Directive 2019/1937 on the protection of persons who report breaches of EU law (or “whistleblowers”) was published on 26 November 2019.
This Directive requires, among others, that all companies with more than 50 employees and public sector entities establish internal procedures to facilitate and ensure rapid follow-up on reported breaches. To ensure the effectiveness of the system, the Directive also provides for serious protection against retaliation to whistleblowers.
The Member States must transpose it by 17 December 2021 at the latest.
Material scope of application
The Directive aims to protect persons reporting:
1. breaches or abuses of EU law in the following areas:
- Public procurement
- Financial services, prevention of money laundering and terrorist financing
- Product safety
- Transport safety
- Protection of the environment
- Radiation protection and nuclear safety
- Food and feed safety, animal health and welfare
- Public health
- Consumer protection
- Protection of privacy and personal data, and security of network and information systemsbreaches harming the EU’s financial interests
2. given their negative impact on the proper functioning of the internal market, breaches relating to EU competition rules and corporate tax rules.
3. The Directive provides that Member States may extend the scope of protection to other areas.
Personal scope
The Directive applies to reporting people in the private or public sector who acquired information on breaches in a work-related context including, at least, the following:
- Workers;
- Self-employed service providers, including freelances, contractors, sub-contractors and suppliers;
- Shareholders and members of the management body of a company;
- Volunteers and unpaid trainees;
- Persons working under the supervision and direction of contractors, subcontractors and suppliers;
- Job applicants;
- Persons whose employment relationship has ended.
The measures of protection foreseen by the Directive shall also apply to:
- Facilitators (i.e. those who support the whistleblower when reporting);
- Third persons connected with the whistleblower and who may suffer retaliation in a work-related context, such as colleagues or relatives; and
- Legal entities that the reporting person owns, works for or which are otherwise connected with the whistleblower in a work-related context.
Conditions for protection
According to Article 6 of the Directive, whistleblowers benefit from the protection offered by the Directive provided that:
- They had reasonable grounds to believe that (i) the information reported is true at the time of reporting and (ii) that this information falls within the scope of the Directive.
- They reported either internally or externally or made a public disclosure in accordance with the Directive.
Internal and external reporting channels
In order to efficiently protect whistleblowers, Members States must ensure that:
- All public entities and private companies with 50 or more employees set up effective internal reporting channels, ensuring confidentiality of the whistleblowers (“internal reporting channels”)
- The national authorities designated as competent to investigate reports also establish external reporting channels enabling reporting of complete and confidential information; (“external reporting channels”)
Whistleblowers are generally encouraged to use internal channels first, but they can choose whether to report directly externally to the competent authorities.
The Directive furthermore specifies that the recipient of reporting must diligently follow up on the reports and provide feedback to the reporting person within a reasonable timeframe not exceeding three months or, for the external reporting, six months in duly justified cases.
Public disclosure
According to Article 15, whistleblowers can make public disclosure and report to the media only if:
- No appropriate action was taken within the foreseen timeframe in response to their internal or external reporting
Or
- They reasonably believe that:
- There is an imminent or manifest danger for the public interest;
- There is a risk or retaliation or a low prospect for the breach to be effectively addressed due to the particular circumstances of the case (e.g. evidence may be destroyed or collusion of authorities)
Protection measures
The Directive provides for a prohibition of retaliation in all its various forms, e.g. dismissal, negative performance assessment, intimidation, harassment, discrimination or unfair treatment; damage, including to the person’s reputation, or financial loss, blacklisting.
Moreover, adequate remedies shall be taken in case of retaliation, including reversal of the burden of proof in proceedings and interim relief pending the resolution of legal proceedings.
Whistleblowers should also not incur liability for breach of NDAs provided that they had reasonable grounds to believe that the reporting or public disclosure of such information was necessary for revealing a breach, and provided that no criminal offence was committed.
Members Sates also keep the possibility to introduce or maintain more favourable provisions in their national regime.
Sanctions
Member States shall provide for effective, proportionate and dissuasive penalties applicable to natural or legal persons that:
- hinder or attempt to hinder reporting;
- retaliate against persons protected by the Directive;
- bring vexatious proceedings against these persons;
- breach the duty of maintaining the identity of reporting persons confidential.
Safeguards for concerned persons and the credibility of the system
The Directive also implements measures of protection for the “concerned person(s)”:
- Persons concerned by the reports fully enjoy the presumption of innocence, the right to an effective remedy and a fair trial, and the rights of defence;
- Competent authorities shall ensure, in accordance with national law, that the identity of the persons concerned is protected as long as investigations triggered by the report or the public disclosure are ongoing.
- Member States shall provide for effective and proportionate sanctions to dissuade malicious or abusive reports.
Entry into force and implementation in Belgium
This Directive shall enter into force on 16 December 2019, and Member States shall transpose the Directive by 17 December 2021, with a possible extension until 17 December 2023.
Given that Belgium, unlike France, Sweden or Italy, does not already have a comparable general system, the way in which transposition will be handled by our future government should be closely observed. We will keep you informed…