Guide to EU Directive on Whistleblower Protection
Key Elements relevant to Public Procurement
Following the adoption in 2019 by the EU of a new Directive of the European Parliament and of the Council on the protection of persons who report breaches of Union law (Whistleblowing Directive), all Member States will be obliged to guarantee a uniform minimum standard of protection to whistleblowers across a wide range of sectors of EU law including public procurement.
The Directive covers both the public and private sectors, and it offers protection to a wide range of potential whistleblowers, as well as individuals who assist them, and other individuals and legal entities connected with them.
This Guide on the EU Directive on Whistleblower Protection is based on the main principles of the Whistleblowing Directive. As well as laying out the common minimum standards for a national whistleblowing law, there are recommendations on how national laws can extend the level of protection to close loopholes and ensure comprehensive protection for anyone who exposes corruption or other wrongdoing.
The Guide contains the following sections:
- I. Importance of Whistleblower Protection in Public Procurement
- II. The 15 Key Elements of the new Whistleblowing Protection Rules
- 1. Protection – Who is protected?
- 2. Protection – When is protection given?
- 3. Retaliation is prohibited
- 4. Which kinds of breaches of law can whistleblowers report on?
- 5. Reporting channels - Internal Reporting
- 6. Reporting channels - External Reporting
- 7. Names of whistleblowers and those accused must be protected
- 8. Reporting channels - Public Disclosure
- 9. Support measures must be provided to whistleblowers and facilitators
- 10. Liability regarding disclosure of information
- 11. Compensation for retaliation
- 12. Penalties for those who hinder or abuse the system
- 13. Record keeping
- 14. Reporting to the European Commission
- 15. Levels of protection
- III. Recommendations for Member States
I. The Importance of Whistleblowing in Public Procurement
The high risk of corruption in public procurement means high potential loss of public funds. This is where whistleblowers play a vital role. Reporting and stopping corruption can uncover breaches of the law and result in significant public savings.
The public procurement sector is a major component of the economy and therefore it is a vulnerable hotspot for corruption. Within the EU, corruption is estimated to cost €120 billion per year, which represents approximately 1% of the total GDP of the EU.1 In the field of procurement, corruption is estimated to increase the cost of government contracts by 4-15%.2
The European Union, through its Directives on public procurement, has put in place measures designed to catch corrupt practices (such as the use of e-procurement, record keeping and conflict of interest mechanisms), yet unlawful practices can still occur.
People who work within the procurement sector are more likely to pick up on corruption, rather than it being detected through anti-corruption control mechanisms. Through their close contact with the procurement system, they can effectively contribute to the detection of unlawful procedures in public procurement by disclosing information that may not be readily available or evident. Therefore, their protection contributes to the fight against corruption.3
There is a strong economic case for whistleblower protection
In public procurement the link between costs and benefits in terms of public funds is arguably closer and more direct than in other areas. For the EU as a whole, the potential benefits of effective whistleblower protection are in the range of EUR 5.8 to 9.6 billion each year in the area of public procurement exclusively.4
A cost-benefit analysis in which the costs of the whistleblower protection system were assessed against the benefits in terms of the potential for reductions in corruption and the misuse of public funds, found that the overall costs for setting up and maintaining whistleblower protection mechanisms are quite low in comparison with the potential benefits. Therefore, there is a strong economic case for whistleblower protection, even when considering only the area of public procurement.5
Whistleblower protection must be effectively implemented and promoted
In order to have effective whistleblowers, systems of protection must be properly implemented and promoted. According to a Eurobarometer survey, three out of four Europeans who witnessed corruption did not report it.6 A survey by Transparency International showed that fear of retaliation is the most common reason for not reporting instances of corruption.
Employees should be made aware of their right to protection as whistleblowers and of how to legally report a breach internally, externally or publicly. This would make it more likely that people come forward when witnessing wrongdoing, thereby contributing to the effectiveness of the system. Guidance should be produced both for employers, on how to set up the systems, and for employees, on who they can report to and what protection they can avail of as whistleblowers.
Weak implementation of whistleblower legislation is one of the main issues. The recent EU Directive lays down new, EU-wide standards to protect whistleblowers revealing breaches of EU law in a wide range of areas.
II. The 15 Key Elements of the new Whistleblowing Protection
1. Protection – Who is protected?
Member States should ensure protection for whistleblowers who correctly report breaches of EU law, as well as those “facilitators” who assist with reporting.
Who is a whistleblower? A whistleblower is a person working within the private or public sector who, through a “work-related context”, has acquired information regarding a breach of law and who, in the absence of special rules to protect them, is likely to face retaliation if they report it. This applies to current employees as well as those who have since left their position or who have not yet begun it. This should cover:
- a. Employees of any kind, including public officials
- b. Self-employed
- c. Shareholders and people belonging to the administrative, management or supervisory body, including non-executive members, volunteers and paid/unpaid trainees
- d. Any persons working under the supervision and direction of contractors, subcontractors and suppliers.
Who is a facilitator? A facilitator is a person who aids the whistleblower in their reporting of a breach or who is connected to the whistleblower and therefore likely to suffer retaliation in a work-related context. This includes third parties connected to the reporting and legal entities connected to the whistleblower in a work-related context.
2. Protection – When is protection given?
In order to qualify for protection, whistleblowers must have reasonable grounds to believe the information that they report to be true.
The whistleblower must also follow the correct procedures, which include reporting internally, externally, or publicly.
It doesn’t matter what the whistleblower’s reasons for reporting a breach of the law are. The Directive makes clear that “the motives of the reporting persons in reporting should be irrelevant in deciding whether they should receive protection”.
3. Retaliation is prohibited
Member States shall take the necessary measures to prohibit any form of retaliation, including threats and attempts of retaliation, whether direct or indirect.
What is retaliation? Retaliation is any direct or indirect act or omission which causes some kind of harm or detriment to the whistleblower or facilitator. This could include change of responsibilities, dismissal, reducing salary, not giving an expected promotion, threats or bullying, and so on.
The burden of proof will be on the employer to demonstrate that they did not act in retaliation. In cases of retaliation, the whistleblower will be entitled to remedies to prevent workplace harassment or dismissal, as well as access to confidential, free advice. Each country has to set up a system for provision of advice, for example with advice provided by an independent body.
4. Which kinds of breaches of law can whistleblowers report on?
As a minimum standard, Member States must ensure protection for whistleblowers when they report breaches in specific areas of EU law, including breaches in public procurement. They are free to extend these rules to other areas. Breaches of national measures remain a national matter.
What is a breach? A breach of law is an act or omission that results in a violation of law that the country is obliged to have under EU rules. This means that protection of whistleblowers is guaranteed when a breach is reported in the following areas:
- (i) public procurement;
- (ii) financial services, products and markets and prevention of money laundering and terrorist financing
- (iii) product safety;
- (iv) transport safety;
- (v) protection of the environment;
- (vi) radiation protection and nuclear safety;
- (vii) food and feed safety, animal health and welfare;
- (viii) public health;
- (ix) consumer protection;
- (x) protection of privacy and personal data, and security of network and information systems;
- (xi) corporate tax rules;
- (xii) competition law.
In terms of public procurement, the new rules may not apply to reports about breaches of the procurement law involving defence or security, and national security, as these tend to be regulated by national laws.
5. Reporting channels - Internal Reporting
Public and private sector legal entities must create secure and confidential internal reporting channels. This should be the first port of call for whistleblowers; however, they can report to an external channel directly if they believe the internal channel is compromised.
How can internal reports be made? Internal reports can be made in writing and/or orally through telephone lines or other voice messaging systems. The whistleblower can also request to make a report through a physical meeting. An acknowledgement of receipt shall be given within 7 days and the whistleblower shall be given feedback on the follow up of the report within 3 months from receipt.
To whom are reports made? A designated impartial person or department competent for following-up on the reports shall maintain communication with the whistleblower and, where necessary, ask for further information and provide feedback to the reporting person. Clear and accessible information on external reporting should be made available. This information must be easily understandable and accessible, not only to employees, but also to suppliers, service providers and business partners.
Internal reporting channels are only obliged to take reports from employees; entities can decide whether or not to take reports from others (e.g. self-employed, shareholders, volunteers). It is up to the Member States to set the rules on the follow up of anonymous reports.
5.1 Private sector
Private legal entities with 50 or more employees must set up secure internal reporting channels. These channels can be set up within the entity or can be outsourced to a third party.
Entities with between 50 and 249 employees are permitted to share resources on some aspects of the internal reporting mechanisms, as regards the receipt of reports and any investigation to be carried out.
In areas where there is a particular risk of wrongdoing, Member States may require private legal entities with fewer than 50 employees to set up internal channels. This includes those:
- a. operating in the area of transport safety, protection of the environment and all financial services firms irrespective of their size
- b. vulnerable to money laundering, terrorist financing irrespective of size.
5.2 Public sector
All public legal entities, including any entity owned or controlled by a public legal entity, must have internal channels for whistleblowers.
Member States may provide that internal reporting channels are shared between municipalities, or operated by joint municipal authorities in accordance with national law, provided that the shared internal channels are distinct and autonomous from the external channels. Member States may, however, exempt municipalities with fewer than 10,000 residents or 50 employees.
6. Reporting channels - External Reporting
Public authorities must establish independent and autonomous external reporting channels for receiving and handling reports. External reporting should be used when internal whistleblowing channels are compromised or could not reasonably be expected to work properly.
How can external reports be made? As with internal reporting channels, reports can be made in writing and/or orally through telephone lines or other voice messaging systems. The whistleblower can also request to make a report through a physical meeting.
Similar to internal reporting, an acknowledgement of receipt should be given within 7 days; however, the whistleblower can request not to receive an acknowledgement if this might risk revealing their identity. Feedback on follow up should be given within 3 months, or 6 months with justification. The final outcome should subsequently be communicated to the whistleblower.
Without undue delay, information about the report should be communicated to the relevant law enforcement and other institutions for further investigation.
The authorities must have dedicated staff members for this purpose who must be trained to provide the public with information on whistleblower reporting procedures and receive and follow up on the reports, as well as asking the reporting person for further information where necessary.
If it is decided that a report is minor and does not require follow up, the whistleblower is still entitled to receive protection.
7. Names of whistleblowers and those accused must be protected
The identity of the whistleblower must be kept confidential. The identity or any information relating to the identity of the whistleblower shall not be disclosed to anyone beyond authorised staff without their explicit consent. This information may only be disclosed where it is necessary and proportionate in the context of investigations by national authorities or judicial proceedings. The whistleblower will be informed in advance and this disclosure will be subject to safeguards. Even if a whistleblower’s identity is uncovered, they can still qualify for protection. All personal data of the whistleblower must be handled in accordance with the General Data Protection Regulation (GDPR).
The identity of those who breached EU law must be protected while the investigation is ongoing. Competent authorities shall ensure that the identity of the concerned persons is protected for as long as the investigation is ongoing. The concerned person will fully enjoy the right to an effective remedy and to a fair trial as well as the presumption of innocence. All personal data of any accused persons must be handled in accordance with the GDPR.
Trade secrets must be protected. Trade secrets that are contained in reports should not be used or disclosed for other purposes beyond what is necessary for follow up of reports.
8. Reporting channels - Public Disclosures
A whistleblower who decides to disclose a concern to the public (for example by informing the media) is protected under this Directive if either:
- a. They first reported internally or externally but no timely action was taken, or
- b. They had reasonable grounds to believe that the breach constituted an imminent or manifest danger for the public interest, or in the case of external reporting, this channel would be insufficient as there is a low prospect of the breach being effectively addressed, or that there would be a risk of retaliation due to particular circumstances of the case.
9. Support measures must be provided to whistleblowers and facilitators
Whistleblowers and facilitators shall have access to support measures. In particular the following:
- a. Free independent information and advice on procedures and remedies available on protection against retaliation and the rights of the whistleblower
- b. Effective assistance from competent authorities regarding protection against retaliation
- c. Access to legal aid, legal counselling and legal assistance
Member States may provide for financial assistance and support, including psychological support, for reporting persons in the framework of legal proceedings.
10. Liability regarding disclosure of information
Whistleblowers and facilitators shall not face any liability regarding disclosure of information provided that they followed reporting procedures and that disclosure of such information was necessary for revealing a breach.
Whistleblowers shall not incur liability in respect of the acquisition of, or access to, the relevant information, provided that such acquisition or access did not constitute a self-standing criminal offence.
If a whistleblower reports to public authorities or media in a lawful way, they will be exempt from liability for breach of any restriction on disclosure of information imposed by contract, such as an employment agreement, or by law.
Where a person reports or publicly discloses information on breaches falling within the scope of this Directive, and meets the conditions of this Directive, such reporting or public disclosure shall be considered lawful.
No agreement, policy, form or condition of employment, including a pre-dispute arbitration agreement, may waive or limit these rights.
11. Compensation for retaliation
Whistleblowers and facilitators shall have access to remedial measures against retaliation as appropriate, including interim relief pending the resolution of legal proceedings, in accordance with national law. So for example, if someone is suspended from their job, they should be reinstated until the investigation is finalised.
It is crucial that whistleblowers who do suffer retaliation have access to legal remedies and compensation. All losses or detriment should be covered, including indirect and future losses and financial and non-financial losses. The appropriate remedy in each case should be determined by the kind of retaliation suffered, and the damage caused in such cases should be compensated in full in accordance with national law.
12. Penalties for those who hinder or abuse the system
12.1 Hindering whistleblowers
To prevent attempts to stop whistleblowers reporting and to prevent reprisals, there shall be effective, proportionate, and dissuasive penalties.
These will apply to people that:
- (a) hinder or attempt to hinder reporting;
- (b) take retaliatory measures against whistleblowers;
- (c) bring vexatious proceedings against whistleblowers;
- (d) breach their duty of maintaining the confidentiality of the identity of whistleblowers.
12.2 False reporting
When it is established that a whistleblower has knowingly reported or publicly disclosed false information, they can be sanctioned. This could include being required to compensate for damage resulting from false reporting or public disclosures.
13. Record keeping
All private and public sector legal entities covered by the new rules and relevant competent authorities will be required to keep records of every report received.
Records of received reports must ensure compliance with confidentiality requirements.
Reports shall be stored for as long as it is necessary in order to comply with the requirements imposed by the Directive, or other requirements imposed by Union or national law.
Whistleblowers shall be offered the opportunity to check, rectify and agree the transcript of the conversation by signing it.
14. Reporting to the European Commission
Member States should, on an annual basis, submit to the Commission statistics on the reports, if they are available at a central level in the Member States.
Statistics shall include, preferably in an aggregated form, data on:
- (a) the number of reports received by the competent authorities;
- (b) the number of investigations and proceedings initiated as a result of such reports and their outcome; and
- (c) if ascertained, the estimated financial damage, and the amounts recovered following investigations and proceedings, related to the breaches reported.
15. Levels of protection
Member States can expand on the protection within the Directive; however, they cannot regress on the level of protection they currently offer.
Member States may introduce or retain provisions more favourable to the rights of whistleblowers than those set out in the Directive. If a Member State already has in place a more favourable system for whistleblowers' rights, it cannot reduce the amount of protection available so that it is in line with the Directive.
III. Recommendations to Member States on the Whistleblowing Directive
The Whistleblowing Directive is an opportunity to bring all national frameworks into line regarding the rights of whistleblowers and offer a minimum level of protection that is uniform across all Member States. However, it must be remembered that Member States are encouraged to go further regarding the protection they offer when transposing the Directive. Whilst the Directive is indeed welcomed, there are various areas that could be strengthened in order to enhance protection at the national level.
Member States should extend the scope of protection to reports of breaches in all areas of law, both EU and national. As it stands, the Directive offers protection to people who report breaches only in certain areas of EU law. This current distinction could cause practical confusion and result in unprotected reporting.
Member States should allow anonymous reporting. The Directive states that national law shall regulate the follow up of anonymous reports. It is important to allow for these reports as whistleblowers may not trust the reporting channels and should still have a way to make valid reports.
Member States should extend protection to everyone who is at risk of retaliation as a consequence of whistleblowing. The current Directive does not offer protection to potential whistleblowers – those who intend to report or those who are suspected of doing so. This could leave some people unprotected and exposed to risks of retaliation.
Member States should ensure that all public legal entities have to establish internal reporting channels. The Directive states that Member States may exempt municipalities with fewer than 10,000 residents or 50 employees from the obligation to establish internal reporting mechanisms. This could mean exempting local government entities, despite the fact that they take important decisions in areas such as public procurement.
Member States should establish a duty of care for whistleblowers for those working in internal and external reporting channels. This could be done through the implementation of procedures with obligations to protect and consequences for negligence.
To receive protection against legal proceedings, whistleblowers should only have to believe the information to be true and report the breach correctly. The Directive places an extra burden on the whistleblower stating that they shall not incur liability “provided that they had reasonable grounds to believe that the reporting or public disclosure was necessary for revealing a breach”. This extra burden should be removed.
Member States should ensure that whistleblowers and facilitators have access to a full range of remedial measures covering all direct, indirect and future consequences of any type of retaliation. The Directive leaves the access to remedial measures against retaliation up to Member States.
Member States should establish an independent authority with sufficient power and resources for it to oversee implementation of effective reporting channels and ensure the protection of whistleblowers. The Directive states that support measures may be provided by a single and clearly identified independent administrative authority. It is recommended that a well-resourced independent body with significant investigation and sanction powers be charged with overseeing protection of whistleblowers.
Penalties should be given to legal entities who do not establish proper whistleblower reporting channels. The Directive fails to require that there are sanctions for not setting up adequate reporting channels. It is recommended that an independent authority monitors compliance with the new rules and has the power to sanction those that have not put an adequate system in place.
Member States should make their annual reports to the Commission on statistics of whistleblowing available to the public. This information should be made available in a machine-readable and reusable format.