CNIL amends whistleblowing regime following adoption of "Sapin 2 Law" | Fieldfisher

In France, the legal framework for whistleblowing schemes derives from a decision of the French Data Protection Authority (the "CNIL") of 2005 adopting a "single authorization AU-004" for the processing of personal data in the context of whistleblowing schemes. This single authorization and the CNIL's accompanying guidelines are largely based on the Article 29 Working Party's Opinion 1/2006 of 1st February 2006 setting out EU-wide guidelines for whistleblowing schemes in Europe. Companies in France must notify their whistleblowing processing activities to the CNIL via an online self-certification procedure on the CNIL's website, whereby they make a formal undertaking that their whistleblowing hotline complies with the pre-established conditions set out in the CNIL's single authorization AU-004.

Initially developed in response to the adoption of the U.S. Sarbanes-Oxley Act of 2002, the CNIL's position historically has been to limit the scope and use of whistleblowing hotlines in France to areas where companies must comply with applicable laws (mainly in the areas of finance, accounting, banking and the fight against corruption). Since then, the CNIL has broadened the scope of its single authorization AU-004 a number of times to include other areas, such as compliance with the Japanese Financial Instruments Act, the prevention of anti-competitive practices, discrimination and workplace harassment, and compliance with health, hygiene, safety and environmental regulations in the workplace.

The Law n°2016-1691 of 9 December 2016 on transparency, the fight against corruption and the modernization of economic life (the so-called 'Sapin 2 Law') requires companies of over 50 employees and public administrations to implement a whistleblowing scheme. The Sapin 2 Law establishes a more harmonized and protective status for whistleblowers by safeguarding the confidentiality of a whistleblower's identity and prohibiting retaliation measures against whistleblowing. Depending on the size of a company, whistleblowing schemes may be used for different purposes, including denouncing criminal offences, serious harm to public property, or violations of a company's code of conduct.

As a consequence, the CNIL has amended its single authorization AU-004 in accordance with the Sapin 2 Law. In particular, the scope of the revised single authorization AU-004 now applies to the reporting of criminal activities, violations of international treaties and acts duly ratified or approved by France, serious violations of laws or regulations (including obligations defined by EU regulations and by the French Monetary and Financial Code or by the general regulations of the French Financial Markets Authority), serious threats or damage to the public interest, and violations of a company’s code of conduct (e.g., corruption or traffic of influence). However, matters of national interest and those that are protected by medical secrecy or client-attorney privilege are excluded from the scope of the single authorization and would require the CNIL's ad hoc approval.

The amended single authorization AU-004 also clarifies the conditions for processing whistleblowing data, including the type of data that may be collected, how such data may be processed and by whom, the period of retention of such data, whose data may be processed as part of a whistleblowing scheme, the rights of individuals against whom accusations are made, and how whistleblowing data may be transferred outside the EU (including to the United States under the Privacy Shield).

The revised AU-004 maintains the possibility for anonymous reporting but reinforces the need to protect a whistleblower's identity. In particular, a whistleblower's identity may only be disclosed to a judicial authority after obtaining the whistleblower's consent. In addition, the data revealing the identity of an individual who is the subject of a whistleblowing report can only be disclosed once the validity of a whistleblowing report has been established, except to a judicial authority.

The CNIL's revised single authorization also extends the list of potential whistleblowers to temporary or external workers (in addition to permanent staff). If, however, a company chooses to extend its whistleblowing hotline to other third parties (such as customers) it must first obtain the CNIL's prior approval. All potential users of a whistleblowing hotline must receive prior notice about how to use the hotline, including the different steps and the conditions for filing a report.

In creating a more formal regime for whistleblowing hotlines, the 'Sapin 2 Law' has clarified the conditions that apply to whistleblowing hotlines in France. As a result of the law, the CNIL has broadened the scope of whistleblowing processing activities in line with current and widely-recognised business practices. Following these legislative changes, large organizations and public administrations who currently do not have a whistleblowing hotline in France will need to set one up under the 'Sapin 2' law and to self-certify to the CNIL's AU-004. Organizations who have already self-certified to the CNIL's single authorization AU-004 in the past are not required to carry out any further formalities but must nonetheless ensure that their whistleblowing hotlines comply with the new conditions set out in the revised single authorization AU-004.