On 7 October 2019, the EU Council approved the wording of the "Directive of the European Parliament and of the Council on the protection of persons who report breaches of Union law", also known as the Whistleblowing Directive. Member States have two years to implement the Directive into the national legal systems.
At present, only 10 European states have comprehensive regulations in place protecting individuals reporting work-related violations.
Who is a whistleblower?
The Directive defines a “reporting person” (whistleblower) as a person who reports or discloses information on breaches identified in the context of his or her work-related activities.
The Directive therefore introduces a broad circle of whistleblowers entitled to protection – they may be employees, former employees or job applicants, self-employed individuals and company shareholders. Volunteers and unpaid trainees may also be whistleblowers. The new regulations cover both the private and the public sector.
The list of breaches covered by the Directive is also broad and includes, among other things, competition rules, personal data protection, consumer protection, environmental protection, money laundering, public procurement and product safety. In addition, the Directive provides for Member States to choose to extend the list of breaches if they wish.
What does the Directive require businesses to do?
The new regulations enable whistleblowers to report irregularities through a company’s own internal channels or directly to the relevant authorities (i.e. externally).
Businesses employing at least 50 employees are required to put in place appropriate channels and procedures for reporting breaches and taking remedial actions. The Directive introduces a number of requirements in this regard, such as guaranteeing the confidentiality of the whistleblower’s identity and the safety of the information provided, and also appointing an impartial person or team to undertake any remedial action. Importantly, the person or team responsible will be obliged to diligently follow up on the received report and provide timely feedback. Reporting can be done in writing or orally.
Also, to guarantee that the control mechanisms are efficient, the Directive lays down criteria for assessing whether the internal reporting channels are sufficiently independent and autonomous. Another important issue addressed in the Directive is the necessity to protect the identity of whistleblowers and to guarantee their personal data a level of protection compliant with EU law.
How will a whistleblower be protected?
Whistleblowers will be protected against retaliatory action and threats of retaliatory measures. In this context, the Directive contains a presumption that retaliatory action has taken place if the whistleblower asserts they have suffered any damage.
The European legislator has provided a list of examples of retaliatory measures, but this list is by no means exhaustive. Member states are required to provide support to whistleblowers such as legal assistance and advice in legal proceedings. The Directive introduces far-reaching protection of whistleblowers, with the presumption that by disclosing the information they do not violate of the company's rules regarding information protection and cannot be held accountable for that. Whistleblowers will not be held responsible for having gained access to the information they disclose, unless they have done so by committing an unlawful act.
The Whistleblowing Directive introduces Europe-wide minimum standards for whistleblower protection whilst the ultimate shape of the local regulations will be decided by national legislators. The upcoming changes will have a significant impact on the activities of businesses, particularly those in jurisdictions in which there is currently no whistleblowing legislation - they will have to ensure appropriate procedures and practices are put in place. The implementation of new requirements will need to be reconciled with the existing regulations, such as criminal corporate liability regulations, AML, regulatory compliance (obligations imposed by MAR) and banking regulations (obligations imposed by CRD IV). The experience of organisations in those member states which already afford protection to whistleblowers will be invaluable to business dealing with this for the first time.