Data Protection Report - Norton Rose Fulbright

At the end of 2019, following a public consultation, the CNIL adopted its much-anticipated “standard” on whistleblowing systems.  The “standard” is essentially a reference document which serves as guidance for those implementing whistleblowing systems.

This new standard replaces the single authorisation AU-004 of 22 June 2017 (as amended) which, since the GDPR came into force, no longer has legal force. Whilst the new standard is, in some respects, a continuation of the old AU-004, it also includes some interesting changes.

This new standard introduces a different approach to the implementation of whistleblowing systems. AU-004 was a “mandatory norm” to which an organisation could adhere to via a “compliance undertaking”, meaning that the processing did not require specific authorisation from the CNIL. However, this route meant that the organisation had to ensure that its whistleblowing system was in full compliance with the AU-004 requirements and could not depart from the requirements in any respect.  Otherwise, it would run the risk of implementing a non-compliant whistleblowing system or having to obtain a specific authorisation from the CNIL. As whistleblowing systems of international groups often deviate from the AU-004 on minor points, it was usually necessary for the system to be adapted before being implemented in France in order to meet local law requirements.

However, going forwards, the standard serves only as best practice and is no longer considered a “mandatory norm”. It also gives organisations greater latitude in the management and configuration of their whistleblowing system, provided that the organisation complies with applicable law and can demonstrate its need or interest in the implementation of a system that does not comply in all respects with the standard.

Privacy Impact Assessments

The standard is now an essential tool to assist in conducting a Privacy Impact Assessment (PIA), regardless of whether or not the system implemented deviates from it.  A PIA must be carried out prior to the implementation of a whistleblowing system. The CNIL had provided organisations with a three-year grace period for systems implemented before the entry into force of the GDPR.  But this deadline is fast approaching. The CNIL has indicated in its Q&A that any whistleblowing system (implemented before or after the entry into force of the GDPR) must now be subject to a PIA (see our recommendations at the end of this article).

The standard also anticipates certain changes introduced by the European directive on the protection of whistleblowers adopted in October 2019, which will come into force in 2021.

A single framework for legal and voluntary whistleblowing systems

The standard now provides the possibility of establishing whistleblowing systems which enable alerts to be issued for other areas of compliance, i.e. matters beyond those provided for by applicable laws (such as the Law of 9 December 2016, otherwise called “Sapin II Law”, and the “Duty of Vigilance” Law of 27 March 2017 on the prevention of violations of human rights and fundamental freedoms).

The standard therefore applies to both legal mandatory whistleblowing systems and to ethics lines implemented by organisations on their own initiative.

This allows any organisation to implement a hybrid whistleblowing system, meeting both the legal requirements mentioned above and its internal rules (e.g. for breaches of the organisation’s internal code of conduct that exceed the scope of the Sapin II Law).

However, any organisation must be able to demonstrate its legitimate interest in implementing a whistleblowing system that goes beyond the applicable legal requirements. In this respect, the CNIL indicates that the organisation needs to clearly distinguish and specify the lawful basis for processing (legal obligation, legitimate interest) of the system(s) it chooses to implement.

A more open position of the CNIL on anonymous whistleblowing systems

The CNIL had always been very cautious about systems that allow an alert to be issued on an anonymous basis.  As such, the CNIL prohibited systems which allowed an alert to be issued anonymously on a general basis. The authority now seems to be adopting a more flexible position in its new standard.

The standard states that an alert system “may require or invite the author of the alert to identify himself”, although it still recommends that special precautions be taken when dealing with anonymous alerts. Furthermore, it specifies that the delivery of the receipt to the whistleblower confirming his alert should not be made conditional on the provision of identifying information, when the latter chooses to remain anonymous.

Further details on the processing of sensitive data and the storage of anonymised data

While the new standard does not make any specific changes to the categories of data that may be processed as part of the collection and processing of alerts, it recalls the legal conditions, stemming from the GDPR and the French Data Protection Act, under which sensitive data (political and religious opinions, health data, etc.) and data relating to offences or criminal convictions may be processed as part of a whistleblowing system.

The CNIL also highlights that personal data processed for whistleblowing purposes may be kept for an unlimited period of time once it has been anonymised in accordance with the Article 29 Working Party’s guidelines on anonymisation. However, truly anonymising personal data is very complex in practice and so the CNIL’s indication in this regard has limited practical application.

Whistleblower information

Whilst the CNIL recalls its requirements stemming from the AU-004 on the information of data subjects (general information on the system, including the operating mode of the system, specific information for the individual subject of a report), it now requires that specific information also be delivered to the whistleblower at the time the alert is issued. This information must be communicated to him before he submits his alert to the organisation; for example, by displaying an information notice when he starts the process of issuing his alert or by a tick box validating that he has read the information notice.

The organisation must also send an acknowledgement of receipt to the whistleblower confirming that the alert has been received.

Clarifications on security measures

Whereas the AU-004 merely recalled the need to ensure data security in accordance with legal requirements, the new standard now includes a comprehensive table of the technical and organisational security measures that the CNIL considers necessary to protect data processed in the context of whistleblowing systems.

If the organisation considers that it has taken equivalent measures or that it does not need to do so, it should be able to justify its choice.

Our take

Even if your whistleblowing system has not evolved since the entry into force of the GDPR, you will now have to conduct a PIA of your whistleblowing system.  This must be completed by 25 May 2021 at the latest.

If your system has been implemented recently, or has recently evolved/changed in some respect, then you must carry out a PIA immediately.

The new CNIL standard will be particularly helpful when conducting your PIA.