Clifford Chance

Talking Tech

France paving the way for legal diversity and inclusion (D&I) surveys

Data Privacy Employment 23 July 2024

Many global organizations carry out D&I surveys either to meet legal requirements or to ensure social, ethnic or sexual minorities are adequately represented internally. However, in France these surveys encounter significant legal challenges. For instance, the French Constitutional Council (Conseil Constitutionnel) prohibits the collection of ethnic origin information, and there is a risk that courts may view such surveys as (positive) discrimination, which is criminally punishable.

On 9 July 2024, the French Data Protection Authority (the CNIL) issued a draft recommendation that could potentially ease some of the barriers to conducting D&I surveys, particularly concerning the collection of ethnic and sexual life / sexual orientation data.

In this article, we analyse the practical steps to consider when conducting such surveys, based on the CNIL's draft recommendation.

Anonymised surveys

Given the sensitivity of the data collected in the context of D&I surveys, the CNIL recommends conducting anonymous surveys. In such circumstances, no personal data is processed and the GDPR would not apply. To maintain anonymity, the CNIL recommends:

  • Excluding the collection of data that allows identification, such as the employee's name or identifier.
  • Providing for closed-ended questions with broad answer options. For instance, use age ranges (e.g. "between 25 and 35 years old") rather than asking for the exact age of each participant.
  • Relying on trusted third-party vendors to conduct surveys, in order to ensure employers will only have access to anonymised and consolidated data.

The CNIL also outlines additional practical precautions for online and postal surveys:

  • Online: create a dedicated web page; avoid using personal identifiers or employees' email addresses; and ensure that participants' connection data (e.g. logs) is accessible only by technical teams, for cybersecurity purposes.
  • By post: use prepaid envelopes with a pre-filled recipient address (e.g. that of the employer or the third-party vendor).

Non-anonymised surveys

Though the CNIL recommends anonymity, it is conscious that this may not always be possible (e.g. because the organisation is too small or because precise answers are necessary to adequately analyse diversity). The draft CNIL recommendation specifies that non-anonymised D&I surveys can be conducted, subject to implementation of material data protection guarantees.

Define a legitimate purpose

According to the CNIL, the purpose of D&I surveys shall be to identify information related to diversity, in order to enhance diversity at the recruitment or HR management stage.

However, these surveys should not be used as grounds for taking individual decisions about any particular employee.

Respond to the survey on a voluntary basis

Employees should not be compelled to participate in the surveys and there should be no reward or sanction for doing so.

Be very careful when dealing with ethnic origins or other 'sensitive' questions

Despite French Constitutional Council case law which prohibits referring to employees' alleged ethnic origins, the CNIL considers that it is possible to ask subjective questions such as:

  • "How do you think others perceive you?" With possible answers: "As a French person? As a non-French EU person? As a non-EU person? I don't want to respond."

Moreover, less intrusive questions can be raised, for example regarding place of birth or nationality.

With respect to other 'sensitive' data, the CNIL gives the following example of a possible question:

  • "Do you think that you have been the subject of discrimination?" With possible answers: "Do you think this was because of your religion? Your gender? Your sexual orientation? Your skin colour? Other?"

Obtain consent when asking questions on 'sensitive' information

Pursuant to the GDPR, explicit consent of the individual is required to collect and process 'sensitive' data, such as ethnic origin, a person's sex life or sexual orientation.

However, a majority of EU Data Protection Authorities (including the CNIL) consider that consent cannot be freely given (and thus does not work) in the employment ecosystem, because the employer / employee relationship is unbalanced. As a result, it is generally considered that questions relating to 'sensitive' information cannot be asked – which significantly reduces the usefulness of D&I surveys, in particular under French law.

In the draft recommendation, the CNIL surprisingly admits exceptions to this doctrine by taking the view that 'sensitive' data can be processed on the basis of the explicit consent of the individual, provided that certain guarantees are in place. Notably, the CNIL recommends using a third-party vendor to ask sensitive questions, as this would 'dilute' the imbalanced relationship issue. Moreover, third-party vendors shall ensure that employers only get aggregated information, thus preventing the identification of employees.

Perform a data protection impact assessment (DPIA)

Given the sensitivity of the data at stake, the CNIL strongly recommends that DPIAs are conducted.

A DPIA has to be carried out when a processing operation presents high risks for an individual. Its aim is to identify such risks and set out measures to mitigate them. If these measures are not sufficient to reduce the risks, the organization has to consult the relevant Data Protection Authority.

Define a data retention period

The CNIL indicates that personal data shall be kept for the period of time necessary to convert the results of the survey into statistics. The regulator considers that a 6-month period from the moment the survey is closed is sufficient to analyse the data collected, transform these into anonymous statistics and ensure there are no errors.

Other GDPR requirements

These include notably:

  • defining GDPR roles (controllers / joint-controllers / processors) and implementing appropriate data processing agreements as the case may be (e.g. with third-party vendors)
  • informing individuals about the processing of their data (and considering involving staff representatives)
  • implementing adequate security measures.

The draft recommendation is open for public consultation until 13 September 2024.

Whilst it is likely that many stakeholders will welcome the openness of the CNIL and push for even more flexibility, the conduct of D&I surveys will remain subject to legal uncertainty in France until a law expressly allows or imposes such surveys.