New Whistleblower Directive introduces obligations for companies and EU member states



Protection of the whistleblower
The Whistleblower Directive, adopted on 7 October 2019, protects whistleblowers from retaliation by their employers, such as dismissal or demotion. This protection extends to people helping the reporting person, such as colleagues or relatives. The Directive also protects whistleblowers from liability arising from reporting information or making a public disclosure on a breach, such as liability for defamation, breach of copyright, breach of secrecy, breach of data protection rules, or disclosure of trade secrets. They also cannot be held liable for accessing or acquiring the information reported, unless that constitutes an independent criminal offence under national law. The Directive introduces a rebuttable presumption that any detrimental action taken against the whistleblower is related to reporting the breach. Additionally, member states must support whistleblowers by shielding them from retaliation and providing legal aid in criminal and in cross-border civil proceedings. Member states may also give whistleblowers financial assistance and other support measures, such as psychological support.
Protection is also provided to self-employed workers, trainees, volunteers, shareholders and persons belonging to the administrative, management or supervisory body of an undertaking who report a breach.
Reporting channels
Companies with more than 50 employees and all legal entities in the public sector must set up internal reporting channels. Those reporting channels may be operated internally by an impartial person or a department designated for that purpose. Although named an internal channel, companies and public sector entities may - paradoxically - also outsource the reporting channel to a third party service provider. The internal reporting channel must guarantee confidentiality, and protect the identity of the whistleblower and any third party mentioned in the report. Access to the report and related information is restricted to authorised staff members only. The channel must provide the possibility to report a possible breach in writing and orally, either by phone or in person. A company must diligently follow up within three months after receiving the report.
In addition to internal reporting channels, member states must create external reporting channels by designating an authority to receive, give feedback on and follow up on whistleblower reports. The reporting channel to such an authority must be independent, autonomous and confidential. Companies and all legal entities in the public sector must provide clear and easily accessible information regarding the possibility of external reporting.
Minimum harmonisation
The Directive will apply to reports of breaches of EU legislation that form part of a vast and well-defined list. Member states may extend that list to include breaches of their own domestic legislation. Member states may also extend the obligation to establish internal reporting channels to companies with fewer than 50 employees. Although this Directive will harmonise whistleblowing legislation in the EU, it still differs from the US internal reporting and bounties measures, as we reported earlier.