Following the law of December 9, 2016, known as Sapin 2, and the introduction of the concept of whistleblower protection in France, French lawmakers took a step back in favor of European lawmakers. The latter unified whistleblower protection across the European Union through Directive 2019/1937 of October 23, 2019. It was in order to transpose this directive into French law that the law of March 21, 2022 (also known as the Waserman Law) was introduced, amending the initial legislation on the topic.

Now that the implementing decrees (Decree of April 16, 2022, and Decree n°2022-1284 of October 3, 2022) have been published, what steps must companies take to comply with the new legislative provisions?

 

Key Changes Brought by the Laws of March 21, 2022

A New Definition of a Whistleblower

Following Sapin 2, which introduced and defined the concept of a whistleblower for the first time, the laws of March 21, 2022, refined the definition of the term.

Gone is the concept of a "disinterested" whistleblower, the condition requiring personal knowledge of the facts, and the limitation on the types of facts that can be reported. The new law now defines the whistleblower as a natural person who reports or discloses, without direct financial compensation and in good faith, information regarding:

  • A crime,
  • A misdemeanor,
  • A threat or harm to the public interest,
  • A violation or attempt to conceal a violation of international law, European Union law, national laws, or regulations.

The notion of acting in a "disinterested manner" in the previous definition was considered ambiguous; it has been replaced by the absence of "direct financial compensation." Additionally, in the professional context, a whistleblower is no longer required to have personal knowledge of the facts and can report facts that have been brought to their attention. However, this condition remains in a personal context. Finally, the new definition broadens the scope of facts that the whistleblower can report:

  • A threat or harm to the public interest no longer requires the concept of severity.
  • Violations no longer need to be "serious and manifest."
  • Attempts to conceal violations can also be reported.

Enhanced Protection

In addition to the evolution of the whistleblower concept, the laws of March 21, 2022, strengthen the protection of whistleblowers and third parties who report internally, externally, or disclose publicly in accordance with the law. These laws:

  • Expand the list of prohibited retaliations in the professional setting,
  • Relieve the whistleblower of criminal responsibility if they remove, divert, or conceal internal documents that they accessed lawfully. This measure also applies to accomplices of the offenses,
  • Protect the whistleblower from civil liability for any damages that may result from their good faith report,
  • Modify the regime of civil fines for anyone (individual or corporate) who acts dilatorily or abusively against a whistleblower, with civil fines now reaching up to €60,000 (up from €30,000 previously),
  • Include whistleblowers in the list of discrimination grounds, with penalties of up to 3 years in prison and €45,000 in fines,
  • Allow the judge to grant a provision for legal fees to a whistleblower contesting retaliatory actions or undergoing a gag order procedure.

Moreover, the Waserman Law now protects certain individuals close to the whistleblower (family members, colleagues), as well as facilitators. These facilitators are defined as any private or non-profit entity offering assistance to the whistleblower in making their report.

The organic law, adopted alongside the main law, strengthens and clarifies the role of the Defender of Rights in handling reports, particularly to guide, inform, and advise the whistleblower, as well as defend them.

The End of Cascade Reporting

Another major change from the Waserman Law is the end of cascade reporting. Whistleblowers are no longer required to use internal reporting channels before resorting to external ones. Whistleblowers can now, at their discretion:

  • Make an internal report if they believe it can effectively address the violation and there is no risk of retaliation,
  • Make an external report regardless of whether they have already made an internal report,
  • Disclose publicly, under certain conditions.

Lastly, the Waserman Law formalizes the obligation for companies with more than 50 employees to have an internal reporting procedure. This procedure has been further detailed in the implementing decree of October 3, 2022.

 

Clarifications from the October 3, 2022 Decree

Procedure for Collecting and Handling Reports

The October 3, 2022 decree provides practical clarifications on the implementation of the law, primarily concerning internal and external reporting procedures.

The first chapter defines the scope of the internal reporting procedure:

  • The reporting channel must allow whistleblowers to make their reports either orally or in writing,
  • If the report is oral, it must be accurately recorded via audio, transcription, or a written report. The whistleblower must be able to verify, amend, and approve the transcription of their report,
  • The whistleblower must be able to submit any evidence, regardless of form, to support their report,
  • The whistleblower must be informed in writing that their report has been received, within 7 days of its receipt,
  • Upon request, a physical or video conference meeting may be arranged within 20 working days after the request,
  • The procedure may (except in the case of an anonymous report) require the whistleblower to provide proof that they belong to one of the categories covered by the law,
  • Externalizing the management of reports to a third party is allowed, as long as the third party complies with all applicable obligations.

Once the report is received, the procedure for handling the report is defined in Article 4-1 of the decree:

  • If the report is deemed admissible, the organization may request additional information from the whistleblower to assess the accuracy of the facts reported,
  • If the allegations are substantiated, the entity must take the necessary steps to address the reported issue,
  • The whistleblower must be informed in writing within a reasonable period (less than 3 months from the acknowledgment of receipt) of the measures taken or planned to address the issue and the reasons behind them,
  • If the allegations are found to be false or unfounded, or if the report is no longer relevant, the report can be closed, and the whistleblower must be informed in writing of the closure.

The decree also requires that the internal reporting procedure be made publicly available through appropriate means (notifications, postings, publications, etc.), as well as clear and accessible information about external reporting procedures.

These clarifications on the implementation of internal reporting procedures help companies ensure compliance.

The 250-Employee Threshold and Its Impact on Corporate Groups

The Waserman Law gives companies with fewer than 250 employees, as well as corporate groups, the option to share their reporting procedures. The implementing decree clarifies the terms for this shared reporting procedure.

For companies with fewer than 250 employees, the shared procedure can only occur after a consensus decision from the competent bodies of the entities. Furthermore, the 250-employee threshold is assessed based on the closure of two consecutive fiscal years. The goal of this shared procedure is to pool resources for receiving reports and verifying the facts. However, entities sharing resources must ensure compliance with the GDPR. Entities must also ensure that shared procedures do not interfere with other obligations, such as remediation, confidentiality, integrity, publicity, etc.

For corporate groups, the Sapin 2 Law had already stated that the reporting procedure could be common to several or all the companies in the group. The decree sets out the specifics for sharing reporting procedures within a corporate group. It is now possible for groups to:

  • Delegate the reception of alerts to a third party (e.g., the parent company),
  • Delegate both the reception and handling of alerts for companies with fewer than 250 employees.

Additionally, when an entity in a group believes the report concerns facts that occurred or are likely to occur within another group entity, it may invite the whistleblower to submit the report directly to that entity. If the entity believes the report would be more effectively handled by this other entity, it may invite the whistleblower to withdraw the report from its own entity.

 

How to Ensure My Company Complies with Whistleblower Protection Regulations?

To comply with the new regulations, several steps must be taken:

Update Your Procedures: First, ensure that your reporting procedure is up to date, or create one if it was not already in place. This requires selecting an appropriate system, reviewing or drafting an alert procedure, deciding whether to create a group-wide procedure, and raising awareness among your teams about the issue.

Ensure Compliance with GDPR: The new or updated alert system must comply with the General Data Protection Regulation (GDPR), particularly regarding the handling of information about the people involved (including facilitators and third parties). A Data Protection Impact Assessment (DPIA) may be conducted to ensure that the reporting procedure complies with current regulations. Also, if the procedure is outsourced, an agreement concerning data protection must be established with the third party.

Deploy the Procedure: After creating or updating the procedure, ensure it is officially deployed. This involves giving the procedure the status of internal regulations by informing and consulting the CSE (Social and Economic Committee), obtaining the Labor Inspectorate’s opinion, and filing it with the Labor Court registry. Additionally, consider displaying the procedure and ensuring a follow-up process to guarantee that whistleblower protection is effectively implemented.

RSM supports you in implementing your personalized procedure for the collection and handling of reports, ensuring its compliance with the numerous regulatory obligations.
