The EU whistleblower protection directive

On Oct. 7, the EU adopted a legal framework aimed at providing a comprehensive EU approach to whistleblower protection. (See Whistleblower protection to be boosted under new EU directive, Oct. 8, Government Europa.) Starting in 2021, all 28 EU member states will have to meet minimum standards as provided by the EU Whistleblower Protection Directive. Here’s some background of the current landscape and some of the main elements of the new law.

Current legal landscape

Less than half of all EU member states had whistleblower protection legislation in place before this directive, which means potential whistleblowers were facing a real risk of retaliation. This risk was confirmed when Luxembourg courts sentenced the LuxLeaks whistleblowers. (See Whistleblowers found guilty in LuxLeaks trial, by Amelia Schwanke, June 29, 2016, ITR.)

The new directive addresses this fear, stating that “the importance of providing balanced and effective whistleblower protection is increasingly acknowledged both at European and international level.” In the EU, there’ve only been a very limited number of sectors where measures have been instituted to protect whistleblowers, mostly in the areas of financial services.

The European Commission’s factsheet on whistleblower protection shows that 49% of EU citizens don’t know where to report corruption. A mere 15% are aware of the existing frameworks regarding whistleblower protection. These numbers underline the importance of bringing the new directive to the attention of the public and underlining its potential for employees and employers.

In the fact sheet, the European Commission states: “The new law will establish safe channels for reporting both within an organisation and to public authorities. It will also protect whistleblowers against dismissal, demotion and other forms of retaliation and require national authorities to inform citizens and provide training for public authorities on how to deal with whistleblowers.”

Material scope

The new law protects whistleblowers from liability related to reporting breaches of law in accordance with the directive. The Whistleblower Protection Directive includes a wide array of EU law that whistleblowers might report on including anti-money laundering and corporate taxation, data protection, protection of the EU’s financial interests, food and product safety, and environmental protection and nuclear safety. Moreover, member states are free to extend these rules to other areas. The European Commission encourages them to establish comprehensive frameworks for whistleblower protection based on the same principles.

Personal scope

The new directive has a broad scope, including private and public sectors. A wide range of individuals might rely on the new law — from employees and volunteer workers to so-called facilitators, colleagues and family members of the person issuing the report. The directive’s scope covers whistleblowers who haven’t commenced their work-based relationship to those whose job has already ended. Although consumers aren’t explicitly mentioned as eligible for protection under the law, there’s no prohibition to report on breaches perceived by a consumer, as long as knowledge of the breach was gathered in a work-related context.

Procedures for internal reporting and whistleblower management

Regarding internal whistleblowing and follow-up, the Whistleblower Protection Directive states that the following elements should be included:

1. Channels for receiving the reports. These channels should be designed, set up and operated in a secure manner that ensures the confidentiality of the whistleblower’s identity and any third party mentioned in the report, and should prevent access to non-authorized staff members. Whistleblowers should be able to report through written and/or oral means using the telephone or other voice messaging system. If a whistleblower requests a physical meeting they should get one within a reasonable time frame.
2. A receipt of the report acknowledgment within no more than seven days. Feedback should be provided to the whistleblower within a reasonable time frame, not exceeding three months from acknowledgment of receipt.
3. The designation of an impartial person or department to follow up on the reports, maintain communication, ask for further information and provide feedback to the whistleblower.
4. Diligent report follow-up by the designated person or department.
5. Diligent anonymous report follow-up where provided for in national law.
6. A reasonable time frame for providing feedback to the whistleblower about the report follow-up, not exceeding three months from the acknowledgment of receipt.
7. Clear and easily accessible information regarding the conditions and procedures for reporting externally to competent authorities.

Regarding external whistleblowing, the Whistleblower Protection Directive states that public authorities must establish independent and autonomous external reporting channels for receiving and handling information provided by the whistleblower. This means that such channels need to be designed, set up and operated in a manner that ensures the completeness, integrity and confidentiality of the information and prevents access to non-authorized staff members of the competent authority. Channels must keep information available and usable to allow for further investigations.

Anonymous reporting

Member states can still decide whether private or public entities and competent authorities need to accept and follow up on anonymous reports of breaches.

A recent study by Transparency International finds that only 11 member states offer the possibility of anonymous reporting. (See Mapping the EU on legal whistleblower protection, April 2019.) Often, fear of not being able to hold a whistleblower accountable for malicious reporting leads to a ban on anonymous reporting. However, this approach doesn’t consider the importance of offering effective protection to the whistleblower and doesn’t acknowledge the value of anonymity as a protection against retaliation. It would seem that legislators prefer to deter malicious whistleblowers rather than to increase chances of becoming aware of a breach.

Even if member states don’t impose an obligation to process anonymous reports, whistleblowers might still benefit from the law. Under the new law whistleblowers are offered protection when their identity becomes known over time; a whistleblower can issue an anonymous report even if there’s no national obligation to deal with it. After three months of quiet time, the whistleblower could make the breach public by going to the press. If this discloses whistleblower’s identity, the whistleblower might still enjoy legal protection.

No compulsory reporting sequence

The Whistleblower Protection Directive states that member states should encourage whistleblowers to use internal reporting channels first. It also says whistleblowers can choose the most appropriate channel depending on the individual circumstances of the case. This means that whistleblowers might report internally or externally to competent authorities, and as a last resort, whistleblowers might make a public disclosure, including to the media.

It’s more important than ever for organizations to offer a secure and effective internal whistleblowing channel. After all, from an organization’s perspective it’s better to deal with a wrongdoing internally rather than risk sensitive information ending up in the public domain.

Penalties for non-compliance

Many countries lack sanctions for not complying with whistleblower protection legislation, which results in a de facto hostile environment for whistleblowers to report breaches. The Whistleblower Protection Directive will introduce sanctions on retaliation against whistleblowers. Anyone who attempts to hinder reporting, retaliate against whistleblowers, attempt to bring proceedings or reveal the identity of the whistleblower will be penalized. Any threats or attempts to retaliate against whistleblowers are also prohibited. The new law doesn’t set minimum penalties nor does it determine whether sanctions should be based on civil or penal law.

Keeping whistleblowers safe

EU member states now offer more far-reaching protection to whistleblowers. Practice will show whether this will lead to side effects like whistleblowers “forum shopping” for protection in various national jurisdictions.

Member states must transpose the Whistleblower Protection Directive no later than two years after adoption. Legal entities with more than 50 and less than 250 employees have another two years after transposition to comply.

Jan Tadeusz Stappers, LL.M, is the legal counsel of WhistleB, a provider of professional whistleblowing systems. Stappers is assisting in the development of the new ISO 37002 standard on whistleblowing management systems. He’s a frequent professional speaker. Contact him at jan.stappers@whistleb.com.