The CNIL, the French data protection authority, has just published the conclusions of its deliberation of October 14, 2010 concerning its new approach to whistle blowing hotlines.
Operating a whistle blowing hotline in France is subject to notification to the CNIL since personal data are collected and processed. This is a specific notification procedure since running such a hotline is not considered as belonging to the management of Human Resources.
Before its October 14, 2010 deliberation, the CNIL had decided, in 2005, to implement a simplified notification procedure for whistle blowing hotlines for French data controllers to assist French companies required to provide notifications under the Sarbanes Oxley Act. This procedure was based on the “Unique Authorization” / ‘Autorisation unique’ No. 004 (AU-004) dated December 8, 2005.
Although the CNIL mentioned that hotlines should primarily be dedicated to accounting, finance, banking and bribery issues, in 2005 the CNIL also raised the possibility of extending the scope of such hotlines to any violation in general which could be detrimental to the company or to the “moral or physical integrity of its employees”.
This relatively broad interpretation was challenged by French case law: in particular, on December 8, 2009 the French Supreme Court / ‘Cour de Cassation’ ruled severely against a French company which had implemented a whistle blowing policy which went beyond accounting, finance and banking issues.
As a result, with its October 14, 2010 deliberation, the CNIL decided to revise its ‘Autorisation Unique’ and to remove any wording that would allow broadening the scope of such hotlines beyond:
- banking issues
- the fight against bribery
- anti-competitive practices (a new issue which has now been added)
Therefore, any whistle blowing hotline that goes beyond these issues (for example, by including discrimination or Intellectual Property issues) will be required to be made compliant within the next 6 months.
Any company wishing their hotline to have a broader scope will need to be authorized specifically by the CNIL and will no longer benefit from the simplified notification procedure. In our opinion, given the case law mentioned above, this authorization process could nevertheless be challenged as being contrary to the principles set forth by the French Supreme Court in 2009.
Finally and in any case, if the operation of a hotline could involve the transfer of data to the U.S., which is not considered by the EU as offering an equivalent level of data protection to the EU, the hotline notification to the CNIL will also need to deal specifically with that transfer.