Every business operating in the EU with 50 or more workers will have to take a hard look at its whistleblower policy and assimilate changes required by the new EU Whistleblower Directive. It is also something companies with connections to EU companies need to think about. The Directive marks a significant evolution in whistleblower protections. There are new concepts to confront such as the ‘reverse burden’ which introduces a presumption that any detriment suffered by a whistleblower is in retaliation for whistleblowing. It will be for the company to show otherwise. The category of persons entitled to protection under the Directive is extremely broad and includes anyone with a “work-based relationship” with the company (such as contractors, suppliers, and shareholders), paid or unpaid, EU nationals or not. The relationship can be past, present, or future with no expiry date. Companies may be haunted by reports from the distant past, the present, and from individuals who may have a future relationship with the company, such as a candidate for a role. To complicate matters further, the Directive is so far being approached in different ways across the EU, so it will be incumbent on companies to understand local laws and obligations. It is important for every business to whom it applies to get it right and consider how to overhaul, if necessary, existing policies and procedures.

The Whistleblower Directive (2019/1937) (“the Directive”) came into force in December 2019 and Member States had until 17 December 2021 to transpose it into national law for businesses with 250 or more workers. An extended deadline applies for organisations with between 50 and 249 workers (“medium-sized” organisations). However, the vast majority of Member States have missed the December 2021 deadline and national laws are at various stages of development and transposition. In addition, more than half of EU Member States have applied for an extension in relation to medium-sized organisations. Several Member States do not expect to be able to comply with the Directive until 2022. Despite these delays, there are things a company can do to prepare. In Member States with draft legislation in circulation, it may be wise to refer cautiously to the drafts as an indicator of the direction of travel in that particular Member State. In this alert, we look at what the transposition exercise across the EU tells us and what that means for companies. We also consider some practical concerns companies might have about the architecture of their whistleblower policies. In addition, we also consider the implications for U.K. companies with connections to the EU.

What is the Directive?

The Directive aims to provide a minimum level of protection for whistleblowers, who in many EU Member States were afforded insufficient and at times non-existent protection. Underpinning the Directive is the principle that whistleblowers play a key role in exposing and preventing breaches of law and in protecting the public interest and welfare of society. The Directive is concerned with breaches of EU law and is designed to enhance the enforcement of EU law and policies. The rationale being that the more people who feel safe to speak up, the higher the number of whistleblower reports and the greater the level of enforcement. A 2017 report carried out by the EU Commission concluded that only 10 EU countries had comprehensive legal protection for whistleblowers.^[1] The nature of the transposition exercise by necessity means there will be some variation across the region which may present a significant challenge to relevant companies and those with operations in several EU and non-EU countries seeking to ensure coherence and consistency within the organisation.

A striking feature of the Directive is that its protections are not limited to employees. The protections must also be afforded to any reporting person who acquires information on a breach in a work-related context. This includes ‘workers’, akin to employees, but also the self-employed, shareholders, third-party contractors, suppliers, volunteers, and those working under the supervision and direction of contractors, subcontractors, and suppliers. A reporting person is entitled to protection whether that work-based relationship is current, concluded, or prospective.

At its core, the Directive requires national laws to ensure that relevant public and private sector organisations establish a confidential “internal reporting channel” to which reports may be made and establish procedures for handling and following up on reports. The Directive also requires each EU State to establish confidential “external reporting channels”, namely a designated competent authority. The external channel may receive reports on breaches, even where the internal channel within a company has not been the first port of call. The Directive envisages whistleblowers being encouraged to report internally first before resorting to the external reporting channel, and it is in the interests of each business to encourage this.

The Internal Reporting Channel

The internal reporting channels must be confidential, set up within each company, and must be in place at a local level. The channels may be operated internally or outsourced (to some extent) to an external third party. The framework envisaged by the Directive includes a designated person/department responsible for handling and following up on reports, and time limits for acknowledgement and providing feedback. The responsibility for following up on reports and giving feedback remains with the internal designated person and cannot be outsourced. Information about the existence of the internal channel and how to access it must be made widely available to workers, but the Directive leaves it to Member States to decide to what extent this information is made available to the broader category of protected persons. These details highlight the minefield which may lay ahead for companies trying to navigate the various interpretations given to the Directive during the implementation process.

Internal reporting channel must be local

The Commission Expert Group^[2] on the Directive, which gives advice and guidance on interpreting the Directive, has made it clear that the internal reporting channel must be local, namely in the country in which the company operates. The internal channel may be in addition to any existing group-wide whistleblowing systems or channels but a global, central, or even regional whistleblowing system alone would not be compliant, although such additional channels are not discouraged.^[3] On its face, this means that each company, i.e. legal person, will be required to have its own internal channel and designated person.

In two letters published by the EU Commission in June 2021, written in response to inquiries from various large corporations, the EU Commission provided guidance on the interpretation of aspects of the Directive. It confirmed that a centralised whistleblowing solution and investigative capacities only at group level would be non-compliant.^[4] It also advised that under a proper interpretation of the Directive, in relation to medium-sized companies:

1. resources may be shared but each company remains responsible for complying with its obligations to maintain confidentiality, to give feedback, and to address the reported breach;
2. the parent company may provide investigative capacity but there must be a reporting channel at subsidiary level;
3. the whistleblower must be informed that the report could be accessed at parent or headquarter level, but the whistleblower has the right to object to this and demand that the report is only investigated at subsidiary level; and
4. the subsidiary remains responsible for any other follow-up measure and feedback.^[5]

The fact that a report made to the internal channel, i.e. locally, cannot be shared with or handled and investigated by the parent company without the whistleblower’s knowledge and agreement, may result in a parent company not being able to access the report or having any involvement in the investigation. In these circumstances, the investigation will remain the responsibility of the local subsidiary, something which is likely to have financial implications for a company that currently has a centralised system.^[6] Larger companies will need to rethink their current policies and consider how to create an environment in which whistleblowers are comfortable sharing their report with the parent company.

The guidance provides practical assistance for Member States and businesses but also shows the degree to which the Directive is expected to operate at a local level and highlights practical issues with which larger multi-national companies will have to grapple. The balance of power shifts under the Directive and it is a matter for the whistleblower whether to report a breach locally or at group/parent level. It is also open to the whistleblower to bypass the internal channel and report directly to the external reporting channel, at which point the report and its management are out of the company’s hands.

Outsourcing

The operation of the internal reporting channel may be outsourced to a third party, but the third party must be truly distinct from the company itself. Meanwhile, responsibility for investigating and addressing the report remains with the company.^[7]

Despite implementation being far from universal across the EU, companies should already be thinking about:

• how local internal channels will be established;
• to whom the internal channel will be made available and how access will be facilitated;
• how the internal channel will be operated; and
• how investigations will be handled.

Anonymity and public disclosures

The Directive does not impose a duty to accept and follow up on anonymous reports, but where an anonymous whistleblower is subsequently identified and/or suffers retaliation, they are entitled to full protection. The position in relation to anonymous reports is not to be presumed as it is open to a Member State to legislate otherwise.

A whistleblower who makes a public disclosure, i.e. makes a report to the media, is also entitled to protection under the Directive, but only in certain circumstances, e.g. the breach was reported internally and externally but no action was taken in accordance with the time limits, or the breach constituted an imminent danger to the public interest. This aspect of the Directive has been criticised by parts of the media as discouraging such disclosures. However, the national laws will be the final arbiters of how such reports are handled.

In both cases, companies have questions to address. It is in a company’s interests to ensure its culture is such that its internal channel is viewed positively and is the whistleblower’s chosen first port of call. An internal report allows the company to manage the report and to address it internally, thereby limiting any potential reputational damage and preventing recourse to the external channel or a public disclosure. The Directive makes clear that a company cannot compel a whistleblower to report internally.

Increase in reports

The strengthening of whistleblower protections across the EU is expected to lead to an initial increase in reports, some of which may be anonymous or made directly to the public; some may be groundless. It is in a company’s best interests to ‘get ahead’ of any potential problem by ensuring its own internal channels are accessible, secure, effective, and attractive to whistleblowers, as even baseless reports have the potential to cause reputational damage.

Reverse burden

Another significant feature of the Directive is the introduction of a reverse burden. Any detriment suffered by a whistleblower is presumed to be in retaliation for the report. It will be for the company to rebut the presumption. The reverse burden, in whatever form it is introduced into national law, is a significant protection for whistleblowers. It presents another issue companies must navigate carefully and ensure that sufficient training is given and measures put in place to protect against any form of action which may be presumed to be an act of retaliation. The Directive reinforces the reverse burden by requiring dissuasive penalties for acts of retaliation.

Penalties for companies

The Directive requires the introduction of effective, proportionate, and dissuasive penalties for conduct which hinders reporting, retaliation, bringing vexatious proceedings, or breaching the duty of maintaining confidentiality. The level at which these penalties are set is a matter for national law but in order to be proportionate and dissuasive, the fines are likely to be based on the size and turnover of a company.

Divergence across EU Member States

The vast majority of EU Member States missed the 17 December 2021 deadline. Although some countries such as Denmark and Sweden transposed the Directive in good time, the majority are ‘in progress’. At the time of writing, three EU Member States had not even started the process at all. Competing interests, consultation, and debate may be contributing to the delay, but irrespective of progress, there are things a company can do to prepare including:

• determine whether it is likely to fall within the scope of the Directive;
• review existing whistleblowing policies, guidelines, and procedures;
• establish protocols for receiving and handling subsidiary and parent level whistleblower reports;
• provide awareness training to workers and potentially others with whom it has/had/intends to have a work-based relationship in order to encourage use of the internal channels; and
• consider whether and to what extent the wider company policy/systems should be harmonised.

Until the Directive is transposed across the EU, there is a limited extent to which a company can prepare. However, it may be possible to get a sense of the direction by looking at how those who have made progress are implementing the Directive.

What is happening across the EU?

Although the Directive is concerned with breaches of specific sectors of EU law, a Member State may, and is encouraged to, avoid creating two separate systems—one for breaches of EU law and one for breaches of national law. Many EU Member States are taking on the challenge and proposing or implementing laws which create a single system which applies to both EU and national law.

Denmark was the first EU Member State to fully transpose the Directive by passing its Whistleblower Act in June 2021. Medium sized companies have until December 2023 to comply. Denmark provides an example of national law exceeding the requirements of the Directive. The Danish legislation applies to breaches of EU law and “serious offences and other serious matters” under national law (including bribery, corruption, and sexual harassment). The legislation also permits the sharing of resources between companies within a group, as part of a group scheme. This was included by way of amendment following objections from interest groups and is arguably not consistent with the Directive. This highlights the need to be vigilant about the details of each country’s transposition and consider how to approach a potentially non-compliant provision in a country in which a company within a group operates.

After Denmark, Sweden became the second EU Member State to transpose the Directive, passing its own Whistleblower Act on 29 September 2021. The Swedish Act also goes beyond the minimum requirements set out in the Directive, for example by extending the protection of whistleblowers to reports on “…misconduct in work-related contexts for which there is a public interest”. The Swedish Act also stipulates that municipalities with less than 10,000 inhabitants will have to implement internal reporting channels, whereas the Directive only imposes the obligation on populations of over 10,000. Examples of how other EU countries are approaching the transposition exercise include:

• Romania: The draft bill proposal includes extending protection in relation to virtually any breach of a legal obligation and rules governing regulated professions. The draft bill requires internal reporting channels to be made available to all categories of protected persons, not only to workers.
• Czech Republic: The draft bill protects whistleblowers who report on breaches of EU and national law, and applies to smaller private sector companies (with at least 25 employees instead of 50) as well as all public bodies.
• Netherlands: The protection for reporters of breaches of national law and EU law is the same under the Dutch bill with two exceptions: (1) the statutory requirements in relation to the external reporting channel only apply to breaches of EU law and not national law; and (2) reporters of a breach of EU law can make a report if the breach is “reasonably likely” to occur but this protection is not extended to those who report “probable” wrongdoing in relation to national law.
• Under the Swedish Act and the Czech draft bill, companies and authorities must follow up on anonymous reports; however, there is no such obligation under the Romanian draft bill.

The potential variance across the EU illustrates why it may become unfeasible and possibly unlawful to rely on a group-wide or central whistleblower policy. The EU Commission has stated that the proximity of local secure reporting channels to the whistleblower ensures efficient operation of the channels and enables the whistleblower to request a physical meeting, as is their right under the Directive. A local reporting channel is also beneficial to the company as it allows the company to understand and manage the issue in a way which minimises the appearance of remoteness to the whistleblower. It also enables the company to ensure the report is handled in an appropriate way and brought to the attention of the correct person.

It is not in the interest of a company for potential whistleblowers to ‘forum shop’, seeking out the most beneficial jurisdiction in which to report. Harmonisation of whistleblower protections and procedures across a group may go some way to protect against this but it should be borne in mind that the Directive envisages no limitations by reason of nationality.^[8]

Benefits of a strong internal reporting channel

A strong, harmonised approach should offer wide protection to whistleblowers, for many reasons not least of which is to encourage internal reporting. Studies appear to show that the more internal whistleblower systems are engaged with, the fewer the lawsuits and the smaller the settlements. This is because the internal systems are a resource that helps management identify and address concerns before they become more costly and damaging to companies.^[9] Offering wide protection across the entirety of a company or group may also have the benefit of being consistent with the shared culture and ethos, as well as ESG initiatives. The EU Commission has stated that a “corporate policy instilling trust in the group whistleblowing function, possibly accompanied by an information policy publicising its availability and encouraging whistleblowers to report directly to the central group whistleblowing functions may result in whistleblowers tending to report there”.^[10]

The U.K. regime

The U.K. has indicated that it will not be adopting the Directive. U.K. whistleblower protections are governed by the Public Interest Disclosure Act 1998 (“PIDA”). Although PIDA contains some similar features to the Directive, it is significantly narrower in scope. Under PIDA, for example, there is no requirement for a company to have a whistleblowing policy unless it operates in a regulated sector, or for a company to have an internal channel (or anything similar). There is also no reverse burden.

The Directive is clear that non-EU citizens should be protected under the Directive by virtue of their work-related activities.^[11] Protections offered to whistleblowers under the Directive may appeal to workers and others in a U.K. subsidiary of an EU company, who may seek to report to the EU parent company offering greater protections. Any EU-based companies with a footprint in the U.K. (and vice versa) should be aware of the potentially broad application of the Directive and put in place compliant protocols.

Conclusion

Although the deadline has now passed and the vast majority of EU Member States have missed the December deadline, there is enough information available for companies to prepare. It is likely that 2022 will see a large number of EU countries move closer to completing or complete the transposition exercise, and many will turn to focus on the application of the Directive to medium-sized companies by December 2023. This delay has the unintended benefit of allowing companies to whom the Directive is aimed to audit existing whistleblower policies and procedures, consider the impact of the Directive, examine how EU countries and industry are reacting, and make changes. The Directive is expected to lead to an increase in whistleblower reports including from those who are outside the EU.