Compliance in France in 2020
2019 and early 2020 proved very eventful for compliance and white-collar crime in France, especially for anti-bribery. Agencies are continuing to build on the 2016 ‘Sapin II’ law by incrementally defining anti-corruption standards and stepping up their enforcement efforts on both the administrative and judicial fronts.
- French anti-bribery compliance law is now being built by improving on the 2016 Sapin II law with the AFA’s various guidance documents and case law
- The first cases referred to the AFA’s sanctions board in 2019 and 2020 confirm that bribery-related risks are now also administrative
- Recent judicial enforcement confirms the ‘tough on white-collar crime’ strategy and the success of CJIPs in enforcement actions
- France is considering updating its 1968 ‘blocking statute’ to better supervise cross-border evidence collection
- The 2017 ‘Duty of vigilance’ law is becoming a source of liability for large companies as NGOs organise to monitor compliance with the law
- Covid-19 disruptions are expected in courts and government agencies throughout 2020 and beyond
Referenced in this article
- 9 December 2016 ‘Sapin II’ law
- 2019 AFA draft guidance on ‘gifts and invitations’ policies
- 2020 AFA guidance on anti-bribery verifications in M&A
- 2020 CNIL guidance on personal data in whistle-blowing procedures
- AFA sanctions board cases Sonepar (4 July 2019) and Imerys (7 February 2020)
- 29 January 2020 Airbus CJIP agreement
- 9 January 2020 AFA ‘National Multi-Year Plan against Corruption’
- 26 June 2019 report on extraterritorial laws and measures (the Gauvain Report)
2020 is the year of maturity for France’s investigations and white-collar crime landscape. After making great strides since the country heightened its anti-corruption standards with the 2016 Sapin II law, France and its authorities demonstrated in 2019 and early 2020 that they are now key players in the global white-collar crime and anti-bribery landscape.
In anti-bribery compliance in particular, the recently created French Anticorruption Agency (AFA) keeps building on Sapin II by providing guidance on specific topics, auditing compliance programmes and for the first time in 2019 and 2020 bringing cases in front of its sanctions board.
The judicial part of this effort also proved newsworthy this year, with the National Financial Prosecutor’s Office reaching new heights in the amounts of fines levied as part of judicial public interest agreements with corporations investigated for bribery.
While bribery and corruption occupied the centre stage of the compliance and white-collar crime landscape, some other areas of compliance law underwent substantial changes recently – many of which inspired by anti-bribery law – and are also expected to be key issues in 2020. Environmental, social and governance (ESG) issues are now a staple of French compliance law, ever since the 2017 ‘Duty of vigilance law’ mandated large corporations to create and publish a dedicated ‘vigilance plan’ and exposed corporations not complying with the law to a potentially large liability risk that may finally be tested in 2020.
Overall, and considering the foreseeable disruptions throughout 2020 caused by the covid-19 crisis that slows down the French economy and judicial system at the time of writing, we expect the French compliance landscape to continue evolving incrementally this year, with case law and guidance documents of varying legal force helping define more precisely the standards of French compliance law.
Building on the paradigm change of the Sapin II law since 2016
The 9 December 2016 law on ‘transparency, corruption and modernisation of the economy’, commonly referred to as ‘Sapin II’ after the minister in charge at the time, is France’s comprehensive anti-corruption reform and a response to laws such as the FCPA and the UK Bribery Act. The law toughened corruption sanctions, imposed stringent compliance obligations on large corporations and created the AFA.
As a reminder, since June 2017, companies incorporated in France and exceeding a certain size threshold are required to have an anti-corruption compliance programme that meets certain specifications. Under the law, presidents, directors and managers of qualifying companies may be held personally liable for failure to implement such a compliance programme.
Compliance programmes under the Sapin II law must be tailored to prevent acts of bribery and influence peddling, and must include the following measures aimed at preventing corruption:
- a code of conduct;
- an internal whistle-blowing mechanism;
- regularly updated corruption risk mapping;
- a risk assessment (‘risk mapping’) process;
- third-party due diligence procedures;
- accounting controls;
- training programmes for employees exposed to high risks of corruption and influence peddling;
- a disciplinary procedure; and
- an audit mechanism to assess the effectiveness of the compliance programme.
Based on the AFA controls and sanctions procedures to date (see below), the agency pays extremely close attention to the risk mapping process and the code of conduct. Corporations subject to the above-mentioned requirements should be aware that merely having the required measures in place is not sufficient, as the agency controls their quality and practical implementation.
This law also introduced major procedural changes for white-collar cases, with the creation of the deferred prosecution agreement (DPA) equivalent called the ‘judicial public interest agreement’ (CJIP), which gives prosecutors transactional tools to negotiate with corporate plaintiffs for a limited number of offences. These notably include:
- active public agent bribery and influence peddling offences (eg, active foreign public agent bribery);
- active and passive private bribery offences (private ‘commercial’ bribery or sports bribery); and
- tax fraud (since 2018) and tax fraud laundering.
These instruments are now a key part of the French anti-bribery enforcement effort (see below for commentary on the current doctrine and the recent Airbus case).
Anti-bribery compliance requirements: corporations now incur a real risk of administrative sanctions by the AFA
Throughout 2019, the AFA continued its audits at corporations that are mandated by article 17 of the Sapin II law to have anti-corruption compliance programmes. Carried out at the initiative of the AFA’s director or upon request of authorities or approved NGOs, the audits verify that the company has proper compliance programmes in place.
Although AFA investigators do not have the police powers required for coercive searches (unlike competition, tax or judicial police dawn raids), they can request any information or professional document useful for the audit, and conduct interviews with managers and employees. Audited corporations cannot claim professional secrecy to decline to answer questions or requests for documents, and individuals or entities may be fined in case of obstruction.
In addition, pursuant to article 40 of the French Criminal Code, the AFA can – and must – report any wrongdoing it discovers as part of its mission. This means, the agency’s audit questionnaires being extremely broad, that it frequently refers to prosecutors (either the national financial prosecutor’s office (PNF) or local prosecutors) wrongdoing it discovers. According to the latest data available, the agency referred cases five times in 2018.
In 2020, and despite the slowdown in its inspection activity because of covid-19 related issues in France, the AFA is expected to continue carrying on its mission across industries, now with a heightened level of risk for corporations as the agency has demonstrated in 2019 and 2020 its willingness to seek sanctions after audits.
Indeed, landmark events of 2019 and early 2020 were undoubtedly the two cases brought by the AFA’s director to its independent sanctions board, for their allegedly defective anti-bribery compliance programmes.
The agency’s first case was brought against Sonepar, a non-listed corporation specialised in distribution of electrical products, for five counts of non-compliance with the Sapin II law, regarding notably its allegedly defective risk mapping, code of conduct and third-party evaluation procedure. The sanctions board dismissed the AFA director’s case, noting for some charges that the corporation had taken swift and appropriate remedial actions after the AFA inspection pointed out some flaws in its programme. The decision also confirms the non-binding status of the AFA’s recommendations, but the sanctions board advises that corporations follow them or be ready to document the effectiveness of their programme if they choose a different approach.
The agency director brought his second case against Imerys, a listed industrial minerals company, on multiple counts of non-compliance with the Sapin II law. The sanctions board cleared the company of charges relating to its risk mapping, but chose for the first time to enjoin the company to adapt its code of conduct and accounting controls under penalty of a fine. The sanctions board decided it would reconvene in 2021 to assess the corporation’s progress (and, as the case may be, the need for monetary sanctions). The sanctions board noted in particular that the company’s code of conduct did not comply with the Sapin II law as it did not contain the required elements and merely redirected to a more comprehensive document that was not part of the corporation’s internal regulations.
The two cases did not reach the heights of recent judicial enforcement actions by the PNF (see below), but the amount of attention they received shows that the AFA has managed, despite not being an independent administrative agency, to establish itself as a key player in the French compliance space and as a credible threat to investigated entities.
Through these decisions, which are thoroughly motivated and sometimes refute the AFA director’s approach, the sanctions board appears willing to use its independence from the rest of the agency when needed, and to develop a body of case law that helps corporations better comply with the law.
Anti-bribery as a key part of the M&A process
The recent development this article qualifies as ‘maturity’ for the French anti-bribery environment means that, while the most important bribery laws have remained stable since the Sapin II law, the AFA and other agencies keep consolidating this base with regulatory and most importantly ‘soft law’ (ie, non legally binding) guidance tools.
A first example of the latter is the AFA’s recently issued guidance on mergers and acquisitions, which confirms the now-established (but not legally mandated) practice of assessing a target corporation’s situation vis-à-vis bribery issues, for both compliance aspects and possible identified acts of corruption.
The guide, which the agency amended to be more ‘pragmatic’ after some industry pushback on the draft version, offers some advice on the verifications to conduct at every stage:
- before signing (during the due diligence process if possible);
- between signing and closing (continuing the due diligence, with a focus on the riskier third-party relationships, accounting controls and the effectiveness of the internal whistle-blowing programme); and
- post-closing (to fully integrate the target’s compliance programme and investigate issues identified at earlier stages).
In the past year we have seen some major investors implement these verifications as a default item in their M&A due diligence process (eg, in the form of questions and document requests). Given the AFA’s efforts to provide a framework for these verifications, and although we do not yet know to what extent they may protect an investor in case an AFA audit reveals a problem, we expect that the agency will eventually consider these verifications a quasi-requirement in the long term.
Through this process, the AFA also expects that investors who identify issues or wrongdoing early on will have their target conduct an internal investigation, and eventually come forward for a DPA to avoid liability.
Towards a more precise framework for gifts and invitations policies in France
Another illustration of the AFA’s approach is its recently released draft guidance on gifts and invitations: until very recently, there was no official guidance and corporations often modelled their policies on standards applicable in other countries or used a single global policy without any local adaptation.
In our experience, this ‘copy and paste’ approach sometimes failed to account for local specificities, such as the explicit prohibition by the French Criminal Code of ‘private-to-private bribery’.
The AFA published in July 2019 a draft version of its upcoming ‘Guide on gifts and invitations policies for corporations, associations and foundations’ to help entities draft their anti-corruption policies on that matter. The definitive version, while non-binding, will serve as a useful reference tool.
In its draft, the AFA offers step-by-step guidance on the items to consider when drafting a policy (eg, whether to set fixed maximum amounts, transparency and accounting considerations, etc) alongside examples of problematic conduct a good policy should prevent.
The AFA is currently collecting industry and stakeholder feedback and will very probably issue a definitive version in 2020.
More precisions on whistle-blowing procedures and data protection
In addition to the ‘whistle-blower’ aspect of the mandatory compliance programme laid out above, the Sapin II law also introduced a new legal framework that has enhanced the status and protection of whistle-blowers in France.
This framework provides for:
- a broad definition of the whistle-blower status;
- protection against potential retaliation and discriminatory measures (such actions would be considered null and void under French labour law);
- criminal penalties for anyone who tries to prevent a whistle-blower from making a report (a year’s imprisonment and a fine of up to €15,000 for an individual or up to €75,000 for a company); and
- a three-stage reporting process that enables individuals to blow the whistle anonymously internally or, in case of inaction or imminent danger, directly to judicial, administrative or professional authorities and, as a last resort, directly to the public.
These measures were supplemented on 19 April 2017 by a decree aimed at implementing this framework, which came into force on 1 January 2018. Under this decree, all companies having at least 50 employees in France are required to set up ‘clear and confidential’ reporting procedures.
Before implementing or modifying existing whistle-blowing procedures, companies are advised to undertake a prior consultation of the relevant employees’ representative bodies (eg, works council, health and safety committees). AFA guidance of October 2017 allows these broader whistle-blowing obligations to be ‘bundled’ with the whistle-blowing part of the mandatory compliance programme at qualifying large corporations.
The French data protection agency (CNIL) officially released on 10 December 2019 additional guidance on personal data in whistle-blowing programmes, which updates its previous documents that pre-dated the 2016/679 General Data Protection Regulation (GDPR). The CNIL worked with the AFA on this topic to tailor its guidance to all whistle-blowing regimes in French law, especially for corruption matters.
We expect this framework to be supplemented soon with guidance from the AFA, as a joint AFA-CNIL guide on anti-bribery compliance and personal data protection is said to be in the works.
The next steps: the AFA’s new 2020–2022 plan against corruption
On 9 January 2020, the AFA released, as mandated by its organisational decree, a ‘National Multi-Year Plan to Fight Corruption’ for government, non-profits and businesses. Indeed, the AFA also has important missions in the public and non-profit sectors, where it trains civil servants and audits government administrations and agencies on corruption issues such as bribery, conflicts of interest and favouritism.
In addition to public sector and sports-focused initiatives (in contemplation of the 2024 Olympic Games in Paris), the AFA notably plans to:
- improve anti-corruption detection through data mining, by accessing corruption-related data from administrations and public agencies (or releasing it as open data) and developing dedicated tools; and
- further promote ‘French anti-bribery standards’ to corporations (by providing sector-specific training) and investors (to facilitate access to financing for compliant companies).
While the plan only provides broad objectives at this point, the fact it was drafted in collaboration with the Ministries of Justice and Budget and received public support from them means that actors can expect significant changes in agency processes (eg, data mining for detection of bribery) and reform attempts in the medium term.
Judicial enforcement: the Airbus case confirms the CJIPs’ success four years after their creation
The Sapin II law’s creation of the AFA and its capacity to audit and administratively sanction corporations does not mean that judicial enforcement (ie, by prosecutors, in contemplation of a trial or an agreement when available) is a lesser legal risk.
On the contrary, last year this chapter presented judicial white-collar enforcement as getting tougher for the foreseeable future, in view of the €3.7 billion fine for UBS (2018, appeal pending) after the bank refused a CJIP deal for a substantially smaller amount.
Since then, joint guidelines by the AFA and the PNF issued in June 2019 offered a noteworthy consolidation of the agencies’ doctrines on the prosecution of corruption offences. In the guidelines, the agencies cite the implementation of an effective compliance programme and cooperation of the targeted entity as key factors to reach a CJIP agreement with prosecutors. Although ‘cooperation credit’ is not presented as automatic, the agencies explicitly say that cooperation can reduce penalties. They cite self-reporting and cooperation through internal investigations (turned over to the government) as essential factors for the prosecutors not only to decide whether to allow a transactional outcome, but also to determine the sentence or fine.
Our view this year for 2020 is no different, and the record-breaking sanction in the Airbus case confirms that French prosecuting authorities and jurisdictions are now a force to be reckoned with in foreign bribery enforcement. The major event of anti-bribery compliance this year was indeed undoubtedly the much-awaited transactional resolution of the case after several years of investigation in France, the UK and the US.
The investigation involved not only governmental agencies – the French and British authorities forming a ‘joint investigation team’ – but also an extensive internal investigation conducted by the targeted company itself to cooperate with the authorities.
The agreements – DPAs in the UK and US and a CJIP in France – were discussed at length in the media for the sheer size of the fines imposed: a combined €3.6 billion in fines, including a public interest fine of more than €2 billion for the French CJIP. Some takeaways from this agreement are worth noting as part of a global view of French compliance law:
- For the French compliance and white-collar crime community, this case confirms the credibility of the PNF as a key prosecuting agency in the global white-collar enforcement space. Starting with its role in the Société Générale DPAs (2018) where it managed to include itself as an equal to the DOJ, the PNF’s willingness to work on transactional agreements allows France to assert its role in French-centric cases where US extraterritorial jurisdiction would have gone unchallenged in the past.
- It also evidences the success of the CJIP. Introduced in 2016 by the Sapin II law as a DPA equivalent, the CJIP gives prosecutors transactional tools to negotiate with corporate defendants for a limited number of offences. The tool was once frowned upon by the French legal world, which has traditionally been reticent to transactions in criminal law, but they are now widely accepted and have proved essential to the resolution of many high-profile cases each year since the Sapin II law was adopted, especially when they involve international cooperation. Including Airbus, CJIPs have allowed France to levy more than €3 billion in fines since 2017.
- The case also highlights the benefits of cooperation efforts by corporations charged with corruption-related wrongdoing. By conducting an internal investigation of a scale rarely seen in Europe, the company displayed a cooperation that was taken into account as a mitigating factor even though it did not self-report the wrongdoing. Self-reporting and cooperation are not yet part of the French legal culture, but are increasingly used and promoted in white-collar cases in conjunction with transactional tools, as what one might call an ‘Americanisation’ of prosecutorial practices. We expect that this case will be an important step in future efforts by the AFA and prosecutors to promote such conduct (and conversely, to seek larger sanctions when corporations do not cooperate).
- Finally, the case should remind corporations engaging in business in France or with French residents in other countries concerning ‘private-to-private’ or ‘commercial’ bribery. While other anti-bribery statutes mostly focus on ‘foreign officials’, this is not the case for French law. France has long prohibited active (ie, offering or agreeing to pay a bribe) and passive (ie, requesting or agreeing to receive a bribe) ‘private-to-private’ bribery through specific offences in the French Criminal Code. This is why the PNF CJIP in Airbus not only lists five counts of bribery of foreign public agents, but also three counts of active private-to-private bribery. This is, to our knowledge, the first time the PNF has listed such private-to-private bribery charges in a case ending in a CJIP, broadening its scope to all types of bribery contexts. Corporations engaging in business in France, and in particular multinational corporations with ‘global’ policies should therefore remember to take into account the risks of private-to-private bribery in their compliance materials such as their ethics codes, anti-bribery policies and employee training programmes.
Towards a reform of the French blocking statute?
Heavy fines on French corporations on international sanctions matters (such as the US$8.9 billion fine for French Bank BNP Paribas in 2014) or anti-bribery (like Alstom’s 2014 US$772 billion fine) based on extraterritorial jurisdiction have become a very sensitive issue in the French political space. Several congressional investigations on that matter, ongoing or completed since 2014, and a recognition, across party lines, of the need for more protection of French companies’ data and documents have incited the government to act upon the issue.
Since 1968, the French have had a blocking statute designed to prevent the abuses of entering discoveries or subpoenas on French entities or individuals. It criminalises the transmission of information to foreign courts outside the channels set forth by treaties (such as the 1970 Hague Convention for civil matters or the Mutual Legal Assistance Treaties (MLAT) for criminal issues). Although it was applied recently (in an attempt to conduct depositions in the Executive Lifecase), it is widely considered as not strictly enforced (noticeably by the US Supreme Court in its 1987 Aerospatiale decision).
After several failed reform attempts by previous legislatures, French MP Raphaël Gauvain was tasked by the Prime Minister with writing a report on measures to limit the impact of extraterritorial assertions of jurisdiction, which included a possible reform of the French blocking statute.
Mr Gauvain’s work, which was eventually published on 26 June 2019, proposes, among others:
- A stricter enforcement of the statute, with heightened sanctions in case of transmission of evidence in civil or criminal proceedings (up to two years’ imprisonment and a €2 million fine for physical persons, €10 million for legal entities).
- Mandatory registration with the Ministry of the Economy’s economic intelligence office (SISSE) of corporations targeted by foreign investigations. The government may directly conduct the dialogue itself in certain important cases where strategic issues are at stake.
- Administrative sanctions of up to €20 million for physical persons and up to 4 per cent of the global turnover for legal entities (eg, cloud service providers) that unlawfully transfer data abroad in anticipation of litigation. This provision aims at limiting the extraterritorial effects of the US CLOUD Act and its coercion power on French or European companies.
- Finally, Mr Gauvain suggests extending the legal privilege to in-house counsel, as only attorneys currently enjoy that protection. This would allow France to align itself with other jurisdictions on the issue, giving corporations the opportunity to assess frankly the legal implications of a situation (ie, without creating incriminating evidence with their work product).
The spirit of the proposed changes is not to block cooperation, but to limit extensive information-gathering operations that may have unwanted effects when target entities are deemed ‘strategic’ for the French economy. These follow extensive debates in Parliament and in the media on assertions of jurisdiction by the US sometimes seen as attacks on strategic players of the European economy.
The Prime Minister reacted favourably to some of Gauvain’s propositions but, to date, the government has not yet released a time frame for the implementation of such a reform. The reform will be sensitive, as it will have to balance fundamental national economic interests with the necessary leeway companies need to defend themselves.
A draft bill containing some of Mr Gauvain’s recommendations would be the next logical step, to which Mr Gauvain alluded as ‘possible’ in 2020, but we do not yet know whether the significantly delayed French legislative agenda will allow for it this year.
In addition to Mr Gauvain’s proposals, EU-level solutions are also in the works:
- While the EU has the 1996 ‘Blocking Regulation’ (created in reaction to the US Helms-Burton Act of 1996 and reactivated in 2018 after the US’ withdrawal from the Joint Comprehensive Plan of Action with Iran), it is considered by many as ineffective against extraterritorial measures.
- EU projects, including the upcoming e-evidence regulation are intended to pursue this effort, and offer a common defence of EU companies and data while still providing a framework for cooperation against crime.
- Finally, following its experience with the Sapin II law, France is expected to be spearheading an EU-level push to adopt common legislation on the detection and prevention of corruption. This may imply a new role for the newly founded EU prosecutor’s office (recently appointed in 2019 but for now limited in scope to the financial interests of the EU).
The ‘Duty of vigilance’ law is still a France-specific liability risk to monitor for large corporations
Enacted on 27 March 2017, the Duty of vigilance law is France’s initiative to promote the accountability of large corporations regarding the prevention of social, environmental and governance risks related to their operations (including their subsidiaries and business partners such as subcontractors or suppliers).
While norms on this topic, such as the UN Guiding Principles on Business and Human Rights of 2011, have long remained non-binding ‘soft law’, simply encouraging companies to regulate themselves the voluntary adoption of internal rules, France’s initiative was original as it initiated a ‘hardening’ of human rights obligations for businesses.
The law applies to companies with at least 5,000 employees within their company and in their direct and indirect subsidiaries when their registered office is in France, and 10,000 employees when their registered office is located abroad. This includes French subsidiaries of foreign companies or global groups insofar as they meet the above-mentioned requirement.
The ‘vigilance plan’ is the key measure of the Duty of vigilance law, requiring qualifying companies to set up a plan containing measures designed to identify and prevent risks of human rights violations, of serious physical or environmental damage and safety risks.
In line with the spirit of the Sapin II-mandated compliance plan for bribery, the vigilance plan must cover items such as:
- risk mapping;
- procedures for evaluating subsidiaries, subcontractors and suppliers with whom an established commercial relationship is maintained;
- appropriate actions to mitigate risks or prevent serious violations;
- a mechanism for alerting and collecting alerts; and
- a mechanism for monitoring the measures implemented to assess their effectiveness.
The plan must be published in the corporation’s annual report, which can be enjoined to establish and publish a plan if it fails to do so.
Last year, we saw NGOs organising to actively track qualifying corporations’ compliance with the law, and some have started to issue official demand letters to corporations (there have been at least five demands so far as of April 2020). Proceedings were initiated in 2019 against oil company Total, alleging insufficiencies in the vigilance plan regarding extraction operations in Uganda and pursuing – as a first remedy – an injunction to correct the plan. The case hit a procedural roadblock on 30 January 2020 as the Nanterre civil court declined jurisdiction in favour of the commercial court, which plaintiffs consider less likely to support their case. An appeal of the decision is ongoing.
According to a January 2020 government report citing external studies, some eligible corporations are not yet compliant with the law, exposing themselves to major liability and damages in case an incident happens.
Indeed, failure to comply with the law (ie, to effectively implement the plan described above) exposes the corporation to a new form of fault-based civil liability in the event of an incident, where it can be liable for damages ‘repairing the harm that [its] compliance with the law could have avoided’.
This means that, while the occurrence of an accident in a subsidiary or subcontractor does not necessarily mean that the corporation is liable (as a fault is required), companies are bound by a duty of care that consists in thoroughly implementing the vigilance plan.
The very broad writing of the law means that only the first liability cases will allow us to grasp its real extent, and assess whether it reached its goal to foster accountability without creating an overly burdensome liability regime.
Criminal and administrative procedure: anticipate covid-19 related disruptions throughout 2020
Starting in March 2020, and to comply with the government’s confinement strategy, jurisdictions and agencies have partially closed and significantly reduced their in-person operations. Based on the situation at the time of writing this article and on emergency laws and ordinances taken in late March 2020, three major consequences are likely to be of importance for compliance and white-collar in 2020:
- Courts and prosecutors will have accrued significant backlogs, as they can only take on in-person ‘essential cases’ and work remotely on others during the confinement period. At the time of writing this article, many cases had already been delayed by several months, and significant disruptions are expected throughout 2020 because of the crisis.
- To take into account this lowered capacity and reduce the need for in-person hearings or investigative acts for procedural reasons, an ordinance on criminal procedure introduced several important changes. Among them is a freezing of criminal statutes of limitations from 12 March 2020 until one month after the end of the ‘state of health emergency’ period declared by Parliament. This measure alone will have lasting effects, even after the crisis, on the computation of statute of limitation periods, and litigants can expect procedural debates on that aspect.
- Administrative agencies such as the AFA will also be affected this year: AFA investigations that were already under way continued during the confinement, but in-person investigative acts (audits and interviews) were postponed or cancelled and no new investigations have been started. Much like the courts, some agencies will need time in 2020 to fully go back to their normal operations.
 This requirement, according to article 17 of the law, applies to any private company or public entity of an industrial or commercial nature, which has (i) more than 500 employees or is part of a corporate group whose parent company is headquartered in France and employs more than 500 people; and (ii) whose annual turnover or annual consolidated turnover exceeds €100 million.
 French Criminal Procedure Code, article 41-1-2. For more information on AFA audits, see also AFA’s ‘Investigation Charter’ (last updated in April 2019) on the rights and duties of AFA auditors and audited entities (https://www.agence-francaise-anticorruption.gouv.fr/files/files/charte_droits_devoirs_unique%20controles.pdf).
 Law No. 2016-1691 dated 9 December 2016 (Sapin II), article 4.
 AFA, 2018 annual report, p. 41 (https://www.agence-francaise-anticorruption.gouv.fr/files/files/RA%20Annuel%20AFA_WEB_0.pdf).
 See our paragraph on covid-19 disruptions below.
 AFA, Guide pratique : Les vérifications anticorruption dans le cadre des fusions-acquisitions (‘Practical guide on anti-bribery audits in the mergers and acquisitions process’), 17 January 2020 (https://www.agence-francaise-anticorruption.gouv.fr/fr/guide-pratique-verifications-anticorruption-dans-cadre-des-fusions-acquisitions).
 AFA, Guide pratique : Politique cadeaux et invitations dans les entreprises, les associations et les fondations (‘Practical guide on gifts and invitations policies for corporations, associations and foundations’), draft released for comment on 18 July 2019 (https://www.agence-francaise-anticorruption.gouv.fr/files/files/2019-06-21-Guide%20pratique%20Cadeaux-VCS.PDF).
 Decree No. 2017-564 dated 19 April 2017.
 CNIL, Délibération n° 2019-139 du 18 juillet 2019 portant adoption d’un référentiel relatif aux traitements de données à caractère personnel destinés à la mise en œuvre d’un dispositif d’alertes professionnelles (‘Decision No. 2019-139 dated 18 July 2019 adopting a new framework for personal data processing for the implementation of a professional whistle-blowing programme’).
 AFA, ‘Plan national pluriannuel de lutte contre la corruption’. Also available in English on the AFA’s website (https://www.agence-francaise-anticorruption.gouv.fr/files/files/PlanVAnglais.pdf).
 These offences are punishable by five years’ imprisonment a fine of up to €500,000 (€2.5 million for legal persons) or the double the proceeds of the offence.
 See for example the 2016 report by MPs P Lelouche and K Berger ‘on the extraterritoriality of US law’ following cases on major French companies in the early 2010s.
 At a conference in January 2020 (https://www.affiches-parisiennes.com/le-developpement-de-l-avocat-dans-le-nouveau-monde-en-question-9610.html).
 As the sanctions originally present in the law were declared unconstitutional.
 For context in English, see for example Reuters article ‘Campaign groups accuse Total of breaching French corporate duty law in Uganda’, 25 June 2019 (https://www.reuters.com/article/us-total-uganda-ngos/campaign-groups-accuse-total-of-breaching-french-corporate-duty-law-in-uganda-idUSKCN1TQ1OQ).
 Duthilleul, A and De Jouvenel, M, Report to the Ministry of the Economy ‘Evaluation de la mise en œuvre de la loi n° 2017-399 du 27 mars 2017 relative au devoir de vigilance des sociétés mères et des entreprises donneuses d’ordre’ (‘Implementation assessment of Law No. 21017-399 dated 27 March 2017 on the duty of vigilance of parent companies’), January 2020, p. 28.
 id., p. 30.
 French Commercial Code, article 225-102-5.
 The agency released on 19 March 2020 its protocol adapting audits to comply with the confinement orders, noting that it would not initiate new audits or conduct in-person audits or interviews, but that document transmission could continue remotely with the consent of audited entities (https://www.agence-francaise-anticorruption.gouv.fr/fr/covid-19-adaptation-des-operations-controle).