:
- the employee became aware of the documents in the performance of his duties for the company;
- the documents disclosed are strictly necessary to the employee’s defense before the court.
II.3 Are employees allowed to disclose the company’s data to competitors?
Even if the employment contract does not contain an exclusivity clause in favor of the employer, full-time employees are not allowed to carry on, for themselves or for a third party, a competing activity throughout the employment relationship. Indeed, employees are bound by an obligation of loyalty, which should be distinguished from the non-compete obligation, as the latter only comes into force at the end of the employment relationship.
Likewise, it should be noted that employees who disclose an employer’s manufacturing secrets may face two years’ imprisonment and a fine of up to EUR 30,000.
II.4 Are employee representatives allowed to disclose information about the company?
Under French employment law, employee representatives and union representatives are bound by an obligation of confidentiality with respect to any information provided to them in the course of their duties that is confidential in nature or presented as such by the employer (Article L.432-7 §2 of the French Labor Code).
Consequently, if an employer considers that a protected employee has breached his/her obligation of confidentiality and that the breach is serious enough to warrant terminating that employee’s employment contract, it has no alternative but to ask the labor authorities to authorize the termination.
Indeed, unlike other employees, union representatives, works council members, members of the health and safety committee and staff delegates are protected employees, meaning that their dismissal must first be approved by the labor authorities. To that end, the labor authorities will check that the proposed dismissal is not a discriminatory measure against the protected employee.
III. The difficulties of applying an international privacy policy based on the SOX regulation
While whistleblowing policies are generally considered in the US to be a positive measure that helps expose fraudulent practices, French employees balk at the thought of an internal policy that they consider gives “carte blanche” for malicious false accusations and vindictive reports. It is therefore not surprising that the extraterritorial reach of the American Sarbanes-Oxley Act (SOX) raised concerns in Europe, and in France in particular.
By two decisions dated May 26, 2005, the French Data Protection Commission, which is responsible for authorizing automated (i.e. not paper-based) whistleblowing procedures in France, refused McDonald’s France and CEAC (Compagnie Européenne d’Accumulateurs) authorization to implement whistleblowing procedures that would have allowed their French employees to report, through anonymous employee hotlines, any suspected unethical conduct in the workplace. The Commission objected that the employees targeted by a report would not be immediately informed of the collection of data calling their professional integrity into question and would not be in a position to object to that collection, in breach of the French Data Protection Act of January 6, 1978.
The French Data Protection Commission also pointed out that French employers have other means of securing compliance with legal provisions and company rules. In particular, it noted that useful means of enforcing corporate governance include providing adequate information and training to staff, and involving the company’s auditors, the French labor inspectorate or the labor courts.
In a ruling dated September 15, 2005, the French labor court of Libourne held that a note requiring employees to report cases of fraud or embezzlement by calling an ethics hotline had to be removed from the workplace because:
- “when simply reading the note, it becomes clear that the information that may be provided anonymously through a free telephone line includes, but is not limited to, accounting fraud or embezzlement (which, incidentally, are violations of law that employees can hardly detect) and can also refer to all facts ‘violating ethical principles, such as fraud or theft, or non-compliance with accounting regulations of a more general nature’;
- irrespective of how the data collected in this process are actually treated later on, such a service regulation exposes employees who might be anonymously denounced to the risk of facing an internal investigation entailing possible sanctions, without being able to exercise their right to defend themselves;
- furthermore, the procedure in dispute and the risk of calumnious denunciation it involves seem disproportionate to its purpose and unfit to prevent possible embezzlement;
- the individual liberties of those employees who fall victim to anonymous denunciations are at risk”.
As a result, French subsidiaries of US companies began to consider in earnest how to comply with the SOX provisions without violating the French Data Protection Act of January 6, 1978.
After discussions with the SEC and the European Commission, as well as with various US hotline providers and other professional organizations, the French Data Protection Commission issued, on November 30, 2005, a set of guidelines for whistleblowing procedures.
Interestingly enough, the EU authorities have also started to consider how to reconcile the SOX provisions with EU Directive 95/46 of October 24, 1995. On February 1, 2006, an independent European advisory body (the so-called “working party”) issued guidance on how internal whistleblowing schemes can be implemented in compliance with the Directive. However, at this point in time, no EU authority has issued a final opinion on this issue.
Returning to the French situation, one should note that on December 8, 2005, the French Data Protection Commission rendered a decision that seems to offer a compromise between US and French legal requirements, provided that companies agree to comply with the following principles:
· Scope of reportable matters: the permitted systems are limited to whistleblowing systems based on French statutory or regulatory obligations of internal control in the financial, accounting, banking and anti-bribery areas, and to whistleblowing systems implemented in the accounting and auditing fields by companies subject to the SOX regulation.
· Anonymous reports are discouraged: the whistleblower must identify himself/herself, but his/her identity is kept confidential by the organization handling whistleblower alerts.
· Notification of the person concerned: an employee who is the subject of a report should be notified by the person responsible for the whistleblowing system of the information retained, as soon as his/her personal data is recorded, so that he/she can object to the processing of such data. This notification, which must be delivered in a way that ensures it actually reaches the employee concerned, must specify the entity responsible for the whistleblowing system, the acts of which he/she is accused, the departments that may receive the alert, and how he/she may exercise his/her right of access in order to correct or delete any inaccurate, incomplete, misleading or outdated data. Under no circumstances may the incriminated person rely on his/her right of access to obtain information concerning the identity of the whistleblower.
· The data that may be processed must be limited to:
- the identity, job title and contact information of the whistleblower, of the persons incriminated and of the persons involved in collecting and/or processing such alerts;
- the reported facts;
- the elements collected to verify the reported facts;
- a report or summary of the verifications made;
- the action taken in response to the alert.
· Limitations on the data that may be communicated: the persons in charge of collecting or processing the data receive all or part of the data only to the extent that such data is necessary for the performance of their duties. Within the group of companies to which the organization belongs, the data may be communicated to the persons specifically responsible for managing whistleblower alerts, insofar as such communication is necessary to verify the alert or results from the way the group is organized. Where an external service provider is engaged to collect or process whistleblower alerts, the persons specifically assigned to these tasks within the provider have access to all or part of the data only to the extent of their respective responsibilities. Where an external service provider is appointed to manage all or part of the whistleblowing system, it must specifically undertake, in a written contract, not to use the data for illegitimate purposes, to ensure confidentiality, to comply with the time limits for data storage, and to destroy or return all written or computerized forms of personal data upon termination of services. In all cases, the persons responsible for collecting and processing whistleblowing alerts must be limited in number, specifically trained, and bound by a reinforced duty of confidentiality under a written contract.
· Transfer of personal data outside the E.U.: the transfer of personal data to non-E.U. countries that do not provide adequate protection, as defined in the French Data Protection Act of January 6, 1978, is permitted only if the legal entity employing the recipient of the personal data has adhered to the Safe Harbor framework and has expressly included all Human Resources data within its scope; failing that, the recipient must have entered into a transfer contract based on the model clauses issued by the European Commission, or the group to which the entities concerned belong must have adopted internal rules previously approved by the French Data Protection Commission as affording an adequate level of protection of privacy and fundamental human rights.
· Duration of data storage: data contained in an alert that is found to fall outside the scope of the whistleblowing system must be destroyed or archived immediately. Data contained in an alert that gives rise to verification must be destroyed or archived by the organization responsible for managing whistleblower alerts within two months of the closing of the verification operations, if no disciplinary procedure or legal proceedings are initiated. Once disciplinary action or legal proceedings are initiated against the person incriminated in the alert or against the author of an abusive alert, the organization responsible for managing alerts must keep the data relating to that alert until the end of the action or proceedings. Data that must be archived should be kept in a separate and distinct information system with restricted access, for a period not exceeding the statute of limitations for bringing legal action.
· Abuse of the whistleblowing system: any abuse of the system may result in disciplinary as well as legal action against the abusive whistleblower. Good-faith use of the system, even if the reported facts later prove inaccurate or are not acted upon, will not expose the whistleblower to any disciplinary sanction.