France's data protection authority, the CNIL (the Commission Nationale de l’Informatique et des Libertés), recently published a decision (n° 2017-191) setting out new guidelines with respect to whistleblower hotlines. The new guidelines implement changes in French law brought about by Law no. 2016-1691 of December 9, 2016 (the so-called Sapin II Law). Sapin II introduced numerous changes intended to increase transparency, fight corruption and generally modernize the French economy. Until the mandatory introduction of whistleblower hotlines for companies subject to Sapin II, the CNIL had expressed notable resistance toward such hotlines, bowing begrudgingly to the requirements imposed on U.S.-based companies by Sarbanes-Oxley. Sapin II changed that by mandating the implementation of whistleblower hotlines and the adoption of company codes of conduct.
All whistleblowing schemes must be registered with the CNIL, either by filing a specific request for authorization or, where strict criteria can be met, by declaring that the scheme falls within the so-called “Single Authorization” rules. Prior to the CNIL's recent decision, however, the Single Authorization rules were not terribly flexible and limited whistleblowing schemes to a finite set of subjects that could be reported: finance; accounting; banking and anticorruption issues; anti-competitive practices; workplace discrimination and harassment; workplace health, hygiene and safety issues; and environmental issues. Any other whistleblowing subject not falling within the Single Authorization had to be approved specially by the CNIL, and such requests invariably met with bureaucratic intransigence. The rigidity of the prior rules and their conflict with other regimes such as Sarbanes-Oxley created a certain tension. For instance, if a report made to a hotline did not fall within the scope of the hotline's authorization, under the prior French regime it had to be referred to the normal management chain rather than handled under the hotline procedure. Under the previous rules anonymous whistleblowing was prohibited, even though foreign regimes such as Sarbanes-Oxley required it. The new guidelines allow for greater flexibility.
The new guidelines do specifically state that the whistleblowing hotline should not incite the caller to remain anonymous (except where the circumstances require it), but they do not prohibit anonymity and do provide that the whistleblower’s identity should be treated confidentially and may not be revealed, except to the judicial authorities or with the consent of the whistleblower herself.
The rules with respect to the Single Authorization are now expanded to include whistleblowing with respect to the following: a crime or offence; a manifest and serious infringement of a unilateral act of an international organization adopted on the basis of an international commitment duly ratified or approved by France; a manifest and serious violation of laws or regulations; and a serious threat or damage to the public interest of which the whistleblower has had personal knowledge. Also covered are obligations incumbent on a company by reason of European Union regulations, the French Monetary and Financial Code or the General Regulations of the French AMF (Autorité des Marchés Financiers, the French Financial Markets Authority); acts of corruption or influence trafficking; and, interestingly, violations of the enterprise’s code of conduct.
Excluded from this rather broad list of items now falling within the Single Authorization are matters of national defence, medical secrets and attorney-client secrets.
The new rules also make it clear that a company may use a third-party service provider to operate the whistleblowing hotline, provided that information is disclosed to the provider only under the strictest confidentiality restrictions.
The CNIL’s recognition that it may not be reasonable to require an enterprise subject to the Sapin II requirement to operate a hotline full time demonstrates a flexibility not commonly observed on the part of the CNIL in the past.
Article 5 of the new rules is particularly interesting in that it specifically refers to, and permits, the transfer of confidential personal data outside the European Union to the United States, where the transfer is made in conformity with the Privacy Shield rules or the EU’s standard contractual clauses for data processing.
Among other things, the new rules also detail what information may be collected by the hotline, how the data are to be handled and (within broad limits) by whom, how long the data may be stored and when they must be destroyed.
Reassuringly, the new guidelines also detail the rights of the person(s) reported to the hotline to be made aware of the accusations against them and to defend themselves.
Finally, it is worth noting that an enterprise whose whistleblowing hotline already benefits from the Single Authorization will not have to make a new declaration in order to be covered by the expanded scope of the Single Authorization; of course, it will still have to comply with all of the new rules for the Single Authorization to remain valid.