New Whistleblowing Directive – Wide-ranging compliance obligations for companies and public institutions

Monday, 27 July 2020

Over the last decades, the concept of whistleblowing hotlines as commonly introduced in the USA has been voluntarily adopted by many European companies. Apart from data protection and labor law, there are no specific legal requirements for the operation of such systems so far. In practise, the effectiveness of such systems varies to great extent. The new Directive on the protection of persons who report breaches of Union law (EU/2019/1937, "Whistleblowing Directive") shall change this. It provides a pan-European standard for effective whistleblower protection and shall largely be transposed in national law by 17th December 2021.

1. Objectives of the Directive

The Directive shall effectively facilitate the detection, investigation and prosecution of infringements of Union law. This shall be achieved by mandatory establishment of internal reporting channels in the private and public sector. In addition, an external reporting channel to an authority named by the Member States shall be implemented. In order to promote the actual use of these channels whistleblowers will be fully protected.

2. Scope of the Directive

The Directive covers many business sectors such as public procurement, product and transport safety, environment, radiation, food, animal, consumer and data protection, security of network and information systems and public health protecting identifiable whistleblowers.

Whistleblowers are individuals who have obtained information on braches in a work-related context. The definition covers a wide range of persons, such as (retired) employees, self-employed persons, shareholders but also colleagues and relatives of whistleblowers who might get under pressure in a work-related context, as well as suppliers and subcontractors (recital 39). The latter in particular could suffer, for instance,  due to the imbalance of power threats of early termination of contracts.

The Directive does however not protect reports of infringements of national law or any information provided on anonymous basis. As the Directive provides a minimum harmonization, only Member States are entitled to extend its scope when transposing it into national law. Thus, they may also decide to cover breaches of national law or protect anonymous whistleblowers.

3. Mandatory Establishment of Internal Whistleblowing Channels

This obligation of implementing internal reporting channels applies to

  • legal entities in the private sectors with 50 or more workers;
  • legal persons subject to certain Union acts relating to financial services, the prevention of money laundering and terrorist financing, transport safety and environmental protection (see Annex I.B and II of the Directive), irrespective of the workers threshold;
  • all legal entities in the public sector, including entities owned or controlled by such entities (eg municipalities, provinces, public authorities).

Thus, in future a large number of private companies but also the public sector will be obliged to implement whistleblowing hotlines.

Art 9 of the Directive provides general rules on the procedure of internal reporting, only:

  • Reporting Channel: Reports must be enabled in writing (eg via complaint mailbox, online platform) or orally (eg by telephone or voice recording). Upon whistleblower's request reporting shall also be possible by means of physical meetings.
  • Designation of Reporting Person/Department: The reports shall be located with an impartial person or department. The choice of who shall be elected depends on the specific company structure. A dual function is not per se interdicted if independence and absences of conflict of interest is still ensured. For example it is thus possible to designate the chief of the compliance or human resources, compliance officer, head of legal or data protection officer, chief financial officer, an audit manager or a board member as specific contact (recital 56). For the protection of whistleblowers the "need-to-know" principle must be strictly observed with regard to the process of the information received.
  • Reporting Procedure: Receipt of a report must be acknowledged to whistleblower within seven days of receipt. Subsequently diligent follow-up must be established. However, the Directive does not clarify which specific steps (eg reporting to the prosecution authorities) shall be taken. Thus, it is up to the companies to establish reasonable processes and guidelines. In any case, the whistleblower shall be informed no later than three months after dispatch of the report about the follow-up measures taken – if possible and permissible in the specific case. This aims at boosting confidence in the reporting system.
  • Information Requirements: Legal entities must inform all potential whistleblowers in a clear and simple language about the reporting procedure.

Member States are also free to render more specific or stricter obligations with regard to reporting. This may concern in particular the channels, the specific follow-up measures to be taken and the penalties which might be imposed in the event of non-compliance.

4. Conclusion

The Whistleblowing Directive introduces wide-ranging obligations to establish internal reporting channels across various industries and sectors. Companies are therefore well advised to familiarize themselves with the new obligations and to take the first preparatory steps in due time. After all, the required implementation measures affect different laws and trigger corresponding coordination needs: The main focus will be on data protection law. In addition to the legal obligations under the GDPR and the Austrian Data Protection Act, the case law of the Austrian Data Protection Authority on whistleblowing hotlines must be considered. Furthermore, any stricter regulations in the financial services sector as well as labor law implications must be taken into account when establishing one's whistleblowing regime. The upcoming national draft for implementation may issue further obligations at a later stage - both with regard to the scope of application and the specific procedures. Those who are starting already now with their preparations of the implementation of the minimum standards on EC level will then have enough time implement any additional national specifics.