As reported in our blog post EU strengthens and expands whistleblowing protections, the EU has been working to strengthen protection and support for whistleblowers reporting on breaches of EU law. The draft EU law was formally adopted by the EU Council on 7 October 2019 following 24 nations voting in favour (Hungary, Slovakia, the Czech Republic and the UK abstained). Member States have two years in which to transpose the Directive into national law (although whether the UK will do so will depend on the outcome of Brexit).
A study carried out for the European Commission in 2017 showed public procurement across the EU loses between €5.8 and €9.6 billion per year in potential benefits due to a widespread lack of protection for whistleblowers. Currently only 10 EU countries have a comprehensive law protecting whistleblowers. This is therefore an area the EU has been keen to address.
The new law provides protection to whistleblowers across a wide range of sectors including public procurement, financial services, money laundering, product and transport safety, nuclear safety, public health, consumer and data protection. However, it will not protect whistleblowers making reports on matters concerning defence, security and classified information. It protects not only employees, but trainees, volunteers, self-employed workers, and anyone else who acquires information in a work context.
The key points are:
All companies of over 50 employees or local authorities with more than 10 000 inhabitants must create effective and confidential reporting channels;
Although whistleblowers are encouraged to use internal channels within their organisation, they will not lose protection if they make reports through external channels to competent national or EU bodies;
Whistleblowers are also able to approach the media if, for example, they have made an internal or external report but "appropriate" action has not been taken, or if there is an immediate or obvious threat to the public interest (for example from spoiled food or defective software);
Legal safeguards will exist to protect whistleblowers from retaliation, such as being suspended, demoted and intimidated, and the same protections for those who assist them (such as colleagues or family members).
From a business point of view, it is clearly desirable for reports of suspected wrongdoing to be reported through internal channels, rather than straight to the authorities. This gives the company a chance to investigate and decide whether action needs to be taken including self-reporting of wrongdoing. Without appropriate reporting processes and protection for whistleblowers from retaliation, businesses leave themselves open to a higher risk that the prosecuting authorities may come knocking in relation to issues the company is simply unaware of. Ideally, a whistleblowing policy should form part of a suite of policies and procedures covering areas such as financial crime and data protection. Where the company's position in relation to such matters is clear and communicated to its workers, such policies provide a clear guide to workers regarding what is expected of them and what misconduct should be reported and actioned.
Although it does not have to be transposed into national law until 2021, the adoption of the EU law is a timely reminder to businesses that are not otherwise currently required to have such policies in place (for example due to regulation by bodies such as the Financial Conduct Authority), it is best practice to have a whistleblowing policy and an internal reporting channel for suspicions of wrongdoing such as data misuse, tax evasion, money laundering, fraud or corruption, whether through a letterbox, telephone hotline or digital reporting system. Having a way for workers to confidentially report their suspicions, and processes in place for appropriately actioning such reports, could avoid the need for any external disclosure and the reputational damage such disclosure to the media or public authorities could result in. Whether or not the EU law is transposed into English law, it will remain good business practice for even non-regulated businesses to have in place policies and procedures to protect against this risk and companies should ensure now that theirs are fit for purpose.