EU Whistleblower Protection Directive: be prepared!
Amid scandals like the Panama Papers, Cambridge Analytica and LuxLeaks, the importance of providing balanced and effective whistleblower protection is increasingly acknowledged. In this context, the EU adopted in 2019 the Whistleblower Protection Directive (Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law), which provides common minimum standards to ensure that whistleblowers are protected effectively. Member States must transpose the Directive into national law by 17 December 2021.
At present, Belgium does not provide for a general statutory whistleblower regulation. Only specific regimes are currently in place (e.g. for staff members of the Flemish and federal public administrations, for the financial sector and money laundering). Belgium will thus have to introduce a more comprehensive legal framework on whistleblowing. It remains to be seen if Belgium will limit itself to the minimum requirements imposed by the Whistleblower Protection Directive or whether it will go beyond.
1. Material scope
The Directive’s material scope is rather restrictive. It only applies to whistleblowers reporting violations of an exhaustive list of matters, such as public procurement, product safety and compliance and protection of the environment. More generally, it also applies to violations affecting the financial interests of the EU and violations relating to the internal market (e.g. competition and state aid rules).
Reports concerning interpersonal grievances exclusively affecting the reporting person, namely grievances about interpersonal conflicts between the reporting person and another employee, do not fall within the scope of the Directive.
It remains to be seen if Belgium will extend the protection of the Directive to violations of other matters (e.g. specific national legislation).
2. Personal scope
The Directive shall apply to reporting persons working in the private or public sector who acquired information on breaches in a work-related context (e.g. employees, self-employed contractors, shareholders, volunteers, etc.), irrespective of whether the work-based relationship is yet to begin (candidates) or has ended.
The Directive’s protection also extends to facilitators, third persons who are connected with the reporting persons and who could suffer retaliation in a work-related context (e.g. colleagues) and legal entities that the reporting persons own, work for or are otherwise connected with in a work-related context.
a) Internal reporting channels
All legal entities in the private sector (with 50 or more employees)* and public sector** must establish channels and procedures for internal reporting and for follow-up.
The Directive subjects the internal reporting channel to a number of substantive (confidentiality, processing and record keeping obligations) and procedural requirements (inter alia with regard to acknowledgement of receipt, diligent follow-up and a reasonable timeframe to provide feedback).
* Member States have the possibility to grant companies with more than 50 and fewer than 250 employees additional time until 17 December 2023 (instead of 17 December 2021).
** Member States may exempt from this obligation municipalities with fewer than 10.000 inhabitants or fewer than 50 employees.
b) External reporting channels
Member States must ensure the establishment of independent and autonomous external reporting channels for receiving and handling information on breaches.
The Directive subjects the external reporting channel to substantive and procedural requirements aligned with the ones applicable to the internal reporting channel.
Even though Member States should encourage reporting through internal reporting channels before reporting through external reporting channels, where the breach can be addressed effectively internally and where the reporting person considers that there’s no risk of retaliation, there’s no obligation to go through the internal procedure before having access to the external procedure.
A person who makes a public disclosure (e.g. via the media) shall qualify for protection under the Directive not only when they reported the breach internally or externally but no appropriate action was taken in response to the report, but also when i) the breach may constitute an imminent or manifest danger to the public interest or ii) in the case of external reporting, there’s a risk of retaliation or there’s a low prospect of the breach being effectively addressed, due to the particular circumstances of the case (such as those where evidence may be concealed or destroyed or where an authority may be in collusion with the perpetrator of the breach or involved in the breach).
Reporting persons shall qualify for protection under the Directive provided that:
i) they had reasonable grounds to believe that the information on breaches reported was true at the time of reporting and that such information fell within the scope of the Directive; and
ii) they reported either internally, externally or made a public disclosure.
It is up to the Member States to decide whether legal entities in the private or public sector and competent authorities are required to accept and follow up on anonymous reports of breaches.
Member States must take the necessary measures to prohibit any form of retaliation against reporting persons, including threats and attempts of retaliation, such as suspension, lay-off, dismissal, demotion, transfer of duties, change of location of place of work, reduction in wages, change in working hours, etc.
In order to ensure that reporting persons are effectively protected against retaliation, Member States must take appropriate measures, including inter alia an exemption from liability (except where the acquisition of or access to the information constitutes a self-standing criminal offence, e.g. hacking) and a presumption that a detriment suffered by the reporting person was made in retaliation for the report or the public disclosure (reversal of the burden of proof).
Aside from the reporting persons, Member States must also ensure that the persons concerned (i.e. the alleged perpetrator(s)) fully enjoy the right to an effective remedy and to a fair trial, as well as the presumption of innocence and the rights of defence, including the right to be heard and the right to access their file. Their identity should be protected for as long as investigations are ongoing.
According to the Directive, criminal, civil or administrative penalties are necessary to ensure the effectiveness of the rules on whistleblower protection.
Penalties against those who take retaliatory or other adverse actions against reporting persons can discourage further such actions. Penalties against persons who report or publicly disclose information on breaches which is demonstrated to be knowingly false are also necessary to deter further malicious reporting and preserve the credibility of the system. The proportionality of such penalties should ensure that they do not have a dissuasive effect on potential whistleblowers.
As it remains to be seen how Belgium will transpose the Directive into national law, it is still too early to assess its true impact.
Forward-thinking employers should however already assess obligations under the Directive and, if applicable, put in place an internal reporting channel or review existing reporting procedures.
Ambos’ employment department will be happy to assist you with any questions you might have on this subject.