Information technology must respect the human identity, the human rights, privacy and liberties.

Contents

Workers being globalised in spite of themselves!

Investigation

Under its 2007 annual investigation programme, the Commission decided to conduct investigations to check the conditions of data file processing linked to human resources management.

Nearly fifty investigations were thus carried out in order to verify HR-related personal data systems: personnel records, recruitment files, as well as biometric and geo-positioning devices, whistle-blowing systems, etc.

The investigations revealed the following findings.

Assessment of whistle-blowing systems

Whistle-blowing systems, mandatory for listed companies in the United States under the Sarbanes-Oxley Act, enable company employees to report any behaviour violating legal requirements or company rules, without having to go through the traditional management lines.

The very first finding is that French workers make little use of such systems. These mechanisms, set up by parent companies headquartered abroad, seem ill-suited to the usual practices found within French companies. It would appear that such systems are of little use given the legal requirements already provided under the French Labour Code and the traditional practice of reporting any malfunction through the normal management line.

The second observation resulting from our investigations is an inadequate understanding of the requirements arising from the French Data Protection Act when implementing whistle-blowing systems. This is the case for a number of companies that have signed a compliance commitment under “Single Authorisation No. 4”, even though very few of the systems in place are actually restricted to the fields of “finance, accounting, banking and anti-corruption”, as specified by Article 1 of that authorisation. In reality, a company's whistle-blowing system is most often backed by its own code of conduct, generally drafted by the parent company and covering a much broader scope than that allowed by the CNIL single authorisation.

Substantial growth of transborder data flows

In 2007, CNIL authorised 1,682 transborder data transfers, and a further 538 applications are pending examination.

Two different cases may be observed in the Human Resources sector.

Firstly, data may be transferred at the request of the parent company, located for instance in the US, in order to streamline its corporate HR management tools: in this case, all subsidiaries use the same software and the data are hosted on servers at the parent company.

In this context, a complete lack of compliance with the legal obligations of the French Data Protection Act was found in a number of cases: failure to inform the personnel, ignorance of the allowable post-transfer data retention period, and lack of CNIL authorisation, which constitutes an offence punishable by 5 years in jail and a €300,000 fine pursuant to Article 226-16 of the Criminal Code.

In the second case, data are transferred abroad under subcontracting agreements: a company decides to outsource its payroll management or recruitment process to an independent service provider located abroad or hosting its databases in a foreign country. Frequently, the company's data controller does not even know where the data are actually located, even though it remains responsible for them.

Such situations disregard the obligations of the law, which requires that individuals be informed when their data may be transferred to non-EU countries, and that data controllers retain “full control” over the security of the data for which they are responsible. Such control implies knowing the physical location of the databases and ensuring that any data transfer is carried out in a way that guarantees confidentiality.

Geo-location systems applied to employee vehicles

These systems enable an employer to track at all times the geographic location of employees driving a vehicle equipped with a GPS device.

The legitimate purposes that may justify implementing geo-positioning tools are sometimes poorly understood by companies, which tend to neglect to define precisely the goals they expect to achieve with such devices. Consequently, companies run the risk of being unable to justify the legitimacy of the purpose, particularly with respect to the relevant CNIL recommendation adopted on 16 March 2006.

Some ten investigations conducted on this subject have largely revealed a lack of information given to employees about their rights (right of access, rectification and opposition), along with the absence of any defined retention period for the data collected by employers.