Whistleblowing is a term that was developed in the 1970s in the US. It is the process of reporting wrongful, unethical or unlawful behaviour or misconduct, either internally or externally, i.e. to a third-party organisation.

A company may be seen as more transparent and trustworthy if it has a robust process and protections for people who wish to report misconduct.

It has become an increasingly relevant issue at work in the last few years, as it involves labour law, data protection and regulatory issues: under CSSF Circular 12/552, banks are required to have appropriate whistleblowing procedures in place.

Whistleblowing remains a hot topic and has been formally enacted by a law of 13 February 2011 strengthening the means to fight against corruption. This legislation is not dedicated solely to whistleblowing protection but does include provisions on the fight against corruption offences and criminal procedural rules. While the whistleblowing protection legislation amends pre-existing codes of laws or statutes, it is a standalone and comprehensive piece of legislation providing whistleblowing protection.

Labour Law

The relevant law is the law dated 13 February 2011 strengthening the means to fight against corruption and amending the Luxembourg Labour Code, the Code of Criminal Procedure, the Penal Code, the Law dated 16 April 1979 determining civil servants’ status and the Law dated 24 December 1985 determining local civil servants’ status.

The law of 13 February 2011 added a section to the Labour Code on the protection of employees against corruption, trafficking in influence and the misuse of privileged information.

There is no general obligation for private individuals to denounce criminal offences known to them.

Employees who report a colleague’s misconduct to the employer, or wrongdoing by the company to the competent authorities, may face retaliation up to and including dismissal.

  • According to this law, an employer is not authorised to retaliate against a person who has filed a complaint or informed the employer of any wrongdoing. If an employee suffers adverse treatment from his/her employer, the employer bears the burden of proving that this adverse treatment does not stem from retaliation against the whistleblowing action.

Any wrongful retaliation gives rise to damages covering the actual loss suffered.

An employee cannot be subjected to reprisals because of his/her protests against, or refusal of, an act that he/she considers, in good faith, to constitute illegal taking of interests, corruption or trafficking in influence, whether this act is committed by his/her employer or any other superior, by colleagues, or by external persons in relation with the employer (article L.271-1(2) of the Luxembourg Labour Code).

Any termination of the employment contract because of whistleblowing is therefore null and void (article L.271-1(3) of the Luxembourg Labour Code).

This solution has been confirmed by the European Court of Human Rights (“ECHR”): see Heinisch v. Germany, 21 July 2011.

In this case, a geriatric nurse had been dismissed after having brought a criminal complaint against her employer alleging deficiencies in the care provided.

The ECHR had to deal with the dismissal without notice of a whistleblower and examined whether the refusal to reinstate the whistleblower infringed the whistleblower’s right to freedom of expression protected by the European Convention on Human Rights.

The ECHR concluded that the employee acted in good faith and that the dismissal without notice, which was “disproportionally severe”, violated the employee’s human rights.

On the other hand, a complaint is considered to be slanderous if, directed against a private person, the relevant facts prove not to be a criminal offence and are rejected as such by a court of law.

Data Protection

Anonymity and confidentiality of the whistleblower

The confidentiality and the anonymity of whistleblowers raise two difficulties.

  • Should whistleblowers be anonymous, or should their identity only be kept confidential?

The main idea is to find a balance between (1) the rights of the whistleblower, who must be protected against any possible retaliation, and (2) the rights of the person being denounced, who must be promptly informed of any accusation against him/her to enable him/her to defend himself/herself.

Art. 29 WP took the view that anonymity would not be a good solution for the whistleblower or for the organisation, for the various reasons listed below:

  • Being anonymous does not stop others from successfully guessing who raised the concern;
  • It is harder to investigate the concern if people cannot ask follow-up questions;
  • It is easier to organise the protection of the whistleblower against retaliation, especially if such protection is granted by law, if the concerns are raised openly;
  • Anonymous reports can lead people to focus on the whistleblower, maybe suspecting that he or she is raising the concern maliciously;
  • An organisation runs the risk of developing a culture of receiving anonymous malevolent reports;
  • The social climate within the organisation could deteriorate if employees are aware that anonymous reports concerning them may be filed through the scheme at any time.

Art. 29 WP therefore considered in its analysis that only identified reports should be communicated through whistleblowing schemes, the reasons above serving to justify this requirement.

This position is similar to the French position.

According to the CNIL, whistleblowing is not anonymous in principle.

The author of the alert should identify himself in order to:

  • Make the users of such a system accountable and reduce the risk of the system sliding towards denunciation;
  • Facilitate the protection of the author of the alert against retaliation;
  • Enable better handling of the alert by making it possible to ask the author for further details.

Therefore, whistleblowing should discourage anonymous disclosure in order to protect the person being denounced.

In order to ensure the security of the author of the alert, the CNIL decided that the author of the alert should identify himself to the organisation in charge of the alert system, which will keep his identity confidential.

  • However, to prevent a whistleblowing system from being considered unfair to the person being denounced and from leading to a system of professional denunciation, Art. 29 WP stated that the person accused in a whistleblower’s report shall be informed by the person in charge of the whistleblowing system as soon as practicably possible.

The person being denounced should have the possibility to defend himself and be protected against whistleblowers who have reported in bad faith. Art. 29 WP also stated that the person accused also has rights of access, rectification and erasure if the report is inaccurate, incomplete or outdated (article 12 of Directive 95/46/EC).

The person accused in a whistleblower’s report will not obtain information about the whistleblower, except where the whistleblower maliciously makes a false statement. 

  • Luxembourg companies should follow the guidelines issued by the CNPD in combination with the recommendation of Art. 29 WP.

RECOMMENDATIONS

According to the CNPD, the data protection agencies should advocate four main rules to deal with these issues:

  • Restricting the whistleblowing procedure to accounting, auditing, banking and the fight against corruption;
  • Discouraging anonymous denunciations while ensuring, as far as possible, the identification of the authors of the alert;
  • Setting up a specific organisation to collect and handle alerts. The people in charge of such collection must be trained and are subject to confidentiality regarding the data they gain knowledge of;
  • Informing the person being denounced as soon as possible, in order to allow him/her to exercise his/her rights of objection, access and correction.

Thus, the CNPD is trying to establish a code to be followed by companies implementing a whistleblowing policy.

NEW CIRCULAR CSSF

In December 2012, the Luxembourg Financial Sector Supervisory Commission (CSSF) issued Circular 12/552, applicable from 1 July 2013, amending corporate governance practices.

As risk and controls concern all staff, one of the key requirements of the Circular is the implementation of a whistleblowing procedure: the possibility for any member of staff to raise important and legitimate concerns on risks and governance issues outside the hierarchical reporting lines, up to the board of directors where necessary.

The Circular shall apply to:

  • Credit institutions and investment firms incorporated under Luxembourg Law;
  • On an individual basis;
  • On a consolidated basis (i.e. parent company);
  • Where the institution holds significant participations (between 20% and 50%), but is not the parent company;
  • Non-EU branches of credit institutions and investment firms in Luxembourg;
  • Luxembourg branches of credit institutions and investment firms (for matters where the CSSF has the supervisory responsibility) in the EU / European Economic Area; and
  • Professionals carrying on lending operations.

The Circular emphasizes two important points:

  • the system shall respect and preserve the confidentiality of the whistleblowers;
  • reporting shall be made in good faith, and those who report should not be exposed to any sanction, backlash or detrimental consequence.

CONCLUSION

Even though the legislation is a huge step forward, it lacks certain key elements, such as a definition of whistleblowing or of a whistleblower.

However, despite this gap, the CSSF circular establishes standards and thereby creates a market practice within the Luxembourg credit institutions.

Therefore, two situations may apply:

  • Companies covered by the CSSF circular have to implement a whistleblowing system, otherwise they could be facing penalties;
  • Luxembourg companies not covered by the CSSF circular may opt to implement a whistleblowing policy.

An external review of the whistleblowing procedure is highly advisable to confirm its compliance with the current guidelines and practices. It also makes it possible to identify any legal risk related to its scope, unfair collection of data or infringement of confidentiality, and to reduce potential future labour issues.