Paris Litigation Gazette Issue 4

Contents

• Competition distribution
  • “Super Bock" ruling by the Court of Justice
• IP/IT/Data
  • Targeted advertising and GDPR
  • Minors’ online protection from pornographic content
• Commercial litigation
  • DGCCRF survey calls for vigilance of credit institutions regarding compliance with borrower's insurance rules
  • The Corporate Sustainability Due Diligence regime about to be aligned at the European level?
• Labor law
  • Evidence derived from the intervention of a “mystery client” is lawful as long as the employee has been informed of this scheme
  • Paid leave: bringing French law compliant with European law
• White collar
  • Delegations of powers: under what conditions are they really useful for criminal liability?
• Compliance
  • Whistleblowing and GDPR: what are the best practices?

“Super Bock" ruling by the Court of Justice

price maintenance does not necessarily constitute a restriction of competition by object

In an important judgment handed down on 29 June 2023 (Case C-211/22), the Court of Justice of the European Union (the "CJEU") ruled that a vertical agreement to fix minimum prices does not necessarily constitute a restriction by object. This decision runs counter to the position of the French Competition Authority (the "FCA") in this area, which systematically qualifies this type of practice as such, without analysing its harmful effect on competition in concreto. Although it is unlikely that the FCA will radically change its particularly severe assessment of resale price maintenance practices, it will nevertheless have to take into account the CJEU position and give more justifications for its condemnation decisions.

Is a price-fixing practice, by its very nature, an infringement "by object"?

Super Bock, a producer of alcoholic and non-alcoholic beverages, active in particular in Portugal, sent a monthly list of minimum resale prices to its distributors and monitored their effective application, if necessary by threatening reprisals, so that the minimum prices were generally respected.

In 2019, the Portuguese competition authority imposed a fine of €24 million on Super Bock, qualifying the sanctioned practice as a restriction by object within the meaning of Article 101 of the Treaty on the Functioning of the European Union (the "TFEU"). Super Bock contested this qualification.

On hearing an appeal against this decision, the Lisbon Court of Appeal decided to stay the proceedings and referred the following question to the CJEU: "Is the vertical fixing of minimum prices in itself an infringement by object which does not require a prior assessment of whether the agreement is sufficiently harmful?”

Whether a resale price maintenance practice is an infringement "by object" depends on the circumstances of the case

In an instructive judgment, the CJEU first recalls that, in order to fall within the scope of Article 101 TFEU, an agreement must have "the object or effect" of preventing, restricting or distorting competition in the internal market, so that where the anti-competitive object of an agreement is established, there is no need to investigate its effects on competition.

It then points out that :

• The essential legal criterion for determining whether a horizontal or vertical agreement contains a “restriction of competition by object” is the finding that such an agreement is in itself sufficiently harmful to competition.
• The concept of "restriction by object" is not the same as "hardcore restriction". The fact that the resale price maintenance is classified as a hardcore restriction by the Vertical Block Exemption Regulation does not, therefore, in itself mean that it also constitutes a restriction by object.

Finally, and this is the main contribution of the judgment, the CJEU ruled that a vertical agreement to fix minimum resale prices does not necessarily constitute a restriction by object, which can only be inferred from an analysis of "the content of its provisions, the objectives it seeks to achieve and all the factors characterising the economic and legal context in which it operates".

In other words, a competition authority can only reach the conclusion that a price-fixing vertical practice constitutes a restriction by object - and therefore not review its effects - by analysing the specific circumstances of the agreement in question.

It should be noted that this solution is consistent with the new Guidelines on Vertical Restraints of 30 June 2022, which state that, in certain circumstances, "resale price maintenance may also generate efficiencies" (for example, when launching a new product or organising a short-term coordinated low-price campaign).

The potential impact of the Super Bock ruling on the FCA’s practice

The CJEU's decision imposes on competition authorities a higher standard of proof of the “by object” nature of a resale price maintenance practice than that applied by the FCA, which considers that the vertical fixing of minimum prices constitutes, in itself, a restriction by object (see, for example, Decision 20-D-20 of 3 December 2020).

From now on, therefore, the FCA will have to examine in concreto the harmfulness for competition of the price-fixing practices referred to it and give more reasons for its decisions.

While this expected change is likely to be more favorable to companies, allowing them to usefully assert specific circumstances, it is not certain that it will lead to radically different solutions.

Indeed, the CJEU indicated that the fact that a vertical agreement to fix minimum resale prices is likely to fall within the category of "hardcore restrictions", constitutes an indication of the harmfulness to competition of this type of agreement. This would necessarily makes it difficult to prove that this type of practice is not harmful. In this respect, it should be noted that, on 21 September 2023, the Lisbon Court of Appeal upheld in full the penalty imposed on Super Bock by the Portuguese competition authority.

Targeted advertising and GDPR - CNIL, 15 June 2023

On June 15^th, 2023, the Commission Nationale Informatique et Libertés (CNIL) imposed a fine of 40 million euros on a company specializing in online advertising due to the following breaches of the GDPR, found during its control missions:

Failure to demonstrate that the data subjects have given their consent (Article 7.1 of the GDPR)

As part of its online advertising activity, the company collects users' browsing data via cookies placed on their terminals when they visit partner websites. The purpose of this collection is to determine their browsing habits and offer them personalized advertising.

However, Article 5(3) of Directive 2002/58/EC, amended in 2009 and transposed in France by law no. 78-17 of January 6, 1978 (Loi Informatique et Libertés) in its article 82, requires the user’s prior consent before the storage of information on their terminal unless this action is strictly necessary for the provision of an online communication service expressly requested by the user, or has the exclusive purpose of enabling or facilitating communication by electronic means.

The consent provided for by these provisions must meet the conditions laid down in articles 4 and 7 of the GDPR according to which it must be: free, specific, informed, unambiguous and the user must be able to withdraw it, at any time, with the same simplicity as he granted it.

In this case, it was found that the tracer was deposited by several of the company's partners on users' terminals without their consent. In fact, the contracts signed with the company's partners did not include clauses requiring them to provide proof of users' consent.

Failure to provide information and transparency (Articles 12 and 13 of the GDPR)

The company's privacy policy did not comply with the requirements of the GDPR. On the one hand, it did not mention all the purposes pursued by the processing and, on the other hand, some of the purposes were formulated in vague terms that did not enable the user to understand precisely what personal data was being used and for what purposes.

Failure to respect access rights (Article 15.1 of the GDPR)

As part of the exercise of the right of access, the company transmitted to the applicant, in the form of tables, some of the data contained in its database. This was done without providing sufficient information to enable the applicant to understand the sent data.

Failure to respect the right to withdraw consent and right to erasure (Articles 7.3 and 17.1 of the GDPR)

When an individual exercised their right to withdraw consent or erase their personal data, the process implemented by the company only had the effect of stopping the display of personalized advertisements to the user.

However, the company did not delete the identifier assigned to the person, nor did it erase the browsing events linked to this identifier.

Failure to provide for an agreement between joint data controllers (Article 26 of the GDPR)

The agreement entered into by the company with its partners did not specify some of the obligations of data controllers in relation to requirements contained in the GDPR, such as the exercise by data subjects of their rights, the obligation to notify a data breach to the supervisory authority and data subjects or, if necessary, the performance of an impact assessment under Article 35 of the GDPR.

In fine, and in order to pronounce this penalty, the CNIL took into account several criteria to assess its amount.

Firstly, it noted that the processing in question concerned a very large number of people (approximately 370 million identifiers across the European Union) and that, even though the company did not have the names of the Internet users, the CNIL considered that the data was sufficiently precise to enable them to be re-identified.

Secondly, the CNIL noted that the company's business model was based exclusively on its ability to collect and process data in order to offer users targeted advertising.

The last criterion taken into account, and which enabled the company to unduly increase its financial income, is the fact of processing people's data without proof of their valid consent.

Minors’ online protection from pornographic content

a request to block five pornographic websites that were allegedly negligent in their control of access by minors.

Indeed, the ARCOM considered that said websites had violated the provisions of article 23 of law no. 2020-936 of July 30, 2020 aimed at protecting victims of domestic violence.

This article stipulates that, when a person whose activity is to edit an online public communication service enables minors to access pornographic content, the president of the Conseil supérieur de l'audiovisuel (now ARCOM) sends a formal notice to the person in question, enjoining him or her to take any measures likely to prevent minors from accessing the offending content. In the event of non-compliance, the President of the ARCOM may refer the matter to the President of the Paris Court (tribunal judiciaire), with a view to ordering the suspension of access to the service.

It shall be noted, however, that the implementation of these new provisions has been hampered by a number of obstacles. The first delay was caused by the failure to notify the European Commission of the decree implementing the law. Then, in May 2022, the judicial court ruled that the summonses issued by ARCOM had lapsed, due to the failure to send copies on time. In addition, a mediation process that began in September 2022 was unsuccessful. Lastly, a first stay of proceedings was pronounced after a priority constitutionality issue was rejected by the Court of cassation.

On July 7, 2023, the summary proceedings department of the civil emergency section of the Paris Court once again issued a stay of proceedings on the appeal to annul decree no. 2021-1306 of October 7, 2021 on the implementation of measures to protect minors against access to sites broadcasting pornographic content.

Two appeals against the legality of this decree have been lodged with the Conseil d'Etat (the highest Court of the administrative order in France) by the publishers of the disputed sites. They point to the absence of any details on the technical procedures for identifying age verification solutions.

On the same day as the stay of proceedings was pronounced, the ARCOM issued a press release in which it stated that it had taken note of the court's decision and emphasized that there was a consensus on the need to act quickly to protect minors from pornographic content.

The case therefore remains on hold pending the decision of the Conseil d’Etat.

This specific case of adult sites nevertheless serves as a reminder of the difficulty of controlling the online age verification of platforms. The technical solutions remain unknown, making it difficult for operators to implement measures that balance the need to verify the age of Internet users against the risks associated with invasion of privacy.

A new constraint is thus introduced by Article 4 of Law no. 2023-566 of July 7, 2023 aimed at establishing a digital majority and combating online hate. This article states that social network providers on French territory are obliged to refuse registration to their services to minors under the age of fifteen, unless authorized by one of the holders of parental authority. A decree will specify the date on which this new law comes into force.

It is, however, relevant to note that one of the objectives of the bill introduced on June 27, 2023 and aimed at securing and regulating the digital space is to strengthen the ARCOM's sanctioning powers. According to the bill, the authority's agents would be able to directly observe infringements committed by pornographic sites and issue official reports. The ARCOM would then have the power to issue injunctions directly against the site publisher and, if this fails, against Internet service providers and search engines. This new provision would enable the ARCOM to take coercive measures without going to court.

September 19, 2023 marks the start of the National Assembly's committee examination of this bill.

The legal route taken by children's associations also appears to be a slippery slope.

As a reminder, in August 2021, the associations E-enfance and La voix de l'enfant applied to the interim relief judge of the Paris Court for an order requiring Internet service providers (ISPs) to take urgent technical measures to prohibit access to pornographic sites that were not complying with their obligations.

In a ruling handed down in October 2021, the interim relief judge ruled that there were no grounds for an interim injunction on the grounds that the provisions of article 6.I.8) of the French law "loi pour la confiance dans l’économie numérique" required applicants for a blocking order to establish that it was impossible to act effectively and quickly against the host, the publisher or the author of the disputed content before taking action against the ISPs, which the associations had failed to do in this case.

This rejection of the child protection associations' claims was confirmed by the Paris Court of Appeal on 19 May 2022 on the same basis (Paris Court of Appeal, Pôle 1, chamber 2, no. 21/18159).

However, this position was recently called into question by the Court of Cassation in a ruling dated 18 October 2023 (Decision no. 22-18.926), which overturned this ruling, stating that article 6.I.8) of the French law on confidence in the digital economy does not create a hierarchy between legal action taken against the host of pornographic websites and legal action taken against the ISP.

As a result of this ruling by the French Supreme Court, a child protection association can ask the courts to force ISPs to block a pornographic site without being required to first bring an action against the publisher of the content or its host.

In conclusion, while the procedures aimed at forcing pornographic sites to control the age of their users and prohibit access by the youngest among them appear to be long and perilous, it would appear that the noose is tightening on these publishers, whether on a civil, administrative or legislative level.

DGCCRF survey calls for vigilance of credit institutions regarding compliance with borrower's insurance rules

With the aim of improving the protection of consumers who have taken out a home loan, the Direction Générale de la Concurrence, de la Consommation et de la Répression des Fraudes (DGCCRF) has conducted a survey of 144 credit institutions in 2021 and 2022 to assess compliance with the rules governing home loans and borrower's insurance.

Results of the survey on mortgages

For the record, in accordance with the power conferred by paragraph 5 of Article L.631-2-1 of the Monetary and Financial Code, on September 29, 2021 the Haut Conseil de Stabilité Financière issued a decision on the conditions for granting home loans (decision D-HCSF-2021-7) applicable from January 1, 2022. Under the terms of this decision, credit institutions are required to comply with two criteria when granting home loans:

• the borrower's affordability ratio must not exceed 35% ;
• the maturity of the loan must not exceed 25 years (with a tolerance of 2 years of deferred repayment in cases where the start of enjoyment of the property is delayed in relation to the granting of the loan).

Under the terms of a decision dated June 29, 2023, lending institutions may derogate from these criteria for a flexibility margin of up to 20% of new home loan production granted each calendar quarter.

The application of the rules governing the granting of mortgages was monitored by the DGCCRF. The results of the investigation show that the rules governing the granting of credit are generally well respected. This is also the case for the provision of standardised information sheets (FSI) prior to the signature of the credit offer. The investigation confirms that the FSAs were present in the files inspected.

On the other hand, the DGCCRF was able to identify the presence of unfair terms in some of the credit agreements inspected, particularly regarding the lender's right to cancel the loan. Indeed, the Commission des clauses abusives had recommended the elimination from home loan contracts of clauses whose purpose or effect "is to lead to the belief that the lender may declare the forfeiture of the term in the event of non-compliance with any obligation or in the event of a false or inaccurate statement relating to a request for information not essential to the conclusion of the contract, and without the consumer being able to have recourse to the judge to contest the validity of this forfeiture" (Recommendation no. 2004-3 issued by the Commission des clauses abusives relating to home loan contracts).

Furthermore, the DGCCRF has been monitoring credit renegotiations, which appear to be properly formalized by the credit institutions inspected, who systematically issue an amendment including the repayment schedule, the Total Effective Rate (TEG) and the cost of credit. Similarly, in the case of credit repurchases, the DGCCRF found that the new loan offer complied with the provisions of consumer law. However, the investigation revealed that credit institutions are not proactive in this area, and are simply responding to customer requests.

Finally, the DGCCRF noted that some borrowers were required to domicile their income in their establishment in return for renegotiating their loan. However, such an obligation should only be considered abusive when it does not include any consideration for the borrower (Recommendation no. 2004-3 issued by the Commission des clauses abusives relating to real estate loan contracts).

Results of the loan insurance survey

The DGCCRF survey shows that borrowers are generally well informed about the possibility of changing their loan insurance. According to the DGCCRF, a good practice in this area is to provide customers with a supplementary information document, as one of the credit institutions inspected did, on how to take out alternative loan insurance. This document identifies three situations: taking out insurance when the loan is taken out, taking out insurance during the first year of the contract, and changing insurance after the first year of the loan. However, the DGCCRF calls on credit institutions to be vigilant when it comes to borrowers' access to the list of documents required to change loan insurance: it must be easily accessible, exhaustive and must not complicate the operation.

According to the DGCCRF, too many credit institutions fail to meet the legal deadline of 10 working days for responding to requests to change loan insurance. Similarly, the DGCCRF has noted that the time between the letter accepting the request for insurance substitution and the letter containing the rider to the mortgage loan is too lengthy. As recommended by the Autorité de contrôle prudentiel et de résolution (ACPR), these two documents should be issued at the same time, to avoid the risk of the borrower paying two insurance fees.

The DGCCRF's investigation will enable credit institutions to identify areas for improvement, particularly in the field of loan insurance, which, in the event of an inspection, will avoid the need for a warning or compliance order.

The Corporate Sustainability Due Diligence regime about to be aligned at the European level?

The "French-style" corporate duty of care could soon evolve into a European obligation. On June 1, 2023, the European Parliament adopted its position on the proposed directive on corporate sustainability due diligence (CSDD) published on February 23, 2022 (see our previous Gazette).

On June 28, 2023, the French National Assembly published an information report submitted by the European Affairs Committee on corporate sustainability due diligence.

According to the report, the proposed CSDD directive completes the European regulatory puzzle and generalizes the principle of a Europe-wide corporate duty of care.

The report refers to the two orders rendered on February 28, 2023 by the Paris Judicial Court, noting that the court emphasized the absence of an independent supervisory body (the proposed CSDD directive plans to remedy), as well as the absence of any reference to guiding principles or pre-established international standards (the proposed CSDD directive proposed to list numerous international conventions in its annexes to ensure greater effectiveness).

The main subjects under negotiation in the trialogues between the representatives of the European institutions are then identified:

• The turnover and employee thresholds for companies in scope, and whether or not, as the Council proposed, there will be an initial restriction for the first three years of the Directive’s operation to only apply to companies with more than 1,000 employees and more than EUR300 million global net turnover.

The Commission proposed that CSDD will apply to companies in the EU with over 500 employees and global net turnover over EUR150 million; companies in the EU with over 250 employees and global net turnover over EUR40 million, provided that 50 percent of turnover was generated in high impact sectors, eg, textiles, agriculture, forestry, and extraction of minerals; and non-EU companies doing business in the EU with a turnover of the aforementioned thresholds. Based on these thresholds, it is expected that the Directive could directly impact approximately 13,000 EU companies and 4,000 non-EU companies ;

• The applicability of the CSDD Directive to financial actors, and whether this should be within the discretion of member states, or whether the Directive will include all financial service companies that meet the turnover and employee thresholds ;
• The scope of directors’ duties regarding due diligence, and whether due diligence responsibilities should extend to a “business relationship” or “business partner,” and how these terms are defined ;
• The liability for civil damages, and whether this should be dependent on proof of fault in the form of intent or negligence.
• The extent of sanctions for non-compliance : under the Commission’s Proposals, member states would designate supervisory authorities which would determine enforcement sanctions. The Parliament proposes that the upper limit for monetary sanctions should not be less than 5 percent of global turnover of the relevant concern in the financial year preceding the decision to impose such a sanction. It also proposes that third country undertakings may be excluded from public procurement processes if they fail to comply with the Directive ;
• The interaction of the Directive with existing legislation adopted in a number of member states, in particular in France and Germany.

Finally, the report makes the following recommendations:

• Support the European Parliament's ambitious position of extending the scope of application to companies with 250 or more employees, and to ultimate parent companies;
• Ensure that the annex to the future directive is regularly updated, so as to be able to incorporate new conventions and maintain a sufficiently open definition of the rights to be protected;
• Advocate, along the lines of the European Parliament's proposal, for sufficiently broad conditions for the civil liability of companies;
• Support the European Parliament's position that due diligence obligations should extend beyond supply chains to all "entities involved" in the sale, distribution or supply of products and services;
• Reintroduce provisions relating to the responsibility of directors for the implementation and supervision of due diligence in the final text of the "CSDD" directive;
• Ensure that the conditions for exempting companies from civil liability are strictly controlled, to avoid any "audit of convenience" phenomenon.

Trialogue negotiations began in June 2023 under the Swedish Council Presidency and have been ongoing since July 2023 under the Spanish Council Presidency. The three EU institutions hope to reach agreement on the final text by the end of 2023 at the latest.

Evidence derived from the intervention of a “mystery client” is lawful as long as the employee has been informed of this scheme

Cass. Soc., September 6, 2023, n° 22-13.783

In this case submitted to the French Supreme Court, an employee employed as a cashier in a restaurant chain was dismissed for misconduct after his employer observed, through the intervention of a “mystery client”, that the employee was not complying with cash-in procedures.

The company had appointed a service provider to carry out mystery-client checks in its restaurants. At the end of an intervention during which the employee was at the cash desk, the mystery client indicated that he had not received a receipt, which was contrary to the company's cash-in procedures and had led to a cask desk error.

Challenging the validity of his dismissal, the employee accused his employer of having used a ploy to trap him and of not having informed him before the implementation of this assessment method, invoking article L. 1222-3 of the French Labour Code, which provides that “The employee is expressly informed, prior to their implementation, of the professional assessment methods and techniques implemented with regard to him/her. The results obtained are confidential. Employee assessment methods and techniques must be relevant to the intended purpose”.

After noting that the facts had been established based on the mystery client's intervention sheet, the Court of Appeal rejected the employee's arguments, holding that he had been duly informed of the mystery client scheme beforehand, as the employer had produced:

• First, minutes of a Works Council meeting (now the Social and Economic Committee) mentioning the visits of mystery clients and how many times they had visited; and
• Secondly, an information memo to employees “for display” and explaining its operation and purpose.

The French Supreme Court upheld the decision of the Court of Appeal. As the employee had been informed in advance of the existence of the scheme, the French Supreme Court ruled that it was lawful, and that the employer was therefore entitled to use the results of the mystery client's intervention to sanction the employee:

“Having thus noted that the employee had been, in accordance with the provisions of article L. 1222-3 of the French Labour Code, expressly informed, prior to its implementation, of this professional assessment method implemented in his regard by the employer, which meant that the latter could use the results in support of a disciplinary procedure, the Court of Appeal, on these grounds alone, legally justified its decision.”

While this assessment method is often used in certain sectors (such as retail), employers should ensure that they provide the required prior information.

It should also be remembered that, to be lawful, the Social and Economic Committee must in principle be consulted in advance on the implementation of employee activity monitoring systems.

Paid leave: bringing French law compliant with European law

Cass. Soc., Septembre 13, 2023, n° 22-17.340 à 22-17.342, n°22-17.638, and n°22-10.529 et 22-11.106

In several rulings dated September 13, 2023, invoking Article 31 §2 of the EU Charter of Fundamental Rights on the right to rest, as well as Article L. 1132-1 of the French Labour Code on the prohibition of discrimination, the French Supreme Court set aside French law in favour of European law on paid leave, and now holds that an employee on sick leave continues to acquire paid leave as if he had worked during his period of sick leave.

Employees absent on sick leave due to non-occupational illness continue to acquire paid leave entitlements during their period of absence

The 1^stdecision related to employees claiming to have acquired paid leave during periods when their employment contract was suspended due to non-occupational illness.

According to the French Labour Code, these periods are not treated as actual work for the purpose of calculating paid leave entitlement, so the employee does not acquire paid leave during these periods.

On the other hand, according to the case law of the Court of Justice of the European Union (CJEU), European law makes no distinction between employees who are absent due to illness and those who are working, with regard to the acquisition of paid leave entitlement, and the right to paid leave cannot be made conditional on having actually worked.

Following the CJEU, the French Supreme Court has decided to set aside the provisions of the French Labour Code that did not comply with European law, and that employees on sick leave due to non-occupational illness were entitled to paid leave during the period of suspension of their employment contract.

In the event of an accident at work or occupational illness, paid leave is no longer limited to the first year of absence from work

In this 2^ndcase, an employee who had suffered a work-related accident had been absent on sick leave for around 1.5 years, and complained that the Court of Appeal had limited the period of paid leave entitlement to the first year of absence, as provided for in the French Labour Code.

As in the 1^stcase, the French Supreme Court found that this 1-year limit contradicted the position of the CJEU, which considers that European law makes no distinction between employees who are absent due to illness and those who are working.

Consequently, the French Supreme Court ruled that the acquisition of paid leave during sick leave due to an accident at work or occupational illness cannot be limited to 1 year. Consequently, the employee is entitled to paid leave for the entire period of suspension, even if it exceeds 1 year.

In addition to the need to set parameters of payroll softwares so that, from now on, the acquisition of paid leave is not stopped when an employee is on sick leave, these decisions are likely to generate claims for back pay for past periods of sick leave.

While the stakes are low for short-term sick leaves, the same cannot be said for employees who have been off sick for several years. The statute of limitations on salaries claims would a priori limit claims to the last 3 years, provided that the starting point of the statute of limitations has already begun to run. In the last ruling dated September 13, 2023 (n° 22-10.529 and 22-11.106), the French Supreme Court ruled that this starting point can only begin to run if the employer has put the employee in a position to effectively exercise his/her right to paid leave.

Delegations of powers: under what conditions are they really useful for criminal liability?

In its ruling of May 23, 2023 (No. 22-83.516), the Criminal Division of the French Supreme Court (Cour de Cassation) reminds us that in order for a legal entity to incur criminal liability under article 121-2 of the French Penal Code, an employee must benefit from an effective delegation of power, de jure or de facto. 

In this case, a company carried out renovation work on the premises of its branch, causing dust-related eye irritation to one of its employees. Following an investigation by the labor inspectorate and a preliminary inquiry, the company was convicted on appeal for violation of health and safety regulations.

On the basis of the labor inspector's report, the Court of Appeal considered that the employee who was in "permanent contact" with the company that had carried out the work, in order to organize it, was “an organ” of the legal entity being prosecuted within the meaning of Article 121-2 of the French Penal Code.

The question asked to the French Supreme Court was whether this mere employee could be considered as “an organ or a representative” of the legal entity and validly engage the company's criminal liability.

The Criminal Division took advantage of this decision to reiterate its case law on the issue:

• the criminal liability of a legal person can only be incurred by an organ or a representative of the legal person;
• the representative may be a simple agent if he or she has been delegated authority;
• the delegation of powers must be effective, i.e. the agent must have the necessary skills, authority and resources.

Thus, an employee may act as a representative of the legal entity within the meaning of Article 121-2 of the French Penal Code, provided that he or she has been effectively delegated powers, de jure or de facto.

In other words, a fault committed by a mere employee, who does not have delegated powers and responsibilities, cannot give rise to criminal liability on the part of the legal entity. Consequently the French Supreme Court overturned the appeal ruling.

While the position taken by the Criminal Division in its ruling of May 23, 2023 is nothing new, this decision does provide a good opportunity to reiterate the conditions for effective delegation of authority.   

First of all, it should be remembered that the delegation of powers is a legal mechanism by which the head of a company (the delegating party) entrusts one of his subordinates (the delegate employee) with part of his/her powers and the resulting criminal liability. In other words, the delegate assumes the obligations and responsibilities of the delegator within the delegated scope.

The purpose of delegating authority is to clarify the organization of a company when its operation and/or size (multiple sites, diversity of tasks, large workforce) prevents the head of the company from effectively monitoring compliance with the law and regulations. Delegation of powers therefore appears to be a sound management tool for the company, particularly with regard to the legal and administrative authorities. The Criminal Division has already ruled that the absence of delegation of powers within a structure in which the company director is no longer in a position to ensure compliance with obligations himself/herself may be considered as a fault likely to engage his/her criminal liability (Cass. Crim., Jan. 4, 1986, no. 84-94.274).

Secondly, it should be emphasized - as the Criminal Division did in its ruling of May 23, 2023 - that, to be valid, a delegation of powers must be granted to an employee of the company with the authority, means and competence required to carry out the tasks entrusted to him or her. With regard to authority in particular, it should be noted that the delegator must under no circumstances interfere with decisions taken by the delegatee. Otherwise, it is the delegator himself/herself who will be considered as the company's representative.

In practice, neither the law nor case law sets any formal requirements for the validity of a delegation of authority, and it can be proven by any means. However, a written document, distinct from the employment contract, is preferable.

In concrete terms, the delegation must be limited to specific missions, and cannot be general. Indeed, the head of the company cannot transfer all his/her prerogatives, nor his/her legal management functions. Otherwise, the delegation of powers will not produce an exonerating effect for the delegator (Cass. crim., Oct. 13, 2009, No. 09-80.857).

The delegation of powers must therefore be precise and reflect the reality of the functions delegated to the delegatee. To this end, it must describe in detail the employee's duties, scope of activity, decision-making room for maneuver, relationship with his or her superiors, and list other persons holding delegated authority over similar areas, in order to avoid any interference and limit the risk of the delegation of authority being called into question because two employees would consider themselves to have identical delegated authority.

The delegation of powers can also usefully provide for situations in which the effectiveness of the delegation could be undermined (absence of the delegatee, for example).

Finally, to ensure that these delegations are effective, they must be monitored and kept up to date. In concrete terms, this means regularly checking with the delegated employee that he or she is familiar with the tasks delegated to him or her, and that he or she feels he or she has the necessary authority, resources and power. It may be useful to document these regular meetings with the delegated employee, in order to demonstrate the validity of the delegation when necessary. In addition to these regular reviews, it is important to reconsider the delegation scheme in place in the event of company restructuring, or as soon as there is a change in management.

While the decision of the Criminal Division on May 23, 2023 is not particularly noteworthy, it is a good reminder for professionals, inviting them to question the relevance and effectiveness of any delegation of authority schemes they may have put in place.

Whistleblowing and GDPR: what are the best practices?

In the wake of the adoption of the new whistleblowing system resulting from the Waserman Act of March 21, 2022 and its implementing decree of October 3 of the same year, the CNIL (Commission nationale de l'informatique et des libertés) updated on July 6, 2023 its guidelines "relating to the processing of personal data intended for the implementation of an alert system", the previous version of which dated from July 18, 2019 .

The protection of personal data is an important issue when it comes to internal investigations, insofar as whistleblowing systems almost always involve the collection of personal data.

What are the key points of this updated standard?

A non-binding standard

As a preamble, the CNIL expressly points out that these guidelines are not binding, and companies may deviate from them. However, it immediately then stresses that it will be up to those who choose not to comply with it to justify and document that the provisions of the General Data Protection Regulation (GDPR) are being complied with. Conversely, companies that do comply with this standard will benefit from a presumption of compliance of the data processing they are likely to carry out in the context of receiving and processing business alerts.

A broad scope of application

Although updated to take account of the entry into force of the Waserman Act, the CNIL guidelines do not limit their scope to the internal alerts provided for in Articles 6 and 17 of the Sapin II Act. In fact, the standards cover all "professional alert systems" (DAP), which "receive, process and store any report made in good faith which reveals or indicates a breach of legal (whether French, European, international or foreign) or ethical rules".

Increased vigilance with regard to investigative resources in the event of an anonymous alert

In the previous version of its guidelines, the CNIL recommended that the author of the alert should not be anonymous. However, the Waserman Act has rightly enshrined the possibility for the whistleblower to remain anonymous. In practice, this means that an investigation can be carried out, and sanctions applied, while preserving the anonymity of the author of the alert.

Adjusting its position, the CNIL strongly recommends against the use of techniques enabling the author of the alert to be identified, such as cookies, trackers on the user's terminal, the collection and cross-referencing of information enabling users to be identified, such as IP addresses, etc.

The whistleblowing system must also "enable further exchanges with the person who has issued the alert, while preserving his or her anonymity".

The storage of personal data is strictly limited

In accordance with the GDPR, personal data must only be kept for the time strictly necessary to achieve the purposes pursued.

Thus, in the case of internal alerts, these data may be kept, depending on the case, (i) until a final decision has been taken on the action to be taken on the alert, or (ii) until the end of the procedure or the statute of limitations on appeals when a disciplinary or litigation procedure is initiated following the internal investigation.

However, the CNIL guidelines stipulate that anonymized data may be kept for longer than the time required for processing. The data controller may therefore store anonymized data indefinitely, but in this case must guarantee the anonymity of the data on a permanent basis.

Contractual prerequisites for outsourcing alert reception and processing channels

Companies may choose to delegate some of the operations involved in receiving and processing alerts to a third party, such as a law firm, a specialized platform or an e-mail service provider.

These service providers are then likely to receive the qualification of "controller", "processor" or "joint controller" within the meaning of the GDPR.

In such a case, the guidelines recommend first of all carrying out a "legal feasibility analysis", i.e. ensuring that in practice, service providers have sufficient resources to ensure data protection.

Once this analysis has been carried out, the CNIL recommends that the various obligations of the parties with regard to the protection of personal data be clearly set out in a contract.

In a nutshell, without being revolutionary, the update of this reference framework is a good incentive for companies to check that their internal procedures do indeed include this issue (either via a section on personal data in the internal whistleblowing policy, or via a section on the internal whistleblowing mechanism in their personal data protection policy).