In December 2016, the “Sapin II” law introduced comprehensive mandatory whistleblowing schemes (amongst other things) for certain private and public sector organizations in France. This law became effective in 2018 and was amended in 2022 to transpose the “EU Whistleblower Directive.” The legal changes came into effect on 1 September 2022, and the implementation decree of 3 October 2022 took effect on 5 October 2022.


On 21 March 2022, France enacted a law (the Law) “aiming to improve the protection of whistleblowers” by making numerous amendments to the Sapin II law, as well as to the labor code, the public service code, the criminal code and other laws.

Consistent with the previous version of the Sapin II law, the new Law is not restricted to breaches of EU law, as provided for in the EU Whistleblower Directive, but extends to breaches of French law or a “threat or prejudice to the general interest.” The Sapin II law also separately provides for reporting on breaches to the company’s anti-corruption code of conduct.

The Law does not apply in cases where French or EU law establishes specific reporting regulations (notably as set out under Part II of the Annex to the EU Whistleblower Directive, covering EU law in the fields of financial services, AML-CFT, transport and environment).

Moreover, transposing the EU Directive, the new Law expands the types of information falling outside its scope to include information protected by the secrecy of judicial deliberations and judicial investigations, in addition to information protected by national defense secrecy, medical secrecy, and lawyers’ professional secrecy.

Continue Reading France Updates its Whistleblower Protection to Transpose the EU Whistleblower Directive

In case you missed it, below are recent posts from Consumer Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Our Team Joined the Discussion on the Stage of the Global Data Protection Congress 2022 | Consumer Privacy World

More than 10 Squire Patton Boggs European Data Privacy, Cybersecurity and Digital lawyers attended last week’s Brussels Data Protection Congress.

At the congress, Counsel Diletta De Cicco participated in a panel with journalists Luca Bertuzzi from Euractiv and Vincent Manancourt from POLITICO. They explored the topic: Is the Press the (Best) GDPR Enforcer? The discussion

Since October 1, 2022, new obligations relating to the warranties of conformity and of hidden defects, as well as new warranties for digital content and services, have come into force and require the update of the consumer Terms and Conditions.


The changes were made by the decree n°2022-946 of June 29, 2022, “relating to the statutory warranty of conformity for goods, digital content and digital services,” which came into effect on October 1, 2022.

This decree revises and completes the regulatory provisions of the French consumer code following the reform carried out by Ordinance No. 2021-1247 of September 29, 2021, which transposed European Directives (EU) 2019/770 “on certain aspects concerning contracts for the supply of digital content and digital services” and (EU) 2019/771 “on certain aspects concerning contracts for the sale of goods.”

The objective of these texts is to modernize the statutory warranty of conformity and consumer contracts to strengthen consumer protection and create a statutory warranty for the provision of digital content or digital services.

Continue Reading Have You Updated Your French B2C T&Cs Yet?

The discussions on the metaverse are heating up, with partner Charles Helleputte speaking at two specialist conferences in the coming week.

At the Abilways conference in Brussels on 28 November, titled Digital finance and transformation of banks, he will discuss the use of new technologies in the financial sector and examines challenges,

The Cybersecurity Law Report recently featured a guest article from CPW’s Diletta De Cicco and Charles Helleputte. The article sorts out the key aspects of the latest EU FAQs, offers interpretation insights around some more ambiguous provisions, and provides practical thoughts in areas where the FAQs are silent. Check out the full article (subscription

Burn After Reading is a black comedy spy movie by the Coen brothers. It could also be an extreme encapsulation of the core of data retention rules applicable to communications providers: data should only be kept for as long as:

  • There is an administrative need to keep it to carry out your business or support functions (e.g. billing); or
  • It is required to demonstrate compliance for audit purposes or for legislative requirements (e.g. in case of an order to intercept communications for law enforcement).

Continue Reading Burn After Reading… Data Retention Compliance

On October 20, 2022, the French data protection authority (the CNIL) announced a €20 million fine against Clearview AI Inc. (Clearview) for its processing of facial images of individuals residing in France. This is the fourth fine Clearview has received (so far) in Europe. It wraps up the investigation dating back to 2020, when the CNIL started the procedure based on multiple complaints from individuals and activist groups.
Continue Reading When AI-powered Tools Bring (EU) Privacy Troubles – Biometric Templates Identify First

Last week, CPW’s Alan Friel and David Naylor were joined by Squire Patton Boggs employment and immigration lawyers Gregory Wald, Michael Kelly and Annabel Mace for timely webinar in connection with the British American Business Counsel. A recording of the webinar is now available at this link.
Continue Reading Online Webinar Now Available: Navigating Cross-border Challenges Relating to HR Data Protection and Employee Right-to-Work Compliance

In case you missed it, below are recent posts from Consumer Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Profiling and Automated Decision-Making: How to Prepare in the Absence of Draft CPRA Regulations | Consumer Privacy World