Greetings et salutations des Cévennes,
France is one of those countries that we think we know, and that assumption, at least in part, tends to camouflage its many secret places from the well traveled — even from the French themselves. One such place is the Cévennes in southern France, mystical in its breathtaking vistas of deep valleys and rolling hills and forests; I am currently spending the week here. It is slightly off the beaten track despite its accessibility via France’s fast train network; I do like the ease of the TGV.
Protected by National Park status, rising above the plains of the Languedoc, its winding rivers lead to the Mediterranean. A country historically steeped in protestant rebellion and Huguenot tradition dating back to the persecutions at the hands of catholic kings in the 17th century, the Cévennes gradually reveals a bit more of itself at each bend in its winding narrow roads, through its villages and towns, and along its mountainous paths. Suffice to say, I recommend the region if you want to avoid the well-known axes of French tourism.
Staying with a French theme, I recently saw an interesting update regarding the CNIL issuing new guidance on whistleblower hotline services in France, against the backdrop of new national anticorruption legislation. Bear with me here. The guidance is primarily aimed at resolving a longstanding trans-Atlantic dispute over multinationals and their obligations — under the SOX US Act of 2002 (thank you, Enron) — requiring publicly listed companies and their foreign subsidiaries to implement "heavy procedural" codes of conduct to fight corruption, conflicts of interest, and insider trading, and consequently the establishment of an appropriate mechanism for whistleblowers to anonymously report violations. Initially, the CNIL took the position that anonymous whistleblowing hotlines were not proportionate to their purported purpose, creating risks that employees would be slandered, and so ensued a face-off between SOX and French data protection law.
The resulting original CNIL guidance from 2005 set out a process for companies to have their whistleblower hotlines approved by the privacy regulator through a formal administrative review or a self-certification process. Fast forward to 2016, and the long-awaited new French anti-corruption law (known as Sapin II) required that companies must facilitate whistleblower hotlines of a much broader scope than the existing guidelines allow, including "reporting" of serious infringement of international commitments duly ratified or approved by France, or a manifest and serious violation of existing laws or regulations, including EU Regulations. Interestingly, the revised amendments to the guidance also specify that whistleblowers may be either staff members of the organization or external service providers to the organization, such as consultants or contractors.
Among other things, the new amendments also provide detail on what information may be collected by the hotline, how the data is to be handled and by whom (this remains loosely defined), how long the data may be stored, and when it must be destroyed. The new rules also extend the privacy notice provisions associated with the scheme to include how reports are to be filed and who may have access. Reassuringly, the new guidelines also detail the rights of the person(s) reported to the hotline to be made aware of the accusations against them and protects their rights to defend themselves. In this respect, the revisions specify that the personal data identifying the whistleblower may only be disclosed to judicial authorities with the whistleblower’s consent. Similarly, information identifying the reported individual may only be disclosed to judicial authorities when it is established that the concern is well founded.
From the overall EU data transfer perspective, the new guidelines allow companies to transfer whistleblowing information to the U.S. if they are participants in the EU-U.S. Privacy Shield data transfer framework. Additionally, the new rules also permit the transfer under the EU's standardized contractual clauses for data processing.
And, with that, I'll return to the winding rivers and mountainous paths.
If you want to comment on this post, you need to login.