The EU Whistleblower Directive and its obligations for businesses
The “Whistleblower Protection Directive”, on the protection of persons who report breaches of Union law, entered into force on December 16, 2019 (Directive 2019/1937). The Directive is a call addressed to individuals working in either the public or private sector to report their concerns or suspicions (i.e., reporting persons) about alleged breaches of EU law carried out by the bodies that are employing them (i.e., person concerned).
This Directive lays down reporting procedures for these persons who are in a “privileged position” to disclose and report such breaches. Furthermore, it establishes guarantees against potential retaliation that could arise as a consequence of their reporting to help whistleblowers and support such reportings. The protection by this Directive is broad: it is available to whistleblowers who are either EU nationals or third-country nationals (recital 37). In any case, those who have suffered from retaliation should have access to legal remedies and compensation, as provided by national law (recitals 94 and 95).
Member States have until December 17, 2021 to transpose this Text into their national legislation (until December 17, 2023 with regard to private legal entities employing 50 to 249 workers). The German Government was planning the so-called Hinweisgeberschutzgesetz, which would have contained even stronger provisions than the EU law. But the German law will not be ready until the deadline, since the last government could not agree on a final version. This text aims to give an overview on the EU Directive to help companies prepare for the local laws.
Objectives of the Directive
Since whistleblower protection has not been harmonised across the European Union so far, important EU policy areas were lacking effective and uniform implementation due to the lack of adequate safeguards against retaliation by the employer against the employee. This Directive thus lays down minimum standards ensuring that whistleblowers are protected effectively (Recital 5).
Under this Directive, any form retaliation taken against whistleblowers is strictly forbidden, including threats and attempts to retaliate (Article 19). A non-exhaustive list of measures considered as retaliatory includes e.g.:
- early termination of a temporary employment contract,
- withholding of promotion, or
- harm to the person’s reputation.
Member States shall ensure effective whistleblower’s protection, notably through effective, proportionate and dissuasive penalties against companies in case of breaches (Article 23) and, the provision of remedies and full compensation for the damage suffered. Effective assistance, legal aid or even financial assistance should also be provided (Article 20).
Thus, by ensuring a minimum level of protection harmonised throughout the EU, the Directive aims to incentivise people to report breaches of EU law that are harmful to the public interest (Recital 1), to the benefit of transparency, uniformity, and coherency in the application of EU law.
Applicability of the Directive
The Whistleblower Protection Directive may apply under certain conditions relating to the reporting person’s status, the areas concerned by the potential breach, as well as the respect of certain procedures laid down into it.
- Personal Scope
Covered by this Directive (i.e., protected by this Directive) are the persons who report information on breaches of EU law acquired in a work-related context and having the status of e.g., employees, self-employed persons or volunteers/trainees. This even includes persons who are about to get employed or are no longer employed at a company. In any case, the whistleblower’s motivations in reporting a potential breach of EU law is not relevant as regard to the Directive’s application.
- Material Scope
The Whistleblower Directive requires that reporting persons shall have reasonable grounds to believe that the information on breaches reported was true at the time of reporting. In that sense, information on breaches includes “reasonable suspicions about actual or potential breaches, which occurred or are very likely to occur […] [as well as] attempts to conceal such breaches” (Article 5 (2)).
In addition, such information shall be related to breaches of specific EU Directives and Regulations, which are listed in the Annex to the Directive. The fields include:
- Public procurement;
- Financial services, products and markets, and prevention of money laundering and terrorist financing;
- Product safety and compliance;
- Protection of the environment;
- Radiation protection and nuclear safety; or
- Protection of privacy and personal data, and security of network and information systems.
Importantly, whistleblowers shall not incur liability in case of lawfully acquired or accessed information (Article 21), including when such acquisition or access “raises an issue of civil, administrative, or labour related liability” (Recital 92). However, cases where the acquisition or access to the relevant information has been made through the committing of a criminal offence are not covered by the scope of the Directive.
On the other hand, the Directive does not apply to reports of breaches of procurement rules involving defence or security aspects, unless they are covered by relevant Union’s acts. In the same vein, the Directive does not affect the application of Union or national law relating notably to the protection of classified information. In any case, whistleblowers shall not incur liability, “provided that they had reasonable grounds to believe that the reporting or public disclosure […] was necessary for revealing a breach pursuant to this Directive” (Article 21 (2)).
- Reporting Procedures for Disclosure
When reporting breaches of EU law, whistleblowers should be guided by the procedures laid down in the Directive.
Under the internal reporting and follow-up channel (Articles 7 and following), Member States shall ensure that private and public sector entities of 50 or more workers keep a reporting system operated either internally to the company (by a person or a dedicated department) or entrusted to an external third party. Under certain circumstances, Member States may however require private legal entities with fewer than 50 workers to establish internal reporting channels and procedures. This may notably concern companies whose activity may affect the environment or public health. This decision should be the result of an appropriate risk assessment.
The entity having received the reporting shall provide feedback under a reasonable timeframe, that is, not exceeding three months.
The internal reporting channel should be the preferred means where the breach can effectively be addressed and without retaliation risk for the whistleblower. Alternatively, the whistleblower can choose to report externally (Articles 10 and following) to competent public authorities designated by the Member States, either directly or after having first made an internal report. These national authorities shall establish independent and autonomous external reporting channels and shall provide feedback to the reporting person under 3 months (6 months in duly justified cases). In case of high inflows of reports, Member States may provide alternatively that reports of serious breaches or breaches of essential provisions falling within the scope of this Directive should be dealt as a matter of priority, without prejudice to this timeframe.
Where required by Union or national law, the national authorities shall transmit the report to competent EU institutions, bodies, offices or agencies for further investigation (Article 11 (2) (f)).
In order to prevent retaliation, provisions common to both procedures guarantee the non-disclosure of the whistleblower’s identity to anyone beyond the authorized staff members competent to receive or follow up on reports without the former explicit consent. This provision may only be waived in cases necessary to safeguard the rights of defence in the context of investigations or judicial proceedings against the person or entity having allegedly breached EU law.
Entities receiving reports either from internal or external channels shall also acknowledge the receipt of such reports within 7 days and shall diligently follow-up of the procedure. The reporting can be done either in writing or orally and be recorded accordingly.
Furthermore, reporting channels should be convenient and known to the potential whistleblowers, for instance through the identification of the relevant procedures and conditions for reporting on the entity’s website.
Finally, whistleblowers may also enjoy protection under this Directive when they opt for public disclosure (Article 15), if:
- They first have reported internally and externally, or directly externally, but no appropriate action had been taken accordingly; or
- When they reasonably believe that the breach may constitute an imminent or manifest danger to the public interest (e.g., emergency situation or risk of irreversible damage) or in case of external reporting, there is a risk of retaliation, or it is unlikely that the breach will be addressed effectively due to the particular circumstances of the case. This may be the case for instance where evidence may be concealed or destroyed or where an authority may be in collusion with the perpetrator of the breach or involved in the breach.
These conditions do not apply where a reporting person directly discloses information to the press pursuant to specific national provisions establishing a system of protection relating to freedom of expression and information. Importantly, when a breach is reported in accordance with the Directive procedures, the person who took the detrimental action (retaliation) bears the burden of proof to demonstrate that such action was not made in response to the whistleblower’s disclosure.
For undertakings and entities active in either the public or private sector, this Directive imposes extensive obligations that will have to be answered through substantial investments, notably when it comes to the setting up of internal reporting and follow-up channels, where applicable. This effort comes along the European Union’s endeavor to promote a better enforcement of its policies in areas essential to the public interest.
The Whistleblower Protection Directive establishes extensive protection against retaliatory measures taken against persons reporting breaches of EU law and who lawfully exercise their right to freedom of expression. Whistleblowers who fail to follow the reporting procedures laid down in this Directive or who knew that the reported or publicly disclosed information was wrong will however not be protected (Article 23 (2)). In that regard, the Directive is an appropriate tool encouraging people to report potential breaches while restricting calumnious or defamatory endeavors.
Your contact at BHO Legal: Dr. Matthias Lachenmann