Bulgaria is already in delay with the transposition of Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law (the “Whistleblowers Directive” or the “Directive”): like several other member states, Bulgaria has so far failed to bring into force the laws, regulations, and administrative provisions necessary to comply with the Directive. The European Commission has already sent a formal notice for non-transposition of the Directive on the grounds of Article 258 TFEU - Article 260(3) TFEU.
The delay was mainly due to lack of operating parliament for more than eight months, in the context of three consecutive general elections in 2021, the first two failing to result in establishment of governing coalition out of the political parties elected. After the third elections, a four-party coalition government was formed in December 2021. This stabilization of the political situation in Bulgaria will accelerate many backlogged legislative processes, including the transposition of the Whistleblowers Directive. The process of preparing the transposition of the Directive is currently in its final stages, with an inter-ministerial working group with a wide range of experts preparing a Draft Bill on the Protection of Persons who Report or Publicly Disclose Information on Breaches (the “Draft Bill”).
The material scope of the Directive is relatively wide, including breaches of EU law, affecting a number of areas in which the business operates such as public procurement, financial services, products and markets, and prevention of money laundering and terrorist financing, product safety and compliance.
The list also includes the breaches affecting the EU’s financial interests as well as the breaches related to the Union’s internal market (e.g., competition and state aid). Member states may also provide for a wider material scope.
The protection provided by the Directive in respect of persons who report breaches of Union law (or whistleblowers) also covers a wide range of persons from the private or public sector who possess information on breaches in a work-related context. These can be employees, self-employed persons, shareholders, board members, subcontractors, suppliers, trainees and volunteers, as well as persons during a recruitment process or pre-contractual relations.
Persons reporting breaches of Union law receive protection where the following two conditions are met: 1) they have reasonable grounds to believe that the information they reported was true at the time of reporting; and 2) they have reported in one of the ways provided for in the Directive. The Directive provides protection also for those who submit anonymous reports but leaves the Member States to decide whether to introduce the acceptance of anonymous reports in their national law.
The Directive provides for three ways of reporting breaches: 1) internally (usually, “up-the-organization ladder” – by reporting breaches within a private or public sector undertaking; 2) externally – by reporting to a competent national authority; and 3) publicly – by disclosing the relevant information about the breach to the public. In order to be protected in case of public disclosure, whistleblowers must first report internally or externally, but such reporting has remained without a follow-up.
The introduction of adequate rules and procedures for internal reporting of breaches of EU law is an obligation of businesses. In this regard, the Directive provides that this obligation applies to private sector undertakings with 50 or more employees, except for undertakings covered by the EU acts governing the financial services, products and markets, the prevention of money laundering and terrorist financing, transport safety and environmental protection. However, after carrying out a risk assessment, member states may also impose this obligation on undertakings with less than 50 employees.
For private sector undertakings that have between 50 and 249 employees, the Directive provides some flexibility, allowing resources to be shared between undertakings as regards the receipt of reports and any investigation to be carried out. It is expected that Bulgaria will opt for these shared channels of reporting.
It is likely that the final version of the Bulgarian Draft Bill will not provide for an extension of the material scope beyond that provided for in the Directive. It is also expected that no obligation will be introduced for undertakings with less than 50 employees to create channels for internal reporting of breaches. In addition, the Draft Bill is not likely to provide option for anonymous reporting.
However, only with the final Act of Parliament, once enacted, will Bulgaria decide: 1) whether to extend the material scope provided for in the Directive by introducing additional areas that may be affected by breaches; 2) which the institutions to which reports can be sent will be, as well as which institutions will have the powers to impose sanctions for breaches of the law; 3) what should the specific measures for protection of the persons reporting breaches be; 4) whether the obligation to introduce rules and procedures for internal reporting of breaches will apply to private undertakings with less than 50 employees; and 5) whether anonymous reports of breaches will be provided for.
The absence of an adopted transposition act, as a rule, should lead to direct application of the Directive, but in view of the still discussed seven main options for the member-states, of the advanced legislative process in Bulgaria, and the existence of the first Draft Bill, we do not expect sanctions for non-compliance with the Directive on the part of Bulgarian businesses.
By Eleonora Mateina, Managing Associate, and Rashko Stoyanov, Associate, Tsvetkova Bebov & Partners