Measuring Diversity at Work in France: the CNIL Launches a Public Consultation on a Draft Recommendation
Wednesday, August 7, 2024
CNIL diversity measurement survey recommendation
Print Mail Download info_icon_img/>i

Context

Businesses are under pressure from a range of internal and external stakeholders to create and maintain genuinely diverse and inclusive workplaces. Consequently, more and more businesses want to collect and track Diversity and Inclusion (“D&I”) data about their staff. This may include information about gender, sexual orientation, race, ethnic origin, religion, socio-economic background health, and disability. This information may help organizations better understand the current profile of their workforce, assess the impact of their equal opportunities policies, determine what steps they may need to take to address any barriers to change and measure progress against any objectives/targets set.

However, in some countries, collection and tracking of such data is regulated by various laws and it is socially and culturally inappropriate to ask certain questions in this area.

In France, various regulations and case law restrict the collection of such data, including the EU General Data Protection Regulation (“GDPR”). There is a particular sensitivity in relation to origin/race/ethnicity data (as notably stated in a decision from the French Constitutional Council of 15 November 2007 sanctioning the collection of such data in this context).

Draft recommendation

To guide organizations wishing to implement diversity measurement surveys, the CNIL is submitting a recommendation for public consultation until September 13, 2024 (the “Draft Recommendation”).

It notably includes GDPR-specific recommendations that were not in the guide “Measuring to progress towards equal opportunities” that the CNIL had published with the Defender of Rights twelve years ago (the “Guide”).

The recommendation addresses the following issues in relation to diversity surveys.

Type of survey and purpose

Surveys must remain optional.

The legitimate interest of the organization should be the legal basis for the survey.

However, so-called “special categories of data” (as defined by GDPR, e.g.: health status, sexual orientation, religion, race, ethnic origin, etc.) are considered sensitive data and may only be collected with consent. Under GDPR, this consent must be freely given and can be withdrawn at any time.

The survey should more generally be carried out in the context of an equality program it should also only be used to take collective measures within the organization (and not any address an individual situation).

Our practical tips: Be clear about why you want to collect D&I data and how it fits into your wider D&I strategy.

Rights of participants

Participants must be properly informed in compliance with the requirements of GDPR and their rights respected.

Workers’ representatives should, and in some cases must, be involved (in compliance with labor law requirements).

Our practical tips: Word the information carefully. Take into account the type of relationship the organization has with the local staff and their representatives.

Confidentiality and anonymity

Surveys should favor anonymity as far as possible and, in any event, should ensure confidentiality.

Surveys should not collect data that allows organizations to identify participants nor ask questions that, when put together, can allow to identify indirectly a participant (in this context the size of the relevant organization plays an important role).

The results of the survey must be anonymized and aggregated.

Robust security measures should be in place. For online surveys, specific technical measures may also have to be put in place in the case of online surveys.

Using a trusted third party may constitute a valid guarantee, by ensuring that the employer does not have access to the raw data collected.

Our practical tips:

Ensure you have the right software/systems in place to enable you to collect and store the necessary data and that the confidentiality and security of such data can be guaranteed.

Not all app or survey service providers can be considered as a trusted third party. It is recommended that you carefully read the terms and conditions and the privacy policy of any vendor(s).

Be careful about cross-border transfers of data under GDPR.

The data collected should be limited

In particular, as regards race and ethnicity, such data cannot be collected, but it is possible to address the issue by collecting (i) certain types of objective data such as name, place of birth of employees or that of his/her parents; and (ii) if necessary, subjective data relating to, for example, the feeling of belonging, or how the person considers themselves as perceived by others.

Unfortunately, the Draft Recommendation does not cover other types of sensitive data.

Our practical tipsYou must also explore the cultural sensitivities and legal constraints around other special categories of data such as gender, sexual orientation and/or disability. Questions may need to be tweaked/tailored for different jurisdictions, e.g. where it may be inappropriate or unsafe for an individual to be required to disclose certain information. Remember that inappropriately worded questions may cause offence, deter people from answering and/or lead to misleading resultsWhen possible, give staff the option “Prefer not to say” in any questionnaire/survey.

Retention

Data should be anonymized and aggregated, and raw data should be deleted within a reasonable period of time.

Our practical tips: In France, it is not possible to create an actual D&I database of the employees (e.g. the data cannot be retained).

Role of the parties

The employer is a data controller and where it uses a trusted third party the latter can be a processor or a joint controller

Our practical tips: In a group and, depending on the context and content of the survey, the controller could be an affiliate of the employer.

Data Protection Impact Assessment is strongly recommended.

Our practical tips: A DPIA helps you identify and minimize the data protection risks of a project and involves consideration of issues such as the nature, scope, context and purposes of the processing, compliance and proportionality measures and assessment of risks to individuals. Under the GDPR, businesses must carry out a DPIA where they are processing special category data, which will almost always be the case with a D&I monitoring exercise.

Next steps

The public consultation is open until September 13, 2024. Following this consultation, the CNIL will publish its final recommendation.

© Copyright 2024 Squire Patton Boggs (US) LLP

Current Public Notices

Current Legal Analysis

More from Squire Patton Boggs (US) LLP

Reflections on The UK Pensions Regulator’s (TPR) Powers that Could See Insolvency Practitioners Facing £1 Million Fines
by: Rachael Markham
Malaysia Pushes Out Groundbreaking Amendment to Personal Data Protection Act – Impact on Businesses
by: Charmian Aw , Brendan Lai
Eighth Circuit Clarifies Arbitrability of Sexual Harassment Claims (US)
by: Laura Lawless
New ANPD Resolution on the Statute of Data Protection Officers in Brazil
by: Bartolome Martin
Medicare Part D Preemption: Supreme Court Review Uncertain
by: Michele Munk
Election Season is Upon Us: Navigating Politics in the Workplace in 2024 (US)
by: Melissa Legault
BIPA Amendment Reduces Potential for Massive Damages Awards
by: Alan L. Friel
All the Fun of The Fair – New Tips Code Offers Bumpy Ride to Service-Sector Employers (UK)
by: David Whincup

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins