At the end of 2019, the European Parliament and the Council of the European Union (“EU”) agreed to the text of the EU Directive for the Protection of Whistleblowers, the full name of which is “Directive (EU) 2019/1937 of the European Parliament and the Council, 23 October 2019, on the protection of persons who report breaches of Union law.” Indeed, the rather lengthy Annex to the Directive specifies the extensive list of Union legal acts violations of which whistleblowers are encouraged to report, and for which reporting they are protected. EU directives require member states to achieve a certain result, establishing a goal that all states are required to achieve. To achieve that goal, however, each state must enact its own, individual legislation, using its own internal legislative procedures. This process of incorporating the directive into national law is known as “transposition,” and such transposition must take place by the deadline set out in the directive itself. The deadline is normally two years, and as the EU Whistleblower Directive was adopted on December 16, 2019, member states had until December 2021 to complete the transposition. As of that date a few months ago, only two states, Denmark and Sweden, had completed the transposition process by adopting national legislation that complied with the Directive. Of the remaining twenty-five, most were in the process of drafting the legislation, though Ireland, Germany, Austria and the Netherlands were not even in the drafting process. However, both Ireland and the Netherlands already had national policies in place that needed only slight modification to be in compliance. Though the process has been delayed, there is no reason to expect that all member states will not soon come into compliance with the Directive. Moreover, national courts are often influenced by the policies in EU directives when interpreting their own pre-existing national law.
The EU Whistleblower Directive requires that companies with fifty or more employees, or that have annual sales exceeding ten million euros must provide secure internal reporting channels for those wishing to expose wrongdoing. Moreover, public institutions and any local governmental authorities with jurisdiction over ten thousand or more inhabitants also must provide such secure channels. These channels can be online, by mailbox, or in a telephone hotline answering system. The identities of those making these reports must be kept confidential. Any employee, full- or part-time, freelancer, supplier, service provider or business partner should be able to use this channel to report violations of European law. Those making the report, however, are only protected if they “have reasonable grounds to believe, in light of the circumstances and the information available to them at the time of reporting, that the matters reported by them are true.” Notably, the Directive does not specify what procedures should exist to determine if the reporting person has such reasonable grounds to believe the truth of their report, and does not specify who should make that determination. Close examination of each national law that is enacted to comply with the Directive is warranted to see exactly how the questions of who and how such reasonable belief is to be determined will be answered.
Though the company or other organization maintaining this secure reporting channel is allowed the first opportunity to address the problems reported, if that organization does not respond to the complaint in a reasonable time and manner, the whistleblower who made the report has the right to contact the relevant authorities directly. The Directive specifies that whistleblowers should be able to expect such responses within three months. If the organization fails to provide a secure channel, the whistleblower is, again, entitled to contact the relevant authorities directly. The Directive makes clear, therefore, that the appropriate authorities establish external reporting channels to which whistleblowers can make reports. The Directive also requires national laws establish procedures that will ensure that authorities will diligently follow up on the reports received diligently and give feedback to the reporting person in a reasonably prompt fashion. Again, the Directive defines a reasonable time as no more than three months.
The Directive also mandates that persons making these reports be protected from retaliation. This protection against retaliation should extend not only to the reporting persons themselves but also against what the Directive calls “indirect” retaliation. That means not only the whistleblower should be protected, but also her colleagues, relatives who might also have some work-related connection to the employer, and those who assisted or facilitated in making the report in some way.