More CNIL Guidance for Multinationals Seeking to Comply with SOX & Dodd-Frank
"United States employers operating in France often face a dilemma. While they may be bound by the whistleblowing requirements of the Sarbanes-Oxley Act (SOX) and its Dodd-Frank amendments,they also are bound by the data privacy requirements of French law, which can be at odds with U.S. whistleblowing laws. The French data protection authority (La Commission Nationale de l'Informatique et des Libert�s or CNIL) periodically issues guidelines that provide some clarity on how employers can resolve this conundrum. On January 30, 2014, the CNIL finalized amendments to these guidelinesexpanding the scope of the topics that could be disclosed through an anonymous whistleblowing hotline. The amendments also clarify the conditions under which SOX-type anonymous whistleblowing is permitted under French law. The new guidelines attempt to balance the CNIL's interest in ensuring that employers establish a transparent whistleblowing system with its divergent interest in protecting the confidentiality of the report and the identity of the whistleblower. In particular, the guidelines require that a whistleblower self-identify, and that the corporate administrator managing the ""alerts"" treat that identification as confidential. The CNIL's guidance provides useful clarity for employers that have implemented, or plan to implement, a whistleblower scheme that is consistent with French law. "