Legal Update

Apr 27, 2023

EU Whistleblower Directive – Where Are We Now?

Click for PDF

As the last of the EU member states implement the Whistleblower Directive, we recap the new rules employers need to be aware of, and give our views on whether a ‘one size fits all’ approach is feasible.

Background: the Directive

Back in October 2019, the EU ‘Whistleblower Directive’[1] became effective, requiring EU member states to pass local laws providing minimum standards. Most missed the original deadline of 17 December 2021, but more recently, implementation has picked up pace. This alert gives an update on the status of these new whistleblowing standards across Europe, and recaps the key actions for employers.

Recap: whistleblower standards

The purpose of the Directive was to require EU Member States to establish common minimum standards to ensure that:

  1. Companies with at least 50 employees must set up internal reporting channels to allow workers to report breaches of EU law[2]; and
  2. Persons who report (whether internally or externally, i.e., to the relevant authorities) or publicly disclose breaches are legally protected against retaliation from their employer or colleagues.

The Directive applies to persons working in the private or public sector who acquire information on a breach “in a work-related” context. Protection also extends to “facilitators” (i.e., persons who assist a whistleblower in the reporting process at work), and to “third persons” (i.e., people such as colleagues or relatives who are connected with the whistleblower and could suffer retaliation at work).

Note: the Directive only covers breaches of certain specified areas of EU law, such as public health, protection of the environment, product safety, financial services and markets, and data privacy. Member States are however free to choose whether to establish whistleblower reporting channels and protections in relation to breaches of other laws, and a number have done that.

Conditions for protection

Under the Directive, a whistleblower is entitled to protection, provided:

  1. They had reasonable grounds to believe that the information on the breach reported was true at the time of reporting, and that information fell within the scope of the Whistleblowing Directive; and
  2. They reported the breach (or made a public disclosure about it) in accordance with the relevant requirements of the Directive.

Note: the Directive does not require whistleblowers, in the first instance, to use internal reporting channels; the protection applies even if they go directly to the competent authorities to report the breach. However, protection in relation to public disclosures normally only applies if the whistleblower has first reported the breach either internally or externally and no action has been taken within a defined period.

Protection from retaliation

The Directive requires Member States to prohibit any form of retaliation (such as dismissal, disciplinary sanctions, or demotion) against the whistleblower. It also provides for a reversal of the burden of proof in cases of alleged retaliation: once a worker proves in court that they reported a breach and suffered a detriment, the employer must then prove that the detrimental treatment was based on duly justified grounds.

Local country status

Member States had until 17 December 2019 to implement the Directive (save that companies with 50 to 249 employees could be given until 17 December 2023 to set up internal reporting channels).  

Most countries have now passed legislation with only seven stragglers remaining, including Germany, Poland, and Luxembourg. As usual, it has not led to a totally level playing field for employers: although all countries have applied the minimum standards in the Directive, many have gone further in protecting a wider scope of reports (rather than just breaches of EU law), allowing anonymous reporting (albeit in some countries, with a lower level of protection), the types of internal reporting channels to be used, and the level of sanction against employers for breach.

What should employers be doing now?

Employers will want to check that their internal reporting procedures comply with local law in each European country in which they have an entity with a headcount of at least 50 workers, even if that country has not yet implemented the Directive.

However, multinational employers will prefer to adopt a uniform reporting procedure across Europe, in order to ensure consistency of approach. 

Checking compliance with local law in each EU State could in any case be time-consuming and costly, so multinationals might consider a more pragmatic initial approach of checking that their reporting procedure at least complies with the minimum requirements of the Directive, in particular as regards:

  • Who is allowed to file a report. According to the Directive, this should include not only a current employee, but also a candidate, former employee, worker, self-employed person, volunteer, or trainee. Personnel working under the supervision of contractors, subcontractors, and suppliers are also included;
  • The types of breach that can be reported via the company’s internal channel;
  • Whether to allow anonymous report: in most countries this should be allowed, but the data privacy considerations need careful handling. Ensuring reports can be made to an in-country reporting line avoids some of these issues, but in some countries employee representative obligations will still be triggered;
  • Arrangements for receiving reports (to ensure the confidentiality of identity of the whistleblower, and to prevent access by unauthorised personnel);
  • Acknowledgement of receipt of the report within seven days;
  • Designation of a person or team to follow up on the report, maintain communication with the whistleblower and provide feedback to them within three months on the action envisaged or taken and the grounds for it.

This approach does not guarantee full legal compliance in each country, so multinationals are advised to make strategic choices as regards checking local laws in key locations depending upon their particular footprint in Europe. There are also broader questions for employers to address, for example as to whether reporting is handled via an outsourced provider or internally (in which case, a local reporting route should be available rather than relying on a centralized hotline), and how information from reports is shared and acted on across a group of companies.

What about the UK?

As a footnote, the UK (although no longer part of the EU and so not covered by European Directives) has recently announced a review of its own whistleblower framework. The driver is however to address potential weaknesses in the UK’s longstanding whistleblower protection regime, rather to align with the new EU regime. So, any changes may put the UK further out of alignment with the EU, for example in terms of reporting mechanisms, which individuals are protected, and levels of protection (with whistleblower remedies already higher than most EU countries, although well below the US). But our experience is that multinational employers are able to create a framework that takes a reasonably consistent approach across Europe, by accepting this will go beyond the minimum rules in some countries.

***

Laurence and Tessa are part of Seyfarth’s leading International Employment Law practice. To find out more about the EU Whistleblower Directive, please reach out to them or anyone else on our specialist team.


[1] More properly known as Directive (EU) 2019/1937 on the protection of persons who report breaches of EU law.

[2] There is no minimum headcount threshold for employers in financial services and other specific sectors.