Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law, better known as the Whistleblowing Directive (hereinafter the "Directive"), should have been transposed into national law by 17 December 2021.
Since the draft law transposing the Directive into national law was submitted to the Chamber of Deputies on 10 January 2022 (hereinafter referred to as the "Draft Law"), numerous opinions have been issued.
To date, there is no exact picture of when the Draft Law will be voted on but given the delay in the transposition deadline and the fact that the Draft Law has been amended by the government on 28 March 2023, we can assume that the vote will take place soon.
Why are lawyers particularly concerned by the transposition of the Directive?
Article 1(3) of the Draft Law provides that: "Facts, information or documents covered by medical secrecy or the secrecy of relations between lawyers and their clients (...) are excluded from the system of protection introduced by this law, without prejudice to any derogating legal provisions".
As a result, internal audits of client data carried out by their lawyers are strictly confidential and therefore excluded from the scope of the Draft Law and cannot be seized in the context of an investigation initiated by a whistleblower, unlike other professions offering such services. Furthermore, Article 3(3)(b) of the Directive also provides that: "This Directive shall not affect the application of Union or national law relating to (...) the protection of legal and medical professional privilege".
Furthermore, it is important to point out that the former Article 1(4) of the Draft Law provided that: "A person who breaches a protected secret referred to in paragraph 3 shall not be criminally liable if the report is proportionate and necessary to safeguard the public interest and if it is made in accordance with the conditions of this law". This paragraph created legal uncertainty and rendered the exclusion in Article 1(3) of the Draft Law meaningless. Fortunately, following formal opposition from the Conseil d'Etat, the former paragraph 4 was simply deleted by the government in its amendments of 28 March 2023.
How to ensure the protection of personal data?
According to Article 6 of the Draft Law, companies with more than 50 employees must establish internal reporting channels. However, Article 23 of the Draft Law makes it clear that any processing of personal data must be carried out in accordance with Regulation (EU) 2016/679 (hereinafter the "GDPR"). In order to ensure the compliance of the reporting channel with the GDPR, it is strongly advised to carry out a personal data protection impact assessment ("DPIA") on such reporting channels.