CNIL Extends Scope of Authorization on Whistleblowing Schemes

On July 25, 2017, the French Data Protection Authority (“CNIL”) published its decision on the adoption of several amendments to its Single Authorization AU-004 regarding the processing of personal data in the context of whistleblowing schemes (the “Single Authorization”). The amendments reflect changes introduced by French law on December 9, 2016, regarding transparency, the fight against corruption and the modernization of the economy, also known as the “Sapin II Law.”

Since 2005, companies in France have had to register their whistleblowing schemes with the CNIL either by self-certifying to the CNIL’s Single Authorization or by filing a formal request for the CNIL’s approval. Companies that self-certify to the Single Authorization make a formal representation that their whistleblowing scheme complies with the pre-established conditions set out in the Single Authorization. Until now, only the following types of issues could be reported under the CNIL’s Single Authorization: finance, accounting, banking and anti-corruption issues, anti-competitive practices, workplace discrimination and harassment, workplace health, hygiene and safety issues and environmental issues. The scope of whistleblowing schemes had to be limited to these areas in order to benefit from the CNIL’s Single Authorization.

Through the recent amendments, the CNIL has extended the scope of the Single Authorization to any reports relating to:

  • a crime or offence;
  • a manifest and serious infringement of an international commitment duly ratified or approved by France;
  • a manifest and serious infringement of a unilateral act of an international organization adopted on the basis of an international commitment duly ratified or approved by France;
  • a manifest and serious violation of laws or regulations;
  • a serious threat or damage to the public interest of which the whistleblower has had personal knowledge;
  • obligations defined by EU regulations and by the French Monetary and Financial Code or by the general regulations of the French Financial Markets Authority, which are monitored by the French Financial Markets Authority or the French Prudential Supervision and Resolution Authority;
  • the existence of behavior or situations contrary to the company’s code of conduct, with respect to corruption or trading in influence.

However, the revised Single Authorization does not cover issues covered by national defense secrecy, medical secrecy and legal privilege. Organizations allowing reporting on these issues must file a formal request for the CNIL’s approval.

The revised Single Authorization also specifies that whistleblowers may be staff members of the organization or external and occasional collaborators (such as consultants/contractors). Whistleblowing schemes open to other third parties (such as customers) will not fall within the scope of the Single Authorization.

Further, the revised Single Authorization notes that the whistleblower must identify themselves, and their identity must be processed under conditions of confidentiality. In this respect, the revised Single Authorization specifies that the information identifying the whistleblower may only be disclosed to judicial authorities and with the whistleblower’s consent. Similarly, information identifying the reported individual may be disclosed only to judicial authorities and when it is established that the concern is well-founded.

Finally, the revised Single Authorization adds that the privacy notice must explain how reports may be filed through the whistleblowing scheme and who will receive the reports.

Organizations that have already self-certified to the Single Authorization do not need to make a further representation that they comply with the revised version of that Single Authorization, but they must ensure that they meet its new conditions.
