Whistleblowers have been making headlines almost every month these past years – and this follows a string of scandals such as LuxLeaks, Panama and the Paradise Papers as well as Dieselgate and Cambridge Analytica, which have exposed the limited assistance available for people seeking to expose wrongful corporate behaviour in the public interest. Only 10 EU Member States have comprehensive legislation in place, with others offering partial protection at most. At EU level, there are some existing instruments in place that provide for whistleblower protection, but these have varying levels of detail and remain predominantly limited to financial services, transport safety and environmental protection. 

On 7 October 2019 the European Council approved the Whistleblower Protection Directive, which was first adopted by the European Parliament in April 2019, to further protect whistleblowers (the Directive). The Directive specifically states that there are lessons to be learnt from these scandals that necessitate this protection. 


The protection given to whistleblowers in the EU is currently fragmented and inconsistent. A study commissioned by the Directorate-General Justice and Consumers assessed the national legislative frameworks on whistleblowing in all EU Member States. According to their analysis, only 10 EU Member States (France, Hungary, Ireland, Italy, Lithuania, Malta, the Netherlands, Slovakia, Sweden and the United Kingdom) currently ensure that whistleblowers are fully protected. In the remaining EU Member States, whistleblowers are at most only partially protected: protection is only available to specific sectors, to specific categories of employees (eg financial services, public sector) or there are only limited types of wrongs that can be reported (eg corruption). In Estonia and Finland, whistleblowers have no legal protection against retaliation and in many other EU Member States (eg Italy and Portugal) there is only protection from some forms of retaliation in the workplace such as unfair dismissal or discrimination. Finally, some countries (eg Germany) have just suggested new laws which aim at protecting whistleblowers more effectively although they do not go so far as to provide for a full protection. At EU level, there is only a very limited number of sectors where measures have been put in place to protect whistleblowers (mostly only in the financial services sector).

According to the EU Commission, experience shows that a piecemeal approach, which results in the fragmented protection of whistleblowers, does not provide a sufficient level of protection.


The Directive seeks to strengthen the legal protection of whistleblowers regardless of their employment status (whether in the public or private domain) and throughout all EU Member States. It looks to create a genuine system to protect whistleblowers within the European Union.

Protection for a wide range of disclosures and reporting persons

The Directive sets out common minimum standards for the protection of persons reporting on breaches of EU law, in particular in the following areas:

  • Public procurement
  • Financial services, products and markets and prevention of money laundering and terrorist financing
  • Product safety and compliance
  • Transport safety
  • Protection of the environment
  • Radiation protection and nuclear safety
  • Food and feed safety, animal health and welfare
  • Public health
  • Consumer protection
  • Protection of privacy and personal data and security of network and information systems
  • Breaches affecting the financial interests of the EU
  • Breaches relating to the internal market

According to the Directive, whistleblowers are defined as reporting persons working in the private or public sectors who acquired information on breaches in a work-related context. This includes, besides those persons who are workers (including civil servants) or self-employed, shareholders and persons belonging to the administrative, management or supervisory body of an undertaking, including non-executive members, as well as volunteers and paid or unpaid trainees and any persons working under the supervision and direction of contractors, subcontractors and suppliers. The Directive also applies to reporting persons whose work-based relationship is yet to begin (in cases where information has been acquired during pre-contractual negotiations), or has since ended.

Those assisting whistleblowers, such as facilitators, or third persons who may suffer retaliation in a work-related context (colleagues or relatives) are also protected – as well as legal entities that the reporting person owns, works for or is otherwise connected with in a work-related context.

Internal and external reporting channels

The Directive provides for the implementation of an internal whistleblowing reporting process which gives employees, as well as external persons, the opportunity to report breaches of EU law and ensures that such reports will be followed up on. This must be done following consultation and in agreement with the social partners, where provided for by national law.

All reporting means are to be offered, ie besides written and electronic reporting, this will also be possible via telephone and in a personal meeting. What is unusual is that the Directive does not seek to only target breaches that have already occurred, but also those that are “very likely to occur”. This raises questions over when breaches may be considered as “very likely to occur” and from whose perspective. The Directive contains no clarification on this.

The obligation to implement this whistleblowing reporting process will apply in the private sector to companies with 50 or more workers as well as to all financial services firms or firms that are vulnerable to money laundering or terrorist financing irrespective of their size. Of course, the Directive allows EU Member States to go further and impose these obligations on smaller companies after prior assessment.

As far as the reporting and follow-up process is concerned, the Directive provides for the following:

  • Secrecy of the identity of the whistleblowers: the system must safeguard the identity of the reporting person and of any third party mentioned in the reports and unauthorised persons must not have access to their identity. Note that the Directive does not affect the power of Member States to decide whether private or public entities and competent authorities should accept and follow up on anonymous reports of breaches.
  • Acknowledgement of receipt of the report to the whistleblower within 7 days of that receipt.
  • Restricted access to the information: an impartial person or department must be designated for following up on the whistleblowing report.
  • Feedback within a maximum period of 3 months: companies are basically free to choose a follow-up method and this only needs to ensure that the reporting person will receive feedback on their report within 3 months from acknowledgement of receipt of the report.
  • Clear and easily accessible information on how and under what conditions and procedures reports may be made externally to competent authorities (see below).

In addition to this internal whistleblowing reporting process, EU Member States must provide for an external whistleblowing reporting process in the context of which whistleblowers may contact competent authorities. This whistleblowing reporting process must also allow for all forms of reporting (written, electronic, via telephone, face-to-face contact) and ensure absolute confidentiality. In this case, whistleblowers may also expect feedback within 3 months, and in exceptional cases, within 6 months. 

Protection against retaliation

All persons who had reasonable grounds to believe that the information they have reported falls within the scope of the Directive and was true at the time of the reporting, are protected.

Contrary to what was first provided for when the Commission proposed the Directive last year, protection is not conditional on the whistleblowers first reporting internally. Whistleblowers qualify for protection whether they first used the internal channel, or directly reported to competent authorities. Member States should however encourage the use of internal reporting before external reporting, where the breach can be effectively addressed internally and where the whistleblower considers that there is no risk of retaliation.

However, persons who publicly disclose information on breaches are only entitled to protection subject to additional conditions – for example, an existing internal or external whistleblowing reporting system should be used first unless it is unreasonable (for example, risk of retaliation or low prospect of the breach to be addressed) or was not expedient (for example, because no feedback was received on the report within the 3- or 6-month period), or when there is an imminent or manifest danger for the public interest.

A wide range of acts have been classified as retaliation under the Directive, including termination, discrimination, the non-extension of employment contracts (removal of the time limit), bad evaluations, denial of training measures, downgrading or omitting promotion, etc. This also covers threats and attempts of retaliation, whether direct or indirect.

The Directive also reverses the procedural burden of proof in certain circumstances. If the reporting person claiming retaliation establishes that he or she made a report and suffered a detriment, it shall be presumed that the detriment was made in retaliation for the report or disclosure. The accused company has the onus of rebutting this accusation and must prove that this measure was based on duly justified grounds. In practice, this will obviously be hard to fulfil. It has to be expected that employers should become even more careful when it comes to ensuring that the decision process with respect to any measure which affects individual employees is extensively documented.

Finally, the Directive states that persons who make a report or public disclosure within the meaning of the Directive shall be exempt from accusations of a breach of legal or contractual confidentiality rules, breach of data protection obligations, disclosure of trade secrets, etc and shall not incur liability arising from the acquisition of the relevant information, provided that there has been no criminal offence committed.


The Directive will now be published in the Official Journal giving the EU Member States 2 years to implement and comply with the Directive, although employers with more than 50 but fewer than 250 employees would have an additional 2 years to set up internal reporting channels.


The EU Member States will have to comply with the Directive, subject to reasonable penalties, in particular, in cases when reporting is prevented or obstructed, when whistleblowers are disciplined or when the identity of the whistleblower is disclosed. Likewise, penalties for abusive reporting are also envisaged. Important to note is the lack of significant financial incentives (compared to the SEC’s regime in the US which allows monetary awards for whistleblowers – with the largest awards to date up to 50 million USD). However, the scope of the Directive is extremely broad. Such protection of whistleblowers should be reasonable, though, taking into account the interests of the whistleblower but also of the companies and the public. It is also noteworthy that the personal scope of the Directive is broad; however, any disclosure of internal company information is privileged, which means privilege takes priority over other confidentiality provisions. The reversal of the burden of proof and the catalogue of possible acts of retaliation, and therefore ineffective measures (removal of the time limit of employment contracts!), give rise to questions and to growing concerns of abusive reporting.


National laws implementing the Directive will be key to assessing the impact on your business. In anticipation thereof, companies can start revisiting and assessing their existing whistleblower policies so as to implement appropriate reporting channels where needed. Or they can decide on a third-party reporting channel rather than an in-house system.

An earlier version of the text of the Directive was discussed in detail by us in Global Benefits Vision issue 34, which you can find here.