France Updates Whistle-Blower Hotline Privacy Guidance

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Rick Mitchell

France’s privacy office has issued new guidance on whistle-blower hotlines in its latest update to 2005 guidelines aimed at resolving a trans-Atlantic dispute over multinationals’ obligations under the U.S. Sarbanes-Oxley Act (SOX).The 2002 SOX required publicly listed U.S. companies and their foreign subsidiaries to implement codes of conduct to fight against corruption, conflicts of interest, and insider trading, and to establish a mechanism for whistle-blowers to anonymously report violations. In general, those mechanisms became known as hotlines.

The original guidance set out a process for companies to have their whistle-blower hotlines approved by the privacy regulator through a formal administrative review or a self-certification process. But a 2016 French anti-corruption law requires that companies, as of June 1, have whistle-blower hotlines of much broader scope than the 2005 guidelines allowed, privacy practitioners said.

Yael Cohen-Hadria, a privacy attorney at Paris-based law firm YCH Avocats, told Bloomberg BNA that multinationals urged CNIL, France’s independent privacy authority, to rewrite the guidance in light of new, wide-ranging compliance obligations under the comprehensive anti-corruption law.

Carol A.F. Umhoefer, data protection, privacy, and security partner at DLA Piper in Miami, told Bloomberg BNA that unlike CNIL’s earlier tweaks to its hotlines guidance, the present update “represents a radical change for companies” that will face compliance obligations under the new anti-corruption law.

For the first time, the guidelines now allow for reports to be made not only by a company’s employees but also by outside collaborators, Umhoefer said. This is a “considerable expansion for companies that—often reluctantly—have limited use of their hotlines to employees,” she said.

Cohen-Hadria said the updated guidance protects not only whistle-blower privacy but also the privacy of subjects of whistle-blower allegations.

EU Data Transfer Regime

The new guidelines allow multinationals to transfer whistle-blowing information to the U.S. if they are participants in the EU-U.S. Privacy Shield data transfer framework, Cohen-Hadria said. The Privacy Shield is used by more than 2,100 U.S. companies that certify their compliance with EU-approved privacy principles to the U.S. Commerce Department, including Facebook Inc., Alphabet Inc.'s Google, and Microsoft Corp., to transfer data out of the EU more easily. Tens of thousands of EU companies, in turn, rely on the Privacy Shield to transfer data to those U.S. companies.

Once the EU’s new data privacy regime, the General Data Protection Regulation (GDPR), takes effect May 25, 2018, the obligation to comply with CNIL’s “formalities” for hotlines will end, Cohen-Hadria said. However, hotlines declared before that date will remain subject to existing CNIL rules, she said.

The GDPR will provide one EU-wide regulation to replace a more than 20-year-old directive that required each country to pass its own privacy laws. After the GDPR goes into effect, companies will have to maintain internal registers of their data processing, in which they must indicate processing that was declared to the CNIL before that date, Cohen-Hadria said.

To contact the reporter on this story: Rick Mitchell in Paris at

To contact the editor responsible for this story: Donald Aplin at

For More Information

Full text of the guidance is available, in French, at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security