The French data protection authority (the Commission Nationale de l’Informatique et des Libertés – CNIL) has just published an amended version of its standard authorization for professional whistleblowing helplines, which significantly broadens its scope but also tightens the requirements for anonymous reporting.
Under French data protection legislation, whistleblowing helplines are subject to prior authorization by the French data protection authority. Indeed, French data protection legislation requires that processes which may result in the exclusion of a person from the benefit of a right or a contract are subject to prior authorization, as could be the case when resorting to a whistleblowing helpline (employees may incur sanctions and be terminated).
In order to simplify the procedure, the CNIL had adopted, in December 2005, a “standard authorization” for whistleblowing helplines which strictly matched the scope described in the decision. The CNIL decision limited the benefit of the “standard authorization” to helplines intended for reporting misconduct in the fields of accounting, banking, auditing, and the fight against fraud as covered by French legislation, as well as those expressly covered by the terms of article 301(4) of the U.S. Sarbanes-Oxley Act.
In 2010, the CNIL had already broadened the scope of its “standard authorization” to include the reporting of anti-competition behaviours.
The new version of the authorization significantly broadens the scope as it now provides a simplified authorization procedure for systems designed to provide employees with the ability to report actions violating, in addition to the topics above, the principles regarding:
- The fight against discrimination and harassment at the workplace;
- Health, safety and security at the workplace; and
- Protection of the environment.
The implementation of the helpline now has to be justified either by specific legal requirements or by the legitimate interests of the company. The second leg of the justification therefore opens the door for companies to invoke their internal binding codes of conduct in order to rely on the CNIL’s “standard authorization”.
Even though the CNIL broadened the scope of reporting categories, it must be noted that the requirements regarding anonymous reporting have been somewhat tightened. Indeed, in addition to the usual requirements that anonymous reports should be handled with specific caution and that anonymous reports should not be encouraged, the CNIL now requires that entities relying on the standard authorization only allow anonymous reporting in cases where “the seriousness of the facts described is established and the factual elements are sufficiently detailed”.
This therefore creates a heavier burden on entities accepting anonymous reports to implement a stringent preliminary vetting and verification procedure when receiving an anonymous alert.
Finally, it should be underlined that professional whistleblowing systems which do not meet the criteria set out in the standard authorization may still be submitted to the CNIL for prior specific authorization. These systems are therefore not systematically prohibited in France but are subject to greater scrutiny by the French data protection authority.