News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | CNIL Amends Whistleblowing Rules, Effective Now Related reading: CNIL 2014 Inspections Programme Released

rss_feed

""

In France, the legal framework for whistleblowing schemes is based on a decision of the French Data Protection Authority, the CNIL, of 2005 adopting a "single authorization AU-004" for the processing of personal data in the context of whistleblowing schemes. In principle, companies must obtain the CNIL's approval prior to implementing a whistleblowing scheme. The CNIL's single authorization AU-004 allows companies to do so simply via a self-certification procedure, whereby they make a formal undertaking that their whistleblowing hotline complies with the pre-established conditions set out in AU-004.

Initially, companies could only self-certify to AU-004 if they were required to adopt a whistleblowing scheme either to comply with legal or regulatory requirements in specific and limited areas; i.e., finance, accounting, banking, fight against corruption, or if they could demonstrate a legitimate purpose, which at the time, was limited to complying with Section 301(4) of the U.S. Sarbanes-Oxley Act.

In 2010, the CNIL broadened the scope of its single authorization AU-004 by expanding the "legitimate purpose" condition to cover two new areas: compliance with the Japanese Financial Instruments Act and the prevention of anti-competitive practices; i.e., anti-trust matters.

On January 30, the CNIL amended AU-004 a second time, essentially to add the following areas to the scope of whistleblowing schemes: the fight against discriminations and work harassment; compliance with health, hygiene and safety measures at the workplace, and the protection of the environment.

These successive amendments show that the CNIL's view on whistleblowing schemes has evolved over time and it has adopted a more realistic and pragmatic approach given that, in today's world, many multinational organizations require their affiliates to implement a streamlined and globalized whistleblowing scheme across multiple jurisdictions. Under the revised framework, whistleblowing schemes are still limited to pre-defined areas and cannot be used for general and unlimited purposes. Nevertheless, the broadened scope of whistleblowing schemes allows companies and their employees to act more in line with an organization's internal code of business conduct and the various areas that it covers. The CNIL's decision should therefore enable companies to use their whistleblowing schemes more consistently across jurisdictions and to streamline the reporting process in areas that are commonly recognized as fraudulent or unethical.

The CNIL also clarified its position regarding anonymous reporting. Historically, the CNIL considers that anonymous reporting creates a high risk of slanderous reporting and can have a disruptive effect for companies. In its decision of January 30, the CNIL states that organizations must not encourage individuals to make anonymous reports and, on the contrary, anonymous reporting should remain exceptional. The CNIL also specifies the conditions that apply to anonymous reporting, namely:

  • The seriousness of the facts that were reported must be established, and the facts must be sufficiently precise;
  • The anonymous report must be handled with specific precautions. For example, the initial receiver of the report should assess whether it is appropriate to disclose the facts within the whistleblowing framework prior to doing so.

The CNIL's intention here is to limit the risk of slanderous reporting by encouraging companies to establish a clear and transparent system for employees, while ensuring that the appropriate security and confidentiality measures have been implemented, particularly to protect the identity of the whistleblower.

Effectively, the revision of the CNIL's single authorization AU-004 can also be viewed as a tactical move by the CNIL to funnel companies through the self-certification approval process, rather than to seek ad-hoc approval from the CNIL. It also encourages companies to be more transparent regarding the purposes for which their whistleblowing schemes are used and allows the CNIL to enforce compliance with the Data Protection Act more efficiently.

The CNIL's decision does not specify any date of entry into force. Therefore, these amendments came into force on January, the date of the publication of the decision in the Official Journal. The decision also does not specify any grace period for complying with the new conditions; therefore, companies are required to comply with them immediately.

 

Author
Headshot Olivier Proust, CIPP/E IAPP Member Contributor
Tags
Europe
Comments

If you want to comment on this post, you need to login.

Related Stories
CNIL 2014 Inspections Programme Released
The CNIL has unveiled its 2014 programme, with a goal of carrying out 550 inspections—up 33 percent from 2013. Bird & Bird has compiled the details, noting that of the inspections targeted for this year, some 350 are expected to be conducted onsite with about 200 to be online. “This ...
Read More queue Save This
CNIL Adopts Workplace Privacy Protections
French data protection authority, the CNIL, has adopted and released binding guidelines concerning privacy protection at work, reports Lexology. While employers may monitor employee Internet access, e-mails and files, they must declare this to the CNIL and inform their employees. They may not use &l...
Read More queue Save This
CNIL Amends Whistleblowing Rules, Effective Now
The French Data Protection Authority’s whistleblowing scheme allows companies to comply via a self-certification procedure whereby they make a formal undertaking that their whistleblowing hotline complies with the pre-established conditions set out in single authorization AU-004. The CNIL's view on ...
Read More queue Save This
CNIL Announces Data Processing Exemption
The French Data Protection Authority (CNIL) has published its Deliberation No. 2011-023, which IT Law Group reports should make reporting requirements less odious for companies that have no operations in France but use subcontractors or cloud providers there to process data. The French Data Protecti...
Read More queue Save This
CNIL Announces Inspection Targets for 2014
The French data protection authority, the CNIL, has unveiled its 2014 programme for inspections, with a goal of carrying out 550 inspections—at an increase of 33 percent from 2013. Bird & Bird has compiled the details, noting that of the inspections targeted for this year, some 350 are expect...
Read More queue Save This
Related Stories
Tags
Europe
Recent Comments