Facilitating and protecting those who report breaches of law at their workplace are the primary goals of EU Directive 2019/1937 on whistleblowers (the Whistleblower Directive) adopted on 23 October 2019. EU Member States have until 17 December 2021 to implement it into their national legislation.
The Whistleblower Directive will operate alongside certain existing sector-specific rules (i.e. aviation, shipping) and covers matters not already regulated under existing EU law. While Luxembourg regulations for financial institutions already include requirements to have whistleblower policies, the assessment of the market demonstrates that most entities will need to expand their efforts in this area not only to comply with the Whistleblower Directive but also to intelligently manage the anticipated increase in whistleblower complaints.
As a manager or director of a regulated or unregulated entity, you must consider the purpose of whistleblower protections and the different approaches which can be taken to encourage employees to report when appropriate and to avoid abuse. There are several aspects of the Whistleblower Directive which require attention before the end of next year.
Who can be a whistleblower?
Various individuals are eligible as whistleblowers under the Whistleblower Directive:
- EU citizens and third-country nationals who deal with EU companies;
- employees, self-employed workers, volunteers, unpaid trainees, shareholders, and members of supervisory bodies (including the board of directors);
- independent third-party contractors, subcontractors, and suppliers.
Internal Reporting Requirement
The Whistleblower Directive includes an internal reporting requirement which should be one of the priorities for businesses operating in the European Union.
All businesses with more than fifty employees must establish internal reporting mechanisms for whistleblowers. The exact requirements will vary based on the number of employees:
Mid-sized Businesses (50-249 workers): Mid-sized businesses will be able to pool their resources (including outsourcing) in order to jointly receive and investigate complaints. These pooled whistleblower reporting systems will be subject to additional regulations which are expected to be enacted in 2023.
Large Businesses (more than 249 workers): Large businesses must establish independent internal reporting mechanisms. Determining legally compliant and cost-efficient methods of implementation should be a priority for businesses of this size. It is likely that many large businesses may already have a whistleblower policy or belong to a group which has reporting mechanisms in place.
Small Businesses (fewer than 50 workers): Entities with fewer than fifty employees may be required to establish internal reporting mechanisms at the Member State´s discretion if they are at a high risk of breach. The Whistleblower Directive highlights public health and the environment as areas of concern. Small businesses should therefore continue to monitor legislative updates and budget for the possibility that they may be required to establish whistleblowing systems depending on their sector and the final risk assessment determined at a national level.
Requirements for Reporting Channels
The Whistleblower Directive foresees internal and external reporting. For both, these specific requirements apply:
- Confidentiality: Internal reporting mechanisms must protect whistleblowers' identities. Unauthorised staff members who are not explicitly referred to as recipients of reports in a whistleblowing policy should be precluded from viewing this information and a whistleblower’s identity must not be publicly disclosed without their explicit consent. However, the Whistleblower Directive does not impose any obligation on entities to provide anonymous reporting channels. Allowing a designated staff member to know a whistleblower’s identity is permitted.
- Processing of personal data: Any processing of personal data carried out pursuant to the Whistleblower Directive, including the exchange or transmission of personal data by the competent authorities must comply with GDPR and Directive 2016/680. Personal data which is manifestly not relevant for the handling of a specific report must not be collected or, if accidentally collected, must be deleted without undue delay.
It must be possible for staff to report concerns in a manner that preserves confidentiality including:
- Written complaints, including through an online platform intranet or internet);
- Oral complaints, which must be possible by telephone online or other voice messaging systems (such as automated voicemail);
- In person, upon request of the complainant, within a reasonable timeframe.
Protocol on the Receipt of a Report
The Whistleblower Directive also contains detailed provisions which must be followed by designated staff upon the receipt of a report:
- An acknowledgement of the report’s receipt must be made to the whistleblower within seven days;
- Follow-up steps must be taken where necessary to address the report through whichever means the situation requires. This may include reporting a breach to the authorities if appropriate;
- After the follow-up, feedback entailing the actions taken or lack thereof must be given to the whistleblower, not exceeding three months from the acknowledgement of a report’s receipt, or if no acknowledgement was sent to the reporting person, three months from the expiry of the seven-day period after the report was made.
Retaliation is defined as “any direct or indirect act or omission which occurs in a work-related context, is prompted by internal or external reporting or by public disclosure, and which causes or may cause unjustified detriment to the reporting person.” As “whistleblowing” is seen as an expression of an individual’s fundamental right to free speech, any form of retaliation, including threats of retaliation and attempts of retaliation, against whistleblowers is expressly prohibited.
Measures for protection against retaliation and the related sanctions will be determined by implementing legislation in Luxembourg.
Punishments and Remedies
The robust legal protection offered to whistleblowers under the Whistleblower Directive only applies if the information disclosed pertains to legal violations. The Whistleblower Directive calls for penalties against persons who knowingly disclose false information, in order to deter malicious reporting.
The Whistleblower Directive calls for effective, proportionate and dissuasive penalties for those who retaliate against whistleblowers. Luxembourg’s penalties in the context of this Directive have not yet been published.