While members of the European Parliament are calling for a whistle-blowing program to protect whistle-blowers who contribute to the protection of EU financial interests, France recently enacted the Sapin II Act on transparency, the fight against corruption and modernisation of business life, which regulates whistle-blowing programs and is aimed at ensuring whistle-blowers’ protection.
If some protection measures already existed under French law, they were limited to some specific high risk areas, such as corruption or crimes an employee becomes aware of through his role, public health and environmental issues and public officials’ conflicts of interest.
These existing measures have been repealed or amended by the Sapin II Act (and decree n°2017-564 dated 19 April 2017), which provides for a general whistle-blowing regulation.
- Definition of a whistle-blower:
The Sapin II Act defines whistle-blowers as individuals (thus excluding legal entities such as companies) disclosing or reporting in good faith, a crime, an offence, a violation of an international commitment, a law or regulation infringement, a threat or an important prejudice to the general interest he or she becomes aware of.
The law specifically provides that the whisteblower cannot receive financial rewards for making a report, and so must act only in consideration of the general interest. This rule clearly rejects the US approach where some pieces of legislation (such as the Dodd Franck Act) allow whistle-blowers to be financially rewarded for their actions.
- The alert recipients:
The Sapin II Act determines who are the alert recipients, on a step-by-step basis.
The first recipient shall be the whistle-blower’s direct or indirect supervisor, his employer or a referent appointed by the employer. The referent may be an individual or an entity having or not the legal personality, and may either be part of the organization or external to such organization. It shall have the skills, the authority and sufficient power/means to carry out its duties as referent.
Should the first recipient fail to verify the admissibility of the alert within a reasonable time, the alert may be filed with judicial or administrative authorities or professional orders (Doctors’, architects’ or lawyers’).
Finally, and as a last resort, in case one of those authorities does not handle the alert within 3 months, the alert may be made public.
In any case, in the event of a serious and imminent danger or of a risk of irreversible damage, the alert can be directly filed with judicial or administrative authorities or to professional orders.
- Obligation for companies with more than 50 employees to implement an in-house whistle-blowing program:
According to the Sapin II Act and the decree n°2017-564, companies employing more than 50 individuals are required to implement an appropriate whistle-blowing program before 1 January 2018. A single alert collection procedure can be implemented in a group of companies after decision of the competent entities’ bodies.
Such in-house whistle-blowing programs should not be confused with the separate obligation to implement an internal anti-corruption program which must be adopted by some companies (meeting defined criteria) under the Sapin II Act.
The decree n°2017-564 has specified the requirements applying to in-house whistle-blowing schemes:
- The alert collection procedure shall provide for the modalities and conditions according to which the whistle-blower may file alert, evidence it, or if applicable, communicate with the alert recipient.
- The alert collection program shall specify the measures taken by the company to:
(i) Inform without delay the whistle-blower of the receipt of his alert, of the reasonable timeline to examine its admissibility and the conditions under which he will be informed of the consequences.
(ii) Guarantee the strict confidentiality of the whistle-blower identity, the reported facts and targeted individuals.
(iii) Destroy the pieces of the alert identifying the whistle-blower and the individuals involved when no action followed such alert.
- The company shall mention the existence of an automated processing for the alerts, which must only be put in place after authorisation by the French Data Protection Authority (the “CNIL”). Indeed, an authorisation from the CNIL to process whistle-blowers and targeted individuals personal data is required under French law, as the processing could result in a disciplinary sanction, termination of the employment contract or diminution of the whistle-blower or targeted individual rights.
Prior to adoption of the Sapin II Act, as some companies had already implemented internal whistle-blowing schemes, the CNIL had adopted a “unique authorization 004” or “AU004” applicable to such schemes. If a data controller meets the unique reduced authorization conditions (which principally related to the processing purpose, the proper data flow scheme, safeguards for the international transfers and security measures), it could simply file to the CNIL a declaration stating it complied with the prescribed conditions and lawfully process the data in relation to the whistle-blowing scheme. If the data controller did not meet the applicable conditions, it had to file a standard authorisation application, on which the CNIL would rule within 2 months.
In order to take into account the Sapin II requirements, the CNIL is currently drafting a new unique authorization, which should be made public in the next few month and provide for some guidelines for data processing in relation to whistle-blowing schemes.
- Disclosure and information regarding the alert whistle-blowing scheme can be made by any means, including notification, display or publication on the company website, in conditions allowing its employees, agents or external and occassional collaborators to access this information.
Finally, it must be noted that the Act has not provided for any sanction if the required measures are not implemented before 1January 2018.
- Protection of whistle-blowers and confidentiality obligations:
Confidentiality obligations. The Sapin II Act provides that the alert recipient shall keep the alert, the communicated information and the identity of the whistle-blowers and of the targeted individuals confidential. In this regard, whistle-blowers’ identity shall only be communicated to judicial authorities with the whistle-blower’s consent. The whistle-blower alert can be anonymous. The CNIL warns that as anonymous alerts reinforced risks of false accusations, they should only be authorised provided some precautions are taken: that the alert is handled only if the seriousness of the facts is established (factual elements being sufficiently detailed).
In addition, elements identifying the targeted individuals shall only be communicated to judicial authorities once the validity of the alert has been established.
Breach of such confidentially obligations is punished by 2 years of imprisonment and a criminal fine up to 30,000 € for individuals and 150,000 € for legal entities.
- Whistle-blower protection. Whistle-blowers shall not be criminally liable in case of disclosure of legally protected secrets such as trade or banking secrets (excluding information or documents protected by medical secrecy, national defence or attorney-client privilege), provided such disclosure is necessary and proportionate to the involved interests.
In addition, employees shall not be subject to any sanction or discrimination from their employer because of such disclosure. Employees also benefit from the protection of the Labor code and its favourable burden of proof regime: the employer must prove that the disciplinary sanction was based on objective reasons unrelated to the whistle-blower alert. In addition, in case of termination of the employment agreement following an alert, the employee can bring his case before labour courts using a fast-track procedure. The court will have power to order the end of any discriminatory measure, annul the dismissal and order reinstatement of the whistle-blower in his work position.
Whistle-blowers acting in bad faith will however engage their tort liability and face disciplinary sanctions, including dismissal for fault, or criminal sanctions for slander (5 years of imprisonment and a criminal fine up to 45.000 €).
- Preventing the transmission of an alert to the competent recipients is punishable by one year of imprisonment and a criminal fine up to 15.000 €.
France has now a very detailed regulation to protect whistle-blowers. Only the future will tell how effective these programs are in encouraging whistle-blowing and if they allow companies to improve their risk management.