The Directive on the protection of persons reporting on breaches of Union law (“Directive”) was approved by the European Union (“EU”) Parliament on 16 April 2019. The Directive has not yet been published to the Official Journal of the EU yet.
In recent years, whistle-blowers have played a key role in exposing and preventing breaches of the law that are harmful to the public interest and in safeguarding the welfare of society, such as in the case of the leaking of the Panama Papers, Luxleaks or Cambridge Analytica. However, the level of whistle-blower protection varies greatly among the EU Member States. This can lead to legal insecurity and risks of unequal treatment. In addition, when there is no legislation at the national level, potential whistle-blowers are often discouraged from reporting their concerns or suspicions for fear of retaliation.
In this context, the importance of providing balanced and effective whistle-blower protection is increasingly acknowledged. To this extent, the Directive lays down minimum standards aiming at protecting and encouraging reporting of breaches of EU law.
WHAT IS A WHISTLE-BLOWER?
Under the scope of the Directive, whistle-blowers are “reporting persons working in the private or public sector who acquired information on breaches in a work-related context”.
This includes workers, self-employed persons, board members, shareholders, job applicants, people whose employment has ended and those under the supervision or direction of a contractor, subcontractor or supplier.
The Directive shall also apply to facilitators, third persons connected with the reporting persons who may suffer retaliation, and legal entities that the reporting persons own, work for or are otherwise connected with in a work-related context.
Conditions for protection
The Directive protects whistle-blowers revealing breaches of EU law in a wide range of areas including public procurement, financial services, money laundering, public health or data protection.
EU employment law is not covered by the Directive as Directive 89/391/EEC on safety and health of workers already requires Member States to ensure that workers or workers’ representatives shall not be placed at a disadvantage because of their requests or proposals to employers to take appropriate measures to mitigate hazards for workers and/or to remove sources of danger. To this extent, workers and their representatives are entitled to raise issues with the competent national authorities if they consider that the measures taken are inadequate for the purposes of ensuring safety and health.
Whistle-blowers shall qualify for protection under the Directive provided that they had reasonable ground to believe that the information reported was true at the time of the reporting and that the information reported falls within the scope of the Directive.
- Internal reporting channels
As a principle, reporting persons should be encouraged to first use the internal channels and report to their employer, where the breach can be effectively addressed internally and where the reporting person considers that there is no risk of retaliation.
To this extent, Member States shall ensure that legal entities with 50 or more employees in the private or public sector establish internal channels and procedures for reporting and following up on reports.
The reporting channel and procedure must be set up in a secure manner that ensures the confidentiality of the identity of the reporting person. The procedure shall include an acknowledgement of receipt of the report to the reporting person within seven days. It is also a requirement that a diligent follow-up to the report be set up. Indeed, the reporting person should be informed within a reasonable timeframe (maximum three months) about the action envisaged or taken as a follow-up to the report and the grounds for this follow-up. In all cases, the reporting person should be informed of the investigation’s progress and outcome.
- External reporting channels
Member States must also set up external reporting channels with relevant competent authorities, such as judicial authorities, regulatory or supervisory bodies, anticorruption bodies. These authorities are subject to the same requirements in relation to confidentiality and follow-up as with internal channels.
- Public disclosure
Whistle-blowers may qualify for protection under the scope of the Directive when they publicly disclose information on breaches if:
- they reported internally and/or externally, but no appropriate action was taken in response to the report, or
- they had reasonable grounds to believe that the breach constitutes an imminent or manifest danger for the public interest, or
- they had reasonable grounds to believe that, in case of external reporting, there is a risk of retaliation or there is a low prospect of the breach being effectively addressed.
Reporting persons should be protected against any form of retaliation, whether direct or indirect, taken, recommended or tolerated by their employer or customer/recipient of services and by persons working for or acting on behalf of the latter.
Protection should be provided against retaliatory measures taken vis-à-vis the reporting person him/herself (e.g. suspension, dismissal, withholding of promotion etc.) but also vis-à-vis the legal entity that the reporting person owns, works for or is otherwise connected with (e.g. denial of provision of services, blacklisting, business boycotting etc.).
In addition, whistle-blowers shall not be considered to have breached any restriction on disclosure of information and shall not incur liability of any kind in respect of such reporting or disclosure provided that they had reasonable grounds to believe that the reporting or disclosure was necessary for revealing a breach pursuant to the Directive.
In proceedings before a court, it shall be presumed that the detriment was made in retaliation for the report or disclosure. In such cases, it shall be for the person who has taken the detrimental measure (e.g. the employer) to prove that this measure was based on duly justified grounds.
It should finally be noted that persons who disclose, within the scope of the Directive, trade secrets acquired in a work-related context should only benefit from the protection granted by the Directive, excluding the civil redress measures, procedures and remedies provided for in Directive 2016/943 on the protection of trade secrets against their unlawful acquisition, use and disclosure.
Member States shall provide for penalties to prevent the hindering of reporting, taking of retaliatory measures or bringing of vexatious proceedings against reporting persons, or breaching duties of confidentiality.
Member States should also provide for penalties to prevent false reports or false public disclosures.
From the publication of the Directive in the EU Journal, EU Member States will have two years to implement and comply with the Directive.