EU Parliament Approves Draft Whistleblowing Directive at First Reading

On April 16, 2019, the EU Parliament approved a draft directive for new harmonized rules on the protection of whistleblowers. The Directive of the European Parliament and of the Council on the Protection of Persons reporting on Breaches of Union Law (the “Whistleblowing Directive”) creates EU-wide minimum standards to protect persons disclosing information to which they are privy in the context of their work and which relates to certain breaches of EU law. These include breaches of the rules on public procurement, financial services, money laundering, environmental protection and nuclear safety, EU competition law, food and product safety, consumer and data protection law.

The EU Council and the Parliament have now reached a provisional agreement on the final act. After formal approval, the Whistleblowing Directive will be published in the Official Journal of the European Union, after which Member States have two years to implement the Directive into national law. The below is based on the current version of the draft, which may of course still undergo changes before the final approval.

What is required?

The Whistleblowing Directive requires Member States to ensure the creation of effective, confidential and secure reporting channels, both internally within organizations as well as externally with competent authorities and to create safeguards to protect whistleblowers against any retaliation measures resulting of their reporting. The draft also requires to provide information regarding the possible reporting channels and remedies against retaliation, free-of-charge and in an easily understandable language.

Who is protected?

The Whistleblowing Directive protects “reporting persons” – i.e. those who acquired information on breaches in a work-related context and report or disclose such information. This protection applies regardless of whether the work-relationship has already ended or is yet to begin. Moreover, it also extends to those people assisting reporting persons, such as facilitators, colleagues, or relatives.

As a condition for protection under the Whistleblowing Directive, the reporting persons must have had reasonable grounds to believe that the information they reported was true at the time of reporting and that it fell within the scope of the Whistleblowing Directive. Malicious reports can be subject to penalties to be determined by the Member States.

As an additional condition, persons who disclose trade secrets acquired in a work-related context can only benefit from the protection if the disclosure was necessary to reveal the breach. Competent authorities have to avoid using or disclosing such trade secrets for other purposes beyond what is necessary for the proper follow-up of the reports.

How are whistleblowers protected?

The identity of the reporting person has to be held confidential. Reporting mechanisms should be structured in such a way that the confidentiality is always warranted.

Legal or contractual obligations, such as loyalty clauses or confidentiality/non-disclosure agreements, cannot be relied on to preclude reporting, to deny protection or to penalize reporting persons for having done so where providing the information falling within the scope of such clauses and agreements is necessary for revealing the breach.

When the reporting person demonstrates prima facie that he or she made a report or public disclosure in line with the directive and suffered retaliation, the burden of proof shifts to the person who took the detrimental action. The latter must then demonstrate that the action taken was based on duly justified grounds – i.e. that it was not linked in any way to the reporting or the public disclosure.

If no such proof can be provided – and thus retaliation is established – the reporting person (as well as the facilitator) is entitled to legal remedies and compensation. This should be a real and effective compensation, in a way which is dissuasive and proportionate to the detriment suffered.

Which organizations need to have an internal reporting system?

Internal reporting channels are obligatory for public entities, and for private entities that either have 50 or more employees. Member States may require also other undertakings to establish internal reporting channels, e.g. due to the significant risks that may result from their activities. Irrespective of size, internal reporting channels are also obligatory for financial services providers and firms that are vulnerable to money laundering or terrorist financing.

How should the whistleblower report?

As a principle, reporting persons should be encouraged to first use the internal reporting channels and report to their employer, if such channels are available to them and can reasonably be expected to work. This is the case, in particular, where the reporting persons believe that the breach can be effectively addressed within the relevant organization, and that there is no risk of retaliation. At the same time, however, the whistleblower should always be able to choose the most appropriate reporting channel depending on the individual circumstances of the case at hand. Obviously, for those private legal entities that do not need to have internal reporting channels, reporting persons should be able to report directly externally – i.e. to the competent authorities – and still be protected against retaliation under the directive.

Whistleblowers can also turn to the media with their information and make a public disclosure. Because of the potential reputational damages that such public disclosures could entail for an organization, this should always be a last resort. Hence, the whistleblower will only be protected, for instance, when there is an imminent or manifest danger for the public interest, or where there are valid reasons to believe that the breach was not adequately assessed or investigated or that no appropriate remedial action was taken in earlier reporting proceedings.

What are the sanctions?

The Whistleblowing Directive requires Member States to provide effective, proportionate and dissuasive penalties, which may be imposed on individuals or organizations that hinder reporting, take retaliatory measures, start vexatious proceedings against the whistleblower, or breach the confidentiality of their identity. Penalties shall also be applicable to persons that knowingly make false reports or public disclosures.