In December 2016, the “Sapin II” law introduced comprehensive mandatory whistleblowing schemes (amongst other things) for certain private and public sector organizations in France. This law became effective in 2018 and was amended in 2022 to transpose the “EU Whistleblower Directive.” The legal changes came into effect on 1 September 2022, and the implementation decree of 3 October 2022 took effect on 5 October 2022.
On 21 March 2022, France enacted a law (the Law) “aiming to improve the protection of whistleblowers” by making numerous amendments to the Sapin II law, as well as to the labor code, the public service code, the criminal code and other laws.
Consistent with the previous version of the Sapin II law, the new Law is not restricted to breaches of EU law, as provided for in the EU Whistleblower Directive, but extends to breaches of French law or a “threat or prejudice to the general interest.” The Sapin II law also separately provides for reporting on breaches to the company’s anti-corruption code of conduct.
The Law does not apply in cases where French or EU law establishes specific reporting regulations (notably as set out under Part II of the Annex to the EU Whistleblower Directive, covering EU law in the fields of financial services, AML-CFT, transport and environment).
Moreover, transposing the EU Directive, the new Law expands the types of information falling outside its scope to include information protected by the secrecy of judicial deliberations and judicial investigations, in addition to information protected by national defense secrecy, medical secrecy, and lawyers’ professional secrecy.
Changes Regarding Who is Protected by the Law
Several changes have been made to the definition of whistleblowers (in French, “lanceur d’alerte”), being individuals who “report or reveal facts about: (i) a crime or an offence, or (ii) a threat or prejudice to the general interest, or (iii) a violation or an attempt to conceal a violation of an international commitment duly ratified or approved by France, of:
- a unilateral act of an international organization adopted based on such commitment; or
- EU or French legislation and regulation.”
Moreover, a protection-worthy whistleblower must report “without direct financial compensation and in good faith.”
The Law expands the scope of persons who can blow the whistle to include, in addition to employees and persons that occasionally collaborate with the company, the following persons:
- job applicants and former employees;
- shareholders and officers;
- business partners or subcontractors (or, as the case may be, their staff, shareholders and officers); and
- individuals who report anonymously and whose name is disclosed afterward.
Whistleblowers no longer need to have first-hand knowledge when reporting on facts that “have occurred or are very likely to occur within the organization” and that they have become aware of “in the course of their professional activities” (in other cases, first-hand knowledge is required).
As per the EU Directive, the scope of the protection has also been extended, in particular, to cover:
- “facilitators,” i.e., individuals or private non-profits, who help the whistleblower make his/her report;
- individuals who are connected with the whistleblower and who might suffer from retaliation in a work-related context (such as colleagues or relatives); and
- entities controlled by the whistleblower, or for which the latter works, or with which he/she is otherwise connected in a work-related context.
Changes to the Reporting Process
(1) Whistleblower’s Reporting Options
Moving away from the past strict three-tiered reporting model, whistleblowers will now be allowed to:
- report to “external channels” (with or without a prior internal report) to specific authorities or courts at the French or EU level. The implementing decree lists several authorities that are competent to receive reports on specific topics as well as set out the procedure to be implemented to this effect; and
- report publicly in certain cases set out by the Law (in some cases, after at least an external report that was made did not lead to appropriate follow-up actions).
This is a major change resulting from the transposition of the EU Directive.
(2) Internal Channels
The Law requires organizations that have more than 50 salaried employees to establish and operate internal whistleblowing channels.
The internal reporting must maintain confidentiality in relation to the identity of:
- the “reporting person” (i.e., the “whistleblower”);
- the “person concerned” (in relation to whom a report has been made);
- any person mentioned in a report; and
- any information collected by the recipient(s) of the report.
As before, the disclosure of such identities and the information collected is sanctioned by up to two years of imprisonment and a €30,000 fine. For companies that do not have a whistleblowing scheme, reports can be made to a direct or indirect supervisor, or a referee appointed for this purpose.
The implementation decree provides details on the required process for internal channels. Importantly:
- There can be different persons/services operating (i) the channel for receiving the report (including outsourcing to external service providers – which is not to be confused with “external channels” of reporting) and (ii) the performance of any follow-up actions.
- The organization must appoint an impartial person or department competent for following up on the reports tasked with maintaining communication with the reporting person. They must have the necessary skills, authority and means. Access to the information is strictly restricted to such person/department and any other person or service receiving a report must transfer it immediately to the designated person/service.
- French law allows for anonymous reporting, which comes with certain specificities.
- Information may only be retained for as long as strictly necessary or must be anonymized.
(3) Sharing of Resources
As provided in the EU Whistleblower Directive, organizations in the private sector with less than 249 employees can share resources regarding the receipt of reports and any assessment concerning the correctness of the allegations but “without prejudice to such entities’ other obligations.”
(4) Group Companies
Against expectations, the French law and implementation decree did not take a clear position with respect to the interpretation by the EU Expert Group and the European Commission that each subsidiary with 250 or more employees would have to have a separate impartial person or department at the local level, instead of a single centralized channel. The French stakeholders await an official position from the government and/or regulators.
The implementation decree does, however, provide for cases where a report can be referred to an affiliate company and allows for information to be provided on the process for reporting to the affiliate/group companies.
The organization must provide clear and easily accessible information on the procedures applicable for making reports, including information concerning external reporting channels. The information must also be accessible to potential reporting persons who are not employees but are outside of the organization. Information must also be provided in the internal regulations of the employer.
Enhancement of the Protection Measures
The Law augments the list of prohibited retaliation, including threats of retaliation and attempts to retaliate against whistleblowers and other protected persons listed above. In addition to discrimination at work or disciplinary sanctions for employees or job candidates, they include the following actions (amongst others):
- intimidation and harassment;
- damage to reputation (including online);
- financial loss (loss of business or revenue, penalties);
- inclusion on an industry-wide blacklist; early termination of business relations;
- cancellation of license; and
- improper referral to psychiatric or medical treatment.
The new Law provides that it is for the person who has taken a detrimental measure against a whistleblower to prove that their action was not linked in any way to the whistleblower’s reporting or public disclosure and would have been taken anyway.
Whistleblowers would not be subject to criminal or civil liability for damages caused by publicly reporting if they had reasonable grounds to believe that public disclosure was necessary to protect the interests at stake.
As before, interfering with the transmission of a report may be punishable by up to one year of imprisonment and a €15,000 fine (€75,000 for legal entities). However, the civil fine for abusive court action against a whistleblower has been increased to €60,000, and discrimination towards a reporting person or other associated persons carries a criminal fine of up to three years imprisonment and a fine of up to €45,000 (€225,000 for legal entities).
Moreover, criminal or civil courts have the power to allocate provisions for court costs or, when his/her financial situation has seriously deteriorated due to the report or public disclosure, a provision for financial assistance (in French, “subsides”) to the whistleblower. A labor court may order the employer to contribute to the whistleblower’s personal training account.
The Law also clarifies that the identity of the whistleblower can be disclosed to a court without his or her consent when necessary.
Implementation of the Legal Requirements
As well as having to make technical and operational choices, organizations must also follow several preliminary steps when implementing or amending a whistleblowing scheme. These steps include:
(1) Compliance with Labor Law
- prior information and consultation with the employees’ representatives and consultation of the Social and Economic Committee or CSE (if any);
- information of the employees; and
- modification of the “Réglement intérieur” (internal regulations that include internal disciplinary rules and potential sanctions for non-compliance). The Réglement intérieur cannot be implemented or changed unless it is submitted to the CSE as well as to the Labour Inspector and notified to the clerk’s office of the Labor Court.
(2) Compliance with Data Protection Regulations
French Data protection laws impose legal restrictions on the implementation of whistleblowing procedures. Implementation of, or changes to, such a procedure will require, amongst other things:
- performing or updating the Data Protection Impact Assessment (DPIA);
- providing adequate information to the data subjects;
- identifying the legal basis for processing; and
- implementing retention periods.
The French data protection authority, the CNIL, published in 2019 a standard of best practice or Referential (in French “référentiel”) and a FAQ on whistleblowing systems. Even though extremely useful in addressing some of the French data protection compliance issues, the Referential and FAQ have yet to be adapted to the latest changes to the Law and the implementation regulation.
We would be happy to assist you in interpreting and implementing the new whistleblower requirements in France and other EU Member States. For further information, please contact Stéphanie Faber at firstname.lastname@example.org or your usual contact within the Squire Patton Boggs Data Privacy, Cybersecurity and Digital Assets team.