1. Law no. 179/2017

On 14 December 2017 Law no. 179/2017 containing “Provisions for the protection of persons disclosing crimes or irregularities that they witnessed as part of a public or private working relationship” was published in the Official Gazette.

The new law, already dubbed the “Whistleblowing Law”, introduces specific legislation on whistleblowing in the private sector for the first time in Italy and amends the rules on whistleblowing previously introduced for the public sector.

2. Whistleblowing worldwide

Italy is only the latest country to have adopted specific legislation on whistleblowing. Indeed, forms of protection of whistleblowers – whether public or private – are provided for in numerous legal systems worldwide.

By way of example, in the United States, the protection granted to whistleblowers in the public sector (which dates back to the first years of the last century) was extended to those in the private sector by the Sarbanes-Oxley Corporate Reform Act (the so-called SOX) of 2002 and further strengthened, in 2010, by the Dodd-Frank Act. In particular, SOX obliges all companies listed on the American market to set up systems to receive disclosures and ratifies the so-called prohibition of “retaliation” against the whistleblower.

In the United Kingdom the legislation on whistleblowing is contained in the Public Interest Disclosure Act of 1998, and is characterised by the particular attention paid to the quality of the disclosure.

As regards the European Union, specific regulations on whistleblowing exist only in certain countries (among others, Luxembourg, Romania and Slovenia). Instead, no specific legislation has been adopted in France and Germany.

3. Whistleblowing in Italy

Going back to the national framework, until 2012 Italy had no specific legislation on whistleblowing.

A first, although limited and still unexpressed, form of whistleblowing was introduced by Article 6, second paragraph, letter d) of legislative decree no. 231/2001, whereby it was established that the models of organisation should “provide for reporting obligations to the body in charge to supervise operation and compliance with the models”.

It was only with Law no. 190/2012 (the so-called Anticorruption Law), however, that real legislation on the disclosure of wrongdoing was introduced. In particular, Article 1, paragraph 51, of Law no. 190/2012 introduced Article 54-bis, entitled “Protection of public employees disclosing wrongdoing”, into the body of legislative decree no. 165/2001.

Lastly, as we said at the opening, the introduction of the Whistleblowing Law, besides amending Article 54-bis of legislative decree no. 165/2001, extended to the private sector the forms of protection examined below.

4. Whistleblowing in private working relationships

More specifically, the Whistleblowing Law, in formulating said forms of protection, added paragraph 2-bis to Article 6 of legislative decree no. 231/2001, dedicated to the requirements of models of organisation.

According to the new paragraph 2-bis of Article 6 of legislative decree no. 231/2001, models of organisation must satisfy four specific conditions; namely, they must provide for:

  1. one or more channels enabling senior managers and subordinates to raise detailed disclosures of unlawful conduct relevant pursuant to legislative decree no. 231/2001 and based on precise and congruous facts, or of breaches of the model of organisation and management of the company, which they witnessed in carrying out their functions; such channels must assure confidentiality of the identity of the whistleblower when handling the disclosure;
  2. at least one alternative reporting channel suitable to assure, through IT means, the confidentiality of the identity of the whistleblower;
  3. prohibition against retaliation or discriminatory acts, whether direct or indirect, towards the whistleblower for reasons, directly or indirectly, connected to the disclosure;
  4. within the disciplinary system adopted, sanctions against those infringing the measures for the protection of the whistleblower, as well as those making, maliciously or negligently, disclosures that turn out to be unfounded.

With regard to the first two requirements, it is necessary to set up two reporting channels, at least one of which is IT-based: by way of example, ordinary mail and a dedicated e-mail address (or a form on the company intranet).

The third requirement consists in the express provision, in the models, of the so-called prohibition against retaliation.

As to the fourth and last requirement, legislative decree no. 231/2001 requires that the disciplinary system contained in the models be integrated with specific disciplinary sanctions for those infringing the measures to protect the whistleblower and for those making unfounded disclosures.

5. Some open issues

The new provisions leave open a series of issues, to which we try to give a preliminary answer below.

Is it compulsory to adopt a whistleblowing system, and what are the consequences if it is not adopted? No, it is not compulsory. The non-adoption of a whistleblowing system has no consequences for companies that have not adopted a model of organisation. Instead, for companies that have adopted a model of organisation, the non-adoption may make the model unsuitable to prevent crimes: a model not providing for a whistleblowing system may be deemed unsuitable to prevent the commission of crimes and hence to exclude the liability of the company.

When a whistleblowing system has been adopted, is it compulsory for those witnessing wrongdoing to raise a disclosure? No. There is no obligation to raise a disclosure for employees witnessing wrongdoing (or rather, such an obligation existed in one of the versions of the law examined by the Parliament, but it was deleted in the last approved text of the Whistleblowing Law). However, it should be considered that, even if such an obligation is not provided for by law, models of organisation (or codes of ethics) often provide for the employee’s obligation (or duty) to disclose unlawful conduct that he or she witnesses within the company's activity. As a result, the failure to make a disclosure may represent, in itself, a breach of the model and, for this reason alone, it could be disclosed by another employee. Hence, a potential whistleblower who does not take action runs the risk of becoming the subject of a disclosure.

Who can make a disclosure? According to the new rules, only “senior managers” and “subordinates” may make disclosures, but the Whistleblowing Law does not prevent the company from also allowing other persons (collaborators, partners, suppliers, etc.) to make disclosures. On the other hand, companies that have adopted a model of organisation sometimes regulate relationships with their counterparties through mutual obligations to disclose unlawful conduct of which they become aware in the performance of the activity that one of them carries out in favour of the other.

To whom must the disclosure be addressed and how must it be handled? This is not mentioned in the Whistleblowing Law. However, it is possible to reach some conclusions on the basis of the general structure of legislative decree no. 231/2001. Should an internal function of the company (by way of example, the Internal Audit or the Compliance function) be identified as the addressee of the disclosure, it will be impossible not to provide for the involvement, from the moment the disclosure is received, of the supervisory body that, according to legislative decree no. 231/2001, is the body in charge of supervising the observance of the models. As regards handling methods, it is necessary to assure the confidentiality of the whistleblower’s identity.

What can a disclosure be about? Unlawful behaviours, relevant pursuant to legislative decree no. 231/2001 or performed in breach of the model of organisation, witnessed because of the duties performed. Although the law does not say so, breaches of the code of ethics can also be the subject of a disclosure to the extent that – as happens in most cases – the code of ethics represents an “integral part” of the model.

What should a disclosure be like? The disclosure must be detailed and based on precise and congruous factual elements. Therefore, generic disclosures or disclosures based on hearsay are not admitted.

Are anonymous disclosures admissible? There is no express prohibition to raise anonymous disclosures.

Is it necessary to request the consent of the subject of the disclosure for the processing of his/her personal data? Even before the entry into force of the Whistleblowing Law, it was debated whether the processing of personal data of the subject of the disclosure required his/her consent or whether the processing could instead be based on the fulfilment of a legal obligation or on the legitimate interest of the controller. While it is certain that, even today, the processing cannot be based on the fulfilment of a legal obligation (since the new rules do not introduce obligations but simple duties) or on the legitimate interest of the controller (which applies only in those cases indicated by the Data Protection Authority), it is irrational and unrealistic to expect the company to obtain the consent of its employees to the processing of their personal data within whistleblowing systems. The situation may change with the entry into force of Regulation (EU) no. 2016/279 (or “GDPR”), which provides that the evaluation as to the existence of a legitimate interest is referred to the controller (and not to the Data Protection Authority).

How can the right of the subject of the disclosure to obtain information as to the origin of his/her personal data be compatible with the protection of the confidentiality of the identity of the whistleblower? On this issue, the Article 29 Working Party (the group of EU data protection authorities) has already deemed admissible, in said event, a limitation of the data subject’s right to obtain information as to the origin of his/her personal data. From this point of view, the GDPR expressly provides that the extent of the right of access may be limited by Member States to protect interests such as “prevention, investigation, detection or prosecution of criminal offences” or “the protection of rights and freedoms of natural persons”.