The French data protection authority, the CNIL, has historically placed tight restrictions on the permitted scope of reporting to a whistleblowing hotline, especially if authorisation is to be sought under the Blanket Authorisation of 2005 (referred to as AU-004). Until now, this simplified procedure could only be used to obtain authorisation for hotlines which invited reports relating to finance, accounts, banking and the fight against corruption.
Facing an increasing number of applications which did not fall within the permitted scope of AU-004 (and which therefore were required to be considered for authorisation on a case-by-case basis), the CNIL modified the scope of AU-004, in a decision dated 30 January 2014 which was published on 11 February 2014. At the time of writing, the decision is only available in French.
According to this decision, applications may be made under the AU-004 procedure to obtain authorisation for the processing of personal data pursuant to a whistleblowing hotline which permits reports relating to the following categories, in addition to the categories previously permitted:
- the fight against discrimination;
- health, hygiene and security in the workplace; and
- the protection of the environment.
Also notable was the CNIL’s reference to the company’s ‘legitimate interests’ as another justification for the processing of personal data pursuant to a hotline. This contrasts with its previous position that the processing must be required under French legal requirements (or pursuant to the reporting requirements imposed by the US Sarbanes-Oxley Act 2002 (“SOX”) and/or its Japanese equivalent).
This represents a considerable extension to the scope of permitted reporting under AU-004, which will be welcomed by those businesses which already operate a hotline in France, or perhaps have held back from doing so, due to the tight restrictions previously in place. In particular, this decision will help multi-national companies to more effectively harmonise the scope of hotlines which cover more than one European Union country.
The CNIL also provided further clarification on how anonymous reports to a hotline should be handled. In light of foreign regulations (in particular, SOX) which impose obligations on some companies located in France to implement whistleblowing schemes which enable anonymous reporting, the CNIL has conceded that it needs to be more tolerant towards such reports.
The CNIL maintains its position that anonymous reporting should not be encouraged. The default position is that whistleblowers should identify themselves when making a report, and that anonymity will only be accepted on an exceptional basis. However, there is no longer a requirement to design the system around mandatory identification.
This increased tolerance is subject to certain conditions, aimed at protecting against the increased risk of abuse of the system that anonymous reports present. Anonymous reports can be processed only if (i) the seriousness of the reported facts is established and the factual elements are sufficiently detailed; and (ii) great caution is exercised in processing the report, including a careful examination by the initial recipient to determine whether the report can be disseminated more widely.
This additional guidance and more pragmatic approach represent an important step, particularly for global corporations attempting to balance obligations imposed by both French and US law.