NEWSLETTER No 38 // Thursday 27 July 2023
Edito
Whistleblowers and personal data: joint protection is essential! 
This month, La Lettre du DPO interviewed Domitille Fontaine-Castets, Chief Compliance Officer of the renowned French hotel group Accor, and Claudio Interdonato, Business Development Director South Europe of EQS Group (a provider of cloud-based compliance software solutions). In this issue, they give their respective views on the need to protect whistleblower data, in a world where whistleblowing is increasingly widespread due to the need to respond to systemic risks (corruption and money laundering, environmental destruction, cyber-insecurity, etc.), while striking the necessary balance in also protecting the fundamental rights of the whistleblowers themselves (privacy, security, etc.).

A relatively recent regulation, in response to US sanctions. Michel Sapin (who was, at the time, France’s Minister of Economy and Finance) initiated the law “relating to transparency, the fight against corruption and the modernisation of economic life” (known as the “Sapin 2 law”, enacted on 9 December 2016, n° 2016-1691). He acknowledges that the law was intended to “bring France up to the best international standards in the field of transparency, and in action against corruption” (press release published on 31 March 2016, by the Government Information Service). This initiative, preceded by law n° 2013-1117 of 6 December 1993 (which strengthened the legal framework governing economic, financial and tax crime), was, as we know, motivated by the desire to correct France’s poor ratings in the fight against corruption and to dampen the desire of foreign jurisdictions to punish French companies that fail in this area by means of repressive legislation with extraterritorial scope (as was the case, for example, with Alstom, which was fined more than 770 000 000 dollars by the US Courts for acts of corruption).
 
Whistleblowers: extensive protection. While most of its provisions apply to a limited series of financial offences (corruption, influence peddling, illegal interest-taking, etc.), the Sapin 2 law enacted from the outset a protective regime for all those who take the risk, selflessly and in good faith, of revealing facts constituting violations of a standard of domestic (legislative or regulatory), Community or international law (ratified or approved by France), whatever its nature, provided that it threatens the public interest. Initially confined to “serious and manifest” breaches of the law and to facts directly witnessed by the whistleblower, this protection was then extended to all breaches, including those reported to the whistleblower, by the “Waserman” law (n° 2022-401 of 21 March 2022), which also extended protection to non-profit “facilitators” (trade unions, associations, etc.) and to persons “in contact” with a whistleblower (relatives, colleagues, etc.). In addition, the previous prioritisation (imposing that the whistleblower should first use internal channels, then, in the event of inaction, external channels (the courts, ombudsman, etc.) and, lastly, public channels) has been made more flexible by giving the whistleblower the freedom to choose between internal or external reporting.

Protection of data relating to whistleblowers: the CNIL’s vigilance is the essential tool in this area. The protection afforded to whistleblowers, which in particular guarantees them strict confidentiality (with regard to their identity and that of the persons and facts cited in the report), also implies protection of the data relating to them. In order to guide organisations (both those subject to the Sapin 2 law or other regulations requiring them to set up whistleblowing systems, as well as those that are not subject thereto but nevertheless wish to do so) in complying with the GDPR to protect such data, the CNIL adopted a set of guidelines on 18 July 2019, a new version of which has just been published on 23 July 2023. The updated guidelines will need to be looked at for any further compliance aspects to be taken into account. These guidelines include the need to inform data subjects, limit data retention periods and carry out a data protection impact assessment (DPIA). To comply with these requirements, the adoption of a software tool will be a crucial asset, particularly for companies with multiple geographical locations.

Enjoy your read!

Matthieu Bourgeois and Laurent Badiane, partners in charge of the Intellectual Property and Digital Law Team. 

To subscribe, click here
Interview
“The adoption of the law known as ‘Sapin 2’ (...) requires the collection and processing of data, some of which is sensitive (...). It was only natural that I should look into the GDPR” 
Domitille Fontaine-Castets began her career as a lawyer specialising in mergers and acquisitions, a field she worked in for nearly eight years, two of which were spent with an English law firm based in Paris. She then encountered the subject of compliance through the key regulations relating to business ethics (the fight against money laundering, anti-competitive behaviour and corruption, personal data protection, etc.) with a major electrical equipment distribution group where she worked before joining the French hotel group Accor, where she deals exclusively with these subjects (as Chief Compliance Officer).  

For La Lettre du DPO, she looks back on her career in detail and shares her views on the subject of whistleblowers (and the processing of their data) within organisations. 
1/- What is your background and what prompted your interest in data and the GDPR?
 
During my practice of company law, while working on mergers and acquisitions, including of an international nature, I came across the key regulations under which governments (often working together on a regional or even international level) were trying to ‘clean up’ the business world by standards enacting formal obligations to collect and process information in order to better detect any undesirable behaviour (fraud, harassment, corruption, etc.), putting the authorities in a position to act according to a logic geared towards prevention and thus implying a change in such behaviour under the pressure of this formalism. This can be very burdensome, in particular with the adoption of Law n° 2016-1691 known as ‘Sapin 2’ in December 2016 which requires the collection and processing of data, some of which is sensitive due to the seriousness of the facts it reveals. It was therefore only natural that I should look into the GDPR, which came into force in 2018 and which also brought the protection of personal data within the scope of my responsibilities as DPO in my previous job.
 
2/- What are your current responsibilities and what project(s) are you currently working on in relation to whistleblowers? 

All these regulations respond to ‘monumental goals’, to use Professor Frison-Roche's expression (by which she means ‘concern for others’, aimed at making the world and human society more ‘sustainable’, such goals being threatened, for example, by corruption, damage to the environment or the rights of individuals through the processing of their data). They therefore follow a common philosophy, which has led to the emergence of the position of Compliance Officer. This position, which is my job today, leads me to work on the identification of risks and then responding to them through control and prevention measures, in line with the regulations and standards that Accor has adopted in six areas: the fight against corruption, compliance with international sanctions (e.g. those adopted against Russia), compliance with competition rules, compliance with payment standards in hotels, compliance with standards protecting human rights (involving the duty of care), and lastly the protection of personal data. On a day-to-day basis, with regard to whistleblowers and the current legal issues on this subject, we have chosen, on the one hand, to open up this option to anyone (our suppliers and customers, for example), and not keep it for our employees alone; on the other hand, to enable alerts to be processed locally (without requiring them to be examined at HQ level); and lastly, to rework the retention periods and update the impact analysis imposed by the GDPR. On the whole, this whistleblowing system works well because, leaving aside the nonsensical accusations received from time to time, most whistleblowers enable us to identify genuine malfunctions, which we then deal with. To encourage this, I think it is necessary to limit the use of anonymous alerts, because the investigation process, making it possible to rule out any dubious actions, very often requires us to contact the person who made the alert.

3/- How do you see the future of these regulations?  

Digital technology, which has considerably facilitated means of communication, has also given rise to a world of absolute transparency, since our every move is now traceable. Secrecy and intimacy are gradually disappearing, if only through the data constantly collected by the digital tools we use, or simply present in our personal or professional environment. And, in my opinion, this sort of ‘tyranny’ of transparency will not be reversed. In this context, whistleblowers will continue to be protected, and probably increasingly so. To rebalance the protection of all those implicated in whistleblowing, compliance with the GDPR is one of the keys.
Practical Guidance
“The right tools for whistleblowing systems: a crucial step in building user trust” 
It is imperative for organisations to implement a customisable internal whistleblowing system that enables them to comply fully with current whistleblower protection laws and the GDPR. For more than 20 years, EQS Group has been developing high-quality, secure digital solutions, and is one of the world’s leading providers of cloud and compliance software solutions. With over 2 500 customers worldwide and its flagship product EQS Integrity Line, EQS Group is the European leader in internal whistleblowing systems. Claudio Interdonato, Business Development Director South Europe at EQS Group, agreed to share with La Lettre du DPO his views on how to ensure the smooth running and success of a procedure for collecting and handling whistleblower alerts. 

Raise awareness and build trust by implementing a communication plan. 

“Mechanisms need to be put in place to ensure that the whistleblowing system is trusted not only by employees, but also by third parties. It is essential that employees know how to raise an alert. This requires a dedicated whistleblowing policy, training, a long-term communication plan and, above all, the involvement of top management in order to avoid any fear of reprisals, which is one of the main reasons why employees do not blow the whistle. In addition, the communication plan must specify that whistleblowers are guaranteed anonymity, but also that the information they pass on will remain confidential. The advantage of the EQS Integrity Line software, which is a SaaS solution hosted by EQS Group, is that it maintains the integrity of the information (by preventing people’s IP addresses from being read and by encrypting information). All these measures help to build trust.”

Information security and confidentiality.

“Our solutions meet the highest standards of information security and confidentiality. In practical terms, this means ISO 27001 “information security management” certification and compliance with the GDPR, with annual audits carried out by external service providers. In this respect, we do not transfer personal data outside the EU and guarantee data anonymisation. In terms of security, we use firewalls and our systems are subject to regular “pen tests” to ensure their robustness. To maintain confidentiality (respecting the integrity of the information and preventing it from being modified), the platform keeps an audit log to trace the information and find out who is doing what. In addition, it is possible to configure the solution in order to know who has access to what (for example, limiting harassment-related reports to the HR department). EQS Group does not have access to its clients’ data. To ensure the whistleblower’s anonymity, guarantees must be put in place such as those available in our solution (for example, no IP tracking on the servers, the creation of a discussion channel accessible by means of a password known only to the whistleblower, the use of a voice modification system so as not to recognise the person and the deletion of metadata appearing in documents sent by the whistleblower).”
UPDATE
Tendencies
The environmental footprint of digital technology: regulating the digital space while protecting environmental issues
The carbon footprint of digital technology now represents 4% of global emissions, including 2.5% in France. The French Environment and Energy Management Agency (ADEME) and the French Telecommunications Regulatory Authority (ARCEP) have drawn up an alarming report, warning that if no action is taken, France's carbon footprint could increase by 45% by 2030. So how do we combine the rapid evolution of digital technology and resource- and energy-intensive security requirements (such as encryption) with environmental imperatives? In its 9th issue of the Cahier Innovation et Prospective, the CNIL reminds us of the importance of the principle of data minimisation. It calls for the GDPR to be used as a tool for regulating the digital footprint, through “sober" computing, with thought given to the environmental benefits of each IT process (encouraging eco-design and the introduction of robust systems to avoid security breaches and data leaks). It also invites future drafters of the general reference framework for the eco-design of digital services provided for in Article 25 of the “REEN” Act (a French Act for reducing the environmental footprint of digital technology) to take account of its recommendations on cookies and misleading designs, the proliferation of which leads users to share more data. It also encourages companies to measure the environmental impact of their training algorithms at a time when artificial intelligence is being regulated. 
NEWS FLASH
Update of the 2019 CNIL "professional alerts" guidelines  
The changes brought about by the "Waserman" law of 2022 have made it necessary to amend the guidelines on "professional alerts" adopted on 18 July 2019 by the French data protection authority (the “CNIL”), in order to ensure their consistency with the new rules in this area, particularly with regard to the: 
 
  • new categories of persons likely to issue an alert who benefit from the protective regime for whistleblowers; 
  • new deadlines for processing whistleblower reports, and the obligation to inform whistleblowers of the important stages of the procedure; 
  • new data recipients, as many sector-based public authorities will henceforth be competent, each in their own field, to receive and process what are referred to as "external" alerts. 

The CNIL submitted the draft amendments to public consultation, which ended on 5 May 2023. The draft is now being examined with a view to adoption of the final guidelines.   
Major turn of events on 10 July 2023: the new adequacy decision for the EU-US Data Privacy Framework!  
On 10 July 2023, on the basis of Article 45 of the GDPR, the European Commission adopted an adequacy decision stating that the United States provides an adequate level of protection for personal data, comparable to that of the European Union. The EDPB and the European Parliament had, however, expressed strong reservations in their respective opinions of 28 February and 11 May 2023. European companies can therefore once again freely transfer personal data to US entities registered on the Department of Commerce’s list (self-certification system). As a reminder, the Schrems II ruling by the CJEU on 16 July 2020 invalidated the previous adequacy decision with regard to the United States, known as the "Privacy Shield", notably because of the ways in which the US intelligence services were able to access the personal data of Europeans. One of the key elements underpinning the new adequacy decision is President Joe Biden's Executive Order No.14086 of 7 October 2022, which in principle strengthens the protection of personal data vis-à-vis the US intelligence services. This new decision will very probably be the subject of a new appeal to the CJEU, no doubt brought by the NOYB association, the president of which is Max Schrems, who was quick to react following the European Commission's announcement. Watch this space ... 

To find out more, click here
 
Agenda
Thursday 28 September 2023     
Annual “Connected Territories” conference  
This conference organised by the Arcep will take place at the Institut du Monde Arabe in Paris and will bring together local elected officials, State and operator representatives to discuss regional digital development. This will also be an opportunity for the Arcep to present Volume 2 of its annual report on its regulatory work, its actions and, in particular, its objectives in terms of digital development, such as the continued development of high-quality mobile connectivity throughout the country and the completion of the roll-out of fibre for businesses. 

It will soon be possible to register for the event here 
The Intellectual Property and Digital Law Team at klein • wenner
 
Fortified by in-depth experience, klein • wenner's attorneys in the Intellectual Property and Digital Law Team, who are experts in the digital sector and in GDPR, have developed a transversal practice unique in the area of data law. We work with other experts (in cybersecurity, information systems/data governance and other areas), and our team offers a global, cooperative approach to all issues relating to data (privacy, intellectual property, cybersecurity and open data*). *With klein • wenner's Public Law team.
La Lettre du DPO is a publication of klein • wenner which processes your data in accordance with the regulation regarding personal data. To learn more, click here