With the whistleblowing rules in Europe changing so fundamentally under the EU whistleblower directive, there is no question that companies, organisations and also local authorities need to take action now. Companies and organisations with more than 250 ‘workers’ (definition below) must comply with the legislation by 17th December 2021, and those with between 50 and 249 by 17th December 2023.
The need for the EU Whistleblower Protection Directive was triggered by a range of issues, such as high-profile whistleblower cases across the EU including LuxLeaks, Cambridge Analytica, the Panama Papers and Barclays. In the Barclays case, the bank was hit with a $15M (£12M) fine over attempts by senior management to unmask a whistleblower; the New York state department of financial services said its investigation found ‘shortcomings in governance, controls and corporate culture relating to Barclays’ whistleblowing function.’
In EU parlance, a directive specifies legislative results that must be achieved by each Member State (country), but they are free to decide how to transpose the directive into national laws within the following two years. For example, this EU whistleblower directive provides for minimum standards on how to respond and handle issues raised by whistleblowers.
The directive also gives Member States the authority to ‘encourage’ private sector companies and organisations with less than 50 workers to establish internal reporting channels and, if the Member State adopts this approach, then it can be less prescriptive in its requirements for these smaller entities, provided that these requirements maintain appropriate confidentiality and follow-up. It remains to be seen what encouragements might materialise, and also what the whistleblowing industry develops to cater for smaller entities, such as ‘helpline-lite.’
This article, the first of two, explains the key requirements of the Whistleblower Protection Directive, and highlights other crucial whistleblowing issues that European companies must now consider. Read Part 2 of this article series to discover the practical actions that you’ll need to take to comply with the directive.
Which companies, organisations and local authorities are caught by the EU whistleblower directive?
Companies, organisations & local authorities
Put simply, the scope of the directive—in all dimensions—is extensive. For example, the directive requires all companies and organisations with more than 50 ‘workers’ (together with local authorities that provide services for more than 10,000 people) to establish internal whistleblowing (‘reporting’) channels and processes. Clearly, this is a major change given that, at present, the majority of EU Member States do not legislate for whistleblowing processes, and even when they do, it is often limited to particular sectors such as financial services and public health.
The concept of a ‘worker’ in the EU is broad and includes not only regular employees, but also workers in a range of employment relationships, including part-timers, trainees, fixed-term contract workers and interns. The threshold of 50 workers may be problematic for companies and organisations whose headcount fluctuates around that level, but clearly, the safest option (and best from a governance viewpoint) would be to simply establish the necessary internal reporting channels.
The directive does not specify whether workers need to be physically located within the EU, although it is reasonable to assume that any legal entity established in the EU that employs more than 50 workers will need to comply with the EU whistleblower directive regardless of where the workers are located, be that inside or outside the EU.
Similarly, it is unclear whether non-EU entities that employ more than 50 workers who are located in the EU will need to comply with the directive, but given that their employees located in the EU are subject to a raft of EU labour laws, it is highly likely that that such entities will be subject to the directive, regardless of their employer’s location. Again, the safest option (and best from a governance viewpoint) would be to establish the necessary internal reporting channels, although it is expected that individual Member States will provide clarification on these points as and when the directive is enshrined in local law.
What scope of reporting will the EU whistleblower directive allow?
Currently, the scope of whistleblowing reports is both restricted and variable across the EU Member States, with several adopting the guidance specified by the Article 29 Data Protection Working Party Opinion 1/2006, which essentially limited internal whistleblowing schemes to the ‘fields of accounting, internal accounting controls, auditing matters, fight against bribery, banking and financial crime’. However, some Member States did not adopt this guidance, and also others have gone for increased scope, often to reflect international legislative developments particularly the US Sarbanes-Oxley Act. Additionally, some Member States limit—at least in theory—which role-types can be the subject of a report.
Scope under the directive
The directive has a focus on EU law and, as a consequence, the directive will allow whistleblowers to report, as a minimum, a very broad range of violations of the law including:
- Consumer protection
- Public procurement
- Financial services, products and markets, and prevention of money laundering and terrorist financing
- Public health
- Product safety
- Transport safety
- Protection of the environment
- Radiation protection and nuclear safety
- Food safety, animal health and welfare
- Protection of privacy and personal data, and security of network and information systems
- Violations affecting the financial interests of the EU
- Violations relating to the EU internal market, including violation of EU competition and State aid rules, and corporate tax law
Potential variations in scope under national laws
Under the EU whistleblower directive, Member States may extend the scope of reporting when they enshrine the directive into local law, and some may take this approach to reflect their own legislative developments in the area of whistleblowing.
The Netherlands, for example, previously established the ‘House for Whistleblowers’ Act which already requires companies and organisations with 50 workers or more to allow for reporting of ‘suspicious wrongdoing’ without limiting such wrongdoing to violations of EU law. As a consequence, the variability in current scope highlighted above is likely to continue, with several Member States taking their own approach. Clearly, knowledge and regular updating of scope is likely to prove very important to companies and organisations, as failure to do so could result in significant consequences. A ‘one-size-fits-all’ approach will simply not suffice. This will be covered in some more detail in Part 2 of this two-part article.
Is the reporting process specified?
The directive requires companies and organisations to support a range of reporting channels; these include post, physical complaint box(es), online, telephone and/or voice messaging. At the whistleblower’s behest, the company or organisation should also support reporting by physical meeting, which should be held in a ‘reasonable’ timeframe.
The EU whistleblowerdirective recognises that third-parties may also be engaged to receive reports on behalf of the company or organisation, and that these may range from external helpline providers right through to external counsel, recognised auditors, trade union representatives and/or other employee representatives including members of Works Councils; this recognises some of the existing approaches used within EU Member States.
However, regardless of the third-party that is selected to undertake this role, they must be able to demonstrate confidentiality, independence and compliance with data protection legislation. Clearly, this last requirement can be very challenging where global organisations and international data transfers are involved.
What does the EU whistleblower directive say about anonymous reporting?
At present, the EU Member States take a very wide range of approaches to anonymous reporting—from anonymous reporting not being allowed in Portugal, right through to the recommendation in Germany that all reports are made anonymously, under that country’s interpretation of the General Data Protection Regulation (GDPR). Other Member States, for example, allow anonymous reporting but place no obligation on companies and organisations to then investigate such reports, or allow anonymous reporting but require that the facility is not promoted.
Many of these approaches have their roots deep in individual country histories, and the EU whistleblower directive will not affect these nor the powers of individual Member States to decide their position on anonymous reporting. Given that this is a whistleblowing directive and not a regulation (which have binding legal force throughout every Member State and enter into force simultaneously across the EU), decisions on anonymous reporting will remain with the individual Member States as part of their national implementation.
However, regardless of the approach of individual Member States to anonymous reporting, the directive specifies that a whistleblower who reports or publicly discloses information on violations of EU law anonymously, and is then identified and retaliated against, will still be protected under the directive.
Who does the directive protect? The ‘work-based relationship’ concept
The protective scope of the directive has purposely been cast particularly wide, such that it offers protection to any and all whistleblowers who have acquired information on violations of EU law in what is termed a ‘work‑based relationship’ – regardless of the nature of their activities, whether it is paid and whether they are EU citizens or not. As a consequence, the directive protects:
- Individuals having the status of workers, such as current and former (part- or full-time) employees and temporary workers
- Individuals who are not workers but can play a key role in exposing violations of EU law and, in doing so, may find themselves in a position of risk (‘economic vulnerability’), such as contractors, sub-contractors, the self-employed, freelancers, suppliers, vendors, shareholders and members of professional-type bodies
- Job applicants or work applicants e.g. individuals seeking to provide services to a company or organisation, who acquire information as part of that process and then face retaliation, such as blacklisting, a ‘whispering campaign’, negative references or boycotting
- Trainees and interns (paid or unpaid)
As can be seen, this protective scope is very extensive, such that the directive is intended to provide protection to anyone who could become a whistleblower as a consequence of their ‘work-based relationship.’
Crucially, to be afforded protection under the EU whistleblower directive, the whistleblower only needs to have reasonable grounds to believe that what they are reporting is true, with their motives for reporting (good or bad) being considered irrelevant. This is a notable variation of the normal ‘good faith’ requirement.
Does the EU whistleblower directive address retaliation? Is there anything unique?
Given the purpose and nature of the directive, there is a significant focus on retaliation. The directive requires that Member States prohibit any form of retaliation, and also establish a range of protective measures. Although these are largely aimed at Member State-level, they clearly set a benchmark for processes in companies and organisations, and it is not unreasonable to expect that major whistleblowing cases will examine what protective measures, policies and suchlike were in place, and how effectively they were deployed.
The directive requires that Member States establish protective measures including independent advice services for whistleblowers, immediate remedial measures against retaliation, protection from liability, protection in judicial proceedings, and other support services, including financial and psychological.
The remedial measures are intended to stop ongoing workplace retaliation, and also to prevent dismissal (termination/firing) pending the outcome of any legal proceedings. Under the directive, whistleblowers will not be considered to have breached any disclosure of information restrictions imposed by law or contract and will not incur liability for making whistleblowing disclosures; whistleblowers will also be able to incorporate the requirements of the directive into their legal defence.
Almost uniquely, the EU whistleblower directive incorporates a ‘reverse burden of proof’ regarding retaliation—such that it is not up to the whistleblower to prove that they were retaliated against but, instead, the company or organisation has to prove that they did not retaliate. Given that in most companies and organisations, retaliation prevention extends only to a policy or, perhaps, periodic post-report follow-up, the reverse burden of proof will likely require a demonstrably more proactive and communicative approach to anti-retaliation, including analysis of whistleblower reports and their consequences for reporters, including effects on measures such as pay, bonus, annual review, overtime and shift allocations.
How could/should whistleblowers report? Is there a ‘hierarchy’ of reporting?
The directive stresses that that whistleblowers should be encouraged to first use their company or organisation’s internal reporting, provided that these channels are available to them and can reasonably be expected to work. This ‘first report’ is clearly a key opportunity, but also represents a challenge that will be considered in some more detail in Part 2 of this series.
Under the EU whistleblower directive, Member States will be expected to establish their own external reporting channels, and to follow up on reports and provide feedback to whistleblowers. The timing of the last requirement may vary depending on the complexity of the report. Whistleblowers have the right to report directly to the authorities where their company or organisation did not set up internal reporting channels, or they were set up but did not function, did not operate in a timely way, or did not deliver appropriate action.
Whistleblowers can also report (directly) to the authorities under a host of other circumstances; these include where they believe they will face retaliation or situations where the authorities are better positioned to take effective action. The latter would, for example, include circumstances where there is ‘nowhere to go’ i.e. the most senior person, board, owner etc is involved in the legal breach. Other similar circumstances include where there is a risk that that the breach or related evidence could be concealed or destroyed, where an investigation might be jeopardised (for example in competition law/anti-trust cases) or where urgent action is required, typically in health and safety and environmental cases.
Ultimately, a whistleblower can make a public disclosure (to the press and similar organisations) and still be protected by the directive. A public disclosure would be appropriate if, despite making a report internally and/or externally, the breach remains unaddressed or unresolved, or there is a risk of retaliation, or if there is collusion involving the external authority itself.
There is no question that the EU Whistleblower Protection Directive is a comprehensive piece of legislation, and its full 131-page text can be found in English at this link. Moreover, as a directive it allows individual EU Member States flexibility to extend the scope of reporting when they enshrine the directive into local law, and some may take this approach to reflect their own legislative developments in the area of whistleblowing. It also brings with it major change for companies and organisations – of all sizes – such that they will now need to address whistleblowing, helplines and whistleblowers in ways previously unseen, certainly in the EU.
The directive provides minimum standards on how companies and organisations should handle and respond to reports made by whistleblowers, and given its associated deadlines, requires that action in response to the directive’s requirements is taken now. This includes reviewing the performance of any existing whistleblower helplines and, critically, changing internal processes to align with the directive.
In Part 2 of this series, I’ll explain the practical actions that companies and organisations now need to take as a result of the EU whistleblower directive.