EU Whistleblower Protection Directive: Consequences and Practicalities

Unpack the “reverse burden of proof” of retaliation and how it relates to third parties and employees, as well as relationships and management of external reporting bodies and the consequences of the Directive.

There are a wide array of articles about the EU Whistleblower Protection Directive swirling around the internet, but despite the saturation of our feeds, some significant issues have largely gone unnoticed. With every good intention, such as the EU establishing increased protections for whistleblowers, comes some consequences. Today, we will be focusing on the nuances and unseen consequences, issues, and practicalities behind the Directive, unpacking hot-button issues such as the “reverse burden of proof,” the role of third parties, and what management of external reporting bodies will look like under the scope of the Directive. 

Tune into our weekly blogs and masterclass webinars focusing on the Directive. So far, we’ve covered the vital few actions you must take to comply, how to evaluate a hotline vendor and determine who will support you best, the Who, What, Where, When, Why, and How behind the Directive, and so much more.  

Unpacking the “Reverse Burden of Proof” of Retaliation 

One of the most discussed elements of the Directive is the “reverse burden of proof” requirement. Before the Directive, many whistleblowers who experienced retaliation because of their reporting had to prove that they were retaliated against, adding an additional layer of bureaucratic red tape and potentially retraumatizing the whistleblower. The reverse burden of proof requirements in the Directive are so groundbreaking because now, the company will have to prove that they did not retaliate against an employee. This shift is radically unique and forces organizations to establish protective measures, internal/external policies, and meticulous documentation processes.  

Not only does the Directive set out to protect individual whistleblowers, but it also addresses indirect retaliation, or retaliation focused on facilitators (who assist a reporter) and third parties (associated persons) connected with the reporter. Because most companies don’t already have these retaliation prevention measures in place, the reverse burden of proof will likely require a demonstrably more proactive and communicative approach to anti-retaliation. Simply addressing retaliation prevention in an internal policy or in a periodic post-report follow-up is no longer sufficient after the December 17th deadline. Take the time to polish up your anti-retaliation plans in order to escape any costly infractions in the future. 

Where Do Third Parties Fit In? 

The EU intentionally defines “worker” as broadly as possible, casting the widest net in order to extend protections to the largest number of individuals in “work-based relationships.” A local employee, with decades of full-time employment, is just as protected as a subcontractor or an international volunteer. The Directive acknowledges that our global marketplace includes a wide array of third-party relationships that extend far beyond industry or border. 

The EU Whistleblower Protection Directive protects a wide range of third parties including: 

  • Suppliers 
  • Vendors 
  • Former employees 
  • Temporary workers 
  • Fixed-term contract workers 
  • Subcontractors 
  • The self-employed 
  • Freelancers 
  • Job applicants 
  • Work applicants 
  • Trainees 
  • Interns (paid or unpaid) 
  • Volunteers 
  • Third-parties or facilitators 
  • Joiners/Leavers 

Take a close look at those last two bullet points. Protection is extended to third parties or facilitators, such as relatives or colleagues, because they could also be affected by a disclosure report. Protections also apply to “joiners,” or individuals whose work-based relationship has yet to begin. A joiner could be an individual who is still in pre-contractual negotiations. “Leavers” are also covered by the scope of the Directive, extending protections to individuals who have ended their employment period at a company.   

Now that we know that we must cover a significantly longer list of workers, how do we make sure that your effective reporting channels and processes support them all? Your external communications are of paramount importance when interacting with third parties and putting up a few posters in company washrooms will simply not suffice. This is the first real example of consequences and practicalities of the Directive that are not fully thought through. External access to a helpline will require more thought and deliberate action, to actually be useable, repeatable, and documentable.  

Does your organization use a supplier or vendor portal? Access outside your company firewall can be incorporated into your current channels, and you can use them to publish specific phone numbers or email addresses. Could you publish your hotline number on your website, or make it an item alongside your modern slavery statement? These creative solutions come with one major caveat: Your hotline might inadvertently collect complaints of varying types, such as customer complaints or personal grievances not covered by the Directive. Does your company have processes in place to address that situation? 

Third Parties and the Reverse Burden of Proof 

A bulk of the conversation revolves around extending whistleblowing protections to individual employees, but the fact that the reverse burden of proof also applies to third parties means that we must consider retaliation in regards to third-party entities. Imagine you’re a vendor and you make a whistleblowing report and consequently face retaliation, losing your contract. The Directive extends the same coverage to you, a third-party vendor, as it does to an individual employee. 

Most companies already have some sort of anti-retaliation policy in place, but most are woefully inadequate; most ranging from 16 words to 16 pages. How many of these existing policies even mention third parties at all? The reality of the situation is that a third-party report of retaliation can’t be treated like another report. Don’t assume that you are already set up to handle these kinds of reports, stressing your current policies and internal reporting mechanisms to their breaking point. Does your current anti-retaliation policy also cover joiners, leavers, and facilitators who assist those who speak up, such as colleagues or relatives? Flex your compliance muscles and strengthen your current anti-retaliation policy to include third parties. 

Employees and the Reverse Burden of Proof 

As you can tell by now, the hypothetical situations regarding retaliation can add up and easily overwhelm even the most experienced ethics and compliance professional. The consequences and practicalities of the Directive continue as we cover the whole process, from start to finish, around retaliation following the receipt of a report. Simply put, what processes are in place at your company to address retaliation once a report is received? For example, do you have analytics in place to document every step and cover your reverse burden of proof responsibility? Covering all of your bases may make you feel a bit like Sisyphus, but by doing your heavy lifting now, you’ll prevent surprise boulders rolling down the hill and taking you with them.   

Relationships and Management of External Reporting Bodies 

Under the Directive, whistleblowers can submit their reports via a three-tier reporting process: internal channels, external channels, and public channels. In some EU nations, a nominated body or regulator for external reporting may already exist, but for most countries, they are in the process of being established. At a practical level, it’s important to recognize that these bodies will be different and will no longer be passive recipients of reports; they will potentially receive reports that require their active follow-up. Because some of these bodies are going to be very active and others will be low touch/involvement, companies will need to think about how and who will deal with these bodies. Will your organization nominate compliance, legal, regulatory affairs, or someone else to fulfill the role? Hopefully, your company won’t face any external reports, but since there is no obligation for reporters to report internally first, we may see a surprising level of external reporting. The key to managing these reports will be establishing strong processes and identifying/training appropriate individuals. 

Regardless of your organization’s size, implementing a hotline now will prevent whistleblowers without other internal options, from reaching out to these external bodies or the media. Take back as much control as you can and make sure that your internal helpline and related internal communications are strong. Test your helpline by making test reports and follow up on any cracks in the process. Better to catch a weakness now than in the future, when an external body takes matters into their own hands. 

What are the Consequences of the EU Whistleblower Protection Directive?  

Since the Directive is not a regulation, it is not a legal act that will automatically and uniformly apply to all EU Member States without needing to be transposed into national law. In contrast, a Directive requires a certain result, but leaves Member States free to choose how to achieve it. This obviously leaves the door wide open for 27 different interpretations, compounding issues for cross-border cases, international acquisitions, and global suppliers. 

Given the potential for Member States to go above and beyond the requirements of the Directive in their whistleblower policies and procedures, companies operating Europe-wide should consider that a gold-plated standard for their whistleblowing policy is the simplest route to ensure both a unified approach across their business and compliance with the Directive. Although the UK has the Public Interest Disclosure Act (PIDA) and has decided not to implement the Directive, many companies are nevertheless including the UK in their compliance programs. It is expected that the UK will implement many of the Directive’s requirements into its own version. 

Anonymous reports are currently a hot button issue for Member States. They will potentially take up to four forms: some nations will accept all, some will accept none, some nations will accept them but will be under no obligation to investigate, and some nations will accept them, but will not publicize that they do. Denmark has implemented a “no obligation” approach, but their plan has backfired already, receiving international criticism for their minimalistic implementation.    

Although the EU Whistleblower Protection Directive leaves responsibility for penalties and fines with Member States, some likely penalties include: 

  • Maximum fine of approx. 40,000 euros or 5% of net turnover if employer fails to prevent retaliation 
  • Damages and compensation for a person subject to retaliation (unspecified so far). Up to 24 months’ salary for employees unlawfully terminated for whistleblowing 
  • Breaching confidentiality risks penalties of up to 21,750 euros or imprisonment (similarly for defaming a whistleblower) 
  • Damages for a person subject to retaliation, unspecified so far. Fines for failing to establish internal channels, hindering reporting and breaching confidentiality 
  • Employers failing to comply risk fines and paying compensation (unspecified so far) 

Master the Requirements of the EU Whistleblower Protection Directive   

Prepare to comply with the requirements of the EU Whistleblower Protection Directive by the deadline of December 17, 2021 with this free series of eight expert-led webinars. 

Sign up for the Masterclass Series