By a decision of June 2017, the CNIL has modified its blanket authorization for whistleblowing with a view to adapting it to recent changes introduced by the so-called “Sapin 2” law (the law relating to “transparency, the fight against corruption and modernization of business life”).

Under Sapin 2, there is an obligation on business to implement reporting schemes as follows:

(i) for business having more than 50 employees, a whistleblowing scheme (this obligation takes effect in January 2018);

(ii) for many companies, an internal reporting system as part of an anti-bribery compliance program; and

(iii) for companies providing financial services, a reporting scheme for breaches of EU or French financial market regulation.

Blanket authorization

Whistleblowing schemes currently require prior approval by the CNIL. Given the historical sensitivity around whistleblowing in France, obtaining this approval can be time consuming. In light of this, the CNIL has published a blanket authorization (autorisation unique “AU-004”). AU-004 describes the permitted processing activities relating to whistleblowing, including what data can be collected, with whom, to what extent it can be shared or disclosed, what confidentiality measures have to be taken, how long data can be retained and what information has to be provided to data subjects. To the extent that a company’s whistleblowing scheme for France complies with AU-004, it can self-certify compliance and be authorised immediately. The CNIL has now amended AU-004 to allow implementation of the Sapin 2 requirements.

Whistleblowers

A key change to AU-004 is that, in addition to employees, whistleblowers can now also be third parties working occasionally for the company (although this change does not entirely fit with the definition of whistleblowers in Sapin 2). All whistleblowers must act in good faith and disinterestedly (i.e. without financial incentive).

The scope of reporting

One of the main characteristics of AU-004 has been the fact that whistleblowing is only permitted for a limited number of topics. The number of topics was increased significantly in 2014. In the latest amendment to AU-004, the CNIL has changed the list of topics to a more general description, based on Sapin 2. However, AU-004 will not apply to any disclosed information falling within any of the following categories:

  • doctor/patient relationship
  • client/lawyer professional secrecy; or
  • national security.

Under the amended AU-004, both an employee or third party working occasionally with the company may now report on:

  • a crime or offence;
  • a serious and manifest breach of any laws or regulations applying in France, including those resulting from international commitments or EU regulations; or
  • a serious threat or harm to the public interest of which the whistleblower has personal knowledge.

In addition, (only) employees may report on:

  • behaviors or situations that are contrary to the company’s code of conduct and which relate to corruption of influence peddling. The AU-004 specifies that the legal basis for processing whistleblowing data on this topic may be either compliance with a legal obligation or the legitimate interest of the data controller. The reference to legitimate interest of the data controller has, in the past, notably made it possible to implement schemes not only to comply with French law requirements, but also with foreign laws such as SOX. Thus, in this context this would permit processing of reports with a reference to laws other than French laws or regulations, such as the UK Bribery Act or the FCPA; and
  • breaches of EU or French financial market regulation (where the company provides financial services).

Confidentiality

Under Sapin 2, reporting schemes must protect the identity of the whistleblower, the identity of any person incriminated and the information collected. The disclosure of any of these details carries up to two years’ imprisonment and a €30,000 fine (€150,000 for corporations). The AU-004 now specifies to whom, and in what circumstances, information that would allow the identification of the whistleblower or the incriminated person can be disclosed. AU-004 also specifies which categories of recipients may receive the reports and provides that these recipients shall only receive the relevant level of information on a strict need to know basis.

Additional information to data subjects

Under the amended AU-004, in addition to the information that was already required to be provided to data subjects, the information notice must specify the procedural steps of the whistleblowing system.

Sanction for lack of compliance with data protection regulations

Breach of data protection regulations can lead to sanctions by the CNIL, which include a financial penalty of up to € 3 million, an injunction to cease the processing and possible daily fines and urgency measures where necessary. The maximum level of sanction will increase significantly once the GDPR comes into effect. Breaches can also be sanctioned under criminal law. In addition, information collected by way of a non-compliant reporting system may not be used as the basis for disciplinary action against employees.

GDPR

Whistleblowing schemes present a “high risk” for data subjects and, therefore, will require a Data Protection Impact Assessment (DPIA) and, possibly, consultation with the supervisory authority. AU-004 will remain effective even after 25 May 2018, possibly with further amendments, for setting out what the CNIL considers are the relevant measures necessary to minimize risk for data subjects.

What this means in practice

The modification of AU-004 was much awaited. However, many companies still have a lot of work to do to ensure that their whistleblowing system is compliant before January 2018 and to negotiate contracts with potential vendors. There is added complexity here given the need to integrate compliance with the GDPR. As a result, implementation of the French aspect of a whistleblowing system may prove much more difficult than in the past. For example, the person receiving the report will have to be able to identify if the facts fall into one of the authorized categories even though (apart from corruption) they are no longer listed by theme but by more generic reference to the law (civil and criminal) and international regulations and commitments covering France. This person will need to have a good working knowledge of French law.