What will be the impact of the transposition of the EU Directive on the protection of whistleblowers into French law?
Bastille Day Newsletter 2021 - Legislative, Regulatory & Policy updates
The transposition of the European Union (“EU”) Directive dated 23 October 2019 on the protection of whistleblowers into the laws of the member States must take place on 17 December 2021, thus impacting all companies comprised of more than 50 employees[i]. However, such transposition should not imply a major change in French law, which is already quite protective of whistleblowers. Some clarifications and reinforcements are nevertheless expected.
The European Directive is similar to the so-called “Sapin II Law”[ii] in some respects, notably with regards to the obligation to prohibit retaliation measures against the whistleblower[iii], which is codified in several areas of French law (Criminal Code, Labour Code, Monetary and Financial Code), and the statement of an immunity of whistleblowers’ from liability in the context of proceedings brought against them following an alert, for example in cases of business secrets’ disclosure, copyright infringement or defamation[iv].
It remains that the Directive clarifies and strengthens the scope of protection.
Firstly, the Sapin II law provides for the protection of whistleblowers for all breaches of probity[v]. The Directive specifies the scope of protection by listing the breaches, the report for which whistleblower will be protected, including those breaches affecting the financial interests of the EU, breaches relating to the internal market, or breaches falling within the scope of Union acts concerning various areas (public procurement, financial services, food and feed or transport safety, protection of the environment, public health, protection of privacy, and others)[vi].
It should be specified that mere suspicions, if reasonable, of potential breaches or attempts to conceal breaches, are sufficient to justify the protection of whistleblowers[vii].
Secondly, the European text extends the protection of whistleblowers to all “workers”, and not just the employees. This notion of “workers” includes civil servants, self-employed workers, but also shareholders and persons belonging of the administrative, management or supervisory body of an undertaking, including non-executive members, volunteers and paid or unpaid trainees, as well as any persons working under the supervision and direction of contractors, subcontractors, and suppliers. This is the case even where information on reported breaches was acquired in an employment relationship which has since ended or in a work-based relationship which has yet to begin (ongoing recruitment process or pre-contractual negotiations) [viii].
Protection is also extended to facilitators, third persons connected with the whistleblowers and who could suffer retaliation in a employment context (whistleblowers’ colleagues or relatives), but also to legal entities owned by whistleblowers, work for or are, in any other way, connected with in a work-related context[ix].
In addition, both the Sapin II Law and the Directive require private and public sector entities to establish internal reporting and follow-up channels and procedures for[x], which guarantee the confidentiality of the identity of the whistleblowers and persons referred to in the report, as wells as the information contained in the report[xi].
As for the private sector, these procedures are only required for legal entities with 50 or more employees[xii], although entities with 50 to 249 employees may choose to share resources for the receipt of alerts and the necessary investigations[xiii].
The Directive further strengthens the protection in this regard by allowing Member States to require private law entities with fewer than 50 employees, to implement internal channels following a risk assessment based on the nature of their activities and the level of risk to the environment and public health[xiv].
As for the public sector, unlike French legislation which only obliges municipalities with more than 10,000 inhabitants, all entities are subject to the implementation of whistleblowing systems, though member states remain free to exempt municipalities or entities with fewer than 50 employees from this obligation[xv].
Finally, French law provides that the reporting of an alert must follow a three-step process. It must first be relayed to the supervisor or the employer, and then, only in the event of a lack of diligence from the latter, to the judicial or administrative authority or to professional orders. As a last resort, it may be made public[xvi]. It may be directly brought to the attention of external bodies or the public, only in the event of serious and imminent danger[xvii].
In most cases, a whistleblower will feel more comfortable internally reporting behaviour in order for risks to be resolved potentially faster and in a more effective way, although he or she may also fear retaliation[xviii].
The European Directive therefore offers greater freedom of choice to the whistleblower, considering that the latter should be able to choose the most appropriate course of action considering the particular situation he or she is confronted to[xix].
The transposition of this Directive into French law should therefore open interesting avenues for greater whistleblower protection. In this respect, the conclusions published in June 2021 of a public consultation launched by the French Ministry of Justice show that most participants are in favor of whistleblowers receiving financial support (73.4%) and psychological assistance (78%)[xx]. The details of this greater protection should be known in the next few months.
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.