What Are The Whistleblower Rights And Protections In The EU?

The economic benefits of encouraging whistleblowers are staggering. The European Commission suggests that the “loss of potential benefits due to a lack of whistleblower protection, in public procurement alone” is between €6 and €10 billion a year. 

At the same time, the EU Whistleblowing Directive is about to come into force in the European Union, protecting people who witness and report breaches of union law during the course of their work.

So, what whistleblower rights and protections will the directive bring in order to make reporting persons feel more comfortable coming forward with details of wrongdoing?

This article explores what constitutes a whistleblower, which breaches they can report, the legislation in place to protect them from retaliation and how they can make their report in order to protect the public interest. 

1. Employees and the EU Whistleblowing Directive

1.1 What is a whistleblower?

A whistleblower, also known as as ‘reporting person’, is described by the directive as:

“a natural person who reports or publicly discloses information on breaches acquired in the context of his or her work-related activities”

For the purposes of the EU Whistleblowing Directive, this includes:

• Employees
• Freelance workers
• Contractors
• Subcontractors
• Suppliers
• Board members
• Shareholders
• People in management roles
• Former employees
• Prospective employees
• Volunteers
• Trainees.

In order to be protected under the new directive, they do not have to be proved correct when their report on criminal behaviour is investigated. However, they must have believed the information they gave to be true at the time of making the report. 

1.2 What concerns should be reported?

The legislation allows whistleblower protection for reporting violations of EU law in the following fields: 

• public procurement
• financial services, products and markets, and prevention of money laundering, terrorist financing and the financial interests of the EU
• product safety and compliance
• transport safety
• protection of the environment
• radiation protection and nuclear safety
• food and feed safety, animal health and welfare
• public health
• consumer protection
• protection of privacy and personal data, and security of network and information systems
• areas relating to the internal market of the EU, including breaches of state aid rules, competition laws and corporate tax.

Within these areas, it could relate to fraud, bribery, corruption or any other criminal offence. 

However, member states are allowed to extend the scope of the directive to cover other aspects of union rules as well as areas of national law. Groups such as Transparency International are calling on governments in member states to allow whistleblowers protection when reporting breaches of domestic legislation, too. 

Businesses in the EU will not only have to study the bloc’s directive but also their country’s individual rules on whistleblowing when they are implemented. This will help them understand the exact scope of the regulations within those borders. 

1.3 When does protection apply?

Protection for the reporting person applies from the moment they make a qualifying disclosure about a breach of EU laws in the areas mentioned above (or in any other areas stipulated in that country’s own laws). This must be reported in good faith, with them believing the information to be true, and through internal, external or public channels in any method laid out by the directive. These are termed protected disclosures and allow the whistleblower to enjoy the protections laid down in the act. 

Whistleblowers are encouraged to report internally within the organisation in the first instance but, if they feel that they cannot for any reason, there are other options:

2. Whistleblower rights and protections

Whistleblowers have the following rights and protections as a result of the EU Whistleblowing Directive. 

2.1 Confidentiality

The reporting person has a right to confidentiality when they make a report. This is extended to their family members and colleagues who have supported them in making their report. Any party named in the report in relation to committing a criminal activity should also have their identity kept confidential throughout the investigation process. 

2.2 Legal advice

Companies should provide access to free legal advice for any whistleblower making a report in the prescribed manner. This should be comprehensive and impartial. It should guide them through the procedures relating to the making and investigation of the reports as well as the remedies to which they are permitted. 

2.3 Protections against retaliation

For the purposes of the directive, ‘retaliation’ refers to demotion, blacklisting, harassment, dismissal, limited career opportunities or any other ‘punishment’ for making a report. In the event that the organisation, or a worker within that organisation, retaliates against the whistleblower, there are protections and remedial measures available. They include: 

• Interim relief to prevent dismissals during protracted legal proceedings
• Reversal of the burden of proof, meaning that someone accused of retaliation has to offer evidence that they weren’t doing so.

2.4 No liability for disclosure

Even if there are nondisclosure agreements or confidentiality agreements in place, or if the report relates to classified information, the reporting person will not be held liable or face sanctions. They are still allowed to disclose the facts that they believe to be true and that fall within the scope of the whistleblowing legislation in their country. 

2.5 Legal protections

If companies or individuals take legal action in court, for defamation, copyright infringement or at an employment tribunal, for example, the whistleblower is still afforded legal protection by using the directive in their defence in this particular case.

2.6 Timeframes

The reporting person has a right to receive confirmation of receiving their report within seven days of making it. They must also receive a “diligent follow-up” within three months. 

If the whistleblower is unsatisfied with the investigation through the internal reporting channel, they can move to the external authority, which has three months to reply. Following this, they can then escalate the issue to the public realm.

3. How should concerns be reported?

The EU Whistleblowing Directive will eventually require all organisations employing over 50 staff and municipalities with more than 10,000 citizens to implement an internal reporting system for whistleblowers. They can choose to run one or more different channels, which must allow for written or oral reporting. 

There are a number of considerations to make when choosing the right reporting channels for a business, particularly when it comes to considering how they will enable you to protect the rights of whistleblowers under the directive. For example, asking reporting persons to drop their reports into a mailbox might negate their right to confidentiality because, by its nature, the box would be situated in a public place where someone could see them making the report. 

An effective, efficient and compliant reporting channel is an online system such as IntegrityLog. It allows whistleblowers to access it from anywhere at any time, enter their details and be certain that their information will be kept securely in a confidential manner.

4. Data protection issues

Whistleblowing reports are subject to the General Data Protection Regulation (GDPR), which means that the reporting channel you use should take this into consideration and allow you to easily maintain compliance. 

With solutions where an operator is required to take notes, such as on a telephone hotline, there is a double risk. The operator could collect more data than is necessary and struggle to restrict access to the information to unauthorised parties. 

IntegrityLog only collects the necessary data and ensures unauthorised people do not access the information held in the report. In addition, when using just one channel, it is easier to comply with GDPR’s Right to Be Forgotten, which requires the anonymising or destruction of data in some circumstances. If you have multiple channels, it becomes more difficult to ensure you have erased all the relevant data.

5. FAQs

5.1 Should you protect whistleblower anonymity?

It is up to individual member states to decide whether businesses and public bodies must accept anonymous reports. If there is no specific ruling, organisations can choose whether or not to allow them. If an anonymous report is made and the reporting person’s identity is later revealed, they will also qualify for the protections described above.

What kind of whistleblowing channel needs to be implemented?

The whistleblowing channel or channels should allow for oral, written or both types of reporting. They could include face-to-face interviews, a special email, a phone line, an online compliance tool or anything else that allows for reporting in these methods. 

5.2 What is considered retaliation?

Retaliation against a whistleblower can include:     

• Suspension, termination of contract or dismissal
• Unfair dismissal
• Demotion or preventing a promotion
• A change of duties
• Pay cuts
• Withholding of training  
• Imposing penalties
• Imposing disciplinary measures
• Cancelling contracts for goods or services
• Negative references or appraisals
• Harm to the reputation of the whistleblower, especially on social media
• Coercion, intimidation, harassment, ostracism.

It can also include any other type of discrimination, prohibition and detrimental treatment, complaints and personal grievances from colleagues, and abuse of authority by management.  

5.3 Are there penalties for whistleblowers?

There are no penalties for whistleblowers under the EU Whistleblowing Directive, provided they made the report in the belief that what they said was the truth. Whistleblowers are protected by law from negative acts of whistleblower retaliation performed as punishment for making their report. Organisations have a legal obligation to ensure this is so.

6. Conclusion

It is the duty of organisations affected by the EU Whistleblowing Directive to understand the whistleblower rights and protections within the union. They should put in place systems to make sure all reports remain confidential, the follow-up responses are sent in due time and no retaliation is entered into. In addition, there is a requirement to provide an internal reporting channel that not only allows for whistleblowing but also complies with data protection laws. 

IntegrityLog is GDPR-compliant, secure and even provides a dashboard that informs the investigation team when they have a deadline approaching. Try IntegrityLog for free or request a 14-day free trial today. 

7. References and Further Reading

• Examples of whistleblowing
• Why whistleblowers are important
• IntegrityLog features
• Whistleblowing in the UK (including the Employment Rights Act and the Public Interest Disclosure Act)
• Whistleblowing in the US (related to occupational safety and enforced by OSHA)
• Whistleblower Protection Enhancement Act of 2012
• The whistleblower who exposed a multinational