As the deadline for all twenty-seven European Union (“EU”) member states to “transpose” (or codify) the requirements of Directive 2019/1937 of the European Parliament and Council concerning the protection of persons reporting breaches of Union law (the “Directive”) fast approaches, organizations with a presence in the EU or operating in the internal market must familiarize themselves with the Directive’s requirements for confidential reporting, protection of persons subject to the Directive, potential penalties for non-compliance, and standards for handling and processing personal data collected in connection with the Directive.

Here are six key things to know about the new Directive:

  1. The new Directive applies to organizations in the private sector with 50 or more workers and to public sector organizations generally.

Directive Article 8(3) requires all “legal entities in the private sector with 50 or more workers” to establish an internal reporting channel that complies with the Directive’s requirements. To ease the burden on smaller organizations, Article 8(6) allows legal entities with 50 to 249 workers to “share resources as regards the receipt of reports and investigation to be carried out.” However, Article 8(6) also makes clear that the ultimate responsibility for maintaining the confidentiality of such reports, providing feedback to the reporter, and addressing the reported breach remains with each legal entity individually.

  2. The Directive establishes strict timelines for acknowledging receipt of whistleblower reports and providing feedback to the reporter.

Directive Article 9 requires covered entities to acknowledge receipt of a whistleblower report within seven (7) days, to designate an impartial person or department competent to follow up on reports, and to have that designee or department follow up “diligent[ly].” Diligent feedback means responding to the reporter within a reasonable timeframe not exceeding three (3) months, counted either from the acknowledgment of receipt or, if no acknowledgment was sent, from the expiry of the seven (7) day period after the report was made. Notably, Article 9 also requires the organization to provide clear and easily accessible information about external reporting to competent national authorities and, where applicable, to Union institutions, bodies, offices and agencies.

  3. The Directive recommends—but does not require—would-be whistleblowers to report internally prior to reporting externally.

Although Directive Article 7(2) instructs member states to “encourage” reporting through internal channels before resorting to external channels, Article 10 is explicit that an individual may forgo the internal reporting route and report directly to a competent national authority. This makes it all the more important that organizations foster a culture of transparency and accountability in which every worker can raise concerns without fear of reprisal. An organization lacking such a culture is likely to attract additional regulatory scrutiny when employees take to competent national authorities matters that could have been handled in-house from the start. A speak-up culture is therefore essential to mitigating an organization’s risk under the new Directive.

  4. The Directive broadly protects both conventional employees and third parties from retaliation.

The Directive applies broadly: it covers “workers” as defined by Article 45(1) of the Treaty on the Functioning of the European Union (“TFEU”), as well as self-employed persons; shareholders and persons belonging to the administrative, management or supervisory body of an organization (including non-executive members, volunteers and paid or unpaid trainees); and any persons working under the supervision and direction of an organization’s contractors, subcontractors and suppliers.

Significantly, the protections the Directive affords to would-be whistleblowers also extend to “facilitators” (defined as a natural person who assists a reporting person in the reporting process), to third persons connected to the reporting person who could suffer retaliation in a work-related context (e.g., colleagues or relatives), and even to legal entities that the reporting person owns, works for, or is otherwise connected with in a work-related context.

  5. Under the Directive, the processing of personal data collected as part of a whistleblower report and ensuing investigation must be handled in accordance with GDPR.

Although brief, Article 17 requires that all processing of personal data carried out in connection with the Directive comply with GDPR. In practice, organizations must limit the personal data collected during a breach investigation to what is relevant to the handling of the specific report: personal data that is manifestly not relevant must not be collected and, if accidentally collected, must be deleted without undue delay. As a best practice, organizations revisiting their internal reporting policies and procedures to conform them to the Directive’s requirements should also conduct a Data Protection Impact Assessment (“DPIA”) as outlined in GDPR Article 35, so that they understand what information will be collected, how it will be stored and secured, who will have access to it, and for how long it will be retained before deletion.

  6. The Directive sets minimum standards, making it imperative that organizations operating in different EU member states pay attention to emerging legislative and regulatory developments.

The new Directive establishes a minimum common standard for the protection of persons reporting potential breaches of Union law. Individual member states can—and likely will—go beyond the Directive’s requirements, for example by extending protection to reports of breaches of national law or by setting stricter deadlines, reflecting their own political, social and economic circumstances. Reliance on the Directive alone is therefore ill-advised. Organizations should closely monitor the transposition of the Directive into the national law of each member state in which they operate.

For a comprehensive guide to the Directive’s requirements, please refer to Steele’s EU Whistleblower Directive whitepaper, available here.