The history of whistleblower protection under European Law is short. Ten European countries have provided effective protection for whistleblowers in their national laws. For the rest, protection remained fragmented and uneven across policy areas. Only since 2014 have EU institutions been obliged to introduce internal rules protecting whistleblowers who are officials of the EU institutions. By the end of 2015, the EU Parliament adopted similar rules. The EU Commission expressed general support of whistleblower protection in 2016, then being concerned with tax evasion, and in 2017 started a public consultation on the topic. The EP followed up with a resolution and an own-initiative report by its Committee on legal affairs, leading to the “Proposal for a directive of the European Parliament and of the Council on the protection of persons reporting on breaches of Union Law (COM(2018)0218).“ On 16 April 2019, this proposal was adopted by the European Parliament. It now needs to be approved by the Commission for Member States to have two years to transpose its rules.
Whistleblower protection has to strike a delicate balance. For the whistleblower to come forward, we need to provide him with safe reporting channels and efficient protection against negative consequences. Corporations have a legitimate interest to avoid reputational damage if the disclosed accusations are false. The Directive aims at reconciling both concerns by (1) defining the areas of the law eligible for whistleblowing, (2) framing a profile of the whistleblower qualifying under the new rules, (3) setting out the type of information, (4) the reporting channels and (5) the protection offered.
Breach of which laws?
Whistleblowing is to be encouraged in areas of the law where there is a need to strengthen enforcement, under-reporting is a key factor and breaches of EU law cause serious harm to the public.[1] The Directive’s Art. 2 para. 1 contains a list of ten such areas, comprising public procurement, financial services (including products and markets, prevention of money laundering and terrorist financing), product safety, transport safety, protection of the environment, radiation protection/nuclear safety, food safety (including feed safety, animal health and welfare), public health, consumer protection and data protection (including protection of privacy, security of network and information systems). In all of these, a breach of EU law only is addressed. According to Art. 2 para. 2, Member States are free to extend the regime to a breach of their national law. “Breach” of the law includes abusive practices, which do not appear to be unlawful in formal terms but defeat the purpose of the law.
Blowing the whistle is not to harm national security interests, hence the Directive’s Art. 3 excludes reporting a breach of procurement rules involving defence or security aspects. For a number of other areas of the law, it is made clear that the Directive shall not affect the application of the laws protecting classified information, legal and medical professional privilege, the secrecy of judicial deliberation and the rules on criminal procedure.
Who qualifies as a whistleblower?
The Directive’s scope on who qualifies is broad. Art. 4 covers any person working in the private or public sector, who acquired information on a breach of the law in a current, former, or imminent work-related context. Facilitators, private or legal persons, which are connected to the whistleblower, are protected as well.
The reporting person must reasonably believe that the matters reported are true, Art. 5. While an honest mistake does not hurt, penalties against knowingly disclosing false information have to be in place under national law.
What type of information?
Whatever is necessary to reveal past or imminent breaches of the law may be reported, this includes trade secrets if necessary. The information provided does not need to be conclusive evidence, raising reasonable concerns or suspicion will be sufficient. If, on the other hand, the information is already fully available in the public domain or unsubstantiated rumour, the Directive’s regime is not available.
Which reporting channel?
The Directive favours internal reporting channels to ensure that relevant information swiftly gets to the source of the problem, Art. 7. According to Art. 8, legal entities with 50 or more employees will have to establish internal reporting channels. This can be an entity within the corporation or a third party, if the latter offers appropriate guarantees of independence, confidentiality, and data protection.
However, if the person has valid reason to believe it will suffer retaliation and that the competent authorities would be better placed to take effective action, he or she may opt for an external reporting channel.[2] “External reporting” for those cases refers to disclosing information to national authorities, competent to receive reports.
Blowing the whistle publicly has been reserved for exceptional cases. If no appropriate action was taken in response to the initial report, the public may be alerted. The same is permitted, if the whistleblower believes there is an imminent danger to the public or a risk of retaliation, Art. 15.
Which protection offered?
The Directive states a clear prohibition of any type of retaliation, Art. 19. This protective measure is to be further strengthened by imposing penalties and personal liability for perpetrators under national law. Art. 21 asks Member States to give the whistleblower access to legal remedies, including interim relief, and allow for him to be compensated for any damage suffered. They will have to designate authorities, competent to receive reports. These can be judicial, regulatory, more general State agencies, law enforcement agencies, anticorruption bodies, or ombudsmen. As a guiding principle, they should have the appropriate capacities and powers to ensure follow-up, e.g. by launching an internal enquiry, by prosecuting or by referring the matter to another competent authority.
The envisaged retaliation can come in any shape or form. Art. 19 para 1 lists examples, e.g. being suspended, demoted or intimidated. If the whistleblower broke his duties of confidentiality or loyalty in the process of reporting, he may not be liable for damages on these grounds. This protection is intended to compensate for the economic vulnerability of the whistleblower, resulting from the work-related power imbalance between him and the entity on which he intends to report.[3]
As long as access to information was lawfully acquired, even if this raises an issue of civil, administrative or labour-law, the whistleblower does not incur liability. However, (mostly national) criminal liability remains in place. Should the whistleblower work as a supplier, measures such as denial of provision of services, blacklisting, or boycotting qualify as prohibited retaliation as well.
Footnotes
[1] Recital (5).
[2] Recital (63).
[3] Recital (37).
Dr. Katja Langenbucher is a Professor at Goethe-Universität Frankfurt.
Disclaimer
The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.