From January 1, 2018, there will be an obligation on almost all employers to implement reporting/whistleblowing schemes.
France has historically been very reluctant to support workplace whistleblowing, especially anonymously. Whistleblowing schemes were effectively only authorized in 2005 to permit US companies to comply with their SOX obligations. Those regulations were very restrictive, limited to employees and only in relation to certain legal breaches.
However, since December 2016, France has had a law relating to “transparency, the fight against corruption and modernization of business life,” also known as “Sapin 2.” This has introduced a number of changes, including the obligation to implement whistleblowing schemes and anti-corruption compliance programs.
Definition of Whistleblower
The Sapin 2 law defines a whistleblower (in French, “lanceur d’alerte”) as:
- Any individual (i.e., not limited to employees)
- Acting in good faith
- Reporting or revealing a crime, a serious and manifest breach of an international treaty, a serious breach of a law or regulation, or a serious threat or harm to the public interest
- Of which he or she has personal knowledge
Tiered Reporting
The whistleblower must:
- First make his or her disclosure to a direct or indirect supervisor or another person appointed by the employer for this purpose
- Only if this is not followed up with any action, then disclose to the relevant judicial or administrative authority, or to his or her professional adviser
- And then as a last resort, the report may be made public, e.g., to the media
The disclosure may also be filed with the Defender of Rights (“Défenseur des droits”) and directed to the organization responsible for collecting them in the relevant industry sector.
Interfering with the making of a whistleblowing disclosure to the employer or to the courts is punishable by up to one year’s imprisonment and a €15,000 fine (€75,000 for corporates).
Mandatory Implementation of Reporting Schemes
The new law requires that:
- As of January 1, 2018, companies with more than 50 employees must implement schemes that protect whistleblowers
- Businesses with more than 500 employees (or that belong to a group whose parent company is in France and has more than 500 employees) and turnover of more than €100 million must implement internal reporting procedures for bribery and corruption as part of a more extensive compliance program
- Companies providing financial services (as defined under the French Monetary and Financial code) must implement reporting schemes for breaches of EU or French financial market regulation, including the Financial Markets Authority
Principles Governing Reporting Schemes
- Reporting schemes must protect the identity of the whistleblower, the identity of any person incriminated and the information collected. The disclosure of any of these details carries up to two years’ imprisonment and a €30,000 fine (€150,000 for corporations).
- The organization shall appoint a person responsible for receiving whistleblowing reports (“référent”) who may be an employee or an external service provider.
- The procedures used must be adequately publicized and should note that they are authorized by the CNIL.
- The procedure shall specify how the whistleblower (i) may make his or her disclosure; (ii) provides supporting information or documents; and (iii) provides the necessary contact information to allow an exchange with the recipient.
- The procedure must also specify how the organization will (i) provide certain information to the whistleblower and the incriminated person; (ii) guarantee strict confidentiality; and (iii) destroy information after a set period of time.
Breach of Secrecy by the Whistleblower
A whistleblower will not be liable for breaching a secrecy obligation by law provided that:
- The disclosure is necessary and proportionate for the protection of the interests at stake, and
- The reporting procedures provided by law are complied with
However, Sapin 2 does not allow a whistleblower to disclose information covered by doctor/patient or client/lawyer professional secrecy or national security.
No Retaliation
Whistleblowers are protected from retaliation in the hiring process, in access to an internship or professional courses, in salary or otherwise. However, where the report is made in bad faith, the employee can:
- Face disciplinary sanctions by the employer
- Be held liable for “slanderous denunciation” punishable by up to five years’ imprisonment and a fine of up to €45,000
- Be subject to private individual or corporate claims for damages (damages to the public image, reputation, etc.)
Data Protection Issues
For a Sapin 2 procedure to be compliant with French data protection rules, the employer must obtain prior authorization from the CNIL. It can either:
- Apply for an ad hoc authorization, which is time consuming and burdensome, or
- Opt for self-certification to the CNIL, stating that the whistleblowing scheme conforms with the CNIL’s AU-004 rules
However, AU-004 does not currently permit full compliance with the changes introduced by Sapin 2 with regard to the scope of permitted reporting and the people allowed to blow the whistle. Changes to AU-004 are, therefore, expected before January 1, 2018. Some of these may evolve under the General Data Protection Regulation, which comes into effect on May 25, 2018.
Labor Law Issues
There are several preliminary steps that must be followed by a business implementing a whistleblowing scheme. These may include:
- Prior information and consultation with the employees’ representatives and consultation with the Hygiene and Safety Committee (if any)
- A possible modification of the “Règlement intérieur” (internal disciplinary rules), which needs to be submitted to the Works Council and, as the case may be, to the Health and Safety Committee, as well as to the Labor Inspectorate
Non-compliance could prevent the organization from taking disciplinary measures against employees based on the information collected through the scheme.