On 7 October 2019, the European Union adopted a Directive on the protection of persons reporting on breaches of Union law (the “Whistleblowing Directive” or the “Directive”).
The Directive covers both the public and the private sector by setting minimum standards and ensuring a uniform level of protection for whistleblowers reporting breaches of EU law in defined areas.
Currently, fewer than half of the EU Member States, including the United Kingdom, France, the Netherlands, Hungary, Italy, and others, have comprehensive whistleblower protection legislation. In the remaining countries, legislation that includes measures to protect whistleblowers exists in only a limited number of sectors (mostly in the area of financial services).
A 2017 study carried out for the Commission estimated the loss of potential benefits due to a lack of whistleblower protection, in public procurement alone, to be in the range of EUR 5.8 to EUR 9.6 billion each year for the EU as a whole.
Who falls within the protection?
In general, persons protected include those who could acquire information on breaches in a work-related context, e.g. employees and civil servants at national/local level. The Directive goes further and also protects individuals outside the traditional employee-employer relationship, such as consultants, contractors, volunteers, shareholders/board members, former workers and job applicants. It also protects individuals who assist whistleblowers, as well as individuals and legal entities connected with whistleblowers.
The main elements of the protection include:
• A wide scope of application: the new rules will cover areas such as public procurement, financial services, prevention of money laundering, product and transport safety, nuclear safety, public health, consumer and data protection, etc. For legal certainty, a list of all EU legislative instruments covered is included in an annex to the Directive. Member States may go beyond this list when implementing the new rules.
• Support and protection measures for whistleblowers: the rules introduce safeguards to protect whistleblowers from retaliation, such as being suspended, demoted and intimidated. These persons are protected from dismissal, degradation and other discrimination. Whistleblowers cannot be held liable for breaching restrictions on the acquisition or disclosure of information, including for breaches of trade or other secrets. In addition, the possibility of contracting out of the right to blow the whistle, through, for example, loyalty clauses or confidentiality or non-disclosure agreements, is excluded.
• Protection of whistleblowers’ identity: the Directive protects the identity of whistleblowers in most circumstances. It grants protection to whistleblowers who have reported or disclosed information anonymously and who have subsequently been identified.
• Provision of hierarchized reporting channels: whistleblowers are encouraged to use internal channels within their organisation first, before turning to external channels which public authorities are obliged to set up. In any event, whistleblowers will not lose their protection if they decide to use external channels in the first place. In granting protection, the new rules do not in any way take into account the whistleblowers’ motive for reporting. Whistleblowers should be able to submit reports either in writing, via an online system, a mailbox or by post, or orally, via a telephone hotline or answering machine system. Companies are also obliged to offer a personal meeting should the whistleblower request it.
What should companies/administrations plan for?
The Directive requires companies/administrations to comply through the following measures:
• Creation of reporting channels within companies/administrations: there is an obligation to create effective and efficient reporting channels in companies of over 50 employees (or more than EUR 10 million in annual turnover) or municipalities of more than 10 000 inhabitants. Companies with 250 or more employees will be expected to comply within two years of adoption; companies with between 50 and 250 employees have an additional two years after transposition to comply.
• Feedback obligations for authorities and companies: the rules create an obligation to respond to and follow up on whistleblowers' reports within 3 months (with the possibility of extending this to 6 months for external channels in duly justified cases). Companies must determine the "most suitable" person to receive and follow up on reports internally, e.g. compliance officer, head of HR, legal counsel, etc.
• Provision of information on the internal reporting process as well as on the reporting channel(s) to the competent authority. This information must be easily understandable and accessible, not only to employees, but also to suppliers, service providers and business partners.
• General measure for compliance with the GDPR: companies/administrations must make sure that the system also complies with current data protection regulations such as the GDPR.
The Directive provides for penalties to be applied to persons who hinder or attempt to hinder reporting, retaliate against reporting persons or breach the duty of maintaining the confidentiality of the whistleblowers’ identity. It is the job of national legislators to determine the severity of these sanctions.
The next steps
Following the formal adoption of the Directive by the EU Council on 7 October 2019, a two-year implementation period begins during which time the EU Member States will be obliged to implement the Directive into their own national laws. Member States should transpose those provisions in line with the spirit of the Directive, which is to provide a high level of protection for whistleblowers. However, companies are advised not to wait until the last minute and to take action at an early stage.
By Desislava Anastasova, Associate, CMS Sofia