EU Member States have two years to transpose a new whistleblowing directive into national law.
- Companies with over 50 employees, and local authorities which provide services for more than 10,000 people, must create internal reporting procedures;
- Reporting persons will include not only employees, but also the self-employed, volunteers, trainees and shareholders. Whistleblowers must be protected from retaliation both directly and indirectly, including colleagues and relatives;
- The directive provides an extensive list of prohibited behaviours that constitute retaliation, including providing negative performance ratings, discrimination and transfer of duties;
- The directive extends protection to those who “had reasonable grounds to believe that the information on breaches reported was true at the time of reporting”. Whistleblowers who report matters anonymously but are subsequently identified qualify for protection under the directive; and
- A three-tier reporting system is created by the directive: internally to the employee’s organisation, externally to authorities and publicly to the media. Companies have a three-month deadline to respond and follow up with the reporting person after the report. Whilst internal reporting is encouraged, the directive does not penalise whistleblowers who report externally in the first instance.
Affected organisations are well-advised to create an environment in which employees feel comfortable reporting concerns internally. Notwithstanding that misconduct is likely to be costing companies money, internal reporting reduces the risk that employees will report matters directly to regulatory or law enforcement agencies or the press, resulting in a loss of control and the risk of an official investigation or adverse publicity.
On 25 September 2019, the EU formally adopted a new directive (the “Directive”) on the “protection of persons who report breaches of Union law”, designed to enhance protection for whistleblowers within the EU. EU Member States now have two years until October 2021 to transpose the Directive into national law. As a departing Member State, the United Kingdom has confirmed to the EU that it will not be implementing the Directive, albeit the British Government has stated that it will, in due course, conduct its own review of the whistleblowing regime in the U.K. However, the Directive will result in changes that will affect companies with operations in other Member States.
The Directive is designed to provide common minimum standards across Member States, and is the first EU legislative piece of its kind. Prior to the Directive, protection for whistleblowers across Europe was disparate. For instance, the France law, Sapin II, of 2017 provided broad protection to whistleblowers, whereas countries like Germany and Spain provided whistleblowing protection only through employment legislation. Other European countries granted partial protection covering only public servants, specific sectors or specific offences.
The Recitals to the Directive begin as follows:
Persons who work for a public or private organisation or are in contact with such an organisation in the context of their work-related activities are often the first to know about threats or harm to the public interest which arise in that context. By reporting breaches of Union law that are harmful to the public interest, such persons act as ‘whistleblowers’ and thereby play a key role in exposing and preventing such breaches and in safeguarding the welfare of society. However, potential whistleblowers are often discouraged from reporting their concerns or suspicions for fear of retaliation. In this context, the importance of providing balanced and effective whistleblower protection is increasingly acknowledged at both Union and international level.
The recitals also note that protection for whistleblowers is currently “fragmented” and “uneven” across Member States. Indeed, the EU Commission carried out a study in 2017 estimating the economic benefits of whistleblower protection to be between EUR5.8 to 9.6 billion relating to the area of public procurement alone.
Organisations with over 50 employees as well as local authorities providing services for more than 10,000 people must create reporting procedures for employees to flag misconduct, including bribery and money laundering. Organisations with 250 or more employees must comply with the Directive by October 2021. However, by way of derogation, organisations with between 50 and 249 employees have two further years until October 2023 to comply.
The Directive creates safeguards to protect whistleblowers both directly and indirectly. For example, colleagues or relatives of the reporting person are covered by the protections. Indirect retaliation also includes actions taken against a legal entity in relation to which the whistleblower is either owner or an employee.
The remit of the Directive is wide. Common minimum standards for the protection of whistleblowers are provided across a large number of areas including areas such as public procurement, financial services, product safety and competition law. Additionally, a large number of individuals are covered by the Directive; not only employees, but also the self-employed, volunteers, trainees and shareholders.
The Directive creates a three-tier reporting system:
- Internal reporting, which is encouraged in the first instance for “early and effective resolution of risks to the public interest”. However, there is no loss of protection for those who choose to report externally. Indeed the Directive states that the decision as to whether to report internally or externally should be for the whistleblower to choose “depending on the individual circumstances”; for example, if the whistleblower believes that internal channels will not reasonably be expected to function properly. Organisations must acknowledge receipt of reports to the reporting person within seven days, respond to disclosures within a “reasonable timeframe” and provide feedback to the reporter within three months.
- External reporting processes which must also be made “clear and easily accessible” by the competent authorities (such competent authorities being designated by Member States). Authorities must also respond and follow up within three months. However, this can be extended to six months in duly justified cases dependant on the “nature and complexity of the subject of the report, which may require a lengthy investigation”.
- Whistleblowers can finally report publicly where they have “reasonable grounds to believe that there is an imminent or manifest danger to the public interest, or a risk of irreversible damage, including harm to a person’s physical integrity”. This still, however, offers limited protection to whistleblowers, particular in relation financial impropriety or tax evasion. Notably, the Directive, had it been in force, would not have protected the convicted whistleblowers, Antoine Deltour and Raphael Halet, for reporting to the media in the “LuxLeaks” 2014 scandal.
Points to Note
There are various points worth noting in relation to the Directive.
- The Directive extends protection to those who “had reasonable grounds to believe that the information on breaches reported was true at the time of reporting”. What constitutes a “reasonable ground” in this context will likely require clarification in due course. 
- Whistleblowers who report matters anonymously but are subsequently identified nonetheless qualify for protection. This may have been included as a result of various recent high profile cases in which attempts have been made to identify an anonymous whistleblower.
- The Directive creates a specific duty of confidentiality towards whistleblowers, preventing their identity from being revealed beyond authorised staff members competent to receive or follow up on reports. However, the Directive goes on to provide that, by way of derogation from this principle, the identity of a reporter may be disclosed “only where this is a necessary and proportionate obligation imposed by Union or national law in the context of investigations by national authorities or judicial proceedings, including with a view to safeguarding the rights of defence of the person concerned”.
- The Directive provides an extensive list of prohibited behaviours that constitute retaliation, and requires that Member States make available to whistleblowers “comprehensive and independent information and advice, which is easily accessible to the public and free of charge, on procedures and remedies available, on protection against retaliation, and on the rights of the person concerned”.
- The Directive requires Member States to “provide for effective, proportionate and dissuasive penalties” (i) against those who retaliate against whistleblowers; and (ii) “in respect of reporting persons where it is established that they knowingly reported or publicly disclosed false information”.
Affected organisations may wish to consider the following in relation to their obligations under the Directive:
- Create or update internal reporting channels which allow whistleblowers to report via an online system, email, post or a telephone hotline. Upon the request of the reporting person, such channels must allow for a physical meeting within a reasonable timeframe;
- These internal channels should ensure compliance with the relevant timeframes conferred by the Directive and provide for a process of diligent follow-up. It is suggested that the system is thoroughly tested and that there are contingencies in place to enable deadlines to be met;
- Designate an impartial person or department for following up on reports and maintaining communications, such as the Head of HR or Compliance;
- Ensure that all personal data of the whistleblower and any third party mentioned in a report are held confidentially and in accordance with the EU General Data Protection Regulation (GDPR). Reports and associated data should be kept secure so that information on the internal investigation may be provided to competent authorities if necessary;
- Update company and employee handbooks with respect to changes to internal reporting proceedures. Information should also be provided concerning external reporting processes to competent authorities. Organisations should ensure that these documents are easily accessible, e.g. on an intranet; and
- Ensure that information is captured in an accurate manner, bearing in mind that it is unlikely to be privileged and may be subject to voluntary or compulsory disclosure at a later stage.
The Directive seeks to harmonise rules across EU Member States and create a clear reporting structure, without fear of retaliation, for whistleblowers. Some Member States already have existing protections for whistleblowers but will certainly need to enact further improvements. Affected companies must ensure that they have implemented robust internal reporting structures which are compliant with the requirements of the Directive.
More broadly, companies should use the Directive as an opportunity to promote a culture in which employees feel comfortable reporting concerns. This is likely to have a significant range of benefits for companies. For example, they may be put on notice of a range of misconduct which could be costing the company money (e.g. internal frauds and conflicts of interest) or creating material legal, regulatory or reputational risks (e.g. bribery and corruption or environmental or competition issues). Early warning of such issues is a critical part of allowing companies the first opportunity to address a potential problem, failing which there is a risk that employees will report matters directly to regulatory or law enforcement agencies—at which point the risk is that matters may be taken out of the company’s hands.