Whistleblowing in the spotlight – how to prepare for the EU directive’s implementation

Whistleblowing will continue to be in the spotlight in 2021 as both employers and employees deal with the fallout of the pandemic, including long-term changes to the workplace. One such change, home working, is likely to become a common phenomenon, even if only on a part-time basis. This, in turn, demands a review of a range of HR policies, including those relating to whistleblowing and investigations.

Yet, the pandemic is not the only reason to review your whistleblowing policy this year: 2021 will be an important year for businesses operating in the EU as member states are due to implement the 2019 directive on whistleblower protection by December. As the region prepares itself for a raft of local implementing laws, we have put together a list of the directive's key points that employers need to know:

Scope

: the personal scope of the directive protects reporting persons who acquired information on breaches in a work-related context. The material scope, however, is rather narrow as it only covers reporting of breaches related to a limited number of EU policy areas (public procurement, AML, public health and a few more). Nevertheless, member states have been encouraged to broaden the material scope of the directive when implementing it, which a number may do (eg Germany, Luxembourg and Sweden). The EU has always intended to set a new international standard using this directive. Depending on the content of the relevant implementing laws, employers may want to align your global whistleblowing policy to the directive’s requirements for the sake of consistency.

Timing

: December 2021 is often referred to as the deadline for businesses to adjust policies and procedures. However, this date is actually the deadline for member states to implement the directive – an employer’s only duty will be to comply with the implementing laws (which may possibly contain a different timeline or may even be enforced after December 2021 if a particular member state misses the deadline, which is not unusual). Discussions are ongoing and draft implementing laws have been published in many of the key EU jurisdictions, including Germany, Spain, Luxembourg, Sweden and Poland. Some member states will find implementing the provisions of the EU directive easier than others, especially where existing local regimes are already broadly aligned with the directive (eg France). Another important point to keep in mind is that member states can have another two years (thus, until the end of 2023) to implement the requirements for legal entities with 50 to 249 workers. Again, employers will need to look at the existing local laws and/or at the local implementing laws in the relevant jurisdictions in case the threshold/timing differs.

Internal vs external reporting

: although the directive encourages whistleblowers to report internally first, they can choose to report externally to public authorities and – if certain conditions are met – even the media). This is a different approach than what has generally been practised in some EU member states (such as Germany) where internal report has often been prioritized over external reporting. The approach under the EU directive may therefore differ from existing processes and may require employers to review their policy. Again, it is to be double check what the relevant implementing laws will do with this flexibility. Not all member states were happy with the absence of a clear prioritisation between internal and external reporting at the time of the directive’s adoption. Also, many employers will already have an internal reporting system, but attention should be paid to the details provided in the relevant implementing laws.

Thresholds

: the directive’s requirements for an internal reporting system in the private sector only apply to legal entities with 50 or more workers. However, employers will need to consider existing local whistleblowing laws and/or implementing laws as local thresholds may be lower than what the directive provides for. Also, the threshold will not apply to certain industries e.g. financial services. Furthermore, entities with between 50 and 249 workers may be allowed to share resources for the handling of reports. A question is whether intra group compliance structure will be impacted by this new threshold, i.e. whether large international groups with thousands of workers will be able to operate a centralised system or whether they will need separate systems, one for each entity with 250 or more workers. Finally, the possibility to report externally – and the protection attached – applies to all entities, irrespective of their headcount.

Other relevant points for employers to consider when preparing for the directive’s implementation include:

Confidentiality vs anonymity

: the directive requires confidentiality to be guaranteed, but it is silent in respect of anonymity. Once again, employers will need to check the relevant local laws. In some jurisdictions, such confidentiality may be compromised by the GDPR information rights of data subjects. The directive includes in its recitals a call for member states to address this issue.

Feedback

: the directive requires for compulsory feedback to the whistleblower about the report they made, within a certain timeline (3 months for internal reporting). This does not mean that employers will have to come to any conclusion in relation to a report misconduct within the 3-month period, but only that they will need to provide an update on the follow up to the report so far. This will increase the need for a proper case management system.

Shifting the burden of proof/protection against retaliation

: the burden of proof is reversed in the case a protected report is being made. It will be for the employer to prove that a decision (eg disciplinary action) is not linked to the report.

Malicious reports

: the directive requires member states to provide for sanctions that can be imposed on persons who make malicious reports, as well as to provide that the respective individuals should pay compensation to the parties damaged by malicious reports.

The above are just a selection of some of the important requirements arising from the directive.

Please contact us should you wish to discuss the EU directive’s implementation, and how to review your existing whistleblowing policies and processes in anticipation of the December deadline.