Coronavirus COVID-19 - IPT Q&A: France

Par:

Substance

If we have a right to terminate for a continuation of a force majeure event, but are continuing to work with a supplier / customer to try to implement a work around / alternative solution, will we (and at what point) be considered or deemed to have waived or elected not to exercise that termination right? Can we preserve that right?

  • Under French law, if the contract does not provide otherwise:
    • a force majeure event is one where: (i) the event is beyond the control of the party with the affected obligations; (ii) it could not reasonably have been foreseen at the time the contract was entered into; and (iii) the effects of the event could not be avoided by appropriate measures and which prevents the affected party from performing its obligations under the contract;
    • the force majeure event will only be a cause for termination if: (i) the effect of the event in preventing the affected party from performing its obligations under the contract is or becomes permanent; or (ii) the delays as a result of the force majeure event justify the termination.
  • If the contract excludes any implicit waiver of rights, any discussions between the parties which aim to find an alternative solution to termination are not automatically a waiver of rights to terminate the contract on the ground of force majeure.

    Such discussion is part of the parties’ obligation to perform the contract in good faith. Any right to terminate on the basis of force majeure cannot be exercised if the parties have found an alternative solution.

    Before entering into any discussions, businesses should consider providing written notice to the other party reserving their right to terminate in the event that no alternative solution to termination is found and agreed upon.
  • Where there is no waiver of rights clause in a contract, businesses should be careful not to accidentally waive their right to termination and should consider providing written notice to the other party reserving termination rights, as mentioned above.
  • If an event is not a force majeure event as outlined above, and as per measures adopted in France on March 25, 2020, when a business claims that the other party has not performed its obligations under a contract within a definite time as specified in the contract (the “Time”), then any penalties, liquidated damages, termination clauses and other clauses triggering forfeiture of a right, are deemed not to have become effective if the Time expired between March 12, 2020 and June 24, 2020 (the “Period”). We note too that the French Government has indicated that the Period will actually expire one month from the cessation of the state of health emergency, (which is currently set by the Government until May 24, hence a Period expiring on June 24, however, this could be postponed by the Government as the situation develops and the Period would therefore be extended).

    The effect of clauses relating to penalties, liquidated damages, termination clauses and other clauses triggering forfeiture of a right will resume one month after the expiration of the Period.

Can my organisation share information with other organisations (customers / suppliers particularly) about our employees who have tested positive for coronavirus COVID-19, where our employees may have been in contact with employees of those other organisations? If so, how can that be done and what are the limitations / restrictions?

Where an employee tests positive for coronavirus COVID-19, and discloses this information to their employer, this information is subject to both the employer’s duty of confidentiality and to relevant data protection laws (including the GDPR and French Data Protection Law). From a data protection law standpoint, such information falls within the special category of personal data and is thus subject to restrictions on its use and disclosure.

An organisation may use and, where necessary, share this information only to the extent necessary to manage the situation and must minimise the amount of personal data shared and the people with whom it may be shared.

Only information which is needed to mitigate the risk of infection of other employees and to take additional precautions should be shared with another organisation and should only be shared where you have sufficient information on who had contact with the employee who tested positive Any information shared with another organisation should not include the name of a specific individual.

What privacy issues may arise by allowing our personnel to work from home? How can we manage these?

Several risks may arise from a remote working practices by employees working from home, which are as set out below together with potential measures to mitigate these risks.

  • Where the device used by the employee is their own device, the provisions of the Bring You Own device Policy, if any, should apply to their use of that device. If you do not have such a policy, we recommend that one is implemented. Such A Bring Your Own Device Policy, should provide that the use of any personal device is subject to prior authorization by the network administrator and/or employer and ensure that a partition is created on the personal device intended for professional use. For more information on the Commission on Informatics and Liberty (CNIL) see recommendations on Bring Your Own Device Policies.
  • If you undertake any monitoring of employees working remotely, you must ensure that such monitoring is done in compliance with the GDPR and French Data Protection law principles in terms of transparency, proportionality etc. This should include appropriate notification to employees where such monitoring is taking place and an appropriate Data Protection Impact Assessment will need to be carried out.
  • You must take appropriate measures are to ensure that the right to privacy of the personnel who is teleworking is respected and that the hours employees are working is in compliance with relevant labor law requirements.
  • Appropriate security measures must be implemented and employees should be reminded that your IT usage policy continues to apply where they are working remotely (e.g. implementing encryption measures for information flows (through VPN, HTTPS), and ensuring firewalls have necessary updates and the most recent security patches (including to operating systems and antivirus software), providing for a procedure in the event of terminal failure / loss, carrying out a regular audit to check the security strength, etc.); For more information on recommended security measures for remote working, please consult the CNIL’s guide on security.
  • Information system should be configured appropriately to allow for several employees to remotely access the system at the same time and that a robust user authentication solution is implemented to allow access to the organization’s information system remotely.
  • Implement a strong cybersecurity policy and governance to mitigate the consequences of any data breach which may occur when a large portion of the workforce is working remotely. This should include details on the following:
    • potential phishing attacks through electronic communications related to coronavirus COVID-19 virus; and
    • the importance of ensuring that any remote connection is always protected and not made from an unsecured or compromised connection in order to assist avoiding any malicious attacks.
  • All contracts with vendors or third parties should be reviewed where they access the data from employees’ devices to ensure that the vendors/third party suppliers are bound by appropriate Data Processing Agreements under the relevant data protection laws. This should include cross border transfer restrictions if information is transferred outside of the EEA where an employee is working remotely.

    For more information, read the recent guidelines on the security measures to be implemented in the context of remote working summarised by the CNIL.

Can I check the temperature of workers/visitors of my factory site?

French data protection laws provide that employers must refrain from systematically and generally collecting, information related to any symptoms presented by workers/visitors.

It is expressly prohibited under French law to:

  • impose mandatory body temperature readings for each worker/visitor which are then sent daily to the line management; or
  • collect medical forms or requests from workers/visitors.

If you do not retain the data collected, then you are entitled to randomly check the temperature of workers/visitors on your factory site, on a voluntary basis, but only for the purpose of management of exposure to the virus. For more information on CNIL's position on data processing in the context of the outbreak.

Can I ask employees whether they have visited “risk countries” or have been in contact with infected persons?

Pursuant to the French Labour Code, the employer must ensure the security and protect the physical and mental health of its employees but each worker must also preserve the health and safety of himself and of the other workers. Therefore, in the event of suspected contact with the virus, an employer may not collect directly from an employee the “risk countries visited” or any contact with infected persons but:

  • the employer should raise awareness and invite its workers to disclose to it or to health authorities, any potential exposure to the virus, and facilitate the transmission of such information by setting up, if necessary, dedicated channels; and
  • the worker should be reminded that he must also inform his employer of certain information in order to enable him to take appropriate measures to mitigate the risks of contamination and infection of other employees.

Am I allowed to share the name of infected employees with other staff as a measure of prevention?

As an employer, an organization is responsible for its employees/agents’ health and security in accordance with the French Labour Code. Thus, and regardless the measures of prevention that an organization should implement, the relevant staff who may have been in contact with the infected employee should be informed about such case. General information may also be provided more broadly to the organisation staff in general. Nevertheless, the information which is provided must be anonymised and in any case must not include the name and surname and any other information related to the person who has been infected and which is not necessary for a prevention purpose.

What are the impacts of coronavirus COVID-19 and working from home / remotely on outsourcing arrangements (including eg, in regulated sectors such as financial services)?

Most outsourcing agreements set out detailed stipulations regarding the conditions pursuant to which the service provider’s personnel (and any subcontractor’s personnel) access client sites and any client IT system/network/data for the purpose of the performance of the services under the agreement. Such requirements will vary depending on the geographic scope of the agreement and on the use of offshore service centers.

The parties should review the agreement for conditions around access, and if such provisions exist, the service provider must provide an assessment to the client of its ability to continue compliance with the requirements in the coronavirus COVID-19 situation and notably the impact of working from home. The client must assess the risk associated with the service provider’s inability to perform the services or ability to perform the services with personnel working from home whilst complying with such requirements notably in light of the potential regulatory requirements applicable.

Where the client cannot provide access to sites or systems or where the service provider cannot perform the services in compliance with access requirements, either party’s inability to comply with contractual obligations may constitute a breach and the party in breach may claim that coronavirus COVID-19 constitutes a force majeure event to exclude its liability in respect of its obligations under the contract (see question 1).

However, for the purpose of the business continuity of the services, and in the absence of regulatory constraints, the parties may decide to focus on continued performance. Parties may agree to amend the agreement for the duration of the coronavirus COVID-19 pandemic in order to operate in a different mode. You should ensure that the duration of the “event” is defined and agreed including how will the parties decide and agree that the “event” has ended and that the parties should revert to the initial agreement.

How do business continuity and disaster recovery provisions apply to the coronavirus COVID-19 situation and where there are government mandated lockdowns of business?

The parties should refer to the contract to determine whether it provides that business continuity can be suspended in the case of force majeure.

  • If it cannot be suspended, then business continuity must be assured;
  • If it can be suspended, then the parties should consider whether coronavirus COVID-19 and the government mandated lockdowns of business meet the contractual or legal criteria of force majeure?
    • If no, then business continuity must be assured.
    • If yes, and if the obligations taken under this plan cannot be performed because of the force majeure event, without the possibility to implement alternative measures, then the business continuity and disaster recovery provisions will be wholly or partly suspended.

Please note that even if the contract does not allow a party to suspend its business continuity obligations on the ground of force majeure, the affected party could seek to rely on the hardship mechanism provided under French law (however, the chances of succeeding in such an argument are low):

  • if the contract was executed after 1 October 2016;
  • if the performance of the business continuity and disaster recovery provisions is made excessively onerous; and
  • if the hardship mechanism has not been expressly excluded by the contract.

How can I mitigate exposure to e.g. fixed costs with my suppliers, if they are no longer providing a full service?

  • Where non-performance by the party suspending the contract / its obligation is based on a force majeure event that satisfies the requisite conditions, the other party can suspend its own obligations under the contract, as they have no more compensation and may also try to negotiate with the affected party (however this is not mandatory).
  • Where non-performance by a party is not based on a force majeure event that satisfies the requisite conditions and constitutes a contractual breach, then the other party can enforce all contractual and legal provisions relating to the non-performance (if they have not been contractually excluded). The other party can suspend its own obligations under the contract, seek for the enforcement of the performance of the contract and/or claim for compensation.

What steps should I be taking to ensure the resilience of my relationships with key technology and supply chain partners?

We recommend that the following provisions be included in arrangements to ensure the resilience of your relationships with your key technology and supply chain partners:

  • carefully drafted SLAs, with robust penalties/service credits mechanism to ensure effectiveness. This includes adopting appropriate drafting to ensure that the penalties/service credits are not the customer’s sole and exclusive remedy;
  • business continuity and disaster recovery plans should be required from suppliers that articulate properly with the customer’s own plans and which the customer may test;
  • audit rights;
  • a force majeure clause that is not overly extensive, and is drafted in a way that retains the requirements of force majeure under the French Civil Code, and which does not apply when the applicable event is one of the events covered by the business continuity/disaster recovery plan. For clarity, under French law,
  • a force majeure event is an event that is: (1) beyond the control of the debtor of the obligation; (2) was not foreseeable at the time the contract was entered into; (3) the effects of which could not be avoided by appropriate measures; and (4) prevents performance (i.e., makes it impossible and not only more onerous);
  • governance, reporting and mutual information mechanisms and requirements, to provide an adequate structure for contract management; flexibility in respect of termination, while complying in particular with the prohibition of abrupt termination of contracts/commercial dealings under French law.

From a contract management perspective, we recommend:

  • implementing rigorous contract management, with careful monitoring of contract performance, including the keeping of an audit trail;
  • making sure that all the information and communications required as per the governance provisions flow seamlessly between the parties;
  • keeping an open dialogue with key suppliers to gain an understanding of their market conditions and the measures taken on their side to ensure performance and mitigate or eliminate impact of any disruption (whether or not covered by the applicable business continuity/disaster recovery plan) and to inform key suppliers of performance difficulties arising on your end because of the same event;
  • if appropriate, discuss how to mitigate impact from a performance (e.g., reduced volume or revised SLA) and/or payment (e.g., reduced price, extended payment terms) perspective. Before entering into any discussions, you should consider providing written notice to the supplier reserving your rights in the event that no alternative solution to “normal” performance is found.

What will the impact be on RFP processes and transformation programs and who bears the risk of this?

The impact on the RFP process is likely to be limited, although some delay may be expected in service providers ability to provide responses to any RFPs.

In relation to transformation and transition programs, delays may also be expected in the implementation of such transition/transformation projects by service providers due to the inability of service providers’ personnel to travel/access client sites. Where this is the case, the following options may be available: 

  • depending on the clauses set out in the agreement, the service provider may invoke a force majeure event or hardship, and/or the client may claim damages for non-performance as well as apply penalties for delayed performance according to agreed upon service levels; or
  • amendment of the contract to modify the agreed upon planning of any projects or change their order of performance.