ICC submitted comments in French and English on draft guidelines issued by the CNIL for the implementation of whistleblowing schemes under the French Data Protection Act, which are to be adopted by the CNIL later in November; the recommendations were submitted by ICC’s Task Force on Privacy and the Protection of Personal Data, which is made up of members of the ICC Commission on E-Business, IT and Telecoms.
The ICC comments recognize the difficult balance between protecting whistleblowers against retailiation and ensuring that hotlines are not used to make false allegations. The comments welcome the CNIL’s guidelines for clarifying the legal status of whistleblower hotlines in France, which was thrown into question earlier this year after the CNIL refused to authoritize the use of such hotlines by two multinationals.
According to Data Protection Task Force Chair Christopher Kuner, “The CNIL’s guidelines are an important step toward increasing legal certainty, but they should take into account the important interests in having global whistleblowing systems“. As an example, the CNIL text seemed to imply that an employee might use whistleblowing systems “only as a secondary option, possibly after having exhausted all other available mechanisms, such as reporting to the hierarchy”. The ICC comments note: “Companies believe that various reporting routes should be made available to employees at the same level, so that they can choose the option they are more comfortable with, depending on the circumstances. Indeed, employees may be afraid of retaliation by contacting their hierarchy, even when retaliation is not an issue.”