The new Directive on the protection of whistleblowers
On 16th April 2019, the European Parliament adopted the whistleblowing Directive, aimed at enhancing, through effective protection of whistleblowers, the enforcement of Union law and policies in specific areas where breaches can cause serious prejudice to the public interest.
NGOs and international institutions such as the OECD, the Council of Europe and the UN strongly encouraged the adoption of this Directive. They called on the European institutions to adopt minimum standards aimed at ensuring a high level of protection of whistleblowers, overcoming the differences existing between the Member States.
Following the formal adoption of the Consilium and the publication in the Official Journal, the Member States will have two years to adapt national regulations. They can introduce or maintain more favourable provisions for whistleblowers.
The figure of the whistleblowers.
According to the definition of the Directive, he/she is a person who reports or discloses information on breaches of Union law acquired in the context of his/her work-related activities, both in the public and private sectors.
They play a key role in exposing and preventing breaches of the law because they are often the first to know about threats or harm to the public interest which arise in this context. However, they are often discouraged from reporting their concerns or suspicions for fear of retaliation.
The Directive extends the protection to the broadest possible range of categories of persons, who, by their work-related activities, have privileged access to information about breaches and who may suffer retaliation if they report them. Protection should also be granted to persons whose work-based relationship ended and to candidates for employment or for providing services to an organisation who acquired the information on breaches of law during the recruitment process or other pre-contractual negotiation stage.
Protection should apply to persons who, for a certain period of time, perform services for and under the direction of another person, in return of which they receive remuneration, public employees, self-employed workers, shareholders and persons belonging to the administrative, management or supervisory body of an undertaking, including non-executive members, volunteers, paid or unpaid trainees and any persons working under the supervision and direction of contractors, subcontractors and suppliers.
The subject of the report.
Whistleblowers may report breaches (acts or omissions) or information or reasonable suspicions about actual or potential breaches, in many areas of EU law including public procurement, financial services, product and transport safety, protection of the environment, nuclear safety, public health and consumer protection. Breaches affecting the financial interests of the Union or relating to the internal market may also be reported.
Persons reporting information on breaches falling within the areas covered by this Directive shall qualify for protection provided that they had reasonable grounds to believe that the information reported was true at the time of reporting and that the information fell within the scope of this Directive. They must also have used the channels provided.
The reasons for the reporting person in making the report are irrelevant as to whether or not they should receive protection.
Anonymous reports.
The Directive does not require the Member States to follow-up anonymous reports. However, persons who reported or publicly disclosed information anonymously but were subsequently identified shall nonetheless qualify for protection in case they suffer retaliation.
Reporting channels.
Information on breaches falling within the scope of this Directive may be reported within the institution concerned (internal channel) and/or to the competent national authorities designated by the Member states (external reporting), as well as to the competent EU institutions or bodies.
Although the Directive requires the Member States to encourage the use of internal channels before external reporting where the breach can be adequately addressed internally and where the reporting person considers that there is no risk of retaliation, the whistleblower can choose the most appropriate reporting channel. This is a conquest of the Directive, since in the proposed version by the European Commission the reporting persons were generally required to use internal channels first; if these channels do not work or could not reasonably be expected to work, they could have reported to the competent authorities, and, as a last resort, to the public/the media.
The procedure.
The report can be made in written or oral form, through telephone lines or other voice messaging systems and, upon request by the reporting person, through a physical meeting.
Appropriate information relating to such use of internal and external channels and on the applicable procedures shall be provided by legal entities in the public and private sector and by competent authorities.
An acknowledgement of receipt of the report must be given to the reporting person within no more than seven days of that receipt, unless, in external reporting, the reporting person explicitly requested otherwise or the competent authority reasonably believes that acknowledging the report would jeopardise the protection of the reporting person’s identity.
Feedback must be provided to the reporting person about the follow-up of the report within a reasonable timeframe not exceeding three months, or, for external reports, six months in the duly justified case.
Internal reporting.
Legal entities in the private sector with at least 50 employees and all public legal entities must establish internal channels and procedures for reporting and following-up on reports, which must be designed, set up and operated in a secure manner that ensure the confidentiality of the identity of the reporting person and any third party mentioned in the report, as well as the record keeping of the reports.
Reporting channels may be operated internally by a person or department designated for that purpose or provided externally by a third party; they can also be shared between legal entities in the private sector with 50 to 249 employees and between municipalities.
External reporting.
The competent authorities must establish independent and autonomous external reporting channels for receiving and handling information provided by the whistleblower, which must ensure the confidentiality of the identity of the reporting persons, of every person involved and of the information reported.
If the authority that received the report is not competent to address the breach reported, it must transmit it to the competent authority within a reasonable time, in a secure manner, to ensure the confidentiality of the whistleblower.
The competent authorities may decide not to follow-up a clearly minor reported breach or repetitive reports whose substance does not include any new meaningful information compared to a past report that was already closed or, in the event of high inflows of reports, may deal with reports on serious breaches or breaches of essential provisions falling within the scope of this Directive as a matter of priority. In such a case, they shall inform the reporting person about the grounds for their decision.
Public disclosure.
If no appropriate action was taken in response to the internal and/or external report within the timeframe, or if the whistleblower had reasonable grounds to believe that the breach may constitute an imminent or manifest danger for the public interest, or in case of external reporting, there is a risk of retaliation or there is a low prospect of the breach being adequately addressed due to the particular circumstances of the case, the whistleblower may publicly disclose information on breaches.
In this case, the protection is also granted to those who assist the whistleblower in the reporting process, to colleagues and relatives who may be retaliated.
Duty of confidentiality.
Any information from which the identity of the reporting person may be directly or indirectly deduced must not be disclosed without his/her explicit consent to anyone beyond the authorised staff members competent to receive and/or follow-up on reports.
The identity of the reporting person and any other information referred to may be disclosed only where this is a necessary and proportionate obligation imposed by EU or national law in the context of investigations by national authorities or judicial proceedings, including to safeguard the rights of defence of the concerned person. In this case, the reporting person shall be informed before his or her identity is disclosed, unless such information would jeopardise the investigations or judicial proceedings.
Protection measures granted by the Directive.
Any form of direct or indirect retaliation, which occurs in a work context as a result of internal or external reporting or public disclosure, which may cause unjustified damage to the whistleblower, is prohibited.
Some measures of support and means of protection against retaliation are envisaged, including free access to comprehensive and independent information and advice on procedures and remedies available, as well as legal assistance during the proceedings; access to adequate remedial measures against retaliation, including interim relief pending the resolution of legal proceedings, and full compensation for damages suffered; the reversal of the burden of proof on the person who has taken the detrimental measure which will have to prove that this measure was not connected to public reporting or disclosure.
Member States may provide for financial assistance and support, including psychological support, for reporting persons in the framework of legal proceedings.
Furthermore, the exclusion of liability for breached any restriction on disclosure of the information is provided for whistleblowers who had reasonable grounds to believe that reporting or disclosure of such information was necessary for revealing a breach according to this Directive.
The Directive also provides that reporting persons shall not incur liability in respect of the acquisition of or access to the relevant information, provided that such purchase or access did not constitute a self-standing criminal offence.
Measures for the protection of concerned persons.
The new Directive protects those who report responsibly to safeguard the public interest; it discourages deliberate and knowingly false or misleading reports with effective, proportionate and dissuasive penalties. The Member states shall provide for measures for compensating damages resulting from such reports or disclosures in accordance with national law.
The concerned persons fully enjoy the right to an effective remedy and to a fair trial as well as the presumption of innocence and the rights of defence, including the right to be heard and the right to access their file and their identity is protected for the whole course of the investigations.
Penalties.
The Member States shall provide for effective, proportionate and dissuasive penalties applicable to natural or legal persons that hinder or attempt to hinder reporting, take retaliatory measures or bring vexatious proceedings against whistleblowers and who breaches the duty of maintaining the confidentiality on the identity of reporting persons.
