CNIL Decision on Whistleblower Hotlines

CNIL Decision on Whistleblower Hotlines

France’s data protection authority, the CNIL – the Commission Nationale de l’Informatique et des Libertés — recently published a decision (n° 2017-191) setting out new guidelines with respect to whistleblower hotlines. The new guidelines implement changes in French law brought about by the Law no. 2016-1691 of December 9, 2016 (the so-called Sapin II Law). Sapin II introduced numerous changes in order to bring about more transparency, to fight corruption and generally to modernize the French economy. Until the mandatory introduction of whistleblower hotlines for companies subject to Sapin II, the CNIL had expressed notable resistance toward such hotlines, bowing begrudgingly to the requirements imposed on U.S. based companies by Sarbanes-Oxley. But Sapin II changed that by mandating the implementation of whistleblower hotlines and the adoption of company codes of conduct. …


The Court of Justice of the European Union validates the Passenger Name Record accord with Canada, but commands a review of its terms

The Court of Justice of the European Union validates the Passenger Name Record accord with Canada, but commands a review of its terms

Seized by the European Parliament to decide on the conformity of the agreement (the “PNR Agreement”) initialed between the European Union and Canada on the transfer of Passenger Name Record (“PNR”) data with the protection of fundamental rights in the European Union, the Court of Justice of the European Union rendered an opinion on 26 July 2017 which upholds the notion of the PNR regime, while requiring a review of the terms of the PNR Agreement. …


Smallhoover Interviewed by Le Monde du Droit TV

March 2016

Paris Partner Joseph Smallhoover was interviewed March 24 by Le Monde du Droit TV on the Privacy Shield – the new agreement between the EU and U.S. on transatlantic data exchange. Smallhoover said the Privacy Shield is a significant improvement over the former Safe Harbour Regime and he welcomes the clarity brought by the Privacy Shield rules to the protection of private data. Click here to view the video, in French.

The Privacy Implications of Whistleblowing in the EU

Whistleblowing schemes were introduced in the EU as a result of the Sarbanes-Oxley Act (“SOX”) adopted by the US Congress in 2002 following various corporate financial scandals. SOX requires US companies and their EU-based subsidiaries to establish “procedures for the receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls or auditing matters [and] the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting of auditing matters.1”  The implementation of whistleblowing schemes will, in most cases, lead to the collection, processing and transfer of personal data (e.g., name of the accused person) which raises data privacy concerns . . .


The (ex) EU-US Safe Harbor At A Glance (2015)

On Tuesday, October 6, 2015, the European Court of Justice decided that the EU/US Safe Harbor regime for data transfers is no longer… safe.  Until now, companies exchanging data between the EU and the US could rely on the Safe Harbor regime, but with the decision that is no longer an option.  In addition companies currently relying on Safe Harbor are scrambling to find alternative compliance strategies . . . ExSafeHarbor