Companies and public entities that are covered by the new French Anti-Corruption law, Sapin II, are required to adopt a compliance program that includes an internal whistleblowing mechanism “to allow employees to report acts or behaviors that violate the company’s Code of Conduct”.
Enhanced whistleblower protection under Sapin II
Sapin II prohibits retaliation against a whistleblower per international standards (Transparency International). A whistleblower acting in good faith is protected if the person reports a violation of French law or of an international treaty to which France is a party, or any issue that poses a threat or damage to the public interest. The protection includes reports on possible violations of the Code of Conduct.
A whistleblower is defined broadly as “an individual who reveals or reports, acting selflessly and in good faith, a crime or an offence, a serious and clear violation of an international undertaking which has been ratified or approved by France (…) the law or regulations, or a serious threat or loss for the general interest, of which the individual became personally aware”. It is advisable to have a system for whistleblowing available to employees and also to third parties, such as suppliers and customers.
The new law introduces measures to ensure the confidentiality and non-liability of whistleblowers. Companies must implement procedures that:
- Enable whistleblowers to report internally to either direct supervisors (line manager) or indirect supervisors (for example, a compliance officer). If there is no appropriate internal response, or in case of serious and imminent danger, a whistleblower can turn to appropriate judicial or administrative authorities, as well as to the relevant professional association. The information may be made public only as a last resort.
- Ensure that whistleblowers’ identities remain confidential.
Individuals who do not respect these non-retaliation provisions, or who reveal a whistleblower’s identity, may be punished by imprisonment and fines.
We will certainly learn more from the Anti-Corruption French Agency (AFA), which was recently created by the Sapin II law. The AFA's mission is to assist the competent authorities and the persons concerned in preventing and detecting corruption, trading in influence, bribery, unlawful taking of interest, embezzlement of public funds and favoritism.
What are some of the other regulations governing Whistleblowing in France?
Aside from the Sapin II law, other laws and guidelines related to data protection need to be taken into consideration:
- The Data Protection Act (based on EU Directive 95/46/). (In May 2018, the General Data Protection Regulation (GDPR) will enter into force. GDPR replaces the current Data Protection Directive 95/46/ and will be directly applicable in all EU member states. The new regulation aims to provide greater harmonization as well as stricter data security provisions.)
- CNIL Guidelines on the implementation of whistleblowing programs in compliance with the French Data Protection Act. Based on EU guidelines on corporate whistleblowing by the EU Article 29 Working Party, Working Paper No. 117.
- CNIL Decision (Single Authorization AU‐004), which authorizes the processing of personal data in a whistleblowing program that meets the requirements set out in the decision.
CNIL has defined the scope of what is considered as a whistleblowing matter:
- Finance, accounting, banking (for financial institutions) and the fight against corruption,
- Antitrust law,
- Harassment and discrimination,
- Health, hygiene and security in the workplace, and
- Protection of the environment.
It is important to note that whistleblowing programs that are not limited to this scope will not benefit from the simplified declaration process and will need prior approval from the French Data Protection Authority (CNIL).
CNIL and anonymous reporting and processing of anonymous reports
Anonymous reporting is tolerated as long as it is not actively encouraged by the organisation.
As an exception, an anonymous report may be processed provided that:
- the seriousness of the facts involved has been proven and the factual evidence is sufficiently detailed, and
- specific precautions are taken (e.g., prior assessment by the first recipient of the information that it is appropriate to follow up on the report within the whistleblowing system process).
CNIL and restrictions on the transfer of data
If personal data is transferred outside of the EU, the transfer must comply with the Data Protection Act obligations regarding international data transfers. Pursuant to the Single Authorization, such obligations are fulfilled when:
- The recipient has entered into a transfer contract containing the standard clauses issued by the European Commission, or
- The group to which the affected entities belong has adopted binding corporate rules which the CNIL has previously acknowledged as guaranteeing an adequate level of protection.
For the transfer of data to other EU countries, there are no restrictions. Data can be stored within the EU.
Consultation with Works Councils or Trade Unions
Consultation with the Works Council or trade union is required. The Works Council needs to be informed and consulted on the means and techniques that allow control of the employees’ activity before they are implemented within the company. Consultation with the Committee for Hygiene, Safety and Working Conditions may also be required, given the scope of the whistleblowing program.
WhistleB is a service provider for whistleblowing services. The service is compliant with the highest data security and data privacy standards (ISO 27001 and GDPR compliant). It is a user-friendly tool to increase your chances of receiving relevant reports.
Head of WhistleB France
Tel: 33 6 27 83 57 82
Partner and Senior Advisor
World Trade Centre
The ETHIC Intelligence Expert’s Corner is an opportunity for specialists in the field of anti-corruption compliance to express their views on approaches to and developments in the sector. The views expressed in these articles are those of the authors.