Privacy & Information Security Law Blog

In a decision published on February 11, 2014, the French Data Protection Authority (“CNIL”) adopted several amendments to its Single Authorization AU-004 regarding the processing of personal data in the context of whistleblowing schemes (the “Single Authorization”).

Since 2005, companies in France have had to register their whistleblowing schemes with the CNIL either by self-certifying to the CNIL’s Single Authorization or by filing a formal request for approval with the CNIL. Companies that self-certify to the Single Authorization make a formal representation that their whistleblowing scheme complies with the pre-established conditions set out in this authorization. Until now, only the following whistleblowing schemes could benefit from the CNIL’s Single Authorization:

• Whistleblowing schemes implemented to comply with a French legal obligation in the following areas: finance, accounting, banking and anti-corruption;
• Whistleblowing schemes implemented to comply with Section 301(4) of the Sarbanes-Oxley Act or the Japanese Financial Instrument and Exchange Act, and to fight against anti-competitive practices.

Through the recent amendments, the CNIL has extended the scope of the Single Authorization to include (1) the fight against discrimination and harassment in the workplace, (2) health, hygiene and security in the workplace and (3) protection of the environment. Whistleblowing schemes that allow reporting in those areas may now benefit from the Single Authorization. The CNIL also clarified that, although anonymous reporting should not be encouraged, it may be tolerated, subject to two conditions. Specifically, anonymous reports may be processed if (1) the seriousness of the reported facts is established and factual elements are sufficiently detailed and (2) the processing of the anonymous report is performed with great caution (including a prior examination by the first recipient of the report regarding the opportunity to disseminate the report within the whistleblowing scheme). Whistleblowing schemes which do not comply with these conditions must be authorized by the CNIL on a case-by-case basis.

This is the second time that the CNIL revised its Single Authorization. In 2010, the CNIL extended the scope of the Single Authorization to acknowledge that companies may operate whistleblowing schemes in areas beyond financial issues.