All About The EU Whistleblowing Directive (Summary + Key Points)

Directive (EU) 2019/1937 of the European Parliament, commonly known as the ‘EU whistleblowing directive’ requires member states to create laws to protect people who come forward with information relating to breaches of union law and threats to the public interest. 

It reports that “potential whistleblowers are often discouraged from reporting their concerns or suspicions for fear of retaliation. In this context, the importance of providing balanced and effective whistleblower protection is increasingly acknowledged at both Union and international level.”

Transparency International, one of the leading advocates for the whistleblowing directive, offers a stark insight into potential retaliation that reporting persons can face: “whistleblowers risk their career, their livelihood and sometimes their personal safety to expose wrongdoing that threatens the public interest. They may be fired, sued, blacklisted, arrested, threatened or, in extreme cases, assaulted or killed.”

The directive seeks to create a minimum standard across the union that will level the playing field and provide protection for whistleblowers in all member states. In October 2019, only ten of the 28 EU nations  had robust whistleblower protections on their statute books. There was not even a word for ‘whistleblower’ in some of the languages of the union. This illustrates the need for the directive that entered into force at that time. 

1. Key takeaways

The key takeaways from the EU whistleblower protection directive are: 

• Member states must incorporate the majority of the minimum standards in the directive by 17th December 2021. 
• Businesses and government organisations of more than 250 employees and municipalities serving 10,000 people must implement an internal reporting system by this time. 
• Businesses and government organisations with between 50 and 249 staff need to have their internal reporting system in place by 17th December 2023.
• All affected organisations need to appoint staff to monitor and manage reports. 
• Organisations should train staff to understand exactly how to file a report. 
• Each organisation needs to take steps to protect whistleblowers’ identities as well as comply with the General Data Protection Regulation (GDPR). 
• Organisations must understand the steps they need to take to protect whistleblowers following their reports, as well as knowing which other individuals require protection. 

2. Background and purpose of the EU whistleblowing protection directive

The European Union has admitted that there was not sufficient protection for whistleblowers before the creation of this new ruling. The directive states:“

Whistleblower protection currently provided in the Union is fragmented across Member States and uneven across policy areas. The consequences of breaches of Union law with a cross-border dimension reported by whistleblowers illustrate how insufficient protection in one Member State negatively impacts the functioning of Union policies not only in that Member State, but also in other Member States and in the Union as a whole”.

This was highlighted in a number of recent, high-profile whistleblowing cases. ‘John Doe’ anonymously handed over the Panama Papers to German investigative journalist Bastian Obermayer in 2016. The 11-and-a-half million documents related to large scale tax evasion through a law firm in Central America, and Doe claimed that they needed to remain anonymous as “my life is in danger if my identity is revealed”.

The LuxLeaks scandal in 2014 involved Antoine Deltour. He leaked documents from his employer that showed businesses were avoiding tax. They claimed to be based in Luxembourg and moved profits around different arms of their organisations with the help of some big-name accountancy firms. Rather than being celebrated for drawing attention to the practice, Deltour was prosecuted and received a six-month suspended sentence and a €1,500 fine. 

Neither Germany nor Luxembourg offered full protections to whistleblowers, which is why the EU was keen to introduce the directive. At its most basic, it seeks to ensure all organisations across the bloc offer reporting systems to potential whistleblowers and that they put in measures to prevent retaliation against these reporting individuals, their supportive colleagues and their families. 

3. Who will be affected?

Directive (EU) 2019/1937 affects all businesses and government organisations with 50 or more employees. It also applies to local authorities and municipalities with more than 10,000 inhabitants. These bodies must provide a way for employees to report wrongdoing and to have systems in place to monitor and act on the reports they file.

They should also be able to protect that person’s identity and ensure they do not suffer any recriminations for reports they make in good faith. 

Currently, there are no plans to mandate that businesses with 49 or fewer employees implement these new rules. 

The directive reaches across the EU, however, individual organisations should be aware that it presents the minimum level of cover for whistleblowers expected. If member states want to create even more rigorous laws inside their own country, they are able to. 

4. The case for government organisations 

The directive applies equally to public bodies as it does for private firms. As long as there are 50 or more workers involved in the organisation, it must abide by the new rules. In the case of local authorities, if they serve more than 10,000 inhabitants, they are also included. 

One of the key areas of public governance in which whistleblowing is important is procurement. With vast sums of money flowing through the public procurement sector, there are myriad opportunities for corruption. Reports estimate corruption costs taxpayers across the union up to €120 billion every year, around 1% of the EU’s GDP. This in turn can push the cost of government contracts up by as much as 15%. 

When member states put in place robust protection measures for whistleblowers, it means that more insiders are likely to feel safe coming forward with information that can help reduce corruption levels and save money across the 27 nations. 

5. Timeline: when will it be implemented?

Here is the timeline of the EU whistleblowing directive, from the seeds of its creation to the dates by which businesses and government bodies must comply with the new rules. 

• Previously to April 2018: Just 10 EU nations provided robust protection for whistleblowers. Others offered no protection, partial protection or protection only to certain types of employees in select sectors. 
• April 2018: EU Commission proposed a directive to create minimum standards for whistleblower protection across the union. 
• March 2019: Member states and the European Parliament reached an agreement over the content of the directive. 
• 16th April 2019: European Parliament approved the directive. 
• 23rd October 2019: EU Council officially adopted the directive. 
• 16th December 2019: Directive 2019/1937 came into force, giving member states a year to update their national laws. 
• December 2021: Deadline for EU states to implement the directive into law. 
• 17th December 2021: All public and private bodies with 250 or more employees and municipalities serving more than 10,000 people must create an internal reporting system for whistleblowers by this date.
• 17th December 2023: All public and private bodies with 50-249 employees must create an internal reporting system for whistleblowers by this date.

6. What organisations need to know about the EU whistleblower directive 

Who Does the Directive Protect? 

The directive protects whistleblowers who make reports on wrongdoing in good faith. In the words of the document, anyone who “had reasonable grounds to believe that the information on breaches reported was true at the time of reporting and that such information fell within the scope of this Directive” should be afforded protection from retaliation. 

In general, protection is offered to anyone who has professional relations with the organisation. According to Section 39, this includes:

• Employees
• Freelance workers
• Contractors
• Subcontractors
• Suppliers
• Shareholders
• People in management roles
• Former employees
• Prospective employees

Section 40 also protects volunteers and trainees, whether paid or unpaid, from retaliation.

Retaliation can mean anything from being dismissed to being blacklisted for future employment, being blackmailed, losing out on contracts and a range of other punishments for raising awareness of rule breaches. 

7. What protections does the directive offer?

The directive offers protections to whistleblowers, their families and colleagues who supported them in making their report. Chapter 6 of the directive lists protections against retaliatory actions by affected organisations or individuals. These actions include, but are not limited to:

• Suspension, termination of contract or dismissal
• Demotion or preventing a promotion
• A change of duties
• Pay cuts
• Withholding of training  
• Imposing penalties
• Imposing disciplinary measures
• Cancelling contracts for goods or services
• Negative references or appraisals
• Harm to the reputation of the whistleblower, especially on social media
• Coercion, intimidation, harassment, ostracism.

In addition, the directive ensures that the whistleblower is not legally seen to have breached any agreements on disclosure of information in the act of making their report. This means that they are free to report even if their employment contract, a non-disclosure agreement, a confidentiality clause, any copyrighted material or any other document states that they are bound to silence. This protects them from legal recriminations. 

Article 20 details the measures of support available to whistleblowers. This includes the provision of free comprehensive information about their rights, legal aid for fighting retaliation, financial assistance and access to psychological support. 

This protection is given from the moment the whistleblower comes forward and makes their report, whether they do so internally to the organisation, externally to the authorities or through public channels such as the media. 

8. Scope of whistleblowing reports

The whistleblowing directive provides for violations of EU law in the following fields: 

• public procurement
• financial services, products and markets, and prevention of money laundering, terrorist financing and the financial interests of the EU
• product safety and compliance
• transport safety
• protection of the environment
• radiation protection and nuclear safety
• food and feed safety, animal health and welfare
• public health
• consumer protection
• protection of privacy and personal data, and security of network and information systems
• areas relating to the internal market of the EU, including breaches of state aid rules, competition laws and corporate tax

The directive also makes clear that member states can extend the scope of their own individual whistleblower protection laws to cover any other areas they wish to include.

To make an internal report, the reporting person should have the option to do so orally, in writing or both. Oral methods include telephone call, another voice messaging platform or, if they wish, a physical meeting. Written methods include letter, email or through a secure online platform, such as IntegrityLog.

The affected organisation should appoint a person or department to receive reports who is able “to ensure independence and absence of conflict of interest”. An impartial person or a competent department should follow-up the reports. They can be, but do not have to be, the person or department that receives the report in the first place. The directive suggests this should be an “organisational head, such as a chief compliance or human resources officer, an integrity officer, a legal or privacy officer, a chief financial officer, a chief audit executive or a member of the board.”

9. Is the reporting process specified?

Article 90 of Directive (EU) 2019/1937 provides a number of elements that should form part of the internal reporting process. These are:

1. Organisations should provide a system for reporting in a manner that ensures the confidentiality of the reporting person and any other party mentioned in the report. Unauthorised individuals should not be able to access the information. A whistleblower making an internal report should file it in this system in the first instance.

2. The organisation must acknowledge that it has received the report within seven days of it being filed.

3.The impartial individual or competent department should follow up on the report, maintain communication with the whistleblower, ask them for more information if needed and report back on the progress of the report.

4. The impartial individual or competent department must complete a “diligent follow-up” on the report.

5.They should provide feedback on the report within three months of acknowledging the report.

6. The impartial individual or competent department should provide clear details on how the reporting person can escalate the issue to relevant authorities either nationally or at EU level if required. 

As long as the affected organisation covers these points, they can include any other steps they wish into the process. Although all actions must fall within the articles of the directive on dealing with whistleblowers. 

10. Internal reporting channels

The directive encourages the implementation of internal reporting channels as “it is vital that the relevant information reaches swiftly those closest to the source of the problem, most able to investigate and with powers to remedy it, where possible.”

If the reporting person broaches the issue with the organisation in the first place, there could be a swift and satisfactory resolution. In addition, organisations that actively promote their whistleblowing reporting channels show themselves to value their corporate social responsibilities, good communication and their commitment to excellence and self-correction. 

The channels can take the form of written or oral forms and must respect the confidentiality of the whistleblower and anyone mentioned in the report. 

Here are the obligations for establishing internal reporting channels, based on the sector in which the organisation sits:

11. External reporting channels

According to Chapter III of the directive, whistleblowers can opt to make their report through an external reporting channel if they wish and still remain covered by the EU whistleblowing directive. This could be an external counsel, trade union representative, auditor or any other third party that can ensure it will deal with reports in an independent and confidential manner, whilst also ensuring the confidentiality of the reporting person and other individuals named in the report. It is for the individual EU nations to designate official external reporting channels and to provide them with the resources they need to accept and feedback on reports.

Reasons for opting for an external reporting channel include a lack of confidence in the internal reporting system, dissatisfaction with the outcome of the internal process or if the organisation in which the wrongdoing occurred had fewer than 50 employees and was not obliged to provide a reporting channel.

Reporting persons should be able to submit their reports orally or in writing. 

These channels must: 

1. Acknowledge reports within seven days unless requested not to by the reporting person or if they believe that doing so might hinder the confidentiality. 
2. Feedback within three months (or six months where it is justified), following diligent investigation. 
3. Provide the whistleblower with information on the result of the investigation. 
4. Inform the relevant authorities if there is additional investigation needed. 

The systems involved must guarantee anonymity and prevent unauthorised people from accessing the information.  

12. Public disclosures

There are a number of situations in which a whistleblower may go directly to a public body to make their disclosure and still remain protected by the directive. These are: 

• The reporting person initially reported internally and externally, or solely externally, but there was an unsatisfactory response. 
• The reporting person believes that there is urgent danger to the public interest.
• The reporting person believes that by reporting externally they will face retaliation. 
• The reporting person believes that by reporting externally, there is a chance the wrongdoing will not be properly addressed. This could be due to a conflict of interest between the reporting authority and the accused or where the accused may destroy evidence. 

In this case, public reporting means exposing wrongdoing in the press or media in general. 

13. How the EU whistleblower directive addresses retaliation

The directive requires the 27 EU member states to create laws to prevent retaliation against reporting persons. It cites examples of potential retaliatory acts, as listed above, which cover those that occur within the workplace as well as acts against their reputation, those that prevent them working in the future and those that affect the whistleblower’s psychological or medical health. In order to fulfil this, the new rules require states to ensure: 

• There is no punishment for breaching confidentiality documents in making the report. 
• The organisation cannot pursue the reporting person for legal redress, for copyright breach, breach of data protection, defamation or similar if the whistleblower believed at the time that reporting or disclosing material was necessary to prevent wrongdoing. 
• Disclosing trade secrets is lawful, as long as the whistleblower meets the requirements for cover by the directive. 
• The whistleblower cannot be held liable for acquiring or accessing the material that forms the basis of the report. This is unless they committed a criminal act in order to find the material in the first place. 
• The onus of proof is reversed if there is some detriment to the reporting person. Authorities should assume it came as a result of retaliation for the report unless the organisation can prove otherwise. 

Compensation for Retaliation

Any whistleblower who is the victim of retaliation for their report should be able to access legal remedies from the affected organisation, including compensation. The directive states that the redress “should be determined by the kind of retaliation suffered, and the damage caused in such cases should be compensated in full in accordance with national law.”.

In terms of compensation, organisations should cover actual losses as well as future losses, caused by demotion, cancelled contracts and similar. They should also pay for costs involving changing jobs, for legal costs incurred by the retaliation, medical treatment, and for “pain and suffering”.

Although there are differences between the legal systems of the member states, the directive obliges them to make sure any compensation and reparations are “real and effective”.

14. Penalties

The directive details that there should be penalties for both affected organisations or individuals who attempt to hinder whistleblowers and those who knowingly make false reports. 

15. Record keeping

Affected organisations should keep a record of every report for no longer than is necessary for completing their investigations. Member states may have varying rules on how long companies must keep records, and this will also form part of the consideration of when to dispose of them. 

The organisation should ensure that they maintain the confidentiality of the whistleblower and other named individuals at all times. This includes any named people implicated in the wrongdoing, as well as friends and colleagues of the reporting person. In addition to this responsibility, the company must comply with GDPR on the control of data processing.

Organisations should not collect personal information not relevant to the report and, if they do so accidentally, they should delete it immediately. 

For recorded voice reports, the organisation must gain the permission of the reporting person to either make a hard copy of the recording for their records or to produce a “complete and accurate transcript of the conversation prepared by the staff members responsible for handling the report.”

In the case of unrecorded voice reports or face-to-face meetings, the organisation or competent authority should ensure they accurately represent the conversation in meeting minutes. The whistleblower should have the opportunity to check the minutes for accuracy and sign them to show they are happy with them before the document is filed.

15.1 Whistleblowing Systems

The organisation must acknowledge receipt of the report within seven days. They then have three months to report back on the progress of the investigation. Along with this requirement and the need for confidentiality and adherence to GDPR, it can prove a challenging administrative job for any organisation.

This is why using whistleblowing systems such as IntegrityLog helps organisations stay compliant and speed up reporting. The automated system accepts the report, alerts the designated person to receive the report and keeps track of the status of the case as it moves on. You can see where investigations are and when the next deadline is. It also provides confidentiality, prevents unauthorised people from accessing details and complies with GDPR. 

16. How should organisations handle a whistleblowing report?

Organisations should appoint a person or department to accept reports as well as to follow up on them. Both actions can be completed by the same person or department if the organisation wishes. However, the organisation must be able “to ensure independence and absence of conflict of interest” with the appointment.

Businesses and public bodies can opt to investigate the claims internally or to appoint an external body to do so on their behalf. Some organisations might look to set up an independent Ombuds function. This is a body that is neutral and can be seen as transparently fair in the way it deals with reports. It has no vested interest and can provide impartial advice to both sides, helping the reporting person find the support they need and helping the organisation improve its systems. 

The Ombuds function should: 

• Feature staff without connection to the organisation and with no conflict of interest. 
• Gain support from the management and executives of the organisation and have the ear of the leadership team. 
• Make recommendations but not directly make decisions on behalf of the company relating to whistleblower reports. 
• Be responsible for maintaining confidentiality. 
• Ensure there is no retaliation. 
• Have the tools necessary to carry out the job. This includes a specific whistleblowing portal like IntegrityLog, with a dashboard to help keep track of cases and related data. 

17. What can your organisation do now? 

In order to prepare fully for the whistleblowing directive, there are some steps you should take right now. 

17.1 Establish Whistleblower Protection Measures

Organisations should show that they are serious about nurturing a culture of speaking up about wrongdoing. This commitment to proper governance instills confidence in employees and can lead to better morale and, in turn, greater productivity and less employment churn. By being proactive about protecting whistleblowers, you encourage any reporting persons to use your internal channels in the first instance, which helps nip problems in the bud before they get out of hand.

17.2 Set Up Your Reporting Channels

You should have your reporting channels in place well in advance of the rule change. These should allow for written reports, oral reports or both. You could set up a telephone line or other voice message functionality, a specific email address, the capacity for a face-to-face meeting and an online whistleblowing reporting system. The latter provides the easiest way to keep data confidential and secure. 

17.3 Designate an Impartial Person to Receive, Review and Investigate Claims

You should designate an impartial and competent person to receive, review and investigate claims. It could be two different parties that receive and follow-up or organisations can use the same person or department. An Ombuds function allows for an independent and transparent process that can be trusted by both parties. 

17.4 Implement a Process to Respond to Claims

The directive requires you to acknowledge receipt of a report within seven days and to follow up within three months, but you may choose to shorten those timelines for your organisation. As long as you work within the framework of the directive, you can customise the process for your own requirements.

17.5 Inform and train employees 

Openness is key in helping create the right environment for fair and just treatment of whistleblowers. You should inform your staff about the correct processes for reporting wrongdoing, what happens after the report and how you will treat their report. You should also be clear about what constitutes retaliation and the punishments for such behaviour. The directive suggests including information on the whistleblowing process in training courses and on the organisation’s website. 

18. FAQs

18.1 How should whistleblowers report? Is there a ‘hierarchy’ of reporting?

There are three tiers of whistleblower reporting – internally to the organisation itself, externally to a competent authority and public disclosure to the media. The directive encourages whistleblowers to report internally in the first instance, going to the source of the alleged problem. This is beneficial to organisations because it allows them to rectify situations adequately. However, reporting persons can use any method they like, if they feel that internal channels will not provide a satisfactory outcome or if there is imminent danger to the public interest. 

18.2 How will data protection laws intersect with whistleblower protection laws?

To comply with data protection laws, organisations must only hold data that is necessary for investigating the report. If they unwittingly hold unnecessary information, they should delete it immediately. In addition, organisations must keep reporting details confidential and secure. To reduce compliance risk and meet these requirements, organisations can utilize an online reporting channel such as IntegrityLog.

18.3 How should anonymous reports be handled?

The directive states in Article 6 that it is up to each EU country to decide whether organisations can accept anonymous reports in their jurisdictions. If an anonymous whistleblower makes a report and then has their identity subsequently revealed, they still qualify for the protection that it offers. Organisations should ensure they are up to date with their nation’s laws on anonymous reporting when preparing for the new directive. 

19. Conclusion

The EU whistleblowing directive can be seen as an opportunity for organisations to prove that they are dedicated to constant improvements in their governance. By being proactive and providing clear and easy-to-follow guidelines for reporting wrongdoing, they can not only comply with the new rules, but they can also reassure their staff that they are committed to looking after them in the case of making a report.Using online whistleblowing tools such as IntegrityLog a safe, secure and intuitive way to manage your reporting workflow. If you want to learn more, book a demo or request a 14-day free trial for your organisation. 

20. References and further reading

• Panama Papers
• LuxLeaks
• EHRC Information on Whistleblowers
• Eucrim on the Directive
• Transparency International Analysis