What is the European Union Whistleblower Directive?
In 2019, the European Union (EU) passed a groundbreaking Whistleblower Directive (2019/1937) to enact greater protections for whistleblowers by shielding them from retaliation and creating “safe channels” to report violations of the law. All 27 European Union (EU) member countries must transpose the directive into their national law by December 2021. However, EU states are encouraged to enact greater whistleblower protections and incentives beyond the minimum standard set by the directive.
This directive is one of the first of its kind to define whistleblowers or “reporting persons” within the European Union. Its definition reads, “persons who work for a public or private organization or are in contact with such an organization in the context of their work-related activities,” including:
- persons having the status of worker, including civil servants;
- persons having self-employed status;
- shareholders and persons belonging to the administrative, management or supervisory body of an undertaking, including non-executive members, as well as volunteers and paid or unpaid trainees;
- any persons working under the supervision and direction of contractors, subcontractors and suppliers; and
- reporting persons who worked for a public or private organization which has since ended.
The Whistleblower Directive also applies to facilitators, defined as third parties who are connected with the reporting persons and who could suffer retaliation in a work-related context such as colleagues or relatives, as well as legal entities that the reporting persons own.
In order for a whistleblower to be protected under this directive, they must have reasonable grounds to believe that the information they have reported is true. However, this protection is not lost if the whistleblower reported inaccurate information on breaches by honest mistake. The motives of the whistleblower reporting a breach are also irrelevant in deciding whether they should receive protection or not.
What protections does the Directive offer?
Once a whistleblower makes a report, they should be protected against any form of retaliation, whether direct or indirect, by their employer/customer/recipient of services and by persons working for or acting on behalf of the latter. This includes retaliation from colleagues and managers in the same organization or in other organizations in which the whistleblower is in contact with in context of their work-related activities. Member States should enact provisions to hold perpetrators accountable for forms of retaliation.
It’s important to note that employers are not allowed to penalize a whistleblower for reporting information covered under contractual obligations such as loyalty clauses or non-disclosure agreements. This also applies when whistleblowers share documents to which they have lawful access to whether it means they made copies or removed them from the premise.
Should a whistleblower be retaliated against for reporting a breach, an appropriate remedy must be initiated whether this means:
- reinstatement to a job;
- restoration of a cancelled permit, license, or contract;
- compensation for loss of income, paid wages, and actual and future financial losses; or
- compensation for other economic damage such as legal expenses and costs of medical treatment
While the types of legal action may vary between Member States, each country should ensure that compensation and reparation is real and effective. Member States should also make available interim remedies to pending resolutions of legal proceedings in order to stop threats such as harassment and prevent forms of retaliation. Further, Member States should make available resources to assist whistleblowers with legal fees at the outset of proceedings.
What type of disclosures are protected?
Under this directive, whistleblowers will be protected from retaliation for reporting breaches within the following areas:
- public procurement;
- financial services, products and markets, and prevention of money laundering and terrorist financing;
- product safety and compliance;
- transport safety;
- protection of the environment;
- radiation protection and nuclear safety;
- food and feed safety, animal health and welfare;
- public health;
- consumer protection; and
- protection of privacy and personal data, and security of network and information systems;
They will also be protected for reporting breaches that affect the financial interests of the Union and breaches relating to the internal market such as breach of corporate tax rules or arrangements for the purpose of obtaining a tax advantage that defeats the purpose of applicable corporate tax law.
In order to safeguard freedom of expression and freedom of the media, whistleblowers will remain protected regardless if they report breaches internally within their organization (internal reporting), to any outside authority (external reporting), or through online platforms or social media. The EU also believes that whistleblowers are important sources for investigative journalists as they are crucial for safeguarding the ‘watchdog’ role of investigative journalism in democratic societies.
What internal reporting provisions are included?
This directive encourages whistleblowers to report any breaches internally as long as they believe the breach can be effectively addressed and there is no risk of retaliation. As a consequence, legal entities within the private and public sector with 50 or more employees must establish appropriate reporting channels and procedures for following up on reports. Member States are encouraged to include additional provisions within their transposition of the directive to ensure legal entities within the private sector who have fewer than 50 employees also work also establish internal reporting channels.
Provided that whistleblower’s identity will be kept confidential, it is up to each individual legal entity to define the kind of reporting channels they wish to establish. According to the Directive, these reporting channels should enable a person to report in:
- submit reports by post in physical complaint box(es) or through an online platform,
- internet platforms,
- orally by telephone hotline or voice message system, and
- physical meetings.
Third parties can also be authorized to receive reports on behalf of the legal entity as long as they offer guarantees of confidentiality, data protection, and secrecy. Legal entities in both the public and private sector must ensure their employees are provided information on internal reporting procedures and external. Reporting information must also be made clear to any persons other than employees who come in contact with the entity through their work-related activities such as distributors and suppliers.
Once a whistleblower reports internally, the handler of the report must follow-up with the whistleblower in a timely manner or no later than three months. A follow-up could include a referral to other channels, closure of the investigation due to a lack of sufficient evidence or other grounds, launch of an internal enquiry, or possible findings. In all cases, the whistleblower should be informed of the investigation’s progress and outcome.
However, whistleblowers should remember that internal reporting channels exist to benefit the company, rather than the individual reporting misconduct. The National Whistleblower Center always recommends that whistleblowers should not make any disclosures internally until after they consult a whistleblower attorney. To read more about the risks of reporting to an internal reporting channel, read Rule 17 in the The New Whistleblower’s Handbook, the first-ever guide to whistleblowing, by the nation’s leading whistleblower attorney. The Handbook is a step-by-step guide to the essential tools for successfully blowing the whistle, qualifying for financial rewards, and protecting yourself.
What external reporting provisions are included?
In cases where whistleblowers do not consider internal reporting channels to be the best option for reporting wrongdoing, a whistleblower may report externally to competent authorities. It is up to each Member State to designate the authorities who will receive information on breaches and give appropriate follow-up reports. These authorities could be judicial authorities, regulatory, or supervisory bodies. As the recipient of the report, designated authorities must have the ability to:
- follow-up on reports,
- assess the accuracy of allegations made in the report,
- address the breaches reported by launching their own internal enquiry,
- launch investigations, and
- handle prosecution or action for recovery of funds or other appropriate remedial action.
Alternatively, authorities may refer the report to another authority for investigation, but they must ensure the appropriate safeguards are in place to satisfy the requirements of the directive. Authorities must follow-up with the whistleblower to inform them whether an investigation has been launched, whether more information is needed, whether their report lacked insufficient evidence, and so on. This follow-up should take place within three months but could be extended to six months when necessary due to specific circumstances of the case.
In order to enable effective communication with trained staff members who are responsible for handling reports, it’s necessary for authorities to enact user-friendly and secure reporting channels. Member States should ensure competent authorities have adequate protection procedures in place that ensure the identity of every reporting person, person concerned, and third persons referred to in the report are protected at all stages.
What public reporting provisions are included?
In terms of public disclosures, whistleblowers qualify for protection in cases where:
- internal and external reporting has left the breach unaddressed or no appropriate remedial action was taken
- they have reasonable ground to believe that there is imminent danger to the public interest or the risk of irreversible damage to a person’s physical integrity
- they believe if they report externally, there is a risk of retaliation due to particular circumstances in the case such as evidence being concealed, destroyed, or where any authority could be in collusion with the perpetrator of the breach.
Recommendations by NWC
At least half of EU countries have already begun formal discussions to comply with the Directive. Belgium, Bulgaria, Finland and Greece have set up legislative working groups, and draft laws are being developed in Czech Republic, Italy, Latvia, the Netherlands, Slovenia and Spain
The National Whistleblower Center applauds the European Union for implementing its first encompassing Whistleblower Directive, but there are still areas of ambiguity in the transposition requirements that could leave potential whistleblowers unprotected. NWC recommends that each Member State go beyond the directive and include the following:
- disclosures permitted under international anticorruption conventions signed by Member States;
- Adopting language and procedures that have proven effective in protecting whistleblowers when implementing Articles 6-7, 11, 14-16, 19-21, and 23-24;
- Narrowly interpreting Article 22 in order to ensure that whistleblowers are not chilled from making disclosures and their confidentiality is maintained;
- Enacting whistleblower reward laws to combat specific legal violations, including foreign bribery, money laundering, tax evasion, government procurement fraud, and ocean pollution.
Learn more about our campaign to further strengthen whistleblower protections in the European Union here.