Overview
The Panama Papers, the FIFA scandal, Cambridge Analytica, Wikileaks—these are all well-known examples of whistleblower cases in the United States. There, whistleblowing is an accepted—and even encouraged—practice due to the stringent laws that provide a safe harbor for reporting wrongdoing, both within an organization and to public authorities, regardless of anonymity.
The primary law used to assist those blowing the whistle on bad behavior is the federal False Claims Act (FCA). The Securities and Exchange Commission (SEC) also has a whistleblower program that has grown significantly over the past decade. The last year has brought a record number of whistleblower claims under the FCA and SEC programs. In 2021, the SEC received almost 12,000 whistleblower tips. That’s a 75% increase from the year prior and almost a three-fold increase since the program’s inception.[3] Stemming from whistleblower lawsuits, the SEC has awarded almost $1.3 billion to more than 278 individuals since issuing its first award in 2012.[4] In August 2022, the SEC announced an award of more than $17 million to a whistleblower who provided information and assistance in a covered action and related action.[5]
While Americans have had some sort of avenue to safely and anonymously voice concerns about corporate misgivings since the Civil War, whistleblowers have been much less common in the European Union (EU). In the absence of EU incentives for speaking out against corporate wrongdoing, corporate scandals and fraudulent activities are far less likely to be brought to light in the court of public opinion.
In fact, according to a 2017 European Commission poll on corruption, “81 percent of respondents said they did not report the corruption they had experienced or witnessed because they did not believe they had adequate protection. Similarly, 85 percent of respondents believed workers ‘very rarely’ or ‘rarely’ report concerns about threat or harm to the public interest due to fear of reprisals.”[6] That is, until recently.
Background of the EU Whistleblower Directive
Whistleblowers help to prevent damage and detect threat or harm to the public interest that may otherwise remain hidden. However, they are often discouraged from reporting their concerns for fear of retaliation. For these reasons, the importance of providing effective whistleblower protection for safeguarding the public interest is increasingly acknowledged both at European and international level.[7]
In April 2019, the European Parliament voted to overhaul whistleblower regulations and standardize protections across its 28 member countries against retaliation for speaking out.[8] The deadline to implement the EU Whistleblower Directive (the Directive) was December 17, 2021.
The Directive is intended to offer more resources for whistleblowers to act and is meant to protect all individuals involved, including those affected by the report or disclosure. It expands the scope of whistleblower protection and will protect regular employees, civil servants, interns, volunteers, external contractors and suppliers, previous employees, and any individual who has become aware of violations prior to the start of their employment. Applicable organizations are obliged to establish both internal and external reporting channels with certain procedural requirements. This new legislation will also enhance confidentiality to ensure that all identities involved are protected and will prohibit whistleblower retaliatory measures.
Given the fact that minimum standards are provided by the EU Directive, it is possible that certain member states decide to create more stringent legislation.[9] In fact, many member states have taken the opportunity to broaden the scope for their local implementation of the Directive. As a result, there is a large degree of variation across the EU regarding how the Directive is implemented, including different levels of protection as well as different requirements or thresholds for such protection.
Additionally, due to variations in member states’ local laws and regulations, there are numerous challenges and questions around implementation for multinational employers who want to apply a consistent approach across all their regions.[10] Due to these challenges, the majority of member states failed to meet the December 17, 2021, deadline.[11]
Minimum Standards of the EU Whistleblower Directive[12]
The EU Whistleblower Directive outlines the following minimum standards for member states within the European Union:
-
Timeline: As mentioned above, implementation by national legislators should have been completed in all member states by December 17, 2021.
-
Purpose: The purpose of the Directive is to enhance the enforcement of EU law and policies in specific areas by laying down common minimum standards providing for a high level of protection of persons reporting breaches of EU law.[13]
-
Required participants: All legal entities in the private and public sections are required to comply with the Directive. However, this only applies to companies with more than 50 employees and authorities and municipalities with more than 10,000 inhabitants who are obliged to set up channels for reporting legal violations.[14]
-
Material scope: The Directive requires the reporting of violations of EU law. This includes, but is not limited to, the following areas:[15]
-
public procurement;
-
financial services, products and markets, and prevention of money laundering and terrorist financing;
-
product safety and compliance;
-
protection of the environment;
-
food and feed safety, animal health, and welfare;
-
public health;
-
protection of privacy and personal data, and security of network and information systems; and
-
violations of national law.
-
-
Personal scope: The personal scope of the Directive is expansive and includes a wide variety of individuals who are subject to whistleblower protection. The Directive applies to individuals working in the private or public sector or who have acquired information on violations in a work-related context.[16] This includes part-time or self-employed workers; persons working under the supervision of contractors and suppliers; shareholders; and job applicants.[17] Additionally, such work-related context must be interpreted broadly. It includes persons whose employment relationship has already ended or has not yet begun and is in a pre-contractual stage.[18] Furthermore, protection should be provided to others who can experience (indirect) retaliatory measures due to a report. This may include vis-à-vis facilitators, colleagues, or relatives of the reporting person.[19]
-
Conditions for protection of reporting persons: As mentioned above, one of the primary objectives of the Directive is to provide better protection to whistleblowers from retaliation. The Directive outlines various conditions for qualifying for this protection, including requiring that they had reasonable grounds to believe that the information reported was true at the time of reporting.[20]
-
Internal reporting channels: The Directive requires companies and public authorities to establish channels and procedures for internal reporting of violations which promotes the reporting of violations and follow-up of those reports.[21] The new legislation outlines numerous procedural requirements regarding internal reporting channels, including:[22]
-
Reporting channels which are designed, established, and operated in a secure manner that ensures that the confidentiality of the identity of the reporting person;
-
These channels should enable reporting in writing or orally, or both. Oral reporting shall be possible by telephone or through other voice messaging systems and, upon request by the reporting person, by means of a physical meeting within a reasonable timeframe.
-
-
Acknowledgment of receipt of the report to the reporting person within seven days of that receipt;
-
The designation of an impartial person or department competent for following up on the reports, which may be the same person or department as the one that receives the reports and which will maintain communication with the reporting person and, where necessary, ask for further information from and provide feedback to that reporting person;
-
Diligent follow-up by the designated person or department;
-
Diligent follow-up, where provided for in national law, for anonymous reporting;
-
A reasonable timeframe to provide feedback, not exceeding three months from the acknowledgment of receipt or, if no acknowledgement was sent to the reporting person, three months from the expiry of the seven-day period after the report was made; and
-
Provision of clear and easily accessible information regarding the procedures for reporting externally to competent authorities.
External reporting channels: The Directive requires member states to establish independent and autonomous external reporting channels and outlines numerous requirements for the design and operation of those channels.[23] Specifically, member states are required to designate authorities competent to receive, give feedback, and follow up on reports, and are required to provide them with adequate resources.[24] Member states are also required to ensure that those authorities:[25]
-
Establish independent and autonomous external reporting channels, for receiving and handling information on breaches;
-
Promptly, and in any event within seven days of receipt of the report, acknowledge that receipt unless the reporting person explicitly requested otherwise, or the competent authority reasonably believes that acknowledging receipt of the report would jeopardize the protection of the reporting person's identity;
-
Diligently follow up on the reports;
-
Provide feedback to the reporting person within a reasonable timeframe not exceeding three months, or six months in duly justified cases;
-
Communicate to the reporting person the final outcome of investigations triggered by the report, in accordance with procedures provided for under national law;
-
Transmit in due time the information contained in the report to competent institutions, bodies, offices, or agencies of the Union, as appropriate, for further investigation, where provided for under Union or national law.
As it relates to external reporting channels, the new legislation also:[26]
-
Provides criteria for ensuring that external reporting channels are independent and autonomous;
-
Requires reporting channels than enables reporting in writing and orally; and
-
Requires specific training for staff members regarding the handling of reports.
-
-
Information regarding the receipt of reports and their follow-up: The Directive requires that specific information is clearly published and accessible. This includes, for example, the conditions for qualifying for protection under the Directive; contact details for external reporting channels; and procedures applicable to the reporting of violations.[27]
-
Duty of confidentiality: The Directive requires that the identity of the reporting person is not disclosed to anyone beyond the authorized staff members competent to receive or follow-up on reports without the explicit consent of that person.[28]
-
Processing of personal data: Any processing of personal data carried out pursuant to this Directive, including the exchange or transmission of personal data by the competent authorities, shall be carried out in accordance with relevant laws and regulations. Personal data which are manifestly not relevant for the handling of a specific report shall not be collected or, if accidentally collected, shall be deleted without undue delay.[29]
-
Record keeping of whistleblower reports: The Directive outlines various requirements regarding reports received, specifically how those reports should be stored and to ensure compliance with laws and regulations.[30]
-
Prohibition of retaliation: The Directive requires that member states take the necessary measures to prohibit any form of retaliation, including threats of and attempts at retaliation. This may include a wide range of activities including suspension, layoff, dismissal, or equivalent measures; demotion or withholding of promotion; transfer of duties, change of location of place of work, reduction in wages, change in working hours; discrimination, disadvantageous or unfair treatment; and others.[31]
-
Measures for protection against retaliation: Member states shall take the necessary measures to ensure whistleblowers are protected against retaliation and to ensure that remedies and full compensation are provided for damage suffered by whistleblowers in accordance with national law.[32] Furthermore, there is a reversal of the burden of proof during labor law proceedings which favors the whistleblower.[33] This means that during labor law proceedings, the employer must prove that the dismissal of a whistleblower was not due to their blowing of the whistle, rather than the whistleblower.[34]
-
Penalties for whistleblower blockers: The Directive provides for “effective, proportionate and dissuasive penalties” for individuals or companies who hinder or attempt to hinder reporting; retaliate against whistleblowers; or breach the duty of maintaining the confidentiality of the identity of reporting persons.[35] The Directive further allows whistleblowers to claim compensating damages in such cases.