France – Compliance Building

Computer Files for Employees in France

France has strict laws on the ability of a company to monitor its employees’ computers. But a recent French decision found that files created by an employee on a computer issued by the company for work purposes are presumed professional unless the employee identified them clearly as personal. So the company can open these files without the employee being present and without telling the employee in advance.

At least that is according to recent post in Proskauer’s Privacy Law Blog. The decision is in French so I am assuming that Ms. Martin’s French is better than mine. (Google’s translation of the case is not very good.)

“Until this case, the case law was unclear on whether folders or files located on an employee’s work computer but titled with the employee’s name or initials would be afforded privacy protection under workplace privacy laws. However in this ruling, the French Supreme Court made clear that all files created by an employee on an employer’s computer belong to the employer unless they are expressly identified as personal. By adopting this position, the French Supreme Court was consistent with the French Data Protection Agency (CNIL) which, since 2002, has advised that employees should be cautious when using their work computers for personal purposes.”

References:

French employers can open files located on a company-issued computer provided that they are not clearly identified as personal by Cecile Martin for Proskauer’s Privacy Law Blog
Court’s Decision (in French)

France Decides Not to Criminalize International Bribery

eiffel tower

“France has severely restricted its jurisdiction and its ability to prosecute cases with an international dimension, which, given the country’s importance in the international economy and the scale of many of its companies, is very regrettable,” according to a report by GRECO. The Group of States against Corruption (GRECO) was established in 1999 by the Council of Europe to monitor States’ compliance with the organization’s anti-corruption standards.

In June of 2000, France introduced legislation related to the OECD Convention. However in the GRECO report the evaluation team wonders “why, despite the economic weight of France and its close historical links with certain regions of the world considered to be rife with corruption, it has not yet imposed any penalties for bribing foreign public officials.” (¶ 76)

France ratified the Criminal Law Convention on Corruption (ETS 173) on April 25, 2008 with an effective date of August 1, 2008. France entered two reservations as part of enacting the law.

France’s Reservation on the Offense:

“In accordance with Article 37, paragraph 1, of the Convention, the French Republic reserves the right not to establish as a criminal offence the conduct of trading in influence defined in Article 12 of the Convention, in order to exert an influence, as defined by the said Article, over the decision-making of a foreign public official or a member of a foreign public assembly, referred to in Articles 5 and 6 of the Convention.”

France’s Reservation on Jurisdiction:

“In accordance with Articles 17, paragraph 2, and 37, paragraph 2, of the Convention, the French Republic declares that it reserves the right to establish its jurisdiction as regards Article 17, paragraph 1.b, of the Convention, only when the offender is one of its nationals and the offences are punishable under the legislation of the country where they have been committed, and that it reserves the right not to establish its jurisdiction regarding the situations referred to in Article 17, paragraph 1.c, of the Convention.”

In my reading of the GRECO report, it sounds like France dropped the international bribery charge because it is too hard to prove and obtain conviction. (¶ 83)

To be fair to France, GRECO has not yet completed the Third Evaluation Round for all 46 members. So other countries many take a similar position. But the 11 made public so far have not excluded bribery of foreign officials.

France causes other problems with compliance programs. France blocks traditional SOX whistleblower programs because of concerns abut worker’s privacy. If you want a whistleblower program in France, you need to register it with the CNiL and it must be limited to reports about the “vital interests of the company or it its employee’s physical or mental integrity”

See:

Paris Pulls the Plug on Enforcement by Richard Cassin of The FCPA Blog
France restricts international corruption investigations by Valentina Pop for the EUObserver.com
Group of States against Corruption publishes report on France by GRECO
Third Round Evaluation Report on France (.pdf) by GRECO (February 2009)
Criminal Law Convention on Corruption (ETS 173) published by the Council of Europe
Status of Third Round Evaluation Reports by GRECO
Convention on Combating Bribery of Foreign Public Officials in International Business Transactions (.pdf) promulgated by the Organization for Economic Co-Operation and Development
CNiL Information on Whistleblower Systems – previous post on Compliance Building
French Data Protection Authority Blocks SOX Whistleblower Programs – previous post on Compliance Building
“Exceptional Guarantees” Against Prosecution for Bribery from Enforcement Action by Bruce Carton
Image of the Eiffel Tower is by Rüdiger Wölk in Wikimedia Commons

CNiL Information on Whistleblower Systems

To follow-up on French Data Protection Authority Blocks SOX Whistleblower Programs and Whistleblowers in France, here is CNiL‘s FAQ on whistleblowing systems and guideline document for whistleblower systems.

CNiL defined a set of rules to be followed for whistleblower systems to be compatible with French data protection laws: Unique Authorisation dated December 8, 2005 (in French, without an English translation).

According to the FAQ on whistleblowing systems a whistleblower system must be limited to

serious risks to the company in the fields of accounting, financial audit, fight against bribery or banking areas can be collected and filed by the organisation in charge of handling the reports.

Examples :

Accounting and account auditing disorders,

False entries,

Tax evasion,

Fictitious personnel employment,

Bribery of public agents …

Specific examples in the banking area:

Terrorism funding,

Money laundering…

The whistleblower system may also be used to gather reports on facts

that affect the vital interests of the company or it its employee’s physical or mental integrity
Examples:

Threat to the safety of another employee,

Moral harassment,

Sexual harassment,

Discrimination,

Insider trading,

Conflict of interests,

Serious environmental breaches or threats to public health,

Disclosure of a manufacturing secret,

Serious risks to the company’s information system security …

CNiL also takes to position that the whistleblowing system must not be compulsory, but merely encouraged. CNiL takes the position that the systems should not be designed to encourage anonymity. Confidentiality is fine but anonymity is not. CNiL provides this example language for the scope of a whistleblower system:

The system is open to employees who wish to inform the organisation about facts susceptible to breach applicable rules in the financial, account auditing and corruption prevention areas. This system is an alternative way of reporting genuine concerns which would not be adequately dealt with by other existing reporting channels such as line management or personnel representatives. If the vital interest of the company is threatened in other areas or if the physical or mental integrity of employee(s) is at stake, reports on such serious facts may be redirected to appropriate individuals within the company. No other type of reports can be made using this system.

French Data Protection Authority Blocks SOX Whistleblower Programs

As a follow-up to the Whistleblowers in France, John B. Reynolds, III and Amy E. Worlton of Wiley Rein LLP offer more insight to the programs and decisions.

CNIL found that employees’ ability to lodge anonymous complaints would increase the likelihood of malicious false reports. CNIL also found that the two companies’ plans would not provide implicated individuals with sufficient access to the records generated by the anonymous tips. Thus, these individuals would not have a sufficient opportunity to challenge accusations. Finally, CNIL held that neither of the companies’ proposals was the least restrictive means of ensuring a responsible corporate culture: employee education or improved auditing standards could achieve the same results without creating and processing personal data about company executives.

See newsletter from Wiley Rein LLP: French Data Protection Authority Blocks SOX Whistleblower Programs.

Whistleblowers in France

French privacy law limits the ability to use anonymous hotlines.

In France, the French Data Protection Authority (La Commission Nationale de l’Informatique et des Libertés (CNIL)), an administrative agency, oversees processes involving the collection or compilation of personal data. In 2005 they decided that two reporting procedures were in violation of French privacy law. McDonald’s Corp. and CEAC, a division of Exide Technologies, sought CNIL’s approval of their whistleblower hotline procedures. In June 2005, CNIL announced that these proposed reporting procedures would violate French law and it refused to authorize the use of such procedures. CNIL expressed concerned that anonymous reporting would lead to malicious false reports of misconduct. They determined that the risk of malicious reporting was disproportionate to the benefit of the hotlines.

There is an obligation to file procedures with the CNIL before they are implemented if files or records will be maintained in France.

See Law Flash from Morgan Lewis: Whistleblower Procedures Inconsistent with French, German Law?