What’s new?

Bill No. 249 proposing amendments to the existing Protection of the Whistle-blower Act (Chapter 527 of the Laws of Malta) has finally been published.

What is a Bill?

A Bill is a proposed draft law which is yet to be discussed before being enacted as law. Therefore, this may not necessarily be the final approved law.

What is the scope?

The scope is that of transposing the new Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law.

A Directive sets minimum common standards which must be enforced by the EU Member States. Therefore, Member States are free to legislate and extend further protection to whistle-blowers, provided that those minimum standards are not undermined.

As Malta already has a law protecting whistle-blowers to an extent, the legislator is proposing amendments to that law, to widen its scope.

What can the disclosures relate to?

The Directive sets out certain areas which must necessarily be covered by Member State law, such as disclosures regarding breaches or abuses of EU law concerning transport safety, public health, consumer protection, environmental protection, financial services, and the prevention of money laundering and terrorist financing. The Directive also seeks to cover disclosures concerning breaches which harm the European Union’s financial interests and, in view of their negative impact on the proper functioning of the internal market, breaches relating to EU competition and corporate tax rules or arrangements whose purpose is to obtain a tax advantage that defeats the object or purpose of the applicable corporate tax law.

The Directive, however, allows Member States to extend the scope to other areas and sectors. In fact, the Bill has notably retained the concept of an ‘improper practice’ as currently defined under our Act, but has also integrated the areas necessitated within the Directive to form an all-encompassing new definition of an ‘improper practice’.

When will the new law come into force?

The Bill does not specify the date on which its provisions will come into force; rather, it merely states that the provisions will come into force on such date/s as the Minister for Justice and Governance may establish, and different provisions may be enforced on different dates.

When should the new law come into force?

The Directive requires EU Member States to transpose the Directive by 17th December 2021.

It is understood that protected persons will benefit from the protection with immediate effect, so long as the conditions for protection are satisfied and no exclusions apply.

The Directive requires legal entities that employ more than 50 employees to introduce internal reporting channels and procedures for follow-up. Legal entities that employ 250 workers or more must set this up with immediate effect, while with respect to legal entities that employ between 50 and 249 workers, the Directive provides that this obligation must come into force by not later than 17th December 2023.

Whilst the Bill suggests that the Minister may introduce certain obligations at different dates, it does not yet expressly clarify when organisations employing more than 50 but less than 249 employees shall be required to set up internal reporting channels.

What does this mean for legal entities with less than 250 workers?

Whilst the obligation to set up an internal reporting channel may be postponed to the 17th December 2023 for legal entities in the private sector who employ less than 250 workers, workers within such entities who satisfy the criteria for protection may nevertheless be entitled to report externally (and in certain instances to make public disclosures) and to receive protection under the law.

Such legal entities should still consider the immediate impact and implications of this law because, despite the obligation for an internal reporting channel being delayed, the law will impact on existing policies and contractual clauses. Essentially, handling reports of breaches internally as opposed to externally will most likely be a preferred route; therefore, the rolling out of an internal reporting channel, despite there not being a mandatory obligation at law, may be worth considering.

Can the new law ever apply to legal entities that have less than 50 workers?

Yes, by way of exception.

The Directive permits Member States to require entities in the private sector having less than 50 workers to set up internal reporting channels. This would have to be done following an appropriate risk assessment taking into account the activities of the entities (especially when there are risks on the environment and health), which decision would have to be communicated to the EU Commission and to other Member States.

The Bill replicates this possibility but does not yet seem to be proposing any decision to impose the obligation on legal entities in the private sector with fewer than 50 workers.

Are there other regimes that protect whistle-blowers?

Yes.

This Directive sets a minimum standard and should not serve to reduce the protection granted under other whistleblowing regimes.

Apart from the existing Protection of the Whistle-blower Act (Chapter 527), some organisations will remain regulated by other laws which cater for reporting of breaches and whistle-blower protection, such as Regulation (EU) No 596/2014 applicable to the field of financial services, as well as Regulation (EU) No 1286/2014 applicable in the context of packaged retail and insurance-based investment products. These laws shall continue to apply, complemented by this new Act.

Who will be protected by the law?

In summary, protection will be granted to persons who acquire information on breaches in a work-related context, irrespective of the size of the legal entity to which the disclosure relates, and irrespective of whether the legal entity is in the private or public sector.

This protection applies to persons having the status of a worker, including self-employed persons, contractors and civil servants, shareholders, persons in management (as well as non-executive members), volunteers and unpaid trainees.

Protection may also extend to circumstances where the work-based relationship has ended or is yet to begin.

Aside from protecting workers who make protected disclosures, protection will also extend to persons who facilitate a protected disclosure, persons who are connected with the reporting person and could suffer retaliation in a work-related context (such as colleagues or relatives), as well as third-persons and legal entities connected to the reporting person.

Whistle-blowers who report breaches will be protected as long as the conditions for protection are satisfied, and provided that the several exceptions or exclusions do not apply. For instance, the Bill does not propose to amend an existing exclusion in the Act, which provides that it does not apply to members of a disciplined force, members of the security service, or persons employed in foreign, consular or diplomatic service, until otherwise regulated.

Does the Bill alter the current conditions for protection of reporting persons?

Yes.

Currently disclosures are protected if (a) they are made in good faith, (b) the whistle-blower reasonably believes, at the time of disclosure, that the information disclosed and allegations made are substantially true, (c) that the information tends to show an improper practice being committed, and (d) that the disclosure is not made for purposes of personal gain. These conditions must all be satisfied in order for protection to be granted.

The Bill proposes to do away with several of the conditions, in that it proposes that a disclosure shall be a protected one where (a) the whistle-blower had reasonable grounds to believe that the information on breaches disclosed was true at the time of the disclosure, (b) that such information fell within the scope of the Act, and (c) the whistle-blower disclosed internally or externally, or made a public disclosure as permitted in terms of law. Once more, these conditions must all be satisfied in order for protection to be granted.

Does the Bill protect anonymous reports?

Under the existing Act (Chap. 527), anonymous disclosures may be investigated, but they are not considered to be protected disclosures.

The Directive allows EU Member States to decide whether anonymous reports of breaches must be accepted and followed up. Nevertheless, even if anonymous reports need not be accepted in terms of a Member State Law, persons who report or publicly disclose information on breaches anonymously, but who are subsequently identified and suffer retaliation, shall qualify for protection.

The Bill proposes that anonymous disclosures will not be protected, yet if following a public disclosure that is made anonymously the whistle-blower is subsequently identified and suffers retaliation, that disclosure shall be a protected disclosure (as long as the disclosure satisfies the conditions established for normal protected disclosures). Whether this is fully aligned with the Directive is questionable, in that the protection in the Directive seems to apply not only to situations where the whistle-blower is identified after an anonymous public disclosure but also after anonymous reporting.

What type of disclosures does the Bill envisage?

The Bill recognises three types of disclosures, (i) internal, (ii) external, or (iii) public disclosures.

Public disclosures will only be protected if, despite an internal disclosure and/or an external disclosure having been made, no appropriate action was taken. Nevertheless, a public disclosure would be protected where there are reasonable or justifiable grounds to bypass the internal and/or external reporting channels, such as manifest danger to public interest.

Will the new law only apply to new breaches?

The Bill does not propose to amend Regulation 23 of the current Act, which provides that it applies to disclosures made after the coming into force of the Act, irrespective of whether or not the improper practice being the subject of a disclosure has occurred before or after the coming into force of the Act.

Does the Bill provide for Data Protection & record keeping obligations?

The Bill makes specific reference to the processing of personal data throughout the internal, external and public reporting process, with a strong emphasis on confidentiality and integrity/security of the data.

All processing of personal data, including the retention of such data, is to be carried out in accordance with the General Data Protection Regulation, as well as Chapter 586.

Whistleblowing reporting units/officers shall also be required to keep records of every report received. Oral disclosures, including face-to-face meetings, must be recorded. The whistle-blower shall be afforded the opportunity to check, rectify and confirm the record of the disclosure.

Legal entities must therefore balance out their record retention obligation with the obligation of not retaining personal data for longer than is strictly required.

The implementation of an internal policy and reporting channel requires an understanding of the legal parameters within which reports of breaches must be handled, as well as the practical considerations from an organisational and security perspective. Various conditions must prevail for disclosures to be protected, and there are instances where protection would be exempted despite the basic conditions being satisfied. Legal entities and whistle-blowers must therefore equally act cautiously in the application of this law.

We continue to monitor developments on this front and shall be issuing further updates on the subject.