Over the last decades, the concept of whistleblowing hotlines as commonly introduced in the USA has been voluntarily adopted by many European companies. Apart from data protection and labor law, there are no specific legal requirements for the operation of such systems so far. In practise, the effectiveness of such systems varies to great extent. The new Directive on the protection of persons who report breaches of Union law (EU/2019/1937, "Whistleblowing Directive") shall change this. It provides a pan-European standard for effective whistleblower protection and shall largely be transposed in national law by 17th December 2021.
1. Objectives of the Directive
The Directive shall effectively facilitate the detection, investigation and prosecution of infringements of Union law. This shall be achieved by mandatory establishment of internal reporting channels in the private and public sector. In addition, an external reporting channel to an authority named by the Member States shall be implemented. In order to promote the actual use of these channels whistleblowers will be fully protected.
2. Scope of the Directive
The Directive covers many business sectors such as public procurement, product and transport safety, environment, radiation, food, animal, consumer and data protection, security of network and information systems and public health protecting identifiable whistleblowers.
Whistleblowers are individuals who have obtained information on braches in a work-related context. The definition covers a wide range of persons, such as (retired) employees, self-employed persons, shareholders but also colleagues and relatives of whistleblowers who might get under pressure in a work-related context, as well as suppliers and subcontractors (recital 39). The latter in particular could suffer, for instance, due to the imbalance of power threats of early termination of contracts.
The Directive does however not protect reports of infringements of national law or any information provided on anonymous basis. As the Directive provides a minimum harmonization, only Member States are entitled to extend its scope when transposing it into national law. Thus, they may also decide to cover breaches of national law or protect anonymous whistleblowers.
3. Mandatory Establishment of Internal Whistleblowing Channels
This obligation of implementing internal reporting channels applies to
Thus, in future a large number of private companies but also the public sector will be obliged to implement whistleblowing hotlines.
Art 9 of the Directive provides general rules on the procedure of internal reporting, only:
Member States are also free to render more specific or stricter obligations with regard to reporting. This may concern in particular the channels, the specific follow-up measures to be taken and the penalties which might be imposed in the event of non-compliance.
The Whistleblowing Directive introduces wide-ranging obligations to establish internal reporting channels across various industries and sectors. Companies are therefore well advised to familiarize themselves with the new obligations and to take the first preparatory steps in due time. After all, the required implementation measures affect different laws and trigger corresponding coordination needs: The main focus will be on data protection law. In addition to the legal obligations under the GDPR and the Austrian Data Protection Act, the case law of the Austrian Data Protection Authority on whistleblowing hotlines must be considered. Furthermore, any stricter regulations in the financial services sector as well as labor law implications must be taken into account when establishing one's whistleblowing regime. The upcoming national draft for implementation may issue further obligations at a later stage - both with regard to the scope of application and the specific procedures. Those who are starting already now with their preparations of the implementation of the minimum standards on EC level will then have enough time implement any additional national specifics.