Despite some last minute push back by a few member states, EU negotiators agreed the final content of the new directive on whistleblower protection on March 11, concluding the so-called “trilogue” phase in just a few weeks‘ time.
The deal was welcomed by the European Parliament and by the Commission and the directive, once formally adopted by the Council and the Parliament (the plenary vote being scheduled to take place on April 17), will mark the first time a regional legal framework is established to protect whistleblowers. This is a major achievement for the Parliament – and the Commission - in the run up to the European elections in May, as whistleblower protection was a key priority.
The directive, whose initial draft was published in April 2018 by the EU Commission, aims at better protecting whistleblowers who report breaches of EU law - as current protections are fragmented or only partial across member states, with only about 10 countries offering a comprehensive system. More specifically, the draft directive looks at introducing ‘common minimum standards’ to protect people working in the private or public sector from retaliation for reporting breaches of laws in specific EU policy areas, where such violations or abuses may cause serious harm to the public interest or where there is an identified need to strengthen enforcement. These policy areas include public procurement, financial services, environmental and consumer protection, product and transport safety, food safety, public health, nuclear safety, protection of privacy and personal data, as well as violations of competition law and tax evasion and avoidance, including VAT.
More about the initial EU proposal and current levels of protections in key jurisdictions in our July 2018 analysis and about the negotiations at EU level in our previous blog post.
Key points resulting from the trilogue and which are now confirmed as part of the final compromise text released last week are as follows:
- Attempts by the Parliament to include labour and employment in the material scope of the directive got rejected. Such reference was absent from the initial proposal for the reason that labour and employment laws generally provide for their own redress mechanisms. Also, a new article 1bis makes it clear member states will remain able to protect national security interests (with procurement rules involving defence and national security potentially being out of scope of the directive).
- The final text confirms the broad personal scope of the directive: it covers reporting persons who acquired information on breaches in a work-related context being workers (defined by reference to the European Court of Justice case law and including those having an employment contract or those in non-standard forms of employment, eg gig workers, temps etc), civil servants, self employed, shareholders and members of the senior management, volunteers, trainees, persons working for contractors, sub contractors and suppliers. EU negotiators further agreed that reporting persons will be protected even if the work relationship has ended or has yet to start. Also, the final text extends the scope to people assisting the reporting persons (‘facilitators’) and third persons connected with the reporting persons and who may suffer retaliation.
- All companies of 50 employees or more will be required to establish internal reporting channels, however SMEs (between 50 and 250 employees) will have up to 4 years to adjust to the new rules and companies with less than 250 employees will be able to share resources for the handling of complaints. No threshold will apply to companies providing financial services.
- The final text confirms that whistleblowers will be protected as long as they had reasonable grounds to believe that the information reported was true at the time of the reporting (and that it fell within the material scope of the directive).
- Whistleblowers will be protected whether they first report internally to the legal entity concerned or directly to competent national authorities, as well as to relevant EU institutions, bodies, offices and agencies this “depending on the circumstances of the case”. This choice was not that obvious as the initial proposal seemed to favour a hierarchy and as some member states - including France and Germany - wanted to give priority to internal reporting over external disclosure. But the Parliament won and there is no such thing in the final agreement. It is only noted that member states are to encourage whistleblowers to use internal channels first “since internal reporting contributes to the early and effective resolution of risks for the public interest as well as to preventing unjustified reputational damage which may result from public disclosure”. It will be interesting to see what member states will do of all this when implementing the directive. Experience shows that implementation may differ from a country to the other. Furthermore, “In cases where no appropriate action was taken in response to the whistle-blower’s initial report, or if they believe there is an imminent danger to the public interest or a risk of retaliation, the reporting person will still be protected if they choose to disclose information publicly”. Finally, anonymous whistleblowers whose identity has been revealed will be protected as well.
Also worth nothing that:
- The agreed text contains a long list of prohibited retaliatory measures, ranging from negative performance assessment to harassment or dismissal.
- Companies will need to acknowledge receipt of an internal complaint within 7 days and have a duty to provide feedback to the whistleblower about the follow up to the report within 3 months.
- NDAs cannot be opposed to whistleblowers acting in compliance with the rules and procedures as set out in the directive.
Members states will have two years from adoption to transpose the directive into national law (thus until spring 2021 – as noted above, SMEs will have two more years to put internal reporting channels in place).