On 23 October 2019, the European Parliament and the European Council adopted the Whistleblower Protection Directive (Directive) to set a minimum standard for the protections EU member states must provide to whistleblowers.
For the first time, whistleblowers are protected under EU law, but implementation at the member state level has been slow. While 19 of the 27 member states had prepared draft legislation by the one-year anniversary of the Directive coming into force, no member state has implemented the new regime at a national level. A report by Transparency International in March 2021 ranked only the Czech Republic as having made substantive progress in transposing the Directive into national law.¹ France adopted a law in 2016 to protect whistleblowers but has yet to transpose the Directive in full. Having left the EU on 31 January 2020, the UK currently has no plans to implement the Directive, but UK companies with a footprint in the EU must consider whether their whistleblower policies and procedures implemented pursuant to UK law are sufficient to meet new standards in the member states in which they operate.
With just over six months until the deadline by which member states are required to introduce national legislation to implement the Directive (i.e., 17 December 2021), companies operating in the EU should ensure their policies and procedures are compliant with the new regime. This note sets out the key provisions of the Directive and the steps businesses should take now to update or introduce whistleblower reporting channels.
To whom does the Directive apply?
The Directive affects all businesses and government bodies with 50 or more employees. Companies with 250 or more employees must comply with the Directive beginning 17 December 2021. Businesses with between 50 and 249 workers will have to begin complying with the Directive by 17 December 2023. There currently are no plans at the EU level to apply the Directive to companies with fewer than 50 employees.
Whom does the Directive protect?
Any person working in the private or public sector who, having received information related to a breach of EU law in a work-related context, makes a report regarding alleged wrongdoing will be afforded protection from retaliation under the Directive. The person must make the report in good faith and have reasonable grounds for believing that the content of the disclosure is true at the time of making the report.
The scope of the protection is wide, including current, former and prospective employees, as well as contractors and unpaid trainees or volunteers. The Directive also extends protection beyond the whistleblower to individuals who may have facilitated the whistleblowing, such as colleagues and relatives, in a work-related context.
What protections does the Directive introduce?
Member states must implement measures to prohibit retaliation against whistleblowers. Retaliation is interpreted broadly, including dismissal, demotion, suspension, disciplinary action, intimidation, discrimination or the withholding of training. Companies should ensure their policies and procedures protect the identity of the whistleblower to safeguard against potential retaliation. The Directive is silent on the issue of anonymous reports.
The Directive does not define “whistleblowing” but refers to protecting individuals who report breaches of EU law. The scope of the Directive, while broad, is limited to public procurement, financial services, money laundering, corporate tax, transport, environment, food and animal welfare, public health, consumer protection, privacy, financial interests of the EU and the internal market.
The broad but finite scope is in contrast to UK law, where whistleblowing protection applies across all sectors, with more stringent provisions imposed on particular sectors (e.g., financial services). Similarly, the protection granted to whistleblowers in France applies to the reporting of any crime or misdemeanor, serious and manifest violation of the law, or serious threat or harm to the public interest. However, in order to benefit from French protection, whistleblowers must, in addition to acting in good faith, act selflessly, i.e., they must not seek to benefit from any advantage (including financial compensation, which French law does not generally provide for) from blowing the whistle. There is the potential for conflict of law issues to arise where a whistleblower reports wrongdoing relevant to multiple jurisdictions with differing approaches under national law as to whether financial rewards are available when coming forward.
Member states also are required to ensure that there is a competent authority with responsibilities related to whistleblowing, including the handling of external reports by a whistleblower.
The Directive reflects the minimum level of protection the EU requires member states to implement. It is possible that member states could go further by introducing a more rigorous regime than required under EU law or extend the requirements to companies with fewer than 50 employees.
Are there penalties under the Directive?
The Directive provides that there should be penalties imposed on organisations and individuals who retaliate against whistleblowers, individuals who make false reports and companies that fail to keep confidential the identity of whistleblowers. It leaves the scope of any sanctions to be determined by national legislatures.
In the UK, the reputational and financial consequences of retaliation against a whistleblower can be significant. Whistleblower claims against employers generally fall into two categories: claims for detrimental treatment and claims for unfair dismissal. In contrast with other UK employment law claims, the amount of compensation a whistleblower can be awarded is not limited to a set maximum.
In contrast with current UK law, where, with limited exceptions, the focus is on preventing retaliation, the Directive requires a company to take positive steps to facilitate whistleblowing by establishing reporting channels. Companies must establish reporting channels that allow a whistleblower to submit a report either in writing or orally, and the identity of the whistleblower must be kept confidential.
Organisations must designate an individual or department to receive and investigate reports. This role could be performed by a compliance officer, the head of HR, an in-house lawyer, the CFO or a company executive (e.g., a member of the board or management). Alternatively, a company may outsource this function to an appropriate person, such as an ombudsman. The person or department must acknowledge a report within seven days and provide a response to the whistleblower within three months.
Companies with fewer than 250 employees may share resources for the handling of reports. Although this may create cost efficiencies, it could give rise to other potential concerns, particularly where it relates to sharing sensitive personal data.
The Directive allows for external disclosures to be protected where internal reporting channels do not exist, are not mandatory or were used but did not work effectively. For example, this could arise where the whistleblower complaint relates to senior management and the same individuals are designated by the company to receive and investigate reports. In limited circumstances, protection will be extended to public disclosures where the internal or external reporting channels do not function effectively.
This approach is in line with current French law, which provides for a three-stage alert procedure: first, an internal alert; then, if the employer takes no measures to verify the admissibility of the alert, the alert can be addressed to the authorities. If they do not process the alert within three months, a public disclosure may be made.
The Directive, and new national regimes implemented pursuant to it, are likely to result in challenges for businesses seeking to ensure their policies and procedures are compliant. These challenges may be exacerbated for multijurisdictional companies due to the "minimum standard" nature of the Directive. Member states adopting varying "gold plate" standards may create a patchwork of different protections across the EU, adding extra difficulty for companies seeking to create a whistleblowing policy suitable for all EU jurisdictions in which they operate.
These requirements are likely to create logistical complexities not only for companies with a footprint in the EU but also for foreign companies seeking to acquire an EU target or doing business with an EU company. Companies acquiring an EU target will have to consider whether their whistleblowing policy is sufficient to comply with EU standards and, if not, how this impacts the integration of the target into their business. Non-EU suppliers and agents working with EU companies also may find themselves being required to comply with EU standards in respect of whistleblowing. It is likely that, given the potential for member states to go beyond the requirements of the Directive in their whistleblower policies and procedures, companies will approach compliance in a similar way to the AML regime. Companies operating Europe-wide may consider that a gold-plated standard for their whistleblowing policy is the simplest route to ensure both a unified approach across their business as well as compliance with the Directive and differing standards at the national level.
Firms should start assessing the likely impact of the Directive on their operations and implement appropriate policies and procedures to ensure they are compliant. This may include:
- Mapping the obligations of the Directive (and where possible, laws proposed at a member state level) against firms' current whistleblowing policies and making relevant updates on a global and/or country-by-country basis. This also should include a consideration of the interplay between the new legal requirements with respect to whistleblowing and any legal or regulatory obligation to make reports to law enforcement or regulatory bodies of alleged wrongdoing.
- Implementing secure and confidential reporting channels and designating appropriate personnel to investigate reports. Businesses also should ensure whistleblowing policies and procedures safeguard the confidentiality of the whistleblower.
- Ensuring new whistleblower policies and procedures are consistent with the firm’s data protection policy and GDPR requirements.
- Updating employees on the new whistleblowing rules through targeted and ongoing training and communication. Businesses should ensure that employees (including volunteers and trainees) are aware of the reporting channels to raise concerns about potential wrongdoing.
- Updating disciplinary procedures to provide for sanctions in case of retaliation.
- Implementing investigation procedures and policies, including effective record retention.
- Implementing a clear tone from the top that retaliation will not be tolerated against reports of wrongdoing.
- Considering providing management information to the board on whistleblowing-related metrics.