The recent news

Compliance Law, like Regulatory Law, of which it is an extension, is an Ex Ante Law.

It translates into a set of obligations that companies must perform to ensure that harmful behavior does not occur, such as bribery, money laundering, pollution, etc.

This results in "structural" obligations, such as the establishment of a risk map, a third-party vigilance system, internal controls, the adoption of codes.

The practical question that arises is whether to punish a company, it is necessary but it is sufficient that the company has not adopted these structural measures, or if it is also necessary that within it or through the persons whom it must be accountable (through the corporate officers and the employees, but also the suppliers, the sub-contractors, the financed operators, etc.) there were behaviors that Compliance Law prohibits, for example corruption, money laundering, pollution, safety-related accident, etc.

The question is probative. Its practical stake is considerable.

Because to obtain the conviction the prosecuting authority will have to demonstrate not only a failure in the structural device but also a behavioral failure.

Si l'on considère que le Droit de la Compliance est à la fois sur l'Ex Ante et sur l'Ex Post, alors l'autorité de poursuite qui requiert une sanction doit démontrer qu'il y a un comportement reprochable (Ex Post) et qu'à cela correspond une défaillance structurelle (par exemple le compte bancaire anormal n'a pas été signalé) ; si l'on considère que le Droit de la Compliance est purement en Ex Ante, alors même s'il n'y a pas de comportement reprochable en Ex Post, la seule défaillance structurelle suffit pour que l'entreprise qui doit l'organiser en son sein soit sanctionné.

If we consider that Compliance Law is both on the Ex Ante and the Ex Post, then the prosecuting authority that requires a sanction must show that there is a reprehensible behavior (Ex Post ) and that this corresponds to a structural failure (for example the abnormal bank account has not been reported); if we consider that Compliance Law is purely Ex Ante, then even if there is no reprehensible behavior in Ex Post, the only structural failure is enough for the company to be sanctioned, even if it does its best efforts, even if no prohibited behavior will have accured in Ex Post.  

The second system, which is much more repressive and places a considerable burden on companies, even if there is no proven illicit behavior, is that of French Law, probably because of a tendency towards Ex Ante organization. ..

Mais il faut garder mesure. Et cette mesure est probatoire.

But we must keep measure. And this measure is probative.

This is what the Commission des Sanctions of the Agence Française Anticorruption -AFA (French Anti-Corruption Agency's Sanctions Committee) has just said, in its decision of 4 July 2019, SAS S. et Madame C.,(written in French) contradicting the position of its director, who acted as the prosecuting authority. This is yet another general proof of the autonomy of the Sanctions Committee vis-à-vis to the Administrative Authority of which it is a part, and in relation to its director, who nevertheless governs it. But, jurisdictional model obliges, he has here the status of prosecuting authority, is subject to the regime of this one and not to the regime of head of the entity. Demonstration of the "functional autonomy" of the sanctioning bodies within the administrative regulatory and compliance authorities.

Indeed, this important decision expresses with precision and reason the distribution of the "burden of the allegation" and the "burden of proof" on the prosecuting body and on the company pursued, as well as the role of presumption that the recommendations issued by the French Anti-corruption Authority can play.

Read the analysis below.

Europe is definitely the zone of the world in which the protection of persons is thought.

Elle le fait par des textes, dont le très fameux Réglement adopté en 2016 relative à la protection des personnes physiques à l'égard du traitement à caractère personnel et à la libre circulation de ces données, dit "RGPD", recopié par exemple en Californie par la loi du 12 juillet 2018, par des initiatives nationales, comme la prochaine loi française contre les discours de haine dans l'espace numérique, par de nombreuses études et rapports - le droit souple étant aussi importante que le Droit pénal en Droit de la Compliance, mais encore par des décisions de justice.

Europe does this by texts, including the very famous Regulation adopted in 2016 relating to the  treatment of personal data for their free circulation and the protection of peope concerned by them ( known as General Data Protection Regulation - GDPR ), copied for example in California by the Act of 12 July 2018, by national initiatives, such as the next French law against hate speech in the digital space, by numerous studies and reports - Soft Law being as important as Criminal Law in Law of Compliance  system -, but also by court decisions.

Indeed, judicial decisions were at the origin of the movement of the person protection, with the creation of a "right to be forgotten" by the 2014 Google Spain decision of the Court of Justice of the European Union.

The judgment of the CJEU on 29 July 2019, Fashion ID, is just as important. Like the previous one, it clearly settles an essential question: who must police consents in the digital space?

And the answer is: all the digital players who benefit from it.

As a result, there is an "intermesh" (on this notion which is the future of Compliance Law in the digital world, see Frison-Roche, M.-A., The contribution of Compliance Law in the Governance of Internet, 2019 ).

See below the analysis of the judgment.