Whistleblowing: a new regulation in France in January 2018

Published on 10th Jan 2018

While members of the European Parliament are calling for a whistleblowing program to protect whistleblowers who help protect the EU's financial interests, France recently enacted the Sapin II Act on transparency, tackling corruption and modernisation of business life, which regulates whistleblowing programs aimed at ensuring whistleblower protection. The detailed new legislation imposes a specific obligation on companies with more than 50 employees to ensure they have in place a whistleblowing programme that complies with certain requirements.

While some protection measures already existed under French law, they were limited to certain specific fields, such as corruption or crimes an employee had become aware of in the course of their functions, public health and environmental issues or public officials’ conflicts of interests.

These measures have been repealed or amended by the Sapin II Act (and decree n°2017-564 dated 19 April 2017), which provides for a general whistleblowing regulation.

Definition of a whistleblower:

The Sapin II Act defines whistleblowers as individuals (thus excluding legal entities) disclosing or reporting, in good faith, a crime, an offence, a violation of an international commitment, a law or regulation infringement, a threat or an important prejudice to the general interest he or she became aware of.

The law specifies that the whistleblower acts in a disinterested way, only in consideration of the general interest. This rule clearly rejects the US approach, where some pieces of legislation such as the Dodd-Frank Act allow whistleblowers to be financially rewarded for their alert (the reward can amount to 30% of the financial sanctions imposed, which exceed $1 million).

The alert recipients:

The Sapin II Act determines who the alert recipients are, on a step-by-step basis.

The first recipient should be the whistleblower’s direct or indirect supervisor, their employer or a referent appointed by the employer. The referent may be an individual or an entity, with or without legal personality, and may either be part of the organization or external to it. It shall have the skills, the authority and sufficient power/means to carry out its missions.

Should the first recipient fail to verify within a reasonable time the alert’s admissibility, the alert should be filed with judicial or administrative authorities or professional orders.

Finally and as a last resort, if those authorities have not dealt with the alert within three months, the alert may be made public.

In any case, in the event of a serious and imminent danger or of a risk of irreversible damage, the alert can be directly filed with judicial or administrative authorities or with professional orders.

Obligation for companies with more than 50 employees to implement an in-house whistleblowing program:

According to the Sapin II Act and the decree n°2017-564, companies employing more than 50 individuals were required to implement an appropriate whistleblowing program by 1 January 2018. A single alert collection procedure can be implemented in a group of companies after decision of the competent entities’ bodies.

Such whistleblowing in-house program should not be mixed up with the obligations to implement an internal anti-corruption program, which must be adopted by some companies (meeting defined criteria) under the Sapin II Act. Such internal program shall, however, comply with the rules regarding the protection of whistleblowers.

The decree n°2017-564 has specified the requirements applying to the whistleblowing in-house schemes:

  • The alert collection procedure shall provide for the modalities and conditions according to which the whistleblower may file an alert, evidence it, or if applicable, communicate with the alert recipient.
  • The alert collection program shall specify the measures taken by the company to:
    • inform without delay the whistleblower of the receipt of their alert, of the reasonable timeline to examine its admissibility and the conditions under which they will be informed of the consequences;
    • guarantee the strict confidentiality of the whistleblower identity, the reported facts and targeted individuals; and
    • destroy the pieces of the alert identifying the whistleblower and the individuals involved when no action has followed such alert.
  • The company must mention the existence of an automated processing for the alerts, which must only be put in place after authorisation by the French Data Protection Authority (the CNIL). Indeed, an authorisation from the CNIL to process the personal data of whistleblowers and targeted individuals is required under French law, as the processing could result in a disciplinary sanction, termination of the employment contract or diminution of the rights of the whistleblower or targeted individual.

    Prior to adoption of the Sapin II Act, as some companies had already implemented internal whistleblowing schemes, the CNIL had adopted a “unique authorisation 004” or “AU004” applicable to such schemes. If a data controller met the unique authorisation conditions (which were notably related to the processing purpose, the proper data flow scheme, safeguards for the international transfers and security measures), it could simply file with the CNIL a declaration stating it complied with the conditions (a simplified process) and could then lawfully process the data in relation to the whistleblowing scheme. If the data controller did not meet the applicable conditions, they had to file a standard authorisation application, on which the CNIL would rule within 2 months.

    In order to take into account the Sapin II requirements, the CNIL is currently drafting a new unique authorisation, which should be made public in the coming months and provide some guidelines with regard to data processing in relation to whistleblowing schemes.

    Disclosure and information regarding the alert whistleblowing scheme can be made by any means, including notification, display or publication on the company website, in conditions allowing its employees, agents or external and occasional collaborators to access this information.

Despite the deadline for implementation, though, the Act has not provided for any sanction if the required measures are not implemented before 1 January 2018.

Protection of whistleblowers and confidentiality obligations:

  • Confidentiality obligations. The Sapin II Act provides that the alert recipient shall keep the alert, the communicated information, the identity of the whistleblowers and the identity of the targeted individuals confidential. In this regard, the whistleblower’s identity should only be communicated to judicial authorities with the whistleblower’s consent. The whistleblower alert can be anonymous. Transparency International, in its guidelines regarding the Sapin II Anti-corruption program, recommended that France allow anonymous alerts. The CNIL has warned that as anonymous alerts reinforced risks of false accusations, they should only be authorised provided some precautions are taken: the seriousness of facts is established (factual elements being sufficiently detailed) and the alert is carefully handled, including by examining the opportunity of its processing. In addition, elements identifying the targeted individuals shall only be communicated to judicial authorities once the validity of the alert has been established.

    Breach of such confidentiality obligations is punishable by up to 2 years’ imprisonment and a criminal fine of up to €30,000 for individuals and €150,000 for legal entities.

  • Whistleblower protection. Whistleblowers will not be criminally liable for disclosure of legally protected secrets such as trade or banking secrets (excluding information or documents protected by medical secrecy, national defence or attorney-client privilege), provided such disclosure is necessary and proportionate to the involved interests. Employees also must not be subject to any sanction or discrimination from their employer because of such disclosure. Employees also benefit from the protection of the Labour code and its favourable burden of proof regime: the employer must prove that the disciplinary sanction was based on objective reasons unrelated to the whistleblower alert. In addition, in case of termination of the employment agreement following a whistleblowing alert, the employee can bring their case before labour courts using a fast-track procedure. The court will have power to order the end of any discriminatory measure, annul the dismissal and order reinstatement of the whistleblower in their position.

    Whistleblowers acting in bad faith could, however, incur liability under tort and face disciplinary sanctions, including dismissal for fault, or criminal sanctions for slander (up to 5 years of imprisonment and a criminal fine of up to €45,000). Preventing the transmission of an alert to the competent recipients is punishable by one year of imprisonment and a criminal fine of up to €15,000.


France now has a very detailed regulation regarding whistleblowers. Companies with more than 50 employees need to ensure that they have in place a whistleblowing programme that complies with the new regulation. Only the future will tell how efficient these programs are and if they allow companies to improve their risk management.

Interested in hearing more from Osborne Clarke?

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
