II-11.1 : Whistleblowing: the French Cour de Cassation reduces the scope of the unique authorisation.

www.legifrance.gouv.fr

Context and Summary

 In its decision handed down on December 8^th, 2009, the Social Chamber of the French Cour de Cassation (Court of Cassation) indicated that internal corporate whistle blowing systems authorised by the CNIL (La commission nationale de l’informatique et des libertés, or the French Data Protection Agency), through so-called ‘fourth unique authorisations’, on the basis of a Decree issued in application of the Loi informatique et libertés (Data Protection Act), are to be restrictively interpreted. The case concerned the Dassault Corporation, which had implemented, in conformity with the provisions of the Sarbanes Oxley Act, a code of good practices applicable within the company. As part of this code, a whistle blowing system was implemented, enabling employees to send emails to a dedicated email address in order to notify any breaches of the rules governing their professional activity. Before implementing this email system, Dassault had asked the CNIL to approve this scheme with a ‘fourth unique authorisation’. Article 3 of this unique authorisation allowed Dassault to collect information not only on financial, accounting, or corruption breaches of the code, but also any facts linked either to the vital interests of the company or the physical or mental integrity of its employees. In this regard, the Cour de cassation’s decision states that article 3 of the unique authorisation must not be interpreted as allowing companies to make extensive use of whistle blowing schemes. Therefore, any extensive system has to be explicitly and individually approved by the CNIL, rather than be granted a standard ‘fourth unique authorisation’. Besides, any personal data collected by the scheme that is protected by the Loi informatique et libertés (Data Protection Act) of January 6, 1978, must be explicitly declared to the CNIL in the application for authorisation. 

Brief commentary

This decision by the French {Cour de cassation} illustrates regulation’s special architecture and the impact of judicial decisions on the regulator’s activity. Regulators’ independence is indeed framed by case law, which nurtures a particular form of cooperation between judges and regulators. The CNIL announced in a press release that its ‘fourth unique authorisation’ would be modified in order to comply with the decision. The impact of the Court’s decision is therefore very significant, and with regards to the relationship between judges and regulators, Regulatory Law results from the collaboration of several different authorities, which offers citizens a protective framework against the power of regulators. Besides making the ‘fourth unique authorisation’ compliant with Article 6 of the European Charter of Human Rights, the decision has an even more significant impact in that it raises the issue already presented by the {Rapport Coulon} (Coulon Report) on the decriminalisation of corporate law, which is that judges have to be trained in order to prepare them to deal with the technical nature of regulated sectors.

Regardless of the relationship between the judge and the regulator, this decision illustrates the clash between national regulations on one hand, and sectorial regulation on the other hand. Indeed, there must be balance between financial regulations based on information, and regulation of personal data based on secrecy, difficulty and casuistry — at least, this is the way judges usually see the issue, as in the present decision. Moreover, companies, from the moment they are active internationally, are subject to several legal systems and have to satisfy regulators that ignore each other, because of the independence of normative legal systems;

Thus, the Sarbanes Oxley Act is quite universal in scope, since it applies to any company, domestic or foreign, listed in the U.S.A. National regulators—in this case, the CNIL, and national judges do not apply the provisions of this law. Accordingly, economically unified companies are segmented by geographically different regulations, which makes governance difficult.

Finally, this case allow us to take the measure of the role of codes of good conduct in applying provisions of foreign law in another country, which make such laws universally applicable. Thus, as demonstrated by Professor Gerard Farjat, codes of good conduct may be the most appropriate normative mode of economic globalisation, as long as their content is controlled by judges, as in this case.