Whistleblowing

Numerous recent global scandals have highlighted the important role that whistleblowers can play in exposing breaches of EU law. In particular, the workplace is often central to the identification of wrongdoing since individuals who work for, or have work-related contact with, a business are often the first to learn of alleged misconduct within the organisation. At the same time, fear of retaliation, and lack of legal protection against retaliation, can discourage them from reporting their concerns.

Previously, whistleblowing laws were implemented on a national basis across the EU, which meant that protections were fragmented, inconsistent, or even non-existent. To address this, the EU passed the Whistleblower Protection Directive, which had a deadline of 17 December 2021 for Member States to incorporate into their national laws.

The Directive reflects the European Commission’s view that Member States should have a legal and institutional framework to protect persons who, in the context of their industrial relations, draw attention to violations or to threats to the public interest or make information on them public.   The Directive provides minimum standards that must be adopted at national level. This means that EU Member States have been able to adopt provisions that strengthen the regime set out in the Directive,  but have not been able to implement rules that do not meet its minimum standards.

The EU whistleblower laws have heralded a significant change in approach to whistleblowing in many EU countries, as well as significantly altering the compliance landscape for companies operating in the EU. Employers must understand implementing laws to ensure they have an approach that works for their business and achieves local compliance. In addition, multinationals that have long adhered to the US “gold standard” Sarbanes-Oxley Act require programs that satisfy the extensive protections under the Directive, while continuing to meet US requirements.

While the EU framework requires many EU and multinational companies to adapt their approach to whistleblower programs, it also promises rewards. By ensuring that effective whistleblowing arrangements are in place, businesses have the opportunity to become aware of concerns at the earliest stages, helping to avoid or limit financial and reputational risks.

The protection provided by the Directive applies to individuals who report a breach of EU law in any of the following areas:

• Public procurement
• Financial services, products and markets, and prevention of money laundering and terrorist financing
• Product safety and compliance
• Transport safety
• Protection of the environment
• Radiation protection and nuclear safety
• Food and feed safety, animal health and welfare
• Public health
• Consumer protection
• Protection of privacy and personal data, and security of network and information systems
• Breaches affecting the financial interests of the EU
• Breaches relating to the EU internal market.

The Directive permits Member States to extend their national provisions to cover areas beyond those listed above, with a view to promoting a comprehensive and coherent whistleblower protection framework at national level.

The Directive applies protection to individuals working in the private or public sector who acquire information on suspected breaches in a work-related context. This definition specifically includes current and former:

• Workers – this is a wide definition that includes not only employees but any individual who performs services for and under the direction of another person, in return for remuneration. Protection will therefore cover workers in non-standard employment relationships, including fixed-term workers, agency workers and other atypical relationships;
• Self-employed individuals, including freelance workers, contractors and subcontractors;
• Shareholders;
• Members of an undertaking’s administrative, management or supervisory body;
• Volunteers;
• Trainees (paid or unpaid);
• Those working under the supervision / direction of contractors, sub-contractors and suppliers;
• New recruits who have not yet commenced work;
• Facilitators (someone who assists a person in the reporting process in a work-related context);
• Third persons connected with a reporting person who could suffer work-related retaliation (e.g. colleagues or relatives); and
• Legal entities that the reporting person is connected to in a work-related context.

An individual who meets the conditions for protection under the Directive is safeguarded from any form of retaliation and from threats of or attempt at retaliation. Member States must implement necessary measures to ensure this protection, including:

• It must be assumed that there has been retaliation and, in court proceedings, the burden of proof is on the organisation to show that it has not retaliated. Where there is an allegation of retaliation for making a report, it is for the person that has taken the detrimental measures to prove that this was, in fact, based on justified grounds.
• Effective remedies must be available, including the possibility of interim relief, as well as remedies and full compensation for any damage suffered by a person who makes a report.
• Penalties for those that hinder reporting or retaliate against, disclose the identity of,  or bring vexatious proceedings against someone who has made a report must be effective, proportionate and dissuasive.
• The rights of someone who makes a report and the remedies available to them cannot be waived or limited by any form of agreement.

The Directive defines retaliation broadly to include:

• Suspension, lay-off, dismissal or equivalent measures
• Demotion or withholding of promotion
• Transfer of duties, change of location of place of work, reduction in wages or change in working hours
• Withholding of training
• A negative performance assessment or employment reference
• Imposition or administering of any disciplinary measure, reprimand or other penalty, including a financial penalty
• Coercion, intimidation, harassment or ostracism
• Discrimination, disadvantageous or unfair treatment
• Failure to convert a temporary employment contract into a permanent one, where the worker had legitimate expectations that they would be offered permanent employment
• Failure to renew, or early termination of, a temporary employment contract
• Harm, including to the person's reputation, particularly in social media, or financial loss, including loss of business and loss of income
• Blacklisting on the basis of a sector or industry-wide informal or formal agreement, which may entail that the person will not, in the future, find employment in the sector or industry
• Early termination or cancellation of a contract for goods or services
• Cancellation of a license or permit
• Psychiatric or medical referrals.

To enjoy protection under the Directive the reporting person must:

• Report either internally (within their employer’s organisation) or externally (to a competent authority) or make a public disclosure (place information in the public domain); and
• Have reasonable grounds to believe, given the circumstances and the information available to them at the time of reporting, that the matters they report are true. This requirement is intended to safeguard against malicious, frivolous or abusive reports as it withholds protection from individuals who deliberately report wrong or misleading information. At the same time, the requirement ensures that protection is not lost where someone reports inaccurate information because of an honest mistake. The motives of the person in reporting are irrelevant in deciding whether they should receive protection.

The Directive leaves it open to individual Member States to decide whether businesses and competent authorities are required to accept and follow up on anonymous whistleblowing reports. Whichever approach a Member State takes, an individual who makes an anonymous report must be given the protection of the Directive if they are subsequently identified and suffer retaliation.

Member States are to encourage internal, rather than external, reporting where a breach can be effectively addressed internally and where the individual reporting does not feel at risk of retaliation.

Entities, including private sector employers with 50 or more workers, must establish channels and procedures for internal reporting and for follow-up.  Where required by national law, this should be done after consultation and agreement with social partners.

Reporting channels and procedures must:

• Enable individuals who fall within the scope of the Directive to report information on breaches;
• Provide for reports to be made either in writing, orally or both. Oral reporting should be possible by telephone or voice messaging system or in a physical meeting when requested by the reporting person;
• Be secure and ensure the confidentiality of the reporting person and anyone mentioned in the report;
• Provide for acknowledgement of receipt of a report within seven days;
• Designate an impartial person / department to diligently follow up on reports (including anonymous reports if provided for in national law). The designated person / department must maintain communication with the reporting person, ask for further information if necessary, and provide feedback to them;
• Provide for feedback to be given within a reasonable timeframe – not exceeding three months from receipt of the report. Feedback must include information on action taken or envisaged as follow-up and the grounds for such follow-up; and
• Provide information on procedures for reporting externally to competent authorities or EU entities.

Records of every report received must be kept, but for no longer than is necessary and proportionate to comply with the Directive and other legal requirements.

Under the Directive, an individual may make an external report whether or not they have first made an internal report.

Member States must designate competent authorities to receive, follow up and give feedback on external reports. The Directive prescribes various requirements which Member States must implement in relation to reports to designated authorities. In particular, a designated authority must establish an independent and autonomous reporting channel which must, for example, provide for:

• Reports to be made either in writing, orally or both;
• Acknowledgement of receipt of a report within seven days in most circumstances;
• Confidentiality of the identity of the reporting person, with very limited exceptions;
• Reports to be diligently followed up and for feedback to be given within a reasonable timeframe – not exceeding three months or six months where this is justifiable;
• The final outcome to be communicated to the reporting person; and
• Reported information to be transmitted to other relevant EU bodies for further investigation in certain circumstances.

Records of every report received must be kept, but for no longer than is necessary and proportionate to comply with the Directive and other legal requirements.

The Directive provides protection for an individual who makes a public disclosure of information will only if:

• They first made a report internally or externally, but no appropriate action was taken in response to the report within the three / six-month timeframe; or
• They reasonably believe that:
  • the breach they are reporting is a matter where there is imminent or manifest danger to the public interest; or
  • if they reported externally there is a risk of retaliation or a low prospect of the breach being effectively addressed.

For several years, there has been a significant global variation in the extent to which different countries have developed national laws to provide for whistleblowing reporting channels, to ensure that reports are followed up, to protect whistleblowers against retaliation, and to strengthen accountability. For various reasons, including a cultural hostility towards whistleblowing, many European nations were among those countries that had not implemented rigorous whistleblowing protections. These variations can make it tricky for multinational employers, including those subject to the US Sarbanes-Oxley regime (SOX), to implement a global approach to whistleblowing and, in particular, to use whistleblowing hotlines that allow employees to report concerns confidentially and anonymously.

The arrival of the EU Whistleblower Protection Directive has changed the global whistleblowing dynamic given that, in many respects, its provisions are wider than those that apply under SOX (see comparison table below). Although the Directive has brought the EU in line with SOX by providing for the use of whistleblowing hotlines, one aspect where uncertainty remains is in relation to the handling of anonymous reports. SOX requires anonymous reports be accepted/addressed, but the decision as to whether this is required is left to each individual EU Member State. Global employers should consider this aspect of local country implementation and, more broadly, consider the scope of the Directive and any expanded Member State protections in any review of their global whistleblowing arrangments.

Recommended actions for businesses operating in the EU to take for workplace whistleblowing compliance include:

• Monitoring implementation laws and additional regulatory guidance in each EU country in which the company operates, taking particular note of any aspects where there is differentiation from the requirements set by the Directive.
• Reviewing current whistleblowing arrangements or introducing new arrangements to ensure clear reporting channels are available. This will be the best way to avoid the risks associated with external reporting or public disclosure. Particular aspects of the Directive which may not form part of existing whistleblowing policies and procedures and should be factored in, include:
  • the requirement to provide a local entity reporting option which, according to the European Commission, is required for proper compliance;
  • the obligation to provide information about procedures for reporting to external authorities;
  • the wide scope of matters on which reports can be made;
  • the extended scope of individuals who are protected against retaliation under the Directive;
  • the specific timeframes for handling reports – seven days to acknowledge receipt and three months for providing feedback; and
  • the need for demonstrable follow-up to a report and feedback to the individual who has made the report.
• Implementing / reviewing an escalation policy so it is clear throughout the organisation when a report should be escalated / shared with a central function. The policy must contain appropriate safeguards to ensure compliance with confidentiality and data privacy requirements.  
• For businesses that provide a telephone / automated hotline as part of their whistleblowing procedures, ensuring these arrangements are configured to meet any particular jurisdictional requirements implemented by Member States. Local language considerations are likely to be important.
• Preparing for the “reverse burden of proof” included in the Directive, which requires the employer to prove that any alleged retaliatory actions were based on justified grounds.
• In addition to ensuring that all whistleblowing reports are diligently investigated and responded to by individuals who have been fully trained for the role, businesses should also ensure continued monitoring of, and record keeping as regards relationships with individuals who have made reports even after their matter is closed. This will enable a business to ensure there is no retaliation or that any adverse action subsequently taken is justifiable on legitimate grounds.