France: Major changes to whistleblowing laws
Until recently, there was no obligation to implement a whistleblowing policy in France. However, when such a policy was put in place very strict regulations applied. These included obtaining prior authorisation, which was only very reluctantly granted, from the French data protection agency (the “CNIL”). Law of 9 December 2016 on transparency, the fight against corruption and the modernisation of the economy (referred to as “Sapin II”) created general protection for whistleblowers. It also introduced the following new compliance obligations for companies.
New mandatory obligations
As from 1 June 2017, “large” companies are required to implement an anti-corruption policy. This obligation applies to private companies and public establishments that have (i) at least 500 employees or belong to a group of companies with at least 500 employees whose parent company’s head office is in France and (ii) a turnover or consolidated turnover exceeding €100M.
The anti-corruption plan must include specific measures and procedures, including: a risk assessment, a code of conduct that must be submitted to the employee representative bodies for consultation and be appended to the company’s Internal Rules (“règlement intérieur”), a formalized whistleblowing policy that allows employees to report acts or behaviours that violate the company’s code of conduct, a training program as well as disciplinary procedures.
As from 1 January 2018, companies with at least 50 employees must have a whistleblowing policy in place. A ministerial decree issued on 19 April 2017 (relating to whistleblowing policies implemented by legal entities in the private and public sectors) provides details on the content of the mandatory whistleblowing policies, including those put in place by “large” companies.
Special obligations apply to companies in the insurance, finance and banking sectors that are subject to regulatory monitoring.
Consequences of “Sapin II” on whistleblowing policies
Implementing a whistleblowing policy in France has and will continue to require compliance with several steps, including submission of the policy to the CNIL.
This submission can be made by means of a simple notification (“declaration simplifiée”), if the whistleblowing policy complies with the requirements set forth in the CNIL’s authorisation (“autorisation unique”) no. AU-004. Otherwise, a request for authorisation must be submitted to the CNIL.
On 26 August 2017, the CNIL published a new deliberation that modified authorisation no. AU-004 as follows to take into account Sapin II’s new anti-corruption provisions:
The scope of the whistleblowing policies covered by authorisation no. AU-004 was expanded; they can now be used by employees and “external and occasional collaborators” to report information relating to: a misdemeanour (“délit”) or a felony (“crime”), a serious and obvious breach of an international commitment duly ratified or approved by France, a unilateral act of an international organisation based on a duly ratified international commitment or any law or regulation, a serious threat or danger to the public’s interest of which the whistleblower has personal knowledge, or acts or behaviours that violate provisions of the company’s code of conduct concerning corruption or influence peddling;
Whistleblowing policies must comply with new additional conditions: the company must provide detailed information to its employees and “external and occasional collaborators” on the policy; this information must include a presentation of the different steps of the procedure and identify the person(s) to whom and the conditions under which whistleblowing reports must be made; data making it possible to identify the whistleblower or the person who is the subject of a report may not be disclosed without their consent, except where the information is communicated to judicial authorities; and security measures should be taken to protect personal data and ensure confidentiality, including protection against unauthorised access.
A company that has an obligation under Sapin II to have a whistleblowing policy must:
- If it already has a whistleblowing policy: verify that its policy complies with the new anti-corruption legislation and, if needed, modify it and re-submit it to the CNIL by means of a simplified notification or a request for authorisation.
- If it does not have a whistleblowing policy: put one in place before 1 January 2018 following the appropriate procedures (consultation with relevant employee representative bodies and submission to the CNIL).
A “large” company as defined by Sapin II, if it does not now have a compliant anti-corruption plan in place, must implement one as soon as possible.
Lastly, for a company in the insurance, finance and banking sectors that is subject to regulatory monitoring, ensure that it is in compliance with the new obligations applicable to it under Sapin II.