BY: ComplyLog|March 28, 2021|Whistleblowing
Directive (EU) 2019/1937 of the European Parliament, commonly known as the ‘EU whistleblowing directive’, requires member states to create laws to protect people who come forward with information relating to breaches of Union law and threats to the public interest.
The EU whistleblowing directive states that, without specific protections, whistleblowers can often suffer recriminations for going public with their information.
It reports that “potential whistleblowers are often discouraged from reporting their concerns or suspicions for fear of retaliation. In this context, the importance of providing balanced and effective whistleblower protection is increasingly acknowledged at both Union and international level.”
Transparency International, one of the leading advocates for the whistleblowing directive, offers a stark insight into potential retaliation that reporting persons can face: “whistleblowers risk their career, their livelihood and sometimes their personal safety to expose wrongdoing that threatens the public interest. They may be fired, sued, blacklisted, arrested, threatened or, in extreme cases, assaulted or killed.”
The directive seeks to create a minimum standard across the union that will level the playing field and provide protection for whistleblowers in all member states. In October 2019, only ten of the 28 EU nations had robust whistleblower protections on their statute books. There was not even a word for ‘whistleblower’ in some of the languages of the union. This illustrates the need for the directive that entered into force at that time.
The key takeaways from the EU whistleblower protection directive are:
The European Union has admitted that there was not sufficient protection for whistleblowers before the creation of this new ruling. The directive states: “Whistleblower protection currently provided in the Union is fragmented across Member States and uneven across policy areas. The consequences of breaches of Union law with a cross-border dimension reported by whistleblowers illustrate how insufficient protection in one Member State negatively impacts the functioning of Union policies not only in that Member State, but also in other Member States and in the Union as a whole.”
This was highlighted in a number of recent, high-profile whistleblowing cases. ‘John Doe’ anonymously handed over the Panama Papers to German investigative journalist Bastian Obermayer in 2016. The 11-and-a-half million documents related to large scale tax evasion through a law firm in Central America, and Doe claimed that they needed to remain anonymous as “my life is in danger if my identity is revealed”.
The LuxLeaks scandal in 2014 involved Antoine Deltour. He leaked documents from his employer that showed businesses were avoiding tax. They claimed to be based in Luxembourg and moved profits around different arms of their organisations with the help of some big-name accountancy firms. Rather than being celebrated for drawing attention to the practice, Deltour was prosecuted and received a six-month suspended sentence and a €1,500 fine.
Neither Germany nor Luxembourg offered full protections to whistleblowers, which is why the EU was keen to introduce the directive. At its most basic, it seeks to ensure all organisations across the bloc offer reporting systems to potential whistleblowers and that they put in measures to prevent retaliation against these reporting individuals, their supportive colleagues and their families.
Directive (EU) 2019/1937 affects all businesses and government organisations with 50 or more employees. It also applies to local authorities and municipalities with more than 10,000 inhabitants. These bodies must provide a way for employees to report wrongdoing and to have systems in place to monitor and act on the reports they file.
They should also be able to protect that person’s identity and ensure they do not suffer any recriminations for reports they make in good faith.
Currently, there are no plans to mandate that businesses with 49 or fewer employees implement these new rules.
The directive reaches across the EU; however, individual organisations should be aware that it sets out the minimum level of protection expected for whistleblowers. Member states that want to create even more rigorous laws inside their own country are able to do so.
The directive applies to public bodies just as it does to private firms. As long as there are 50 or more workers involved in the organisation, it must abide by the new rules. In the case of local authorities, if they serve more than 10,000 inhabitants, they are also included.
One of the key areas of public governance in which whistleblowing is important is procurement. With vast sums of money flowing through the public procurement sector, there are myriad opportunities for corruption. Reports estimate corruption costs taxpayers across the union up to €120 billion every year, around 1% of the EU’s GDP. This in turn can push the cost of government contracts up by as much as 15%.
When member states put in place robust protection measures for whistleblowers, it means that more insiders are likely to feel safe coming forward with information that can help reduce corruption levels and save money across the 27 nations.
Here is the timeline of the EU whistleblowing directive, from the seeds of its creation to the dates by which businesses and government bodies must comply with the new rules.
The directive protects whistleblowers who make reports on wrongdoing in good faith. In the words of the document, anyone who “had reasonable grounds to believe that the information on breaches reported was true at the time of reporting and that such information fell within the scope of this Directive” should be afforded protection from retaliation.
In general, protection is offered to anyone who has professional relations with the organisation. According to Section 39, this includes:
Section 40 also protects volunteers and trainees, whether paid or unpaid, from retaliation.
Retaliation can mean anything from being dismissed to being blacklisted for future employment, being blackmailed, losing out on contracts and a range of other punishments for raising awareness of rule breaches.
The directive offers protections to whistleblowers, their families and colleagues who supported them in making their report. Chapter 6 of the directive lists protections against retaliatory actions by affected organisations or individuals. These actions include, but are not limited to:
In addition, the directive ensures that the whistleblower is not legally seen to have breached any agreements on disclosure of information in the act of making their report. This means that they are free to report even if their employment contract, a non-disclosure agreement, a confidentiality clause, any copyrighted material or any other document states that they are bound to silence. This protects them from legal recriminations.
Article 20 details the measures of support available to whistleblowers. This includes the provision of free comprehensive information about their rights, legal aid for fighting retaliation, financial assistance and access to psychological support.
This protection is given from the moment the whistleblower comes forward and makes their report, whether they do so internally to the organisation, externally to the authorities or through public channels such as the media.
The whistleblowing directive provides for violations of EU law in the following fields:
The directive also makes clear that member states can extend the scope of their own individual whistleblower protection laws to cover any other areas they wish to include.
To make an internal report, the reporting person should have the option to do so orally, in writing or both. Oral methods include a telephone call, another voice messaging platform or, if they wish, a physical meeting. Written methods include letter, email or a secure online platform, such as IntegrityLog.
The affected organisation should appoint a person or department to receive reports who is able “to ensure independence and absence of conflict of interest”. An impartial person or a competent department should follow up on the reports. They can be, but do not have to be, the person or department that receives the report in the first place. The directive suggests this should be an “organisational head, such as a chief compliance or human resources officer, an integrity officer, a legal or privacy officer, a chief financial officer, a chief audit executive or a member of the board.”
Article 90 of Directive (EU) 2019/1937 provides a number of elements that should form part of the internal reporting process. These are:
As long as the affected organisation covers these points, it can include any other steps it wishes in the process, although all actions must fall within the articles of the directive on dealing with whistleblowers.
The directive encourages the implementation of internal reporting channels as “it is vital that the relevant information reaches swiftly those closest to the source of the problem, most able to investigate and with powers to remedy it, where possible.”
If the reporting person broaches the issue with the organisation in the first place, there could be a swift and satisfactory resolution. In addition, organisations that actively promote their whistleblowing reporting channels show themselves to value their corporate social responsibilities, good communication and their commitment to excellence and self-correction.
The channels can take the form of written or oral forms and must respect the confidentiality of the whistleblower and anyone mentioned in the report.
Here are the obligations for establishing internal reporting channels, based on the sector in which the organisation sits:
| Sector | Rules on Establishing Internal Reporting Channels |
According to Chapter III of the directive, whistleblowers can opt to make their report through an external reporting channel if they wish and still remain covered by the EU whistleblowing directive. This could be an external counsel, trade union representative, auditor or any other third party that can ensure it will deal with reports in an independent and confidential manner, whilst also ensuring the confidentiality of the reporting person and other individuals named in the report. It is for the individual EU nations to designate official external reporting channels and to provide them with the resources they need to accept and give feedback on reports.
Reasons for opting for an external reporting channel include a lack of confidence in the internal reporting system, dissatisfaction with the outcome of the internal process or if the organisation in which the wrongdoing occurred had fewer than 50 employees and was not obliged to provide a reporting channel.
Reporting persons should be able to submit their reports orally or in writing.
These channels must:
The systems involved must guarantee anonymity and prevent unauthorised people from accessing the information.
There are a number of situations in which a whistleblower may go directly to a public body to make their disclosure and still remain protected by the directive. These are:
In this case, public reporting means exposing wrongdoing in the press or media in general.
The directive requires the 27 EU member states to create laws to prevent retaliation against reporting persons. It cites examples of potential retaliatory acts, as listed above, which cover those that occur within the workplace as well as acts against their reputation, those that prevent them working in the future and those that affect the whistleblower’s psychological or medical health. In order to fulfil this, the new rules require states to ensure:
Any whistleblower who is the victim of retaliation for their report should be able to access legal remedies from the affected organisation, including compensation. The directive states that the redress “should be determined by the kind of retaliation suffered, and the damage caused in such cases should be compensated in full in accordance with national law.”
In terms of compensation, organisations should cover actual losses as well as future losses, caused by demotion, cancelled contracts and similar. They should also pay for costs involving changing jobs, for legal costs incurred by the retaliation, medical treatment, and for “pain and suffering”.
Although there are differences between the legal systems of the member states, the directive obliges them to make sure any compensation and reparations are “real and effective”.
The directive details that there should be penalties both for affected organisations or individuals who attempt to hinder whistleblowers and for those who knowingly make false reports.
| Affected Organisation or Individuals | There should be “effective, proportionate and dissuasive penalties” against organisations or people that attempt to hinder a report, carry out retaliation, bring “vexatious” proceedings against whistleblowers or who breach the confidentiality of the reporting person. |
| Reporting Person | Member states should ensure “effective, proportionate and dissuasive penalties” against people who are proven to have knowingly reported false information. They should also be liable for any damages caused by the report. |
Affected organisations should keep a record of every report for no longer than is necessary for completing their investigations. Member states may have varying rules on how long companies must keep records, and this will also form part of the consideration of when to dispose of them.
The organisation should ensure that they maintain the confidentiality of the whistleblower and other named individuals at all times. This includes any named people implicated in the wrongdoing, as well as friends and colleagues of the reporting person. In addition to this responsibility, the company must comply with GDPR on the control of data processing.
Organisations should not collect personal information not relevant to the report and, if they do so accidentally, they should delete it immediately.
For recorded voice reports, the organisation must gain the permission of the reporting person to either make a hard copy of the recording for their records or to produce a “complete and accurate transcript of the conversation prepared by the staff members responsible for handling the report.”
In the case of unrecorded voice reports or face-to-face meetings, the organisation or competent authority should ensure they accurately represent the conversation in meeting minutes. The whistleblower should have the opportunity to check the minutes for accuracy and sign them to show they are happy with them before the document is filed.
The organisation must acknowledge receipt of the report within seven days. They then have three months to report back on the progress of the investigation. Along with this requirement and the need for confidentiality and adherence to GDPR, it can prove a challenging administrative job for any organisation.
This is why using whistleblowing systems such as IntegrityLog helps organisations stay compliant and speed up reporting. The automated system accepts the report, alerts the designated person to receive the report and keeps track of the status of the case as it moves on. You can see where investigations are and when the next deadline is. It also provides confidentiality, prevents unauthorised people from accessing details and complies with GDPR.
Organisations should appoint a person or department to accept reports as well as to follow up on them. Both actions can be completed by the same person or department if the organisation wishes. However, the organisation must be able “to ensure independence and absence of conflict of interest” with the appointment.
Businesses and public bodies can opt to investigate the claims internally or to appoint an external body to do so on their behalf. Some organisations might look to set up an independent Ombuds function. This is a body that is neutral and can be seen as transparently fair in the way it deals with reports. It has no vested interest and can provide impartial advice to both sides, helping the reporting person find the support they need and helping the organisation improve its systems.
The Ombuds function should:
In order to prepare fully for the whistleblowing directive, there are some steps you should take right now.
Organisations should show that they are serious about nurturing a culture of speaking up about wrongdoing. This commitment to proper governance instills confidence in employees and can lead to better morale and, in turn, greater productivity and less employment churn. By being proactive about protecting whistleblowers, you encourage any reporting persons to use your internal channels in the first instance, which helps nip problems in the bud before they get out of hand.
You should have your reporting channels in place well in advance of the rule change. These should allow for written reports, oral reports or both. You could set up a telephone line or other voice message functionality, a specific email address, the capacity for a face-to-face meeting and an online whistleblowing reporting system. The latter provides the easiest way to keep data confidential and secure.
You should designate an impartial and competent person to receive, review and investigate claims. Two different parties can receive and follow up on reports, or organisations can use the same person or department for both. An Ombuds function allows for an independent and transparent process that can be trusted by both parties.
The directive requires you to acknowledge receipt of a report within seven days and to follow up within three months, but you may choose to shorten those timelines for your organisation. As long as you work within the framework of the directive, you can customise the process for your own requirements.
Openness is key in helping create the right environment for fair and just treatment of whistleblowers. You should inform your staff about the correct processes for reporting wrongdoing, what happens after the report and how you will treat their report. You should also be clear about what constitutes retaliation and the punishments for such behaviour. The directive suggests including information on the whistleblowing process in training courses and on the organisation’s website.
There are three tiers of whistleblower reporting – internally to the organisation itself, externally to a competent authority and public disclosure to the media. The directive encourages whistleblowers to report internally in the first instance, going to the source of the alleged problem. This is beneficial to organisations because it allows them to rectify situations adequately. However, reporting persons can use any method they like, if they feel that internal channels will not provide a satisfactory outcome or if there is imminent danger to the public interest.
To comply with data protection laws, organisations must only hold data that is necessary for investigating the report. If they unwittingly hold unnecessary information, they should delete it immediately. In addition, organisations must keep reporting details confidential and secure. To reduce compliance risk and meet these requirements, organisations can utilize an online reporting channel such as IntegrityLog.
The directive states in Article 6 that it is up to each EU country to decide whether organisations can accept anonymous reports in their jurisdictions. If an anonymous whistleblower makes a report and then has their identity subsequently revealed, they still qualify for the protection that it offers. Organisations should ensure they are up to date with their nation’s laws on anonymous reporting when preparing for the new directive.
The EU whistleblowing directive can be seen as an opportunity for organisations to prove that they are dedicated to constant improvements in their governance. By being proactive and providing clear and easy-to-follow guidelines for reporting wrongdoing, they can not only comply with the new rules, but they can also reassure their staff that they are committed to looking after them in the case of making a report. Using online whistleblowing tools such as IntegrityLog is a safe, secure and intuitive way to manage your reporting workflow. If you want to learn more, book a demo for your organisation.