Information Technology / Communications
19 February 2014
Valérie Da Costa
Baker & McKenzie SCP
Whistleblowing systems: the CNIL takes a new step toward more flexibility
On January 30, 2014, the French Data Protection Authority (the “CNIL”) issued deliberation no. 2014-042, once again modifying deliberation no. 2005-305 of December 8, 2005, which governs the single simplified authorization regime applicable to the implementation of whistleblowing systems (“AU004” or “Single Authorization”). Its purpose is to extend the scope of matters which may be reported under the simplified regime and to bring more flexibility to other topics (the legal grounds justifying such systems and the acceptance of anonymous reports). The deliberation will thus have a significant and practical impact for companies.
1. This deliberation is consistent with a trend, already initiated in 2010, to extend the scope of the Single Authorization
After having narrowly limited the scope of the Single Authorization to whistleblowing systems grounded in legislative or regulatory obligations under French or American laws (the “Sarbanes-Oxley” Act of July 2002), and to financial, accounting, banking and anti-corruption matters, in a deliberation of October 14, 2010 no. 2010-369, the CNIL extended the scope of the Single Authorization to whistleblowing systems implemented to fight against anti-competitive practices within the relevant organization and accepted the Japanese Financial Instrument and Exchange Act of June 6, 2006, referred to as the “Japanese SOX”, as a new legal basis.
However, further to the French Supreme Court’s decision of December 8, 2009, the CNIL prohibited the use of the Single Authorization for reports regarding the company’s vital interests or employees’ physical integrity, even to refer them to the competent persons.
Because this restricted scope did not meet the ordinary concerns of many companies, they were obliged to submit specific authorization requests to the CNIL. In particular, in 2011 and in 2012, within the framework of the specific authorization regime, the CNIL authorized, on a case-by-case basis, the implementation of whistleblowing systems (i) dedicated to fighting against discrimination, and (ii) for serious misconduct, such as psychological or sexual harassment, psychological or verbal violence, the disclosure of strictly confidential information, conflicts of interests, respect for human rights, violations of regulations on the environment, health and safety, prohibited commercial practices, etc.
2. Innovations in the deliberation of January 30, 2014, that modify the Single Authorization regime
Faced with these numerous specific requests requiring companies to comply with the restrictive authorization procedure, the CNIL decided to bring some flexibility:
It broadened the legal grounds that may prove the legitimacy of the implementation of a whistleblowing system under the Single Authorization, as these legal grounds can now include both a legal or regulatory obligation under French or a foreign law and the legitimate interests of the data controller.
It broadened the scope of the Single Authorization by accepting, in addition to the matters mentioned in section 1 above, the following new matters, which are often mentioned in companies’ codes of ethics:
- fight against discrimination and harassment in the workplace,
- workplace health, hygiene and safety,
- environmental protection.
It specified the conditions for taking anonymous reports into account since regulations, such as the Sarbanes-Oxley Act, require companies to implement a system that permits such reports. The CNIL clarifies that anonymous reports:
- must necessarily be tolerated, although it stated that anonymous reports must not be encouraged;
- may be processed provided that (i) the seriousness of the facts involved has been proven and the factual evidence is sufficiently detailed, and (ii) specific precautions are taken (prior assessment by the first recipient of the information that it is appropriate to follow up on the report within the whistleblowing system process).
3. What are the practical consequences for companies?
Does a new Single Authorization need to be filed?
No, if the company already has a whistleblower system that is authorized under the old Single Authorization regime. The company can benefit from the new regime without having to make a new Single Authorization request if the information initially stated has not changed (notably, information regarding the existence of a transfer outside the European Union of the data processed from the whistleblowing system). However, the company will have to modify its information notice to include the new matters that may be reported which it wishes to implement and inform employees of these modifications. It will also have to verify the steps to be taken, if applicable, with the Works Council (“CE”) and the Health and Safety Committee (“CHSCT”).
Yes, if the company is newly implementing a whistleblowing system. It must then comply with deliberation no. 2005-305 as revised and implement an information notice, comply with the limited storage terms and the technical security and data transfer protection measures stated in the said deliberation, and make a Single Authorization filing online.
A specific authorization is still necessary for matters not expressly covered by the new scope of the Single Authorization
If the company wishes to use the whistleblowing system beyond the new scope of the Single Authorization, it must submit a more detailed request to the CNIL for a specific authorization which may take more time and be subject to some uncertainty since such an authorization requires an actual dialogue with the CNIL to convince it of the legitimacy of the requested extension. The justification of the matter to be added in light of the legitimate interest of the company will be of the essence to obtain a positive response.
Although we are pleased with this extension, which is a pragmatic response to companies’ business realities and makes the formalities easier for them, we may regret that other fields, which are just as important and may be justified by companies' legitimate interests, were not covered, including conflicts of interests, protection of corporate assets and the disclosure of sensitive or confidential information. Might this mean that other deliberations should be expected in the future?
©2014 Baker & McKenzie. All rights reserved.