Following the publication of the new whistleblowing directive in the Official Journal of the European Union on 26 November 2019, the Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law becomes effective on 16 December 2019. Within two years, i.e. by the end of 2021, Member States are required to transpose the directive into national law.
Long story short, this directive aims to close loopholes in national legislations, while it comes at significant bureaucratic costs. There are numerous examples of whistleblowers (so-called “reporting persons”) who faced retaliation by their employers after their ‘betrayal’ came to light (see example in the first text box). A broad consensus exists acknowledging that the protection of whistleblowers needs improvement. The scale of the measures adopted by the EU can be debated though.
A remarkable case of whistleblowing:
An elderly care nurse reported her employer to the law enforcement authorities for mistreatment of patients and fraud. The criminal proceedings were closed without charges and she was dismissed without notice. The nurse took the case to court. Up to the German Federal Constitutional Court, she lost in courts of all instances. Finally, the European Court of Human Rights found evidence for her allegations, granted her compensation and annulled her dismissal. Ideally, this case should have been decided in that way by the court of first instance.
Whistleblowing (see definition in the second text box) is an important instrument for gaining otherwise hidden information. In a very regressive work environment, acts of whistleblowing are rare and usually concern excessive cases, often reported anonymously and directly to authorities, state attorneys or the press. These are primarily cases that crossed a red line for the conscience-stricken whistleblower. Along with a more progressive feedback culture, the number of – anonymous and non-anonymous – whistleblowing acts apparently increases; more reports occur internally and more frequently in a non-anonymous way.
By making candid use of reported information entities can avoid litigations, fines and losses of reputation that could otherwise materialise. In a most welcoming work environment with exemplary feedback culture, whistleblowing strongly decreases or even ceases to exist; most or all complaints would be channelled through the hierarchy as stipulated by the regular internal processes. Eventually, whistleblowing pushes entities to foster a better feedback culture, since the internal complaint process is more effective, less risky and culturally superior compared to whistleblowing. Overall, whistleblowing finally reinforces a superior corporate and administrative culture in society as a whole. Since the bureaucratic burden is significant and cannot be avoided entirely, it will be each entity’s opportunity to realise this ‘cultural dividend’ by making the best use of a sincere whistleblowing process.
A useful definition of whistleblowing:
Whistleblowing is the disclosure by organisation members (former or current) of illegal, immoral or illegitimate practices under the control of their employer, to persons or organisations that may be able to effect action.
The primary objective of the directive is to establish EU-wide minimum protective measures for whistleblowers who comply with the procedures it lays down. Secondly, it defines who can be a reporting person and what breaches of law can be reported. Thirdly, it requires private and public entities as well as municipalities to set up internal reporting channels, and competent authorities to implement external reporting channels, with specific features. Finally, the directive describes a reporting procedure that the whistleblower and the authority must follow, either for the whistleblower to be eligible for protection or to prevent the disclosure of the breach of law to the public. This article sheds light on most of the relevant aspects of the directive and provides the author’s view on implementation challenges for lawmakers, authorities and entities:
- Affected entities that are regulated
- Reporting persons covered as protected whistleblowers
- Relevant laws the breach of which can be whistle-blown
- Requirements on internal and external reporting channels
- Whistleblowing to the public
- Measures of protection
- Data security and privacy
I. Which entities are required to implement and maintain whistleblowing channels
The directive seeks to achieve comprehensive coverage of regulated entities within the EU. The following entities are required to implement internal channels for whistleblowing:
- private legal entities with 50 employees or more, and, regardless of the number of employees,
- public legal entities, including those owned and controlled by a public entity;
while
- municipalities with fewer than 10 000 inhabitants or fewer than 50 employees and/or
- entities with fewer than 50 employees
can be exempted at national discretion.
The number of affected entities and municipalities is huge. For example, according to the German Federal Statistical Office, there are about 64 000 firms with 50 to 249 employees and 15 000 with more than 250 employees in Germany alone. The numbers for the EU are close to fourfold. About 1 600 German municipalities have more than 10 000 inhabitants. In addition, thousands of public entities and smaller private entities not exempted need to be added to the list of adopters.
Private and public entities with more than 50 and fewer than 250 employees are granted two more years to implement their reporting channels, i.e. by the end of 2023. Although not explicitly stated, small non-exempted entities with fewer than 50 employees will benefit from the prolongation as well.
It should be noted that all entities, even those that are not required to implement an internal reporting channel for the first two years or permanently, can nonetheless be subject to whistleblowing through external channels or disclosure to the public. Hence, if a certain industry expects frequent whistleblowing, smaller entities may consider internal reporting channels as a shared service irrespective of its legal necessity.
Municipalities (in the following subsumed under ‘public entities’) can share internal channels or make use of a joint service centre if their Member State allows. Similarly, private legal entities with fewer than 250 employees may share resources. It appears advisable for small to mid-sized entities either to license a reporting channel as software-as-a-service or to outsource parts of the process to a service provider.
The Member States have to define the public and private legal entities to which the national legislation applies. The trialogue parties probably intended to include the broadest range of entities. However, the definition of a ‘legal entity’ differs amongst the Member States. In general, a legal entity is not a natural person and has the legal capacity on its own to sue and to be sued. However, a significant share of commercial activities cannot be distinguished from natural persons (e.g. sole proprietors, sole traders or independent professions, like physicians, pharmacists, tax advisors, lawyers and auditors, or civil law partnerships, ordinary partnerships, etc.).
Like a private legal entity, a public legal entity (or ‘public law body’) has on its own the capacity to sue and to be sued. Member States probably wish to exempt the inner core of government and its administration. However, the trialogue parties targeted procurement by national contracting authorities and entities in particular, as well as state aid and the functioning of the internal market. Hence, it is unlikely that the EU will tolerate broad exemptions for parts of the public sector unless their matters are not governed by this directive, like defence (see ch. III.).
In any case, the Member States need to add detail to the directive: for instance, whether staff are counted individually per entity or on a consolidated basis for groups of entities, and when and how the number of employees is measured.
II. Which reporting persons may benefit from protection if they blow the whistle
In general, all persons who acquired information on breaches in a ‘work-related context’ can benefit from the protection as whistleblowers, including, but not limited to:
- workers, employees, civil servants, self-employed;
- shareholders, executive and non-executive members of the board or of similar bodies;
- volunteers, paid and unpaid trainees;
- persons working for contractors, sub-contractors and suppliers;
- facilitators related to the whistleblower, e.g. a placement agent*;
- persons connected to the whistleblower, like colleagues and
- legal entities the whistleblower owns or works for or has a working-
A whistleblower can, of course, report misconduct during a contractual phase. However, the time before a contract or an engagement has started and after it has ended is covered too.
Information that is classified, protected by legal or medical professional privilege or falls under the secrecy of judicial deliberations or criminal proceedings may not be reported by the whistleblower. It needs further clarification in national law whether information protected by other professional privileges remains likewise sealed from attempts of whistleblowing.
Entities should observe that consultants who might be entrusted with solving delicate issues fall under the protection. The same holds for the entity’s employees who work at the centre of discovering and solving legal breaches, like legal counsels, internal auditors and compliance staff. The legislator may consider limiting the ability of staff entrusted with solving reported issues to file further reports on the same cases externally.
The three groups marked above with an asterisk are indirectly protected if they face retaliation collectively. The differentiation is important. For example, an employee may hear, in a private context, from a consultant to whom she/he is married about a breach of law that happened at the entity both of them work for in different areas. If the employee reports it via the internal channel, neither of them acted in accordance with the directive: the employee did not discover the violation in her/his work-related context, and the consultant told her/him in private rather than using a reporting channel. Hence, both would fail to achieve protection under this directive. However, had the consultant reported the breach and kept it secret from his/her spouse, both of them would be eligible for protection, for example, if they were dismissed in connection with the reporting. The first example, in which the employee nonetheless acted in good faith by reporting the breach, illustrates that the condition of a ‘work-related context’ needs further clarification.
Protected whistleblowers are natural persons, never entities. Since the information reported must be obtained in a work-related context, some situations prevent modern whistleblowers from achieving protection according to this directive. For example, a hacker breaking into an IT system would not be eligible; likewise, an animal-rights activist who breaks into a hog house to film the pigs’ supposedly inadequate housing. Neither would an employee who rummages through files lying on other colleagues’ desks act in a work-related context (see below on the requirements regarding information gathering). Furthermore, customers, clients, patients and their relatives who witness breaches of law cannot become protected whistleblowers.
Some sectors had already implemented whistleblowing schemes, e.g. credit institutions by law and many large corporations voluntarily. Even for those entities, the group of potential whistleblowers is very much enlarged by the directive compared to – essentially – employees, who are primarily addressed by existing whistleblowing measures.
Anonymous whistleblowing is an important source of otherwise hidden information. Beyond that, it is a popular instrument for smearing while jumping the hierarchy and for complaining in one’s own interest. Personally, the author is convinced that anonymous reporting has its merits in large organisations, where loyalty, ethical conduct, culture, governance and controls can be of varying quality across regions and subsidiaries. In smaller organisations, though, the harm from anonymous complaints to the working atmosphere might outweigh its potential gain.
The directive leaves it to the Member States to decide whether anonymous reporting should be followed up by entities or not. Hence, Member States may consider anonymous reporting to be followed up by larger entities and – under certain conditions, e.g. depending on the severity of the breach – by all concerned entities. However, for a few industries, e.g. for financial institutions, some supervisory authorities already implemented anonymous reporting channels. For that reason, it would not be reasonable for entities to neglect anonymous reporting, even if they were allowed to, since any entity should seek to obtain the information on breaches of law and try to solve or mitigate the problem before it is reported externally.
In any case, anonymous whistleblowers are protected under this directive, even if a Member State does not require internal or external channels to follow up on such reports, provided that they acted in accordance with this directive.
III. What are the codes of law the breaches of which can be whistle-blown
The EU can require the Member States to impose protective measures only for reporting breaches of Union law. The respective Union acts are listed in the annexe to the directive and cover the following areas of Union law:
- public procurement;
- financial services, products and markets and prevention of money laundering and terrorist financing;
- product safety;
- transport safety;
- protection of the environment;
- radiation protection and nuclear safety;
- food and feed safety, animal health and welfare;
- public health;
- consumer protection;
- protection of privacy and personal data, and security of network and information systems.
The following areas are covered as a whole, while the relevant law acts are not listed in detail:
- breaches affecting the financial interests of the Union;
- breaches relating to the internal market including competition and state aid rules.
This catalogue comprises most corners of the European Union’s law with a few exceptions. For instance, the inclusion of European law regarding ‘the working environment to protect workers’ health, safety and working conditions’ will be considered later, after sufficient experience has been gathered.
Next to EU regulations, the annexe lists directives that bind entities only after their transposition into national law. Irrespective of this, the directive intends to include all national and Union implementing or delegated measures adopted pursuant to those Union acts. The annexe will be adapted dynamically to new Union law accordingly.
Member States are permitted to extend the protection to whistleblowers who report breaches of Union, national and other law acts not listed in the annexe. It appears advisable to include all areas of national law that are closely related to the Union law covered by the directive. Otherwise, it can be confusing for potential whistleblowers to determine where Union law ends and national legislation begins.
Not only breaches that already happened can be reported, but also those very likely to occur and attempts to conceal breaches. By contrast, weaknesses in controls, acts against the entity’s code of ethics or similar ‘soft issues’ generally need not be followed up. For internal channels, however, it appears advisable to treat ‘soft issues’ with the same attention as the actual breaches of law into which they often evolve.
Remarkably, the directive does not provide for a statute of limitations after which a report no longer needs to be followed up. It seems reasonable to give entities discretion on whether they follow up outdated breaches, e.g. those for which the limitation period in civil and criminal law has expired or which occurred before the directive became effective.
For those industries accustomed to whistleblowing, it is important to note that existing national legislation will not be lowered but enhanced. Nowadays, whistleblowing regulation typically covers the specific law applicable to the respective industry, e.g. banking law and regulations for credit institutions. The areas of law covered by the directive are now vastly expanded. For instance, the protection of privacy and personal data will be a challenge for all industries and now falls under the general whistleblowing regime.
IV. Requirements that internal and external reporting channels need to fulfil
The directive requires private and public legal entities to establish internal reporting channels. These internal channels have to fulfil certain standards (see below a) and need to comply with a specific workflow and deadlines (see below b). Likewise, competent authorities have to set up and operate external reporting channels (see below c). Reporting persons should always be encouraged to use their entity’s internal reporting channel first before turning to external reporting, although this intention is not formulated as a legal obligation.
a) Possible ways of reporting
All concerned entities have to implement internal reporting channels for whistleblowing. Nowadays the simplest form is just a letterbox hanging in a quiet corner of an office that is emptied irregularly. The directive, however, envisages ways of communication in a greater variety:
- reporting in writing, or
- reporting orally,
  - via telephone, or
  - via voice messaging,
- and a physical meeting, upon request of the whistleblower, within a reasonable timeframe.
‘In writing’ includes various possibilities: complaint box, postal addresses within the entity, of an ombudsman or of an external representative, telefax numbers, e-mail addresses or an electronic template to be filled-in via the internet, an intranet page or an app on the smartphone, etc.
Surprisingly, a private legal entity can use either oral or written reporting. Apart from additionally requested physical meetings, the private entity – regardless of its size – needs to provide only one form of communication. This may appear to be too limited for large entities.
In the case of oral communication, the entity must offer to store the conversation, subject to the whistleblower’s consent, in one of the following ways:
- recording in a durable and retrievable form;
- complete and accurate transcript, which the whistleblower must be able, but is not obliged, to check, rectify and agree with by signing it.
If the whistleblower does not consent with the storage of the conversation, specifically in the case of unrecorded telephone lines, the entity is entitled to prepare accurate minutes without the whistleblower’s explicit consent.
In the case of physical meetings, either a recording or accurate minutes of the conversation shall be prepared. The whistleblower must be able, but is not obliged, to check, rectify and agree with the minutes by signing them. Although a transcript is not mentioned as an option, it can be subsumed under ‘minutes’ as an even more accurate record of the meeting.
It is almost certain that the authorities operating the external channels will use an electronic reporting system. Otherwise, the expected traffic from thousands of entities could likely not be handled. Hence, if the authority uses an electronic format, the entity cannot stick to a slower and more intricate medium of communication. The reason is that the whistleblower should not be discouraged by elaborate ways of reporting and that the entity should be informed no later than the authority. The entire process can be much more effective if operated electronically.
b) The workflow of the reporting process
When a whistleblower reports a supposed breach of law, the following process is envisaged:
- Within seven days, the entity confirms to the whistleblower the receipt of his/her report, which the whistleblower is requested, but not obliged to acknowledge.
- An impartial person or department is entrusted with the follow-up on the report. Along the way, it might be necessary to communicate with the whistleblower. Subject to national discretion, the same applies to anonymous reporting.
- Within a reasonable timeframe, but no later than three months after the acknowledgement of the receipt or of the seven-day period, whichever is earlier, the entity provides feedback to the whistleblower about its follow-up.
Without a doubt, the entire process has to be secure and confidential, especially with regard to the identity of the whistleblower, the concerned person and other affected parties. The entities shall also provide sufficient information to potential whistleblowers on ways to report externally to competent authorities.
If an entity provides an electronic way of communication, it will be able to document the confirmation of receipt sent to the whistleblower (and its acknowledgement by her/him) as well as the feedback sent (and its acknowledgement), even if the report has been made anonymously. If an intermediary is used instead, through which anonymous communication would also be possible, the process is much slower, more costly and less secure.
c) External reporting to competent authorities
The directive requires the Member States to designate authorities and to provide them with adequate resources in order to operate an external reporting channel. Essentially, this external channel has to satisfy the same requirements as an internal reporting channel with some minor deviations:
- The acknowledgement of the receipt of the report shall not be sent if the whistleblower so requests or if sending it would jeopardise the protection of her/his identity. If the reporting channel comes with a secure electronic mailbox, which is only accessible by the whistleblower, the acknowledgement can always be sent.
- In duly justified cases, the feedback on the report can take six rather than three months. However, the decision to extend the timeframe must be communicated to the whistleblower. Otherwise, after three months of waiting, the reporting person would be eligible and might be tempted to disclose his/her knowledge to the public.
- If the report pertains to a minor issue or an issue that has been reported by other persons previously or reported repetitively, the authority may decide not to follow up on the issue. The authority has to inform the reporting person about its decision in due course.
- At times of high inflow, the authority can prioritise reports but without exceeding the timeframe. There is no requirement of sequential treatment of reports.
- The authority has to transmit the complaint to the respective EU institutions, bodies, offices or agencies, or to the responsible competent authority of the Member State, if deemed necessary, within a reasonable time and in a secure manner. The reporting person has to be informed, without delay, of such a transmission. It is self-evident, though not detailed by the directive, that the given timeframe should be extended by the time the transmission will take.
- Unlike internal channels, external channels have to provide for both a written and an oral way of communication.
- The competent authorities have to publish information about the whole reporting process and measures of protection.
Remarkably, the EU allows whistleblowers to turn towards the external reporting channel without having reported internally to the concerned entity. As mentioned above, small and micro entities with up to 49 employees can be subject to external reporting. In both cases, the competent authority would approach the unaware entity in order to discuss the issue and request formal feedback. The feedback by the entity must be channelled back through the authority to the whistleblower within the applicable timeframe. This process requires the entity’s full attention and may pose a challenge to less prepared entities.
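The workflow deadlines described under b) and c) above (confirmation of receipt within seven days; feedback within three months counted from the acknowledgement or from the expiry of the seven-day period, whichever is earlier; six months for an external channel in duly justified cases, provided the extension was communicated) are what a case-management tool behind an electronic channel has to track. The following Python example is added here and is not code from the article or from any product; it assumes that ‘months’ are calendar months with the day clamped to the end of the target month (the directive does not define this, so an implementer should confirm the convention under national law), and it treats a report that was never acknowledged, e.g. an anonymous one, by starting the clock at the seven-day expiry.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

ACK_DAYS = 7                 # confirmation of receipt within seven days
FEEDBACK_MONTHS = 3          # feedback within three months
EXTENDED_FEEDBACK_MONTHS = 6 # external channel, duly justified and communicated


def add_months(d: date, months: int) -> date:
    """Calendar-month addition; the day is clamped to the last day of the
    target month (assumed convention, e.g. 30 Nov + 3 months -> 28 Feb)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


@dataclass
class ReportTimeline:
    received: date                       # day the report reached the channel
    channel: str = "internal"            # "internal" or "external"
    acknowledged: Optional[date] = None  # None: not (or not yet) acknowledged
    extension_communicated: bool = False # external channel only
    feedback_given: bool = False

    def ack_deadline(self) -> date:
        return self.received + timedelta(days=ACK_DAYS)

    def feedback_clock_start(self) -> date:
        # acknowledgement date or expiry of the seven-day period, whichever is earlier;
        # an unacknowledged (e.g. anonymous) report falls back to the seven-day expiry
        start = self.ack_deadline()
        if self.acknowledged is not None and self.acknowledged < start:
            start = self.acknowledged
        return start

    def feedback_deadline(self) -> date:
        months = FEEDBACK_MONTHS
        if self.channel == "external" and self.extension_communicated:
            months = EXTENDED_FEEDBACK_MONTHS
        return add_months(self.feedback_clock_start(), months)

    def overdue_items(self, today: date) -> List[str]:
        """Which obligations are already missed as of `today`."""
        missed: List[str] = []
        if self.acknowledged is None and today > self.ack_deadline():
            missed.append("acknowledgement")
        if not self.feedback_given and today > self.feedback_deadline():
            missed.append("feedback")
        return missed


def timeline_summary(t: ReportTimeline, today: date) -> Dict[str, object]:
    """Compact view for a case dashboard or an audit log entry."""
    return {
        "ack_deadline": t.ack_deadline().isoformat(),
        "feedback_deadline": t.feedback_deadline().isoformat(),
        "overdue": t.overdue_items(today),
    }


if __name__ == "__main__":
    # constructed sample cases, not real reports
    prompt = ReportTimeline(date(2020, 1, 10), acknowledged=date(2020, 1, 13))
    anonymous = ReportTimeline(date(2020, 1, 10))  # never acknowledged
    external = ReportTimeline(date(2020, 1, 10), channel="external",
                              extension_communicated=True)
    for case in (prompt, anonymous, external):
        print(timeline_summary(case, date(2020, 4, 20)))
```

Two details matter in practice: the clock for an acknowledged report starts on the acknowledgement date only if that date is earlier than the seven-day expiry, so a late acknowledgement does not buy time; and the six-month extension is applied only when it was actually communicated to the reporting person, mirroring the point made under c) that an uncommunicated extension leaves the whistleblower free to disclose after three months.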
Establishing a reporting channel requires significant set-up effort, ongoing processing effort and financial outlay. A reporting channel is in principle a cost centre for entities and authorities that must be operated with the highest safeguards but in the most efficient way possible. Hence, centralisation and digitalisation of internal and external reporting channels seem inevitable.
V. When is the disclosure of the breach to the public permissible
Under usual circumstances, a whistleblower who discloses her/his knowledge in public without prior external reporting risks losing legal protection. The prerequisites for disclosure to the public are as follows:
1. The whistleblower reported internally AND externally, OR only externally, AND ‘no appropriate actions’ were taken within the applicable timeframe (of 3 months for internal and 3 to 6 months for external reporting);
2. the whistleblower has ‘reasons to believe’ that
   a. the breach may constitute an imminent or manifest danger for the public interest, OR
   b. retaliations are expected to follow from an external reporting, OR
   c. the prospects of effectively addressing the issue are small, OR
   d. the authority and the entity collude, OR
   e. the authority is itself involved in the breach;
3. the Member State has previously established rules that allow the public disclosure according to the freedom of expression and information.
The conditions under 1. make clear that it is of the greatest importance to encourage potential whistleblowers to report the breach internally first, before reporting externally. If a breach is reported externally, the entity should provide information on the follow-up to the competent authority in a timely manner so that the authority can always stay within the time limit. Otherwise, the whistleblower may disclose the information to the press and would still benefit from legal protection.
The term ‘no appropriate actions’ is not further defined and, hence, requires a national legal definition. The concerned entity’s ‘appropriate actions’ may comprise some or all of the following: a) internal/external audit or compliance tasked, b) breach investigated, c) breach confirmed, d) causes identified, e) breach stopped, f) further breaches prevented, g) concerned person disciplined/charged, h) damage compensated/mitigated, i) authorities involved, j) board informed, k) public relations involved, l) customers/patients informed, m) feedback given and even more steps.
Furthermore, the competent authority contributes to the ‘appropriate actions’ as necessary, notwithstanding that the entity is responsible in the first place. It would certainly be helpful, though it bears a liability risk, if a supervisory authority were required by national law to assess and confirm the appropriateness of the measures taken by the entity, particularly if the entity belongs to a supervised industry. The extent of the feedback would be abstract rather than detailed, e.g. in a formulaic way, in order to keep business secrets confidential.
The competent authority’s liability risk should not be underestimated. If the responsibility for inappropriate or belated feedback lies fully or in parts with the authority and the whistleblower discloses the breach to the public, the authority might be liable for the damages that the entity suffers following the public disclosure.
If follow-ups on anonymous reports are not required according to national discretion and are not implemented voluntarily by the entity either, the anonymous whistleblower cannot receive the feedback on measures that may or may not have been taken by the concerned entity. Hence, the aforementioned condition 1. can never be met, so that public disclosure after anonymous reporting would only be possible according to the above-mentioned conditions 2. and 3.
The conditions under 2. cannot be defined with great precision. The whistleblower just needs to have ‘reasons to believe’ on one of those prerequisites being present, which can hardly be assessed in objective terms. Hence, the whistleblower must be very confident in her/his case when disclosing a breach to the public.
It would be advisable for the Member States to foresee a ‘super authority’ to which complaints about external reporting authorities can be addressed. In this case, conditions 2.d. and 2.e. may never be applicable.
VI. What are the measures of protection
The protective measures for whistleblowers comprise a) a prohibition of any retaliation, b) general support with information, advice and financial aid, c) a strengthening of the legal position in criminal and civil proceedings and d) enforcement.
a) Prohibited retaliations
The Member States have to establish provisions that prohibit retaliation, including threats and attempts of it, whether direct or indirect. The list of prohibited measures of retaliation is comprehensive: dismissal, negative performance assessment or employment reference, failure to convert a temporary employment contract into a – legitimately expected – permanent one, etc.
Abusive behaviour cannot be ruled out. For instance, a whistleblower may purport to be a victim of retaliation, while such measures were taken by the entity independently of his/her reporting.
b) Supportive measures
Member States have to provide certain supportive measures to whistleblowers:
- access to comprehensive and independent information and advice;
- access to effective assistance from competent authorities;
- certification of the fact that the reporting person qualifies for protection;
- access to legal aid in criminal, cross-border civil and further proceedings, to legal counselling or other legal assistance;
- financial assistance and other support, including psychological support.
An information centre or a single independent administrative authority may provide the support measures.
c) Strengthening the whistleblower’s position in civil and criminal law
More importantly, the Member States have to strengthen the legal position of the whistleblower in civil and criminal law:
- A lawful reporting to internal or external channels or disclosure to the public shall not be considered a breach of confidentiality (or defamation, breach of copyright, breach of secrecy, breach of data protection rules, disclosure of trade secrets, etc.) and shall not incur liabilities of any kind. However, the whistleblower must have had reasonable grounds to believe that the reporting or disclosure of such information was necessary for revealing the breach.
- Reporting persons shall not be held liable for the acquisition of or access to the relevant information, provided that it did not constitute a self-standing criminal offence. In the latter case, the criminal liability shall remain governed by applicable national law.
- Any other possible liability of the reporting person arising from unrelated acts or omissions, which are not necessary for revealing a breach, will remain governed by applicable EU or national law.
- The burden of proof as to whether a measure should be deemed a retaliation or a justified action is reversed and rests with the entity.
- Reporting persons and facilitators shall have access to remedial measures against retaliation as appropriate, including interim relief pending the resolution of legal proceedings, in accordance with the national legal framework.
- Whistleblowers acting lawfully shall be entitled to seek dismissal of the case, to remedies and to full compensation for damages suffered.
- The possibility to agree on waivers or limitations of rights should be prohibited.
For whistleblowers, it is important to recognise that their actions should not exceed what is essential to report the breach. The extent of the information passed to the channels or the public, the gathering of the information and the claims they make ought to be limited to what is strictly necessary to report the breach. Otherwise, whistleblowers risk their protection.
d) Measures of enforcement
The directive requires the Member States to penalise violations of the national law implementing it. In particular, the following acts should be punishable:
- hindering or attempting to hinder reporting;
- taking retaliatory measures against whistleblowers;
- bringing vexatious proceedings against reporting persons;
- breaching confidentiality with regard to the identity of reporting and concerned persons.
Conversely, the Member States shall provide for effective, proportionate and dissuasive penalties where whistleblowers knowingly make false reports or false public disclosures.
Member States may grant whistleblowers more favourable rights. When introducing the implementing national law, Member States may not use the opportunity to reduce existing protection that is more favourable to reporting persons.
VII. Whistleblowing and data security
It does not come as a surprise that all data processing must comply with high security standards. Particular attention should be paid to (a) securing the whistleblower’s identity and (b) the protection of personal data.
a) Securing the whistleblower’s identity
The identity of the reporting person shall not be disclosed without her/his explicit consent to anyone beyond the authorised staff competent to receive and/or follow up on reports. This shall also apply to any other information from which the identity of the reporting person may be deduced, directly or indirectly. Exceptions may only be made in the course of investigations by national authorities or of judicial proceedings, including with a view to the rights of defence of the person concerned, where this is necessary and proportionate and the whistleblower is informed of the disclosure of his/her identity.
This exception carries an unintended risk of disclosing the whistleblower’s identity: the entity could, based on the whistleblower’s report, deliberately file a criminal charge against the concerned person. The state attorney has the right to receive information on the whistleblower’s identity, and the defendant, in turn, has the right to access the records. Lawmakers could limit the disclosure of the whistleblower’s identity within the records to cases where the whistleblower serves as a pivotal witness.
b) Control over personal data
Handling personal data in accordance with the GDPR often appears to be a conundrum. Personal data is processed regarding:
- the whistleblower,
- the concerned person accused of wrongdoing,
- potential victims and
- potential witnesses.
First of all, the controller of the data needs to ensure that personal data may be processed for as long as required to investigate and pursue the case in question. The GDPR permits this where the processing is necessary for compliance with a legal obligation or for the purposes of the legitimate interests pursued by the controller. Hence, such legal obligations should be clarified when the national law is drafted.
Under strict conditions, personal data can be processed without informing the data subjects. The following prerequisites are typically met when a whistle is blown:
- the prevention, investigation, detection or prosecution of criminal offences;
- the protection of the data subject or the rights and freedoms of others;
- the enforcement of civil law claims.
However, a whistleblower’s accusations are less critical if they do not amount to a criminal offence or a breach of civil law. For instance, the concerned person may merely have acted against the entity’s code of ethics. In such instances, a clear provision in national law would be desirable as to whether and when a data subject has to be informed that her/his data is being processed in the follow-up of a whistleblowing act.
After the case has been resolved, or if a breach cannot be proven, the personal data of data subjects who did not consent to the processing of their data, and of the whistleblower if he/she so demands, must be deleted. This requirement may hinder the detection of patterns and of repeated misconduct.
The entity has to perform a ‘data protection impact assessment’ (DPIA) where the processing of the data is likely to result in a high risk to the rights and freedoms of the concerned or other affected persons. Where criminal offences involving vulnerable data subjects are concerned, the entity needs to develop rules for carrying out a DPIA. Persons who cannot easily consent to or object to the processing of their personal data likely count as vulnerable data subjects. Since a whistleblowing system may at any time collect data on criminal offences involving data subjects who cannot consent to the processing, it seems necessary that a general DPIA is successfully completed before the system is taken into production.
Many questions on security and privacy of the personal data collected during the reporting and the follow-up have no simple answer. Further guidance by the national legislator or by national data protection commissioners is indispensable.
The hope of some activists to extend protection to all kinds of whistleblowing did not come to fruition. Whistleblowers who obtained their knowledge by breaking the law or even through criminal offences, or who obtained it outside the work-related context, will not benefit from legal protection. Thereby, conscience-stricken outsiders will be discouraged from revealing an entity’s supposed violations of law to the public. The second positive message is that, over time, the feedback culture should be expected to improve by the mere pressure of otherwise undesirable acts of whistleblowing. However, it all comes at significant cost to set up and maintain the whistleblowing schemes.
A vividly discussed question is whether whistleblowers should be paid for revealing breaches. Paying whistleblowers can have counterproductive consequences. Intending to have a bigger impact and to increase their rewards, whistleblowers may wait for the situation to get worse, may not report internally beforehand, or may themselves omit necessary actions. Furthermore, there is the ethical question that one should not expect remuneration for dutiful behaviour. On the other hand, monetary incentives might encourage otherwise lazy or ignorant informants.
An entity’s payment to an internal whistleblower should depend on his/her proper but unsuccessful prior internal escalation of the breach and on the actual savings made by the entity. Similarly, an authority’s payment to a whistleblower should have as a prerequisite that the entity’s internal follow-up was insufficient and that the savings and fines for the benefit of the taxpayer are significant. Where the entity’s management never had the chance to resolve the reported issue, rewards should not be granted.
Another question is whether whistleblowers should expect impunity if they were themselves involved in the breach. The directive does not prevent the punishment of whistleblowers for their contribution to the violation of law that they reported. Typically, a whistleblower can expect mitigation of punishment in the course of criminal proceedings. However, there is no automatic forgiveness with regard to civil claims the entity might bring forward. Hence, entities should consider waiving their claims in part or in full if the whistleblower acted carelessly or if her/his contribution to the breach was not pivotal.
The administrative structure outlined in the chart will probably emerge over the next two years. On the one hand, the central state and/or the federal states will set up reporting authorities for the different areas of Union and national law. Some areas will likely be fully centralised, for instance with industry-specific authorities for banks and insurance firms or for nuclear plants. Other areas, such as procurement, may be split into regional responsibilities. Public law bodies and public entities will likely remain organised hierarchically per region. Private entities will probably organise themselves per industry with regard to shared services and best practices.
The new whistleblowing directive will have tremendous implications. Since large firms often already have a whistleblowing system, SMEs and the public sector are much more affected. The bureaucratic burden will be significant, while entities will face a remarkable shift in work ethics towards a better, more open feedback culture. The earlier the entities start preparing for the new regime, the smoother their start under the whistleblowing rules will be.
- In April 2018 the Commission sent its proposal for the whistleblowing directive to the Parliament, which accepted it with some improvements at first reading in April 2019. On 7 October 2019, the Council agreed to the Parliament’s proposal, with Germany and the UK abstaining. The presidents of the Parliament and of the Council signed the directive on 23 October 2019. https://eur-lex.europa.eu/procedure/EN/2018_106.
- CELEX 32019L1937; https://eur-lex.europa.eu/eli/dir/2019/1937/oj.
- Article 28.
- Article 26 (1).
- https://www.dw.com/en/germanys-dire-record-on-protecting-whistleblowers/a-17923312.
- Near, Janet P. & Marcia P. Miceli (1985): Organizational dissidence: The case of whistleblowing, Journal of Business Ethics, vol. 4(1), pp. 1–16.
- Article 8 (3); according to the EU’s definition, micro-enterprises have up to 9 and small enterprises up to 49 employees.
- Article 8 (4), Annex Parts I.B. and II.A.
- More precisely, all entities falling within the scope of the Union acts referred to in Annex Parts I.B. and II.A. regarding “financial services, products and markets, and prevention of money laundering and terrorist financing”.
- Article 8 (4), Annex Part II.B.
- Article 8 (4), Annex Part II.C.
- Article 8 (7).
- Article 8 (9).
- For the year 2017; https://de.statista.com/statistik/daten/studie/1929/umfrage/unternehmen-nach-beschaeftigtengroessenklassen/.
- For the year 2016; https://ec.europa.eu/eurostat/web/structural-business-statistics/structural-business-statistics/sme.
- For the year 2018; https://www.destatis.de/DE/Themen/Laender-Regionen/Regionales/Gemeindeverzeichnis/_inhalt.html.
- Article 26 (2); according to the EU’s definition, medium-sized enterprises have 50 to 249 employees and large enterprises 250 or more employees.
- Article 8 (9).
- Article 8 (6).
- Article 8 (5)(9).
- Recitals 6, 17 & 18.
- Article 4 (1)(4).
- Article 4 (2)(3).
- Article 3 (3).
- The professional privileges of auditors, tax advisors etc. are not mentioned, nor is that of clergy members, who may learn about wrongdoing during a confession that is part of their work-related context.
- According to recital 23, this directive applies where staff of the European Union report breaches that occur in ‘a work-related’ context, including ‘outside their employment relationship’.
- Articles 6 (2), 9 (1)(e), Recital 34.
- Article 6 (3).
- Article 27 (3).
- Recital 19.
- Article 2 (2).
- Article 5 (2), Recital 43.
- Article 25 (2).
- Article 9 (2).
- Recital 53.
- Article 18 (2).
- Article 18 (3).
- Article 18 (4).
- Article 9 (1)(a-c).
- Article 9 (b).
- Article 9 (c-d).
- Article 9 (e).
- Article 9 (f).
- Article 9 (1)(a), see Ch. VII.
- Article 9 (1)(g).
- Article 11 (1).
- Articles 10-12.
- Article 11 (2)(b).
- Article 11 (2)(b), Recital 67.
- Article 11 (3)(4).
- Article 11 (5).
- Article 11 (2)(f) (6).
- Article 12 (2).
- Article 13.
- Article 15.
- This is already the case for the ECB in its relationship with national competent authorities concerning banking supervision.
- Article 19.
- Article 20.
- Article 21.
- Article 24.
- Article 23 (1).
- Article 23 (2).
- Article 25 (1).
- Article 25 (2).
- Recitals 14, 76, 77 & 83; Articles 9 (1)(a), 12 (1)(3), 13 (d), 16, 17 & 22 (2)(3); further requirements according to the General Data Protection Regulation (EU) 2016/679 (GDPR).
- The EU’s guidelines might serve as a starting point for developing internal policies, see European Data Protection Supervisor: Guidelines on processing personal information within a whistleblowing procedure, July 2016.
- Articles 9 (1a), 12 (1a), 16 (1).
- GDPR Article 6(1)(c)(f), e.g. prevention of fraud, see Recital 47.
- GDPR Article 23.
- GDPR Article 23(1)(d).
- GDPR Article 23(1)(i).
- GDPR Article 23(1)(j).
- Articles 13 (d), 17.
- GDPR Article 35(1).
- The U.S. Securities and Exchange Commission (SEC) pays a portion of the fines collected to the whistleblower. The rewards can be significant. The SEC promotes whistleblowing by listing the biggest rewards granted, amounting to multi-million US dollar sums.