France’s privacy office has issued new guidance on whistle-blower hotlines in its latest update to 2005 guidelines aimed at resolving a trans-Atlantic dispute over multinationals’ obligations under the U.S. Sarbanes-Oxley Act (SOX).
The 2002 SOX required publicly listed U.S. companies and their foreign subsidiaries to implement codes of conduct to fight against corruption, conflicts of interest, and insider trading, and to establish a mechanism for whistle-blowers to anonymously report violations. In general, those mechanisms became known as hotlines.
The original guidance set out a process for companies to have their whistle-blower hotlines approved by the privacy regulator through a formal administrative review or a self-certification process. But a 2016 French anti-corruption law requires that companies, as of June 1, have whistle-blower hotlines of much broader scope than the 2005 guidelines allowed, privacy practitioners said.
Yael Cohen-Hadria, a privacy attorney at Paris-based law firm YCH Avocats, told Bloomberg BNA that multinationals urged CNIL, France’s independent privacy authority, to rewrite the guidance in light of new, wide-ranging compliance obligations under the comprehensive anti-corruption law.
Carol A.F. Umhoefer, data protection, privacy, and security partner at DLA Piper in Miami, told Bloomberg BNA that unlike CNIL’s earlier tweaks to its hotlines guidance, the present update “represents a radical change for companies” that will face compliance obligations under the new anti-corruption law.
For the first time, the guidelines now allow for reports to be made not only by a company’s employees but also by outside collaborators, Umhoefer said. This is a “considerable expansion for companies that—often reluctantly—have limited use of their hotlines to employees,” she said.
Cohen-Hadria said the updated guidance protects not only whistle-blower privacy but also the privacy of subjects of whistle-blower allegations.
The new guidelines allow multinationals to transfer whistle-blowing information to the U.S. if they are participants in the EU-U.S. Privacy Shield data transfer framework, Cohen-Hadria said. The Privacy Shield is used by more than 2,100 U.S. companies that certify their compliance with EU-approved privacy principles to the U.S. Commerce Department, including Facebook Inc., Alphabet Inc.'s Google, and Microsoft Corp., to transfer data out of the EU more easily. Tens of thousands of EU companies, in turn, rely on the Privacy Shield to transfer data to those U.S. companies.
Once the EU’s new data privacy regime, the General Data Protection Regulation (GDPR), takes effect May 25, 2018, the obligation to comply with CNIL’s “formalities” for hotlines will end, Cohen-Hadria said. However, hotlines declared before that date will remain subject to existing CNIL rules, she said.
The GDPR will provide one EU-wide regulation to replace a more than 20-year-old directive that required each country to pass its own privacy laws. After the GDPR goes into effect, companies will have to maintain internal registers of their data processing, in which they must indicate processing that was declared to the CNIL before that date, Cohen-Hadria said.
To contact the reporter on this story: Rick Mitchell in Paris at firstname.lastname@example.org
To contact the editor responsible for this story: Donald Aplin at email@example.com
Full text of the guidance is available, in French, at http://src.bna.com/rnC
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.