Implementation of Directive 2019/1937 of the European Parliament and Council concerning the protection of persons reporting breaches of European Union (“EU”) law, is poised to present companies with either a physical presence in the EU or operating in the internal market, with a unique set of challenges. Among other things, the Directive requires companies with 50 or more employees to establish a confidential mechanism for reporting breaches of Union law pertaining to public safety, consumer protection, financial services, product safety, environmental protection and other areas.  Under the Directive—adopted by the European Parliament in 2019—member states have until December 2021 to “transpose,” or officially codify, the requirements of the Directive into national law. This blog answers several key questions about the Directive and its scope. A definitive guide to the most important elements of the Directive is available here, in our latest white paper.

Why did the EU choose to adopt a whistleblower directive?

A 2018 European Commission (“Commission”) report cited recent public scandals—namely, Lux Leaks, the Panama and Paradise Papers, Dieselgate, and the Cambridge Analytica debacle—as the basis for strengthening legal protections for would-be whistleblowers throughout the EU.

Noting that whistleblowers were critical to exposing violations of the public trust that often have cross-border implications, the Commission urged the European Parliament, European Council and Economic and Social Committee of the EU to adopt uniform standards that would result in more consistent legal protection for such persons. Prior to the Directive’s adoption, the breadth and scope of protections afforded to whistleblowers varied considerably across the twenty-seven member states comprising the EU. Moreover, these protections were often industry or issue-specific, leaving ample room for employers to retaliate against would-be whistleblowers in some contexts but not others. The adoption of minimum uniform standards for the protection of persons who report potential breaches of Union law is largely an effort to remediate these deficiencies and create a culture of trust whereby conscientious employees and other parties with knowledge of malfeasance can approach competent authorities assured of legal protection.

What are the practical implications for companies faced with the Directive’s new requirements?

The practical implications for companies maintaining an EU presence or operating in the internal market are manifold. First, because the Directive provides for specific requirements when establishing reporting mechanisms, organizations need to be attuned to those requirements, notwithstanding the fact they may have an existing reporting program. For instance, the Directive—unlike similar legislative or regulatory requirements in the United States—is specific in mandating that covered organizations offer an opportunity for an in-person meeting between a reporter who chooses initially to convey information orally and a designated person within the organization. Second, because the Directive specifically applies the requirements of Directive 2016/679 (“GDPR”) to the handling of personal data by organizations in association with whistleblower reports, companies will have to consider whether conducting a Data Protection Impact Assessment (“DPIA”) for high-risk data collection activities pursuant to Article 35 GDPR is a necessary predicate to establishing new reporting mechanisms.

In a similar vein, companies headquartered in other countries—particularly the United States—but with affiliate presences in EU member states will need to consider how best to handle and process data collected from a whistleblower report. With the declaration by the Court of Justice of the EU that the EU-US Privacy Shield framework is invalid, companies will have to assess whether the risk of exporting personal data collected in connection with whistleblower reports is too great to rely simply on standard contractual clauses. In such cases, it may be prudent for organizations with a lower risk appetite to establish policies and procedures for collecting, handling, processing and disposing personal data by trained EU-based personnel who are delegated primary responsibility for investigating and resolving whistleblower claims.

How can organizations prepare for the Directive to come into full legal force?

The Directive sets minimum uniform standards and a deadline for member states to adopt those standards. As such, it is entirely possible that individual member states may supplement the Directive’s requirements with their own unique set of stipulations. As such, it is important for organizations with presence in EU member states to monitor all applicable legislative developments in this area.

Notwithstanding the potential for variation, however, organizations generally should utilize the period between now and December 2021 as an opportunity to examine their current reporting policies and procedures and fine-tune them to align with the Directive’s minimum requirements.  Other related policies—such as an organization’s non-retaliation policy, for instance—should also be re-examined in light of the Directive’s robust requirements. Because the Directive is extremely broad in defining what behaviors constitute potentially illegal retaliatory actions, companies must ensure their policies specifically prohibit such conduct in relation to whistleblower reports.

Read the full white paper on the subject here.