The EU’s new whistleblowing protections (the Whistleblowing Directive) is due to implemented into national law by 17 December 2021.
The purpose of the Whistleblowing Directive is to establish uniform minimum protections to ensure that whistleblowers who want to report breaches of EU law are afforded legal protections against retaliation from their employers or colleagues.
In addition to these minimum standards, as each individual country puts in place implementing national legislation some countries are going above and beyond the requirements of the directive to offer further protections to whistleblowers.
Organisations with EU-based operations will need to decide whether (and how) to change their whistleblowing arrangements to comply with a potential patchwork of new rules.
Who does it apply to?
Private and public entities with 50+ employees who are operating in the EU. The whistleblower will be entitled to protection under the Whistleblowing Directive when reporting on breaches of EU law. The directive does not extend to whistleblowers of breaches of non-EU laws.
What does it require?
A whistleblower (or a ‘reporting person’) is broadly defined as a natural person who reports or publicly discloses information on breaches acquired in the context of his or her work-related activities. This will include self-employed persons, shareholders, personnel of (sub)contractors, former employees, job applicants, and others.
Whistleblowers will be entitled to protection, provided that person had both:
- reasonable grounds to believe that the information on breaches reported was true at the time of reporting and that such information fell within the scope of the Whistleblowing Directive; and
- reported, either internally or externally, in accordance with the Whistleblowing Directive, or made a public disclosure in accordance with the Directive. Note – the Whistleblowing Directive does not prescribe any cascade of reporting channels and leaves the choice of how to report up to the whistleblower (so it will not just apply to specific channels of types of report).The Directive also prohibits retaliation and attempts at retaliation (for example, dismissal, change of employment conditions and blacklisting) against the whistleblower (or persons/entities connected to the whistleblower) by providing for:
- an exemption from liability for acquiring or accessing information that is reported or publicly disclosed, provided that such acquisition or access did not constitute a ‘self-standing criminal offence’;
- a reversal of the burden of proof in cases of alleged detrimental treatment, i.e. if a whistleblower can – on the face of it – show they suffered a detriment after reporting breaches or making a public disclosure in accordance with the Whistleblowing Directive, the person who took the detrimental action must ‘prove that that measure was based on duly justified grounds’ and was not connect to the whistleblowing itself; and
- access to appropriate remedial action (for example, interim relief pending the resolution of relevant legal proceedings).
Policies and procedures
Operationalising the Whistleblowing Directive will present a number of challenges for organisations that operate cross-border as they will face a patchwork of newly-implemented and existing whistleblowing laws which they must comply with.
One of the key issues is whether to apply a single whistleblowing framework and whistleblowing policy or whether to adopt country-specific or region-specific approaches. If some Member States gold-plate the Whistleblowing Directive, organisations who choose to apply a single framework, will need to comply with the aspects of each Member State’s whistleblowing rules that give the highest protection, to ensure full compliance with all applicable local laws.
Another potential challenge, particularly in our remote working environment, is how to deal with reports made by internationally mobile employees who report concerns and identifying which national legislation will apply to the whistleblower. This will matter from both an employee and employer perspective, with both possibly taking a divergent approach.
As whistleblowing policies and procedures may have been refreshed (or entirely new frameworks put in place) to comply with the Whistleblowing Directive, employers should offer training from all employees, managers and support functions such as compliance and HR to ensure that new requirements are fully understood and implemented.