Worldwide: EU Compliance Developments That Parent Companies Should Tackle In 2023

Foreign parent companies, including US parent companies, are increasingly subject to extraterritorial legislations and are likely to face new compliance challenges coming from the European Union in 2023. Similarly, US subsidiaries of French groups should beware of both the applicable US rules and French compliance framework that they are subject to. Compliance regulations have exploded this year with 11 successive waves of EU sanctions issued against Russia. The French Anticorruption Agency (the "AFA") has issued several publications which clarify the position of the French administration. We could not explain all these new major developments in this short article, but have selected three important topics which we dive into below.

I) The need to update the anti-corruption investigation procedures for companies owned by a French parent company

Who is concerned? Since December 2016, French Sapin II¹ law makes internal anti-corruption compliance procedures mandatory for French companies with 500 employees and consolidated sales in excess of €100 million. This includes foreign and French subsidiaries when their head office is located in France with consolidated annual sales of more than 100 million euros.

Authorities may take serious civil, criminal and administrative sanctions both against the company and individuals (legal representatives and directors) who are noncompliant with the Sapin II Law and/or with the French Criminal Code regarding active or passive corruption and influence peddling.

What is new? Internal measures and strong compliance procedures have been in force since June 2017. Companies can rely on the guidelines from the French Anti-Corruption Agency (AFA) to implement the required anti-corruption measures which, since 2021 are based on the following three pillars:

• The commitment of the management body to compliance. The choice of executives' commitment as the first pillar reflects the AFA's emphasis that the implementation of the compliance program is the responsibility of its leaders.
• Precise risk mapping for the group. Providing detailed information of the risks to which the group entities in each country are exposed to for each type of business activity; and
• the management of these risks by means of prevention, detection and remediation measures and the issuance of adapted compliance procedures such as the Code of Conduct.

The French Anticorruption Agency (the "AFA") and the French National Financial Prosecutor's Office (the "PNF") collaborated to publish on 14 March, 2023 a guide relating to internal anti-corruption investigations. The guide aims to support companies in implementing their relevant internal investigations and to assess facts that shall trigger investigations. The goal of these authorities is to encourage companies to fully cooperate and to report non-compliant facts. Like in the USA, the French authorities are also placing cooperation from companies at the heart of their new criminal policy.

II) The need to conduct corporate sustainability due diligence: The French and EU duty of care ("devoir de vigilance")

Foreign companies can be caught under French law for breaches of the duty of care provided by the "Law on the duty of care of parent companies and ordering companies"². Indeed, the French duty of care is binding on companies employing (i) at least 5,000 employees in their own organization and in subsidiaries with head offices located in France, or (ii) having at least 10,000 employees in their own organization and in subsidiaries with head offices located in France or abroad.

Foreign parent companies which meet these criteria shall be required to implement a corporate sustainability due diligence plan which complies with five pillars provided by French Law³, including risk mapping and relevant implementation procedures. Non-compliance with these rules can lead to a court order to put in place an efficient due diligence plan, but more importantly, compensation for the damage caused as a result of the lack of an adequate due diligence plan and reputational damage.

A number of companies have already been subject to formal notice on this basis in France for various reasons, including: (i) Total for climate objectives insufficient to meet the objectives of the Paris Agreement" in relation to business activities in Russia where sanctions are imposed and its oil project in Uganda; (ii) Truck transport and logistics multinational XPO Logistics Europe (a subsidiary of the American group XPO Logistics) concerning workers' rights in the truck transport multinational's subcontracting chain, and (iii) McDonald's France concerning workers' rights in Brazil and France.

No doubt future litigation will shape this particular area of law. Big companies should therefore carefully draft their corporate sustainability due diligence plan since they can be held liable on this basis.

In the European Union, only France and Germany have adopted laws on duty of care. However, duty of care should be implemented at the EU level in the following months, once adopted by the EU Council. Indeed, on 1^st June 2023, the European Parliament adopted a proposal for a Directive on corporate sustainability due diligence which aims to establish harmonized European legislation on the duty of care, in an effort to improve corporate respect for human rights and to strengthen environmental protection.

This EU duty of care will target more companies than the French one with decreased thresholds of applicability, i.e. (i) European companies employing more than 250 people on average and generating more than 40,000,000 euros in sales or (ii) companies that are the ultimate parent company of a group that employed 500 persons and generates more than 150,000,000 euros in sales worldwide during the last financial year.

Thus, contrary to French law, the EU duty of care should also apply to big SMEs. In addition, this new Directive should lead to the adoption of new sanctions against companies for non-compliance with the due diligence framework, and the creation of a new regulator to monitor compliance with the EU duty of care.

III) Implementation of the GDPR

The well-known General Data Protection Regulation ("GDPR") applies to any organization established in the EU territory which processes personal data, as well as those the activity of which directly targets European residents. Foreign companies should therefore pay particular attention to these very specific rules, the violation of which can result in severe sanctions.

Companies must guarantee protective rights to persons whose data is being processed, whether employees or customers. The GDPR also binds foreign companies as it places regulations on the transfer of data outside the EU, which is of particular interest to international groups.

The CJEU ruled in its Court judgment (Grand Chamber) of 16 July 2020, Data Protection Commissioner v Facebook Ireland Ltd and Schrems that the GDPR requires data exporters to assess the conditions framing transfers and to put in place suitable measures to ensure that such data is subject to protection substantially equivalent to that guaranteed in the European Union. Both data controllers and data processors transferring data are accountable for these requirements.

Since the invalidation by the CJEU on the 16 July 2020 of the EU-US Privacy Shield, the data transfer agreement between the EU and the US, such transfer has become a sensitive operation and required the implementation of strict safeguards ensuring sufficient guarantee, such as, according to the text of the GDPR, the implementation of Binding Corporate Rules and Standard Contractual Clauses.

However, it seems that the respect of these rules is not sufficient since the Irish Data Protection Authority has very recently stated, on Monday, May 22, 2023, that META's recourse to "standard contractual clauses" was insufficiently protective of data transfers and fined it 1.2 billion euros, as well as ordering the US firm to cease all transfers of data from European Internet users to the USA as of October 12. The data collected since 2020 must also be repatriated to European data centers by November 12.

It appears in practice that organizations transferring data under U.S. surveillance legislation are the first to be affected by this ruling and that the strengthening of their data protection procedure is urgent whenever they are transferring personal data from the EU to the U.S.

Conclusion: Foreign parent companies are responsible for ensuring that their subsidiaries in France and the EU are able to meet these multiple compliance challenges, and must navigate a complex and international compliance framework.

Footnotes

1. Law n°2016-1691 of 9 December 2016 on transparency, fight against corruption and modernization of the economic life.

2. Law n° 2017-399 of 27 March 2017 on the duty of care of parent companies and ordering companies

3. Article L225-102-4, I, of the French Commercial Code)

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.