The bill n°7945 aiming at implementing into national law Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law has been voted by the Chamber of Deputies on 2 May 2023. The law has been published on 17 May 2023 and entered into force on 21 May 2023 ("the Law").
The Law :
- extends the material scope of the Directive to all national laws
- guarantees effective protection for whistleblowers by granted them a legal status
- provides three reporting channels: internal, external and public
The whistleblower protection
The Law introduces a whistleblower protection mechanism that protects whistleblowers from all forms of retaliation, including threats and attempted retaliation, that they may suffer as a result of disclosing "information on violations".
The Law defines violations as acts or omissions that (i) are unlawful, or (ii) defeat the object or purpose of directly applicable provisions of national or European law.
In addition to the direct prohibition of retaliatory acts, including the introduction of criminal penalties for those who commit them, the Law provides for legal remedies enable the person who has reported the violation to obtain the nullity of a retaliatory measure taken against him or her (such as dismissal, termination or demotion) and/or compensation for the damage suffered as a result of such retaliatory measures.
Reporting persons shall qualify for protection provided that :
(i) they had reasonable grounds to believe that the information on breaches reported was true at the time of reporting and that such information fell within the scope of the Law and,
(ii) they reported either internally, or externally, or made a public disclosure.
Shall also qualify for protection :
(iii) persons who reported or publicly disclosed information on breaches anonymously, but who are subsequently identified and suffer retaliation and,
(iv) persons reporting breaches to relevant institutions, bodies, offices or agencies of the Union breaches.
Protection is granted to reporting persons in private and public sectors such as independent contractors, shareholders, executives, volunteers, interns, contractors, and suppliers.
The protection also includes facilitators and third parties linked to reporting persons and legal entities affiliated with reporting persons.
- Internal reporting
Legal entities in the private and public sectors are subject to the obligation to set up internal reporting channels and their monitoring.
These internal channels must, among other things, allow for the secure receipt of reporting, guarantee the confidentiality of the identity of the reporting person and any third party mentioned in the reporting, and prevent access to these channels by unauthorized personnel.
Follow-up on reporting should be done by an impartial person or service in a timely manner, ensuring feedback to the reporting person within a reasonable timeframe, not to exceed three months.
It should be noted that this procedure will only become mandatory for private sector entities with 50 to 249 employees as of 17 December 2023.
- External reporting
Although the Law expressly encourages whistleblowers to use internal reporting channels, they may choose to report internally or externally to a competent authority: Commission de Surveillance du Secteur Financier, Commissariat aux Assurances, Commission National pour la Protection des Données, Inspection du Travail et des Mines etc.
The procedure and follow-up for external reporting are similar to internal reporting.
Competent authorities may, however, decide that a reported violation is minor and does not require further follow-up, or may decide not to act on a repeated reporting containing no new information.
A person who makes a public disclosure, i.e., who makes "information about violations available in the public sphere," enjoys the same protection if one of the following conditions is met :
(i) the person first reported internally and externally, or directly externally, but no appropriate action was taken in response to the report within the timeframe; or
(ii) the person has reasonable grounds to believe that :
- the breach may constitute an imminent or manifest danger to the public interest, such as where there is an emergency situation or a risk of irreversible damage or,
- in the case of external reporting, there is a risk of retaliation or there is a low prospect of the breach being effectively addressed, due to the particular circumstances of the case, such as those where evidence may be concealed or destroyed or where an authority may be in collusion with the perpetrator of the breach or involved in the breach.
A reporting office is created, under the authority of the Minister of Justice, to inform and assist any person wishing to report, by specifying the procedures to follow and to educate the public on the rights and obligations introduced by the Law.
Entities that do not establish channels and procedures for internal reporting and follow-up are subject to an administrative fine of 1,500 to 250,000 euros. The maximum fine may be doubled in the event of repeat offences.
In order to discourage abuses, the Law also provides that the reporting person who has knowingly reported or publicly disclosed false information may be subject to a penalty of imprisonment of eight days to three months and a fine of 1,500 euros to 50,000 euros.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.