This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.

Freshfields Risk & Compliance

| 6 minutes read

Whistleblowing in the EU, what now ?

Friday 17 December is an important date for speak-up culture and whistleblowers in Europe. It marks the deadline for Member States to implement the 2019 EU Directive on the protection of reporting persons.

There isn’t much to celebrate unfortunately as only a few countries have fully implemented the Directive within the deadline. Kudos to Denmark, Sweden, Portugal and a few others!

It is not uncommon for Member States to be late with the implementation of EU directives and the Covid-19 pandemic did not help. To be fair, a number of countries have made good progress. France for example seems to be on track for an early 2022 adoption of its implementing law, the National Assembly having voted the text in November and the Senate being expected to do so in January. The coalition agreement of the recently appointed German government has a section on whistleblowing and one can expect a new draft implementing law in the next few months. But still, the vast majority of Member States are late in implementing what was largely viewed as a key development in the EU legal landscape, one that the Commission was keen to promote as a new global standard.

Global businesses are left struggling with potential operational challenges and sometimes conflicting views on what exactly the Directive means for their existing whistleblowing systems and compliance obligations towards other (non-EU) rules.

This blog post recaps the key issues arising from the Directive and highlights next steps for global businesses.

What happens from 18 December? 

As noted above, key EU jurisdictions such as France and Germany have missed the deadline. They are not alone, with Austria, Italy, Spain, The Netherlands, most of CEE and others in the same boat. We can only hope for things to speed up in the new year.

The Commission may help by following up on the implementation across Member States and may even open an infringement procedure against countries for the lack of implementation, but we are told that the latter is unlikely to happen in the short-term.  

The next question is whether the Directive will have any (direct) effect in Member States that have missed the deadline? Unlike the GDPR, which is a regulation and has full direct effect, directives require transposition into Member States’ national laws. However, a directive may still have limited direct effect when its provisions are unconditional, sufficiently clear and precise. Furthermore, local judges may interpret national laws (where there is room for such interpretation) in accordance with a directive even if not (yet) fully implemented. This is an incentive for global businesses not to wait until the full transposition in each Member State before complying with the Directive’s key provisions, eg on reporting, feedback or protection against retaliation.

What about the impact of the Brexit? Technically the Directive doesn’t have to be implemented in the UK. But it is likely that many large employers who have operations in both the EU and UK will choose to implement some or all of the additional requirements of the Directive for reasons of efficiency and/or consistency. Separately, there are ongoing discussions about reform of UK whistleblowing law, and EU developments are likely to feed into this. Read more in this blog post.

As a final point, a number of countries already have whistleblowing laws (eg France and The Netherlands), so irrespective of the delay, businesses will need to continue complying with these rules (including those going beyond the Directive’s requirements).

Scope and more 

The personal scope of the Directive protects reporting persons who acquired information on breaches in a work-related context. The material scope, however, is rather narrow as it only covers reporting of breaches related to a limited number of EU policy areas (public procurement, AML, public health and a few more). Nevertheless, Member States have been encouraged to broaden the Directive’s material scope on implementation, which a number will most likely do, including Belgium, France, Germany, The Netherlands and others. Denmark and Sweden have already done so.

A summary of the key provisions in the Directive, including internal and external reporting, confidentiality and anonymity, feedback requirements and protection against retaliation, can be found here and here.

It is important to remember that the Directive’s requirements for an internal reporting system in the private sector only apply to legal entities with 50 plus workers. However, employers will need to consider existing local whistleblowing laws and/or implementing laws as local thresholds may be lower. Also, the threshold will not apply to certain industries e.g. financial services.

Impact on corporate groups’ whistleblowing systems 

As previously reported, the reference to 'legal entities' in the Directive (and in some of the implementing legislation eg the Swedish Act) leads to questions around how international corporate groups should interpret the terminology. For example, is a centralised approach at group level still allowed for reporting or is an entity-by-entity approach required (with potentially distinct reporting channels for each legal entity exceeding the relevant threshold)? The Commission’s view is that internal reporting channels cannot be established only in a centralised manner at group level. However, a centralised whistleblowing system within a group can co-exist with legal entity-level channels as long as the choice is left to the whistleblower whether to use the local or central channel, the rationale for this interpretation being proximity. Businesses may find some comfort in the fact the Commission has made it clear that group-level reporting channels may remain in place and be actively promoted by employers.

Denmark took a different view allowing for group arrangements to continue (without the need for additional channels at legal entity-level), with the caveat that this will only be possible if the Danish interpretation is compatible with the EU's and other Member States’ positions.

In many countries, it seems that the issue went unnoticed as the draft implementing laws that are currently available simply use ‘legal entity’ without discussion.

One thing businesses may want to focus on is internal comms and promotion of existing group-level arrangements, if any.

Separately, the Commission continues to highlight that there are a number of flexibilities provided for by the Directive, including the possibility for legal entities with between 50 and 249 employees to pool resources (which appears to be viewed by the Commission as distinct from reliance upon a centralised arrangement) or the possibility of outsourcing the operation of reporting channels to third parties.

What happens to a corporate group’s branches? 

As things stand – and unless a specific local law provides otherwise – EU-based branches of a non-EU group appear to be out of scope of the Directive because of the reference to legal entity.  This outcome seems unlikely to be what the authors of the Directive intended, nor is it a good thing for the protection of whistleblowers and the efficiency and proximity the Commission is aiming for. Of course, many employers will already have a global reporting channel in place capturing all workers, whether they sit in a branch or a subsidiary, and which would be capable in any event of capturing employees who are otherwise out of scope of the Directive.

Two more years

Corporate groups will pay attention to the way Member States are making use of the 'deferral' option provided for by the Directive: legal entities in the private sector with 50 to 249 workers may benefit from an additional two years to comply with the requirement to establish internal reporting channels, which will come as good news to corporate groups, allowing them to phase the establishing of legal entity-level reporting channels, focusing on the large entities first and looking at small and medium entities from 2023.

Denmark and Sweden have confirmed the deferral for SMEs and most countries are due to follow suit, including Belgium, The Netherlands, Poland and Romania. A potential source of concern is France, where the draft implementing law as adopted by the National Assembly and which now sits with the Senate is silent on the deferral point.

Next steps for global employers 

Since most Member States are late with implementation, global businesses may want to continue discussions with their relevant local business associations and governments, asking them to take a close look at some of the above issues.

The other important point is around internal communication for organisations wishing to continue to promote and encourage use of their centralised reporting channels.

Many businesses have already updated the relevant policies and systems so as to comply with the main provisions of the Directive. If you haven’t yet started, now is the right time.

Please reach out to any of us at Freshfields should you wish to discuss this further, including the state of implementation in any given country. In the meantime please visit our WorkLife2.0 website for more material on whistleblowing.

Global businesses are left struggling with potential operational challenges and sometimes conflicting views on what exactly the Directive means for their existing whistleblowing systems and compliance obligations towards other (non-EU) rules.