Modifications to the CNIL’s Blanket Permission for Whistleblowing in France

By a choice of June 2017, the CNIL has customized its blanket permission for whistle-blowing with a view to adjusting it to current modifications presented by the so-called “Sapin 2” law (the law associating with “openness, the battle versus corruption and modernization of business life”).

Under Sapin 2, there is a commitment to business to execute reporting plans as follows:

(I) for business having more than 50 workers, a whistleblowing plan (this commitment works in January 2018);.

(ii) for many businesses, an internal reporting system as part of an anti-bribery compliance program; and.

(iii) for business offering monetary services, a reporting plan for breaches of EU or French monetary market policy.

Blanket Permission

Whistleblowing plans presently need previous approval by the CNIL. Provided the historic level of sensitivity around whistleblowing in France, acquiring this approval can be time-consuming. Due to this, the CNIL has released a blanket permission (authorization special “AU-004”). AU-004 explains the allowed processing activities associating with whistleblowing, including what information can be gathered, with whom, to what level it can be shared or revealed, what privacy steps need to be taken, for how long information can be maintained and what details needs to be offered to information topics. To the degree that a company’s whistleblowing plan for France adheres to AU-004, it can self-certify compliance and be authorized instantly. The CNIL has now changed AU-004 to enable execution of the Sapin 2 requirements.

Whistleblowers

An essential change to AU-004 is that, in addition to staff members, whistleblowers can now also be 3rd parties working periodically for the company (although this change does not completely fit with the meaning of whistleblowers in Sapin 2). All whistleblowers should act in excellent faith and disinterestedly (i.e. without monetary reward).

The Scope of Reporting

Among the primary qualities of AU-004 has been that whistleblowing is just allowed for a restricted variety of subjects. The variety of subjects was increased substantially in 2014. In the current change to AU-004, the CNIL has altered the list of subjects to a more general description, based upon Sapin 2. AU-004 will not use to any divulged details falling within any of the following classifications:

doctor/patient relationship.
client/lawyer expert secrecy; or.
nationwide security.
Under the modified AU-004, both a worker or 3rd party working periodically with the company might now report on:

a criminal activity or offense;

a major and manifest breach of any laws or policies using in France, consisting of those arising from worldwide dedications or EU guidelines; or

a major risk or damage to the public interest which the whistleblower has a personal understanding.

In addition, (just) staff members might report on:

habits or circumstances that contrast the company’s standard procedure and which connect to the corruption of influence peddling. The AU-004 defines that the legal basis for processing whistleblowing information on this subject might be either compliance with a legal responsibility or the genuine interest of the information controller. The referral to the genuine interest of the information controller has, in the past, significantly made it possible to carry out plans not just to adhere to French law requirements, but also with foreign laws such as SOX. Hence, in this context this would allow processing of reports with a referral to laws besides French laws or guidelines, such as the UK Bribery Act or the FCPA; and

breaches of EU or French monetary market guideline (where the company supplies monetary services).
Privacy.

Under Sapin 2, reporting plans should secure the identity of the whistleblower, the identity of anyone incriminated and the details gathered. The disclosure of any of this information brings as much as 2 years’ jail time and an EUR30,000 fine (EUR150,000 for corporations). The AU-004 now defines to whom, and in what situations, details that would enable the recognition of the whistleblower or the incriminated person can be revealed. AU-004 also defines which classifications of receivers might get the reports and offers that these receivers will just get the appropriate level of info on a stringent must know basis.

Extra Info to Information Topics

Under the changed AU-004, in addition to the info that was currently needed to be supplied to information topics, the info notification need to define the procedural actions of the whistleblowing system.

Sanction for The Absence of Compliance with Information Security Policies

Breach of information security policies can result in sanctions by the CNIL, that include punitive damages of as much as EUR 3 million, an injunction to stop the processing and possible day-to-day fines and seriousness steps where required. The optimum level of sanction will increase substantially as soon as the GDPR enters impact. Breaches can also be approved under criminal law. In addition, details gathered by way of a noncompliant reporting system might not be used as the basis for disciplinary action versus workers.

GDPR

Whistleblowing plans provide a “high danger” for information topics and, for that reason, will need a Data Protection Impact Assessment (DPIA) and, potentially, an assessment with the supervisory authority. AU-004 will stay efficient after 25 May 2018, perhaps with more changes, for setting out what the CNIL thinks about are the appropriate steps essential to reduce danger for information topics.

What This Means in Practice

The adjustment of AU-004 was much waited for. Many businesses still has a lot of work to do to make sure that their whistleblowing system is certified before January 2018 and to work out agreements with possible suppliers. There is included intricacy here offered the must incorporate compliance with the GDPR. As an outcome, execution of the French element of a whistleblowing system might show far more challenging than in the past. The person getting the report will have to be able to determine if the truths fall into one of the licensed classifications even though (apart from corruption) they are no longer noted by style but by more generic referral to the law (civil and criminal) and global policies and dedications covering France. This person will have to have a great working understanding of French law.