On April 16, 2019, the European Parliament approved by great majority (591 votes, with 29 votes against and 33 abstentions) new rules aiming at more extensively protecting whistleblowers within the European legal space.

The text has been presented to the Council for its approval and, after its publication on the Official Journal of the European Union, Member States will have to comply with the new European minimum standard of protection within two years.

The genesis of the new rules lies on the 2014 Council of Europe Recommendation encouraging “member states (to) have in place a normative, institutional and judicial framework to protect individuals who, in the context of their work based relationship, report or disclose information on threats or harm to the public interest”.[1]

As it is almost general knowledge, “whistleblowers” are individuals—generally, employees, but also self-employed persons, shareholders, volunteers, trainees, contractors or even someone going for a job interview—who, in the context of their work-based relationship, come across information about wrongdoings (regarding, for instance, fraud, tax evasion, corruption, etc.) and that they decide to report.

Recent scandals—such as the Dieselgate, LuxLeaks, Panama Papers, and Cambridge Analytica developments—have highlighted the key role played by whistleblowers in disclosing illicit activities.

I. Why protecting those who “blow the whistle”

As reported by the first Vice President of the European Commission, Frans Timmermans, “many recent scandals may have never come to light if insiders hadn’t had the courage to speak out. However, those who did took enormous risks. There should be no punishment for doing the right thing”.

Reporting wrongdoings may not be an easy decision, both personally and professionally, due to the huge asymmetry between whistleblowers as individuals, and managers or corporations committing or having committed unlawful activities. In fact, whistleblowers face risk of retaliation, from being demoted to being brought to court, losing their jobs and economic stability, or having their reputation sullied. Often, retaliatory measures are adopted on grounds other than the reporting: for this reason, it can be extremely difficult for whistleblowers to prove the link between the reporting and the reprisal measure.

It goes without saying that the fear of suffering retaliation has a powerful deterrent effect on potential whistleblowers. According to the Special Eurobarometer on corruption of 2017, over eight in 10 respondents (81%) said they did not report episodes of corruption they experienced or witnessed. [2] Also, the Commission’s 2017 public consultation reports that 85% of respondents believe that workers very rarely or rarely report concerns about threat or harm to the public interest and that individuals are more likely to state that workers very rarely report their concerns (46% against 29%), [3] mainly because of fear of legal and financial consequences.

As acknowledged in the preamble to the Commission’s proposal[4] , so far, only some Member States provide for certain rules protecting whistleblowers, and in a variety of ways. In this fragmented legislation, “breaches of EU law with cross-border dimension uncovered by whistleblowers illustrate how insufficient protection in one Member State not only negatively impacts on the functioning of EU policies in that Member State[5] but can also spill over into other Member States and into the Union as a whole”[6].

In this context, the new European legislation aims at guaranteeing a higher and more uniform level of protection for whistleblowers who report breaches of EU law, in specific determined areas, also with a view to strengthen the enforcement of EU legislation . [7]On the one side, the text of the directive provides for determined means of reporting the information, and, on the other side, it ensures specific protection measures.

II. Reporting the information under the directive

The new rules provide for a wide material scope, protecting whistleblowers who report breaches of EU law in wide areas such as public procurement, financial services and prevention of money laundering and terrorist financing, data protection, food and feed safety, animal health and welfare, public health and consumer protection, environmental protection, and nuclear safety. Furthermore, it applies also to reporting breaches affecting the financial interests of EU and breaches relating to the internal market.

As per its personal scope, the directive shall apply to “reporting persons working in the private or public sector who acquired information on breaches in a work-related context” (Art. 4), even if the work-related relationship has ended or where it is yet to begin—in the latter case, where the person has come across the information disclosed during the recruitment or pre-contractual phase.

These provisions already show the intention of expanding the field of application of the directive as widely as possible, putting public and private sectors on the same footing, and acknowledging potential protection to individuals other than employees .[8]

Then, on the one side, the directive rules on the means by which reporting persons could disclose unlawful activities, namely by:

A. Internal reporting and follow-up of reports (Chapter II)

In this regard, private and public legal entities shall establish internal channels and procedures for reporting and following up on reports. These procedures shall include channels for receiving the reports that grant the confidentiality of the identity of the whistleblower, and an impartial person or department competent for following up on the report. In addition, they shall provide for the acknowledgement of the report, within seven days from its receipt, and a time limit of three months from the receipt is set up to provide feedback to the reporting person about the follow-up.

B. External reporting and follow-up of reports (Chapter III)

According to the text of the directive, Member States themselves shall designate authorities to whom whistleblowers may report information after recourse to internal channels or in the first instance. These authorities shall establish independent and autonomous external reporting channels—whose procedures shall be reviewed regularly, at least once every three years—as well as diligently follow-up on the received reports, give feedback to the reporting person, and transmit in due time the information to competent institutions, offices, or agencies of the Union for eventual further investigation.

In addition, the directive requires that the external reporting channels shall be set up in a manner that ensures the completeness, integrity and confidentiality of the information and that enables a durable storage of the information for further investigation.

C. Public disclosures (Chapter IV)

The directive finally acknowledges public disclosure, as “last resort” means of reporting, where, following internal or external reports, no appropriate measure or action has been taken. In this case, the directive requires that the reporting person has reasonable grounds to believe that the breach may constitute an imminent or manifest danger for the public interest or, in case of external report, there is a risk of retaliation or it is unlikely that the breach is going to be effectively addressed.

Finally, the directive provides for some general rules, applicable to both internal and external reporting channels, that shall ensure that the identity of the reporting person is kept confidential (art. 16) and discipline the processing of personal data (art. 17).

It is remarkable that the reporting person may choose between the internal or the external reporting channels as first means of reporting, without having to first internally report. [9]

III. Protection measures under the directive

The second part of the directive refers specifically to the protection of whistleblowers.

First of all, Member States shall under the directive adopt measures to prohibit any form of retaliation (including, for instance, demotion, transfer of duties, coercion, intimidation, discrimination, damage to the person’s reputation, Art. 19, etc.).

Secondly, Member States shall adopt measures of support, in order to ensure that reporting persons have access to information and advice on procedures and remedies against retaliation, but also access to effective assistance from competent authorities and to legal aid in criminal and in cross-border civil proceedings. In addition, the directive provides for the possibility for Member States to grant also financial and psychological support (Art. 20).

Thirdly, Member States shall adopt the necessary measures to ensure effective protection to reporting persons. With this regard, the directive specifies that reporting persons shall not incur in any kind of liability because of the reporting or the disclosure. Furthermore, in proceedings before a court or authority relating to a detriment suffered by the reporting person, the directive provides for a shift of the burden of proof. It shall be presumed that the detriment was made in retaliation for the reporting, so that it is for the person or entity that has adopted the detrimental measure to prove that it was based on duly justified grounds other than the reporting. Finally, Member States shall ensure remedies and full compensation for damages suffered by reporting persons (Art. 21).

A final clause provides that a system of effective, proportionate, and dissuasive penalties shall be set up by Member States in order to punish any eventual breaches of the directive (Art. 23).

IV. Final remarks

As recent scandals have highlighted, whistleblowers can play a prominent role in detecting and disclosing corrupt, illegal, fraudulent, and harmful activities with great benefits at all levels of society. According to the International Consortium of Investigative Journalists,[10] Panama Papers have helped governments to recover more than USD1.2 billion around the world. A recent Commission’s report on whistleblowing and public procurement[11] shows that the potential benefits deriving from whistleblowers’ protection might be estimated to be between Euro 5.8 and Euro 6.9 billion each year, [12] and only with reference to public procurement area.

In addition, companies themselves can directly benefit from whistleblowing: the 2018 ACFE Report to the Nations on Occupational Fraud and Abuse[13] show that “tips are the most common detection method”, with more than half of all tips (53%) coming from employees of the victim organizations.

In this direction, the efforts showed at the European level shall be more than welcomed, even if some critical points remain open. For instance, above all, the text does not provide for an obligation to take into consideration anonymous reports. It remains, however, to be seen how Member States are going to enforce the directive and most of all, whether and how this protective legislation will ultimately affect the phenomenon of whistleblowing.