On 7 October 2019, the European Council adopted the EU Whistleblower Protection Directive (the “Directive”). The Directive seeks to accomplish two goals: (1) the creation of a number of mandatory reporting channels for whistleblowers to raise concerns around breaches of EU law; and, (2) a higher level of protection against retaliation for whistleblowers who report breaches of EU law.

At present, the status of whistleblower protection in Europe is fragmented. Only around ten Member States have strong legislative protections for whistleblowers (for example, Germany has only limited protections) and, at the EU level, protection for whistleblowers is sector specific, with protection focussed on financial services. Against the backdrop of an increasing number of high profile corporate scandals, the Directive is part of a wider drive to ensure that whistleblowers are heard and protected and that companies involved in wrongdoing are held to account. The Directive can also be viewed in the context of inappropriate uses of confidentiality clauses and non-disclosure agreements in employment matters.

Member States now have until October 2021 to transpose the Directive into their national law. Companies should have anonymous reporting mechanisms in place before this date. As a result of Brexit, the UK has indicated in open correspondence with the Government’s European Scrutiny Committee that it will not transpose the Directive. However, the UK already has certain protections in this area under the Employment Rights Act 1996 and the Public Interest Disclosure Act 1998, and commitments have been made in respect of legislation around confidentiality clauses and non-disclosure agreements.

1) Mandatory Internal Reporting Channels

The Directive applies to all public and private companies in the EU with more than 50 employees and regional municipalities with over 10,000 inhabitants. For the first time, under the Directive, an internal reporting program will be mandatory for these entities within the EU. Although the internal reporting requirement is the most crucial for corporate entities, it is a single limb of a three-tiered reporting system which is as follows:

  1. Internal reporting of disclosures;
  2. External reporting of disclosures to competent Member State authorities;
  3. Reporting to the media in certain restricted circumstances.

Internal reporting obligations require that organisations establish designated channels for receiving reports of wrongdoing (by phone, electronically, or in person) so that they can be received anonymously. Receipt must be acknowledged within seven days and the whistleblower must be provided a status update of follow up measures within three months. The company can either establish and operate an internal reporting channel itself, such as an internet-based whistleblower tool, or have a reporting channel provided and operated by an external third party.

Member States are to establish independent and confidential external reporting channels within their respective governments, which are required to acknowledge receipt of reports within seven days and follow up within three months (extended to six months in justified cases). External reporting mechanisms are generally to be used once internal mechanisms have been exhausted. Whistleblowers can then finally make their reports publicly in the media in certain extreme circumstances. The Directive may also mean that, in some cases, confidentiality clauses or non-disclosure agreements cannot be relied upon to prevent disclosures as having available reporting channels will become a legal requirement.

The Directive applies to reports of a wide range of violations of EU law. These include EU laws covering fraud, money laundering, safety, national security, protection of the environment, consumer products, public procurement, competition, tax, and data privacy, among others. Though not exhaustive, the Directive sets out a specific list of relevant laws to which it applies. Member States may go beyond this list when implementing the Directive.

Reporting channels must be designed and operated in a secure manner that ensures the confidentiality of whistleblowers and of anyone mentioned in their report. Anonymous reporting must be possible, but the Directive leaves it to the recipient to decide whether any particular report should be accepted and followed up after independent analysis. Notwithstanding this discretion, anonymous whistleblowers must be protected from retaliation.

2) Protection Against Retaliation

Irrespective which channel is used to make a report, the Directive requires that those who bring concerns forward in good faith must be protected against retaliation. Potential retaliation includes suspension, termination, demotion, withholding of a promotion, workday restructuring, negative performance assessments, as well as coercion, harassment, intimidation, and discrimination.

The range of individuals protected by the Directive is broad, applying to all “reporting persons”. This covers workers, self-employed persons, shareholders, managers, and those supervised by contractors, among others. It also applies to people whose work-based relationship has ended or has not yet started, as well as certain third parties.

Retaliation is to be prevented by ensuring that whistleblowers do not incur personal liability and that they have access to certain remedial measures, among other things. Support for whistleblowers shall take the form of information and advice, effective assistance from competent authorities, and legal aid in criminal and cross-border civil proceedings, as well as financial assistance and other support measures. Penalties shall be imposed for the hindering of reporting, retaliation, the bringing of vexatious proceedings against whistleblowers, and for breaching confidentiality obligations.

The protection against retaliation requires Member States to adopt effective, proportionate and dissuasive penalties for any person who tries to hinder the reporting or who retaliates against reporting persons, including by bringing vexatious proceedings or by breaching the duty of maintaining the confidentiality of reporting persons. These sanctions should drive EU companies to be proactive in their obligation to prevent retaliation acts from its management, its subordinates or employees in order not to be held accomplice or responsible for such acts of retaliation.

3) Next Steps

The exact shape of whistleblower protection in the EU will be understood more concretely once it is implemented in each Member State. At this point it is clear that the scope of the Directive is broad, and will require many EU companies to implement, or upgrade, whistleblower programs. Indeed, many companies across the EU will need, for the first time, to carry out risk assessments and establish formal whistleblower processes to comply with the new Directive. Even if companies already have a whistleblowing process, they will need to review the existing structure to ensure full compliance with the new standards.

Having an anonymous reporting hotline, along with investigation and case management systems, has long been considered to be best practice; going forward, it will also be a requirement. In addition to establishing formal, confidential internal channels for reporting, companies will need to build into their HR, legal, and compliance structures mechanisms to ensure that whistleblowers are not prejudiced during or after reports are made, that reports are kept anonymous, and that reports will be independently investigated and acted on if genuine. Companies will also have to be aware that if internal structures are not satisfactory, external or media reports may be made by whistleblowers.