Through its Decision No. 2017-191 of 22 June 2017 (published in the Official Journal on 25 July 2017), the French Data Protection Authority ("CNIL") amended Single Authorization No. AU-004 on whistleblowing systems.
These modifications, much welcomed by companies, mainly aim at simplifying the formalities applicable to the processing of personal data resulting from the compliance procedures required by the French law of 9 December 2016 on transparency, the fight against corruption and the modernization of the economy (also known as the "Sapin II Law").
The scope of the AU-004 has been significantly extended
The CNIL has always been particularly watchful when it comes to whistleblowing systems, considering that French law did not offer any legal ground for their implementation and that they tended to enable "organized denunciation" systems. This reluctance led the CNIL to adopt, in 2005, Single Authorization No. AU-004 to establish the conditions under which these systems could be considered lawful from a data protection perspective.
Initially limited to whistleblowing in the areas of finance, accounting, banking and anti-corruption, the AU-004 had already been amended in the past to reflect legal and regulatory changes. In 2010, its scope was extended to cover anti-competitive practices. In 2014, it was extended further to include discrimination and harassment in the workplace, health, hygiene and safety issues in the workplace, as well as environmental issues (see our article of 14 January 2014 on DLA Piper's Privacy Matters blog).
With the enactment of the Sapin II Law, the CNIL has once again extended the scope of the areas covered by the AU-004, by relying on this French law as the legal basis for this revision. The extension is nonetheless much more significant than past modifications, as the limitations that were laid down in relation to the areas covered by the AU-004 are now lifted.
Indeed, the AU-004 now covers whistleblowing systems allowing any report or disclosure (provided it is made without seeking any personal benefit and in good faith) of any of the following:
- a crime or offence;
- a manifest and serious infringement of any international commitment duly ratified or approved by France;
- a manifest and serious infringement of any unilateral act enacted by an international organization adopted on the basis of an international commitment duly ratified or approved by France;
- a manifest and serious violation of laws or regulations;
- a serious threat or damage to the public interest of which the whistleblower has had personal knowledge;
- obligations defined by EU regulations and by the French Monetary and Financial Code or by the general regulations of the French Financial Markets Authority, which are monitored by the French Financial Markets Authority or the French Prudential Supervision and Resolution Authority; or
- the existence of behaviors or situations contrary to the company's code of conduct with respect to corruption or influence peddling, where the processing is implemented by the data controller to comply with a legal obligation or to pursue its legitimate interest.
The list of areas open to whistleblowing is therefore extremely wide, and comes close to the scope of whistleblowing that has been accepted for years in North America.
By way of exception, the AU-004 does not, however, cover reports relating to facts that are covered by (i) national defense secrecy, (ii) medical secrecy or (iii) legal privilege.
This extended scope comes with other significant amendments that should affect the organization of existing whistleblowing systems within businesses.
Significant amendments to take into account when implementing a whistleblowing scheme
The other amendments to the AU-004 that are likely to have an impact on companies implementing whistleblowing schemes are the following:
- Scope of whistleblowers: Whistleblowers may now be external and occasional collaborators of the entity that implemented the system, not only staff members. In other words, the entity may now give access to the system to persons who are not strictly on its payroll.
- Identity of the whistleblower: The former version of the AU-004 already required whistleblowers to be identified and prohibited encouraging anonymous reports. It is now specified that information identifying the whistleblower cannot be disclosed to any third party without his or her prior consent (except in case of disclosure to judicial authorities).
- Identity of the person concerned by the report: Likewise, information identifying the person who is the subject of the report cannot be disclosed to any third party before it is established that the concern is well founded (except in case of disclosure to judicial authorities).
- Information of data subjects: Information on the processing of personal data must be provided to any potential user of the whistleblowing system. Since the system may now be accessed by external staff, the entity will need to make sure it informs them as well. The notice must in particular describe the different steps of the reporting process, identify the recipients and set out the conditions under which reports may be forwarded to them.
- Recipients of the reports: The CNIL provides that reports may be addressed to the employer or to the direct or indirect supervisor, but also to any third-party contact person or service provider, subject to the obligation to take contractual steps to ensure the security of the data provided and to guarantee compliance with applicable regulatory requirements (in particular as regards the duration of data retention, confidentiality, misuse of personal data, return of the data at the end of the contract, etc.).
- Transfers to the United States: Finally, the CNIL reassures American economic operators (often actively involved in the management of whistleblowing systems) by acknowledging the validity of the Privacy Shield in case of transfer of data to certified recipients.
What formalities do companies have to fulfill?
Entities that have already committed to the CNIL to comply with the AU-004 do not need to complete any additional formality with the CNIL. However, they need to review their privacy notice and internal procedures to make sure they duly comply with the new conditions laid down by the AU-004, in particular regarding the processing of the identity of the whistleblower and of the persons concerned by the report, contracts with service providers, etc.
If no formality has been completed and the whistleblowing system complies with the conditions of the revised AU-004, a commitment to comply must be filed with the CNIL.
If the system does not comply with the AU-004 (for instance, if the company plans to implement a whistleblowing system relating to matters covered by medical secrecy or by attorney-client privilege), a specific authorization must be requested from the CNIL.
The adoption of the revised AU-004 will likely be welcomed by companies, for whom whistleblowing systems and hotlines are becoming widespread and, in many cases, a key element of their compliance efforts. The revised AU-004 should lead to a further decrease in the number of specific authorization requests relating to whistleblowing systems covering corruption, money laundering or terrorism financing, which have already fallen significantly since 2014.
For further information, please contact Denise Lebeau-Marianna ([email protected]) or Mathilde Hallé ([email protected]).
See Decision No. 2017-191 of 22 June 2017 amending Decision No. 2005-305 authorizing the automated processing of personal data in the context of whistleblowing systems.