After more than a year of onsite investigations and hearings, the CNIL has finally published its revised “Autorisation Unique” on “professional alert systems,” the politically correct expression for whistleblowing systems. Its scope is extended to include, in addition to the US SOX, the so-called Japanese SOX, as well as alerts relating to anti-competition practices.


Requests to expand the scope to cover other issues such as security-related risks, health and safety, IP infringement, data protection, harassment and others were unsuccessful. Companies willing to benefit from a larger scope should request a specific authorization from the CNIL and put forward arguments justifying the need for it within their organization.


A major change that will have an impact on the setup of most current processes implemented by French companies is that the professional alert system benefitting from the unique authorization can no longer collect reports relating to the vital interest of the company or the physical or moral integrity of their employees. The previous version of the “Autorisation unique” let companies collect these types of reports and transmit them to appropriate departments. This is no longer possible under the new version, so companies have to modify their report-collection practices.


Companies have a six-month period (as of December 8, 2010) to adjust their organization to the changes resulting from the new decision. If they want to maintain their system as it is currently, they may also elect to request a specific authorization from the CNIL.


For more on this topic, read Olivier Proust’s article “CNIL revises authorization on whistleblowing hotlines” in the January/February edition of The Privacy Advisor.