Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law (the “Directive”) came into force in December 2019 and EU Member States are required to transpose it into national law by December 2021. Below are answers to some key questions that companies will have in relation to the Directive:

  • What kinds of whistleblower reports are caught by the Directive? The Directive’s requirements apply to whistleblower reports that allege breaches of EU law or affect the financial interests of the EU or relate to the internal market (including, among others, public procurement, financial services, the prevention of money laundering and terrorist financing, product safety, protection of the environment, consumer protection, data privacy, breaches of EU competition and State Aid rules, and breaches of corporate tax law). Member States will have the discretion to extend the Directive to a broader range of reports.
  • What do companies have to do (and by when)? Legal entities in the private sector with more than 50 employees will be required to establish internal, confidential reporting procedures for information on breaches of laws within the scope of the Directive. Legal entities in the private sector with 250 or more employees will be required to do so by December 2021, and companies with between 50 and 249 employees will be required to do so by December 2023 (subject to any earlier deadline imposed under national law). Member States have the discretion to extend the requirement to companies with fewer than 50 employees, following an “appropriate risk assessment taking into account the nature of the activities of the entities and the ensuing level of risk for, in particular, the environment and public health.”
  • Who must be able to make reports? The internal reporting channel must enable the entity’s workers to report breaches and may also enable other parties who are in contact with the entity in the context of work-related activities to do so (e.g., self-employed individuals, shareholders, volunteers, paid or unpaid trainees, and any persons working under the supervision and direction of contractors, subcontractors and suppliers). The reporting person must have reasonable grounds to believe the information about the breaches was true at the time of making the report.
  • What duties of confidentiality / data privacy do we owe to whistleblowers and must we accept anonymous reports? The Directive states that the identity of the reporting person must not be disclosed to anyone beyond the authorised staff members competent to receive or follow up on reports, without the explicit consent of that person. This also applies to any information from which the reporting person’s identity may be deduced. Any processing of personal data carried out pursuant to the Directive must be carried out in accordance with the EU General Data Protection Regulation (2016/680). The Directive leaves it up to Member States to decide whether legal entities are required to accept and follow up on anonymous whistleblowing reports.
  • What if we already have whistleblowing procedures? Companies should be able to leverage existing whistleblowing processes but will likely need to make adjustments to comply with the requirements of the Directive—for example, by making reporting channels accessible to report breaches of all in-scope laws, ensuring that the identity of those making reports is subject to appropriate confidentiality measures and updating policies and procedures to comply with the other prescriptive requirements described below.
  • What practical measures do we need to put in place as part of the internal reporting procedures? The Directive provides that internal reporting procedures must enable reporting in writing or orally, or both. Oral reporting must be possible by telephone or through other voice messaging systems, and, upon request by the reporting person, by means of a physical meeting within a reasonable timeframe. Acknowledgement of the receipt of a report must be provided within seven days and a person or department must be designated to follow up on the report. That person or department must diligently follow up and provide feedback to the reporting person within three months. Practical measures should also be put in place to ensure the confidentiality of the identity of the reporting person, as explained above.
  • Which corporate function should we designate to follow up on reports? Companies will have flexibility as to which individual or corporate function is designated to follow up on reports. Recital 56 of the Directive provides that the “function should be such as to ensure independence and absence of conflict of interest,” and that the function could in a smaller entity “be a dual function held by a company officer well placed to report directly to the organisational head, such as a chief compliance or human resources officer, an integrity officer, a legal or privacy officer, a chief financial officer, a chief audit executive or a member of the board.” For larger organisations that have HR and Compliance departments, these may be appropriate options.
  • What do we need to do to raise awareness of internal (and external) whistleblowing procedures? Companies should be prepared to take steps to publicise, in a clear and accessible way, the procedures that are put in place to comply with the Directive, both to workers (including line managers who may receive reports) and third parties such as service providers, distributors, suppliers and business partners. Recital 59 suggests that such information could be posted at a visible location accessible to all such persons and on the website of the entity, and could also be included in courses and training seminars on ethics and integrity. Companies will also be required to provide clear and easily accessible information regarding procedures for reporting externally to competent authorities.
  • How does the Directive protect whistleblowers against retaliation? The Directive requires Member States to establish a range of protections against ‘retaliation’ for whistleblowers. Retaliation includes dismissal, demotion, transfer of duties, reduction in wages, withholding of training, discrimination, harassment, negative performance reviews or references, etc. Protection against retaliation may apply not only to the reporting person, but also to:
    • individuals who facilitated the whistleblowing (i.e., any person who assists a reporting person in the reporting process in a work-related context and whose assistance should be confidential);
    • third parties who are connected with the reporting person and could suffer retaliation in a work-related context (such as colleagues or relatives of the reporting person); and
    • legal entities that the reporting person owns, works for or is otherwise connected with in a work-related context.

    Protections may vary across Member States but must at a minimum include protection against various types of potential liability and compensation for damage suffered by whistleblowers, such as termination of their employment. Member States must provide for ‘effective, proportionate and dissuasive penalties’ for individuals or companies that retaliate against whistleblowers, hinder or attempt to hinder reporting, bring vexatious proceedings against whistleblowers or breach the duty to keep the identity of reporting persons confidential.

  • Will the Directive harmonise whistleblowing laws across the EU? The Directive will to some extent harmonise requirements across Member States, but there may be areas of divergence in how its provisions are ultimately transposed into national law. For example, Member States are permitted to enact or retain laws that afford more protection to the rights of whistleblowers than the Directive (although they cannot enact laws that would be less protective of whistleblowers). These areas of divergence will create challenges for organisations with a presence in several Member States that wish to create a single harmonised, EU-wide whistleblowing process for administrative ease and in order to facilitate the monitoring of compliance; such a unified approach will require levelling-up whistleblower protections in some countries.
  • Will this affect companies operating in the UK? Since the UK is no longer part of the EU it will not be bound by the Directive. As UK legislation already provides comprehensive protection for whistleblowers, it remains to be seen whether the UK government will consider future reforms to align UK law with the Directive. However, organisations seeking to create a standardised whistleblowing policy that covers both the EU and UK may nonetheless decide to update their existing UK policies and procedures to match those available in the EU, thereby enhancing the level of protection under UK law.
  • Is there anything else companies should consider as they implement or update whistleblowing procedures? The EU and various Member States are currently considering or have recently passed human rights and environmental due diligence legislation (see our recent alert). It is likely that some of these laws will frame due diligence obligations by reference to existing international standards such as the UN Guiding Principles on Business and Human Rights, which recommends that companies implement “grievance mechanisms” through which impacted individuals can raise concerns about the human rights impact of an organisation’s activities. Companies should keep an eye on these related developments, which could effectively extend the obligation to provide channels for reporting non-compliance to human rights issues.