We are reminded daily, with each request to accept website cookies and provide consent, that GDPR is here and organisations are taking their responsibilities seriously.
The drive to ensure compliance before GDPR Day was not the end of the story, however.
The true definition of “GDPR compliance” is gradually becoming clearer thanks to continuous updates from Member State Regulators, the European Data Protection Board (EDPB), European Court of Justice (ECJ) and legal experts. These definitions, though, are not necessarily consistent across all Member States.
How has the GDPR affected whistleblowing?
Protecting the confidentiality of a whistleblower has always been a cornerstone of providing a successful whistleblowing service. Users need to trust the system for it to be effective.
The GDPR’s provision on the protection of data through adequate technical and organisational measures serves to strengthen the above principle.
Most categories of data have the potential to be processed as part of a whistleblowing report, so ensuring that the data is handled in a sufficiently protected environment is key. The “Privacy by Design” principles are important here.
A system which is built “from the ground up” to encompass data protection principles and appropriate security measures will reduce the chances of a data breach. Where third-party whistleblowing services play a role, due diligence and supplier management processes have become more important than ever.
Data protection authorities in France and Germany have specifically stated that whistleblowing services present “high risk” processing and require full Data Protection Impact Assessments (DPIAs) to be undertaken.
This requires providers to assess the compliance of their service and the risks presented as part of their solution. This is a worthwhile exercise both in ensuring due diligence for customers and identifying and managing risks to prevent breaches from occurring.
This, coupled with the Privacy by Design principle, can be used to improve the service’s safeguards and reassure Controllers that the service has undergone an in-depth review to ensure privacy is at the forefront.
A crucial area for any sector is the legitimate grounds for processing – particularly in relation to whistleblowing. Consideration of legitimate interest versus subject right has been a hot topic in legal commentary and potential case law alike.
At a recent keynote, Koen Lenaerts explained that the ECJ has multiple cases where the crux of the issue revolves around this question. In the cases referenced, it was suggested that interference with the subject’s right was higher where profiling was involved in the data collection.
This is a highly relevant point in a whistleblowing context, where establishing sufficient grounds for processing is particularly important. Ensuring transparency and confidentiality in the provision of the service is key.
Users should be made aware of their data journey at the point of contact, but it should also be considered at an employer level. This clarity should therefore be provided in any whistleblowing policy or communication about the potential for data processing and, where using a third-party provider, the data transfer requirements.
Whilst the GDPR provides us with a framework, some provisions have been left at Member States’ discretion.
As a company with an international client base, we keenly observe the implementation of GDPR into national legislation, particularly the way in which the processing of data regarding criminal offences is handled in accordance with Article 10.
Whilst a report may concern the committing of a crime, at the time of reporting it is not a substantiated criminal offence. This is another reason why the data processed in the provision of the service must remain confidential and be protected to a high standard.
How long can you store a whistleblowing report under GDPR?
Article 5(1)(e) provides that the data should only be stored for as long as is necessary for the purpose for which it has been processed. However, an investigation into a whistleblowing report does not take a set amount of time.
Depending on the level of detail and availability of evidence, investigations can take months, potentially longer if the case progresses to formal criminal charges, so determining a “compliant” timescale for the retention of report data can be difficult.
At the time of writing, there have not been any cases focused on the retention of such data. Whilst some countries have supplementary provisions (France, for example, has a requirement that reports are handled within two months), there is no hard and fast rule regarding this subject.
What is clear is that data should only be retained for as long as it is required. If a whistleblowing report has been fully investigated and no further action taken, a case should be closed and companies must consider if they have a legitimate reason for the continued storage of that data.
The introduction of the proposed EU Whistleblowing Directive may provide further guidance on this issue but, in the meantime, it is important for companies to assess their legitimate grounds for retention and the Data Minimisation principles woven into GDPR.
Right to be forgotten
Although no cases have developed around this issue yet, some legal commentary has focused on the interaction of the right to be forgotten versus a legitimate interest to retain. This is particularly relevant when considering whistleblowing.
For instance, a previously disclosed reporter may attempt to exercise their right to be forgotten midway through an investigation. It might be argued that the information can be retained under Art 17(1)(a) to facilitate a criminal investigation – or for the company’s legitimate interest in ensuring that the “wrongdoing” does not reoccur.
There are multiple cases with the European Court of Justice (ECJ) which may help to further discussion on this point but at the time of writing a decision has not been reached. The Whistleblowing Directive, if passed, may also provide further clarification once finalised.
The Morrisons Case
A 2018 case involving Wm Morrison Supermarkets plc (EWCA Civ 2239) established that an employer can be vicariously liable for an employee’s deliberate leak of personal data. At the same time, the UK Court of Appeal acknowledged in their judgement that there was no foolproof system to prevent a rogue employee from disclosing data.
Such a case demonstrates why organisations must take appropriate steps to protect data from both internal and external threats – particularly when considered alongside the severe financial penalties that could be imposed under GDPR.
The Article 14 anomaly (Germany)
The data protection authorities in Germany have taken a unique approach to the application of Article 14 (relating to data that is not obtained from the data subject). This has resulted in guidance being issued that may disproportionately harm the whistleblower.
The German authorities’ interpretation requires the Controller to inform the accused (data subject) of the source of the report (the whistleblower). This may specifically identify the whistleblower to the accused.
At the same time, it has been determined there is no statutory justification for the disclosure of a whistleblower’s name. As a result, whistleblowers should be told their details may be shared at the point of reporting. They can also withdraw consent under Art 7(3) GDPR but, given the one-month timescale of notification, this right is unlikely to be exercised in time.
We have contacted the relevant German authorities and requested further comment on the practicality of this provision, and its potential conflict with EU whistleblower protection provisions.
At the time of writing, no further guidance has been provided by either the German authorities or the EU. Once the proposed Whistleblowing Directive has been passed, the provisions of Article 14 may not be applicable because, in accordance with Art 14(5)(c), there will be a requirement under Union law to maintain a whistleblowing service and, in turn, process data in this manner.
ePrivacy, Brexit, and what comes next?
Delayed until 2019, the EU’s ePrivacy Regulation has the potential to be even more restrictive than the GDPR in some areas. The current drafting revolves around the consent of the data subject in the handling of data. Those relying on a “legitimate interest” under GDPR rules may therefore encounter new challenges when the new regulation is introduced.
Companies headquartered in the UK face further uncertainty with regard to Brexit. Whilst a draft agreement was finally published on 15th November 2018, it has attracted numerous calls for change.
In Article 71 of the current drafting, the UK has agreed to be bound by union law on the Protection of Personal Data until 31 December 2020. Discussions have hinted at a favourable “adequacy decision” by the end of this transitional period, under which data transfer to the EU would still be permitted under GDPR through this mechanism.
If the current Agreement is rejected and the UK leaves the EU without a formalised agreement, it may present further issues. Even though the provisions of the EU are enshrined within national legislation, a formal agreement does not exist in relation to the processing of data post-Brexit.
It is unlikely an adequacy decision will be made before the 29th March 2019.
Meanwhile, the draft EU Whistleblowing Regulation also has the potential to change the way we process the data of a whistleblower.
Providing a legal requirement for the establishment of whistleblowing provisions will ensure that there is a legitimate interest in the processing of whistleblower data. This regulation’s interaction with the GDPR, particularly in relation to data subject rights, may address some of the difficulties mentioned above.
Until cases reach the highest courts of the Member States, or are referred to the ECJ or EDPB, there is still potential for interpretation of the GDPR to change. Clearly, this means ensuring compliance will remain a long-term challenge.
Further upheaval may yet be ahead with regard to the processing of data in the provision of whistleblowing services. Until provisions are finalised and passed, a focus on transparency and consent will be integral to maintaining a GDPR-compliant service.