The French CNIL’s New Guidance on Whistleblowing
Tuesday, August 1, 2023
French CNIL Guidance on Whistleblowers
Print Mail Download i

The French National Commission on Informatics and Liberty (CNIL) – the French data-protection authority – finally updated its standard of best practice on whistleblowing in July 2023, to accompany the significant changes introduced to the whistleblower protection regulation in the second half of 2022.

Context – French Whistleblower Protection Regulation

As a reminder, significant changes to whistleblower protection were first introduced in 2016 by the so called “Sapin II” law, and then by the transposition in France of the European directive on the protection of whistleblowers by the so called “Wasserman” law and its implementing decree, which came into effect in September and October 2022 respectively (the French Whistleblower Protection Regulation).

Significant changes were made by this new regulation, including:

  • Expanding the scope of the reports benefitting from protection; even though the scope is not unlimited, it is not restricted to breaches of EU law
  • Expanding of the categories of whistleblowers and creating new categories of persons that benefit from protection
  • Creating of new procedural rules

The substantive changes mainly concern “internal reporting channels” (i.e. within organisations), but the new regulation also applies to “external reporting channels” to specific authorities or courts, depending on the “sector”.

In addition to the French Whistleblower Protection Regulation, there are other French regulations requiring the implementation of whistleblowing systems, such as, for instance, the regulation on the duty of vigilance.

Changes to the CNIL’s Standard

As a result of the change in the whistleblower protection regulation, the guidance published by the CNIL in 2019 needed updating.

More than 10 months after the regulatory changes became effective, the CNIL has finally published the revised standard on whistleblowing systems and an FAQ list.

The new CNIL standard retains the same principles, but now covers all whistleblowing systems, although it is limited only to aspects related to data protection. As in the past, it is not binding, but serves as guidance (as well as facilitating the data protection impact assessment).

The main changes, compared to the previous version, concern:

  • A simplification of the “scope” of the guidance

The guidance applies to all whistleblowing systems, including those that are outside the scope of the French whistleblower protection regulation and/or are voluntary.

  • Setting out new purposes for processing the data collected as part of the processing of a report

A whistleblowing system can be implemented to comply with one or several legal obligations (e.g. anticorruption regulation, duty of vigilance law, etc.). It can also be implemented on a voluntary basis – where organisations do not meet the thresholds above in which the implementation of a whistleblowing system is mandated by law, or when the system is intended to cover initiatives to combat improper or unethical behaviours in light of those organisations’ internal rules (e.g. codes of ethics or internal regulations). Depending on the situation, the legal basis for processing will be compliance with a legal obligation or legitimate interest of the organisation. In some cases, the system will work as a “one-stop shop”, but may require the implementation of specific features, depending on the purpose it serves. The organisation must also comply with transparency requirements in this respect.

  • Setting out the expanded definition of whistleblowing and of the persons that are protected under the regulation
  • An obligation to provide feedback to the whistleblower

The whistleblower has to be informed of follow up actions.

  • New developments on the possibility of outsourcing the management of the report to third-party vendors
  • Position on the “pooling of resources”

The CNIL notes that, for whistleblowing systems implemented to comply with Article 6 of the Sapin Law (i.e. the enlarged transposition of the Whistleblower Directive), “in principle”, it is not possible to share resources for the assessment concerning the correctness of the allegations of a report where the companies exceed 250 employees, even within the same group. Moreover, it is not possible for the system to share the report of a whistleblower with another organisation than the one to which the report was made, even within the group – the system should thus offer the possibility of addressing the report to more than one organisation.

  • New developments on the different phases of alert processing
  • New developments on the processing of “anonymous” reporting

This relates to situations where the whistleblower chooses not to identify themself. This is different to “anonymous information” under GDPR.

  • New clarifications relating to data retention periods
  • Security measures

Updating the table of security measures to be implemented following the publication of a new version of the CNIL security guide in April 2023.

© Copyright 2024 Squire Patton Boggs (US) LLP

Current Legal Analysis

More from Squire Patton Boggs (US) LLP

Bettors Beware: Read Sixth Circuit Before Wagering on the Kentucky Derby
by: Trane J. Robinson
The Price Cap on Russian Oil – Part 2: Updated OFAC Guidance
by: Richard J. Gibbon
Parties Beware—Noncompliance with Delaware ABC Statute Can Lead to Serious Consequences (US)
by: Michelle N. Saney
(UK) What Practical Changes Can IPs Expect from the Proposed Amendments to FCA Guidance?
by: Rachael Markham , John Alderton
Intelligent AI Guidance from the USPTO Identifies Potential Perils
by: Frank L. Bernstein
The Status of Non-Competes in Healthcare: How the FTC Rule and Other Recent Developments Affect Non-Competes for Doctors, Nurses, and Other Healthcare Practitioners
by: Paul Erian , William J. Kishman
EEOC Updates Workplace Harassment Guidelines Reinforcing Protections for LGBTQ+ Employees (US)
by: Ariel S. Cohen
Are the USPTO’s Proposed Terminal Disclaimer Fees the End of Continuing Applications?
by: Frank L. Bernstein
The USPTO Proposes Steep RCE Fees. Will Patent Prosecution and Appeal Strategies Change?
by: Frank L. Bernstein , Michael Adams
The Price Cap on Russian Oil – Part 1: Increased OFAC Enforcement
by: Richard J. Gibbon

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins