The French National Commission on Informatics and Liberty (CNIL) – the French data-protection authority – finally updated its standard of best practice on whistleblowing in July 2023, to accompany the significant changes introduced to the whistleblower protection regulation in the second half of 2022.
Context – French Whistleblower Protection Regulation
As a reminder, significant changes to whistleblower protection were first introduced in 2016 by the so-called “Sapin II” law, and then by the transposition in France of the European directive on the protection of whistleblowers by the so-called “Wasserman” law and its implementing decree, which came into effect in September and October 2022 respectively (the French Whistleblower Protection Regulation).
Significant changes were made by this new regulation, including:
- Expanding the scope of the reports benefitting from protection; even though the scope is not unlimited, it is not restricted to breaches of EU law
- Expanding the categories of whistleblowers and creating new categories of persons that benefit from protection
- Creating new procedural rules
The substantive changes mainly concern “internal reporting channels” (i.e. within organisations), but the new regulation also applies to “external reporting channels” to specific authorities or courts, depending on the “sector”.
In addition to the French Whistleblower Protection Regulation, there are other French regulations requiring the implementation of whistleblowing systems, such as, for instance, the regulation on the duty of vigilance.
Changes to the CNIL’s Standard
As a result of the change in the whistleblower protection regulation, the guidance published by the CNIL in 2019 needed updating.
The new CNIL standard retains the same principles, but now covers all whistleblowing systems, although it is limited to data-protection aspects. As in the past, it is not binding, but serves as guidance (as well as facilitating the data protection impact assessment).
The main changes, compared to the previous version, concern:
- A simplification of the “scope” of the guidance
The guidance applies to all whistleblowing systems, including those that are outside the scope of the French whistleblower protection regulation and/or are voluntary.
- Setting out new purposes for processing the data collected when handling a report
A whistleblowing system can be implemented to comply with one or several legal obligations (e.g. anti-corruption regulation, duty of vigilance law, etc.). It can also be implemented on a voluntary basis – where organisations do not meet the thresholds above at which the implementation of a whistleblowing system is mandated by law, or when the system is intended to cover initiatives to combat improper or unethical behaviours in light of those organisations’ internal rules (e.g. codes of ethics or internal regulations). Depending on the situation, the legal basis for processing will be compliance with a legal obligation or the legitimate interest of the organisation. In some cases, the system will work as a “one-stop shop”, but may require the implementation of specific features, depending on the purpose it serves. The organisation must also comply with transparency requirements in this respect.
- Setting out the expanded definition of whistleblowing and of the persons that are protected under the regulation
- An obligation to provide feedback to the whistleblower
The whistleblower has to be informed of follow-up actions.
- New developments on the possibility of outsourcing the management of the report to third-party vendors
- Position on the “pooling of resources”
The CNIL notes that, for whistleblowing systems implemented to comply with Article 6 of the Sapin Law (i.e. the enlarged transposition of the Whistleblower Directive), “in principle”, it is not possible to share resources for the assessment of the correctness of the allegations in a report where the companies exceed 250 employees, even within the same group. Moreover, it is not possible for the system to share a whistleblower’s report with an organisation other than the one to which the report was made, even within the group – the system should thus offer the possibility of addressing the report to more than one organisation.
- New developments on the different phases of alert processing
- New developments on the processing of “anonymous” reporting
This relates to situations where the whistleblower chooses not to identify themselves. This is different from “anonymous information” under the GDPR.
- New clarifications relating to data retention periods
- Security measures
Updating the table of security measures to be implemented following the publication of a new version of the CNIL security guide in April 2023.