On April 23, 2018, the European Commission issued a proposal for an EU Directive on the protection of persons reporting on breaches of EU law (the “Directive”). The Directive is designed to shield persons who report breaches of EU law that they have observed in their work-related activities. Safe reporting channels will have to be set up for a wide range of EU law breaches in various industries and activities, including data protection and privacy, security of network and information systems, financial services, product safety, and public health. As currently no such whistleblower protection rules exist at an EU level, this is a real novelty that companies active on the EU market will have to observe closely. 

Currently, only 10 EU countries (France, Hungary, Ireland, Italy, Lithuania, Malta, Netherlands, Slovakia, Sweden, and United Kingdom) have a comprehensive law protecting whistleblowers. In the remaining EU countries, the protection granted is partial: it covers only public servants or only specific sectors (e.g., financial services), or only specific types of wrongdoings (e.g., corruption). At the EU level, there is only a very limited number of sectors where measures have been put in place to protect whistleblowers (mostly in the areas of financial services).

Under the proposed Directive, companies will have to establish internal channels and procedures for reporting and following up on reports. These internal reporting channels and procedures must allow for reporting by employees as well as other persons who are in contact with the company in the context of their work-related activities. In addition, Member States shall designate the authorities competent to receive and handle external reporting channels. The proposed Directive protects whistleblowers against dismissal, demotion, and other forms of retaliation. Nevertheless, the Directive also provides for certain conditions for reporting: whistleblowers shall only qualify for protection if they had reasonable grounds to believe that the information reported was true at the time of reporting. Also, a person only qualifies for external reporting through authorities when he or she first reported internally but no appropriate action was taken in response, internal reporting channels were not available, or the use of internal reporting channels was not mandatory. In addition to these limitations, the proposed Directive also foresees the implementation of penalties against abusive reports.

The proposed Directive falls under the ordinary legislative procedure, also known as co-decision procedure.  The European Parliament and the Council will separately discuss the European Commission’s proposal and propose amendments.  Once the Parliament and the Council have adopted their respective positions, they will have informal three-way negotiations with the European Commission (the so-called “trilogues”) to agree on a final text. It remains to be seen how the proposed Directive will be received by the co-legislators and which topics will be subject to discussion.