How will the approaching EU Whistleblower Directive impact companies?

What is Happening?

In light of the increasing importance of whistleblowers and the decreasing levels of uniformity within EU legislation, the European Commission has created the: “Directive on the Protection of Persons who report Breaches of Union Law (Directive 2019/1937)” or more commonly known colloquially as “the whistleblower directive”. The directive entered into force on the 16th of December 2019 and EU member states are required to transpose the directive into national legislation by the 17th of December 2021. The main goal of the directive was to send EU member states a clear signal; whistleblowers are important, necessary, and will be protected. This means that the EU has created minimum standards that all states must abide by as a starting point, encouraging each individual state to flesh out and increase the national protection/scope in its own legislation. In broad strokes, the minimum standards establish a large protection scope for whistleblowers and concrete requirements on companies for their own whistleblowing obligations. This blog post will highlight the important legislative details of the directive, changes companies should know of in their legal obligations, and the state of transposition into EU national legislation.

The Directive in Short:

Looking at who is protected and how they are protected under the new directive, the following categories are crucial:

Regulatory Scope: Breaches that can be reported under the whistleblower directive can be summed up as all those relating to EU law and its competencies. National legislation is encouraged to expand upon this but this is seen as the minimum standard.
Personal Scope: To be protected as a whistleblower, the reporting person does not necessarily need to be an employee of a company, protection applies to all workers in the public and private sector, paid and non-paid workers, third persons connected to the whistleblower, citizens and journalists.
Conditions for protection: The reporting person must have had reasonable ground to believe that the information was true at the time, they reported either internally, externally, or made a public disclosure and even if the information is disproved later, protection will not cease. This further applies to people that were anonymous and then identified.
Prevention of retaliation: No entity is allowed to threaten, punish, retaliate, dismiss, discriminate or coerce a whistleblower in any way or form.

Requirements for Companies:

Looking at the general requirements created for all European legal entities, the following is a short recap of the important points:

All entities with more than 50 employees must establish internal reporting channels irrespective of their types of activities. A smaller company might be forced to establish reporting channels after appropriate risk assessments.
Entities with larger than 250 employees will need to bring into force laws, regulations, and administrative provisions to comply with the directive by 17 December 2021. Entities with 50-249 workers will have until 17 December 2023.
Internal reporting can be operated by an internally designated person or third parties can be authorized to receive reports on behalf of legal entities.
To comply with the directive, internal reporting mechanisms must be established. These channels must include three types of options, written, oral, and in person reporting.

Further, internal mechanisms must comply with the following duties:

Time frames: 7 days for acknowledgment and 30 days to follow-up with the whistleblower.
Confidentiality: The identity of the whistleblower must be kept confidential at all times, except when consent is given or the information is required by the authorities for investigations. When this occurs, the whistleblower must be informed.
Processing of data: All data processing must be done in line with the rules in the GDPR.
Record keeping: Confidential records must be kept of every report received and be stored no longer than is necessary and proportionate to comply with EU and national obligations.

The EU has further warned that failures to establish appropriate, visible and accessible internal reporting channels will be punished as though the company was actively preventing whistleblowing.

The State of Europe:

The Benelux as a region demonstrates how the process and effects of transposing the directive will have vastly different impacts on each EU member state. Some states such as The Netherlands will have less extensive changes made to their legislation due to its prior existing whistleblowing laws (Wet Huis voor Klokkenluiders), while on the opposite spectrum, Luxembourg and Belgium both have no separate whistleblowing laws and will have to make wholescale changes to its legislation.

When looking at where the EU stands with its national translation, it is beyond obvious that a lot of work needs to be done for states to meet the December deadline. Currently, only two states (Denmark and Sweden) have implemented the directive, with most other states still either in; discussions (Austria, Belgium, Bulgaria, Croatia, Germany, Greece, Italy, Luxembourg, Poland, Slovakia, Slovenia & Spain), working on a draft law (Czech Republic, Estonia, Finland, France, Ireland, Latvia, Lithuania, Netherlands, Portugal & Romania) or haven’t stated at all (Cyprus, Hungary & Malta).

The directive can be found here.

Bram Burger | 28. Oktober 2021 | Gesetzesänderungen, Internationaler Datenschutz | English Posts, EU Whistleblower Directive, Whistleblower