EU WHISTLEBLOWING DIRECTIVE
On 16 April 2019 the EU Parliament passed a new, ground-breaking EU Directive on Whistleblowing – setting minimum standards of protection that countries in the EU must provide legally for whistleblowers. As the Directive is the minimum standard, EU countries can provide greater protection for whistleblowers in their own national laws than what’s required in the Directive.
PIDA has stood the test of time – it was world leading and a model example for other countries to use. However, with the EU Whistleblowing Directive widening the scope of protection in many areas, there is a danger that the UK will be left behind when the Directive is implemented. EU countries had to implement the Directive’s provisions into their national legislation by 17 December 2021 (but organisations with 50-249 workers have until 17 December 2023 to introduce their internal reporting channels).
On 17 December (date of the transposition) Protect hosted a webinar – ‘EU Whistleblowing Directive – why it matters to us in the UK’ – to establish what needs to be known about the Directive and why it matters to whistleblowers and organisations based in the UK. You can watch a recording of the webinar here.
Are more whistleblowers protected under the EU Whistleblowing Directive?
Whilst PIDA only protects employees and certain types of workers from retaliation due to whistleblowing, the EU Directive offers protection to other types of people including:
- Self-employed individuals
- Shareholders or members of the administrative, management or supervisory bodies within the organisation (for example non-executive directors, trustees)
- Paid or unpaid trainees
- People working under the supervision and direction of the organisation’s contractors or suppliers
- Job applicants (reporting on breaches during the recruitment process or in pre-contractual negotiations)
- Family members and colleagues connected to the whistleblower
Can whistleblowers raise a wider range of concerns under the EU Whistleblowing Directive?
- Health and safety
- Miscarriages of justice
- Criminal offences
- Damage to the environment
- Breaches of legal obligations
- The deliberate concealment of any of the above
In contrast, the EU Whistleblowing Directive covers breaches of EU law in these areas:
- Public procurement
- Financial services, products and markets, and prevention of money laundering and terrorist financing
- Product safety and compliance
- Transport safety
- Protection of the environment
- Radiation protection and nuclear safety
- Food and feed safety, animal health and welfare
- Public health
- Consumer protection
- Protection of privacy and personal data, and security of network and information systems
The Directive does not cover workers’ rights, equality matters or health and safety in the workplace. Therefore, concerns such as harassment, discrimination and bullying are not covered under the Directive. However, as the Directive only sets the minimum standards for whistleblowing laws, it is up to EU countries whether they wish to go beyond the Directive and allow such concerns to be covered in their own national whistleblowing laws.
Does the EU Whistleblowing Directive place obligations on employers?
PIDA only offers protection to workers that are victimised for raising concerns. However, the EU Whistleblowing Directive goes beyond this and places obligations on employers when it comes to their whistleblowing arrangements. Additionally, any processing of personal data carried out according to the Directive should be in line with GDPR.
Organisations with 50 or more workers are required to establish internal channels for whistleblowers to raise concerns and have their concerns investigated. Organisations must:
- Allow whistleblowers to report their concerns orally or in writing
- Acknowledge receipt of whistleblowers’ concern within 7 days
- Maintain the confidentiality of whistleblowers – a whistleblower’s identity is only to be disclosed where it is necessary and proportionate to do so under EU or national law
- Have an impartial person or department designated and competent to investigate concerns (for instance executive board members or management, HR, compliance officers, legal counsel), maintain communication with whistleblowers and provide feedback
- The timeframe for providing feedback to the whistleblower cannot exceed 3 months
- Clearly provide details for whistleblowers to report their concerns externally to a relevant regulator
The EU Whistleblowing Directive allows for countries to impose these requirements on organisations with fewer than 50 employees following a risk assessment, taking into account factors such as the nature of an organisation’s activities and the level of risk to the environment and public health.
The EU Commission have made it clear that organisations with 50 or more workers have to establish internal channels for whistleblowers, even if they are part of a group with other organisations. When it comes to subsidiary companies, they can share resources with its parent company provided that:
- the subsidiary company is medium-sized (has 50 to 249 workers);
- reporting channels exist and remain available at the subsidiary’s level;
- clear information is provided to the whistleblower as to the fact that the designated person/department at headquarters level would be authorised to access the report (for the purpose of carrying out the necessary investigation), and the reporting person has the right to object to that and to request that the reported conduct is only investigated at the level of the subsidiary;
- any other follow up measure is taken and feedback to the whistleblower is given at subsidiary level.”
 ‘The EU Whistleblower Directive and implementation challenges – a “last minute” update’ Bird & Bird, https://www.twobirds.com/en/news/articles/2021/denmark/the-eu-whistleblower-directive-and-implementation-challenges.
Does the EU Whistleblowing Directive place obligations on regulators?
As mentioned above, PIDA only offers protection to workers that are victimised for raising concerns. UK regulators (prescribed persons) only have an additional duty to publish an anonymised annual report on whistleblowing disclosures made to them by workers. However, the EU Whistleblowing Directive goes beyond this and places obligations on regulators when it comes to their whistleblowing arrangements. Further, any processing of personal data carried out according to the Directive should be in line with GDPR.
Regulators are required to:
- Allow whistleblowers to report their concerns orally or in writing
- Acknowledge receipt of whistleblowers’ concern within 7 days
- Maintain the confidentiality of whistleblowers, prohibiting access of information to non-authorised members of staff – a whistleblower’s identity is only to be disclosed where it is necessary and proportionate to do so under EU or national law
- Have an impartial person maintain communication with whistleblowers and provide feedback
- The timeframe for providing feedback cannot exceed 3 months (this can be extended to 6 months if it is justifiable to do so)
- Publish key details on their website such as their contact details, the types of concerns that whistleblowers can raise to them and the process used after receiving concerns
Does the EU Whistleblowing Directive protect whistleblowers more from retaliation than PIDA does?
PIDA only provides protection from victimisation to whistleblowers in a work-related context. The EU Whistleblowing Directive goes further; whistleblowers can rely on whistleblowing according to the Directive as a defence to action taken against them, for example defamation, breach of copyright, trade secrets, confidentiality and personal data protection.
Support for whistleblowers:
Unlike PIDA the EU Whistleblowing Directive requires EU countries to have support measures accessible for whistleblowers, including:
- Independent, free and comprehensive advice on their legal rights, remedies and procedures
- Effective assistance from regulators in their protection against retaliation, including providing certification to demonstrate that they qualify for protection
- Legal aid in criminal and cross-border civil proceedings
The Directive also highlights that EU countries may provide whistleblowers with financial and psychological support in legal proceedings.
FAQs on the EU Whistleblowing Directive
No. As the UK is no longer a member of the EU, UK organisations do not legally have to comply with the Directive. However, despite this, it is crucial to ensure that your whistleblowing arrangements are of an appropriate standard and effective.
As a UK organisation, you may be affected if you have branches in EU countries. In addition, it is worth remembering that individuals working under the supervision and direction of an EU organisation’s contractor or supplier are protected under the Directive, and so EU organisations you are working with may want your organisation to be compliant. It is important to note that the Directive only imposes the minimum standards for EU countries to comply with, therefore different countries’ national laws may vary from one another.
It is important to implement the measures outlined in the Directive for employers and regulators in your whistleblowing arrangements. A few ways to start being compliant with the Directive include adapting your policies and procedures accordingly and ensuring managers and accountable personnel have sufficient training. Head to our Business Support page for further guidance – completing our Whistleblowing Benchmark can ensure that your organisation is fully compliant with the Directive.
The Directive goes wider than PIDA in many aspects, including protecting more different types of whistleblowers and imposing obligations on employers and regulators regarding their whistleblowing arrangements. See the main differences explained above.
So far no countries have transposed the EU Whistleblowing Directive. Currently 12 out of 27 countries have adopted new law to transpose the Directive:
You can keep up-to-date on transposition with Whistleblowing International Network’s EU Whistleblowing Monitor here.
Any processing of personal data carried out according to the Directive (i.e. in receiving and investigating whistleblowers’ concerns) should be in line with the GDPR. Third parties who are authorised to receive whistleblowing reports on behalf of organisations must offer appropriate guarantees for data protection to whistleblowers. Staff members of regulators (competent authorities) should be professionally trained on the relevant data protection rules in order to handle reports and communications of whistleblowers.
Whistleblowers that report concerns in accordance with the Directive do not incur any liability for data protection breaches and can rely on this right in defence of any legal proceedings brought against them. The burden of proving that the whistleblower does not meet the conditions necessary for protection will be on whoever is bringing the claim.
The Directive does not specifically refer to sexual harassment as a concern that can be raised by whistleblowers. However, the Directive states that EU countries can decide for themselves whether interpersonal workplace grievances (which could include sexual harassment claims) fall within the scope of the whistleblowing protection. Therefore, as the Directive only sets the minimum standards for whistleblowing laws, EU countries may go beyond the Directive and allow such issues to be covered in their own national whistleblowing law.
The Directive does not specifically refer to breaches of workers’ rights as a concern that can be raised by whistleblowers. However, the Directive states that EU countries can decide for themselves whether interpersonal workplace grievances (which could include breaches of workers’ rights) fall within the scope of the whistleblowing protection. Therefore, as the Directive only sets the minimum standards for whistleblowing laws, EU countries may go beyond the Directive and allow such issues to be covered in their own national whistleblowing law.
Further, according to the Directive, separate protection should be provided to trade union and employee representatives not only where they report concerns as workers but also where they provide advice and support to other whistleblowers (in addition to those they already have through their status as representatives).
The Directive does not impose criminal sanctions, however, it instructs EU countries to provide penalties for victimising whistleblowers which may be criminal, civil or administrative. As an example, under Poland’s bill of the Whistleblower Protection Act, violations of the Act (for instance, employees not having proper whistleblowing arrangements and retaliation against whistleblowers) are punishable by a fine, restriction of freedom or imprisonment for up to 3 years. These penalties may be imposed on, among others, the HR Manager, Compliance Officer, management board member, or any other person who commits such acts.
Maintaining the confidentiality of a whistleblower once they have raised their concerns is key in order to gain staff’s confidence in the whistleblowing arrangements and prevent possible victimisation from occurring to the whistleblower. We cover this issue in detail through our training programmes and our Whistleblowing Benchmark.
According to the Directive, if a whistleblowing investigation is not finished within 3 months the whistleblower should be informed about this and at what point to expect further feedback. Whistleblowing investigations should be conducted as promptly as possible and it is important to provide regular updates to the whistleblower during the investigation to assure them that action is being taken into their concerns. However, whistleblowing investigations can indeed take a long time and present various other pitfalls. You can attend our Whistleblowing Investigations Masterclass to learn about the practicalities and considerations that are necessary with whistleblowing investigations, such as navigating regulatory requirements.