Photo of Stéphanie Faber

Stéphanie Faber

In December 2016, the “Sapin II” law introduced comprehensive mandatory whistleblowing schemes (amongst other things) for certain private and public sector organizations in France. This law became effective in 2018 and was amended in 2022 to transpose the “EU Whistleblower Directive.” The legal changes came into effect on 1 September 2022, and the implementation decree of 3 October 2022 took effect on 5 October 2022.


On 21 March 2022, France enacted a law (the Law) “aiming to improve the protection of whistleblowers” by making numerous amendments to the Sapin II law, as well as to the labor code, the public service code, the criminal code and other laws.

Consistent with the previous version of the Sapin II law, the new Law is not restricted to breaches of EU law, as provided for in the EU Whistleblower Directive, but extends to breaches of French law or a “threat or prejudice to the general interest.” The Sapin II law also separately provides for reporting on breaches to the company’s anti-corruption code of conduct.

The Law does not apply in cases where French or EU law establishes specific reporting regulations (notably as set out under Part II of the Annex to the EU Whistleblower Directive, covering EU law in the fields of financial services, AML-CFT, transport and environment).

Moreover, transposing the EU Directive, the new Law expands the types of information falling outside its scope to include information protected by the secrecy of judicial deliberations and judicial investigations, in addition to information protected by national defense secrecy, medical secrecy, and lawyers’ professional secrecy.

Continue Reading France Updates its Whistleblower Protection to Transpose the EU Whistleblower Directive

Since October 1, 2022, new obligations relating to the warranties of conformity and of hidden defects, as well as new warranties for digital content and services, have come into force and require the update of the consumer Terms and Conditions.


The changes were made by the decree n°2022-946 of June 29, 2022, “relating to the statutory warranty of conformity for goods, digital content and digital services,” which came into effect on October 1, 2022.

This decree revises and completes the regulatory provisions of the French consumer code following the reform carried out by Ordinance No. 2021-1247 of September 29, 2021, which transposed European Directives (EU) 2019/770 “on certain aspects concerning contracts for the supply of digital content and digital services” and (EU) 2019/771 “on certain aspects concerning contracts for the sale of goods.”

The objective of these texts is to modernize the statutory warranty of conformity and consumer contracts to strengthen consumer protection and create a statutory warranty for the provision of digital content or digital services.

Continue Reading Have You Updated Your French B2C T&Cs Yet?

On October 20, 2022, the French data protection authority (the CNIL) announced a €20 million fine against Clearview AI Inc. (Clearview) for its processing of facial images of individuals residing in France. This is the fourth fine Clearview has received (so far) in Europe. It wraps up the investigation dating back to 2020, when the CNIL started the procedure based on multiple complaints from individuals and activist groups.
Continue Reading When AI-powered Tools Bring (EU) Privacy Troubles – Biometric Templates Identify First

After the first use of cloud-based services by the public sector, second topic of EDPB’s coordinated enforcement action, will concern the designation and position of the data protection officer.

In a coordinated action, the EDPB prioritizes a certain topic for data protection authorities (DPAs) to work on at the national level. The results

The French data protection authority, the CNIL, has published its annual report for 2021 (in French)  which contains some useful information and figures notably on complaints, investigations and sanctions as well as standards of references issued by the CNIL in relation to specific processing activities.

  1. Complaints, Investigations and Sanctions


In 2021, the CNIL received

By amending the “Sapin II” law, France has become the fourth EU country to transpose the EU Whistleblower Directive as of 21 March 2022, following Denmark, Sweden and Portugal.

Sapin II introduced, in December 2016, mandatory whistleblowing schemes (amongst other things) for certain private and public sector organisations.


On 21 March 2022, France enacted

The UK’s Competition and Markets Authority (“CMA”), Information Commissioner’s Office (“ICO”) and Google have agreed legally binding commitments from Google on the development of its Privacy Sandbox proposals.

These proposals relate to the removal of third-party cookies – to be phased out by 2023 – in the Chrome browser and Chromium browser engine, which will

On February 15, 2022, the European Data Protection Board (“EDPB”) issued a press release announcing the launch of its first coordinated enforcement action, under the Coordinated Enforcement Framework (“CEF”) established in 2020 (see section 3 below). The initiative will focus on the use of Cloud based services by the public sector and will involve 22

The French data protection authority, the CNIL, has undertaken a long-term campaign to ensure the effectiveness of such its cookie rules under the moto: “refusing cookies should be as easy as accepting them”.

Its investigation and enforcement program started in October 2020, first based on the old 2013 version of the cookies rules