Last December, the European Union’s Whistleblower Directive took effect. The mandate currently requires EU companies with more than 250 employees to implement effective internal mechanisms to enable employees to report and escalate concerns about corporate wrongdoing internally, and to prevent retaliation against them. In December 2023, the directive will expand to apply to businesses with as few as 50 employees.
The directive provides for minimum standards that must be adopted at a national level, and EU member states can adopt additional provisions to provide more protection if they so choose. The legislation applies to individuals who report a breach of EU law in a range of areas including consumer protection, public procurement, product safety, environmental damage, money laundering, terrorist financing, public health and nuclear safety.
Furthermore, it is very broad in scope and in the definition of who qualifies for protection. In addition to employees, protection extends to the self-employed, new recruits who have not yet formally started work, shareholders, volunteers, suppliers, board members (including non-executive directors), “facilitators” who help a whistleblower make their report, a whistleblower’s colleagues and relatives, and legal entities associated with the whistleblower.
In essence, the directive is aimed at protecting anyone who speaks up internally and in the public interest. Given the requirements, companies need to review their HR measures and risk controls to ensure employees are properly protected and that incident reports can be escalated, investigated and acted upon.
They also need to allocate sufficient resources to comply. Companies must ensure they either set up their own reporting channels or pay a third party to do so. In addition, they must have systems in place that can acknowledge receipt of a report within seven days, provide feedback within three months of any action taken (or not taken), and keep records of every report received.
The new rules also introduce uncertainties. In the EU, directives allow plenty of scope for countries to differ in how they interpret and enforce the rules. At present, European countries are at very different stages of implementing the Whistleblower Directive. According to law firm DLA Piper, 15 out of the 27 EU countries that already had either partial or no existing whistleblower protection laws in place still had not transposed the directive into national law as of February 2022. Four of those countries—Austria, Germany, Hungary and Italy—have not even proposed the necessary legislation yet.
As a result, employees based in much of Europe may still have little or no legal protection if they want to raise concerns. Even when these countries do catch up and transpose the directive into national law, it will likely result in 27 variations of the same rules, offering differing levels of protection. For companies with pan-EU operations, this could create a compliance nightmare about how and to whom employees should first report wrongdoing. Companies should closely monitor the application of the EU directive in each country and consider the subsequent impact on the organization’s global whistleblowing program.
Complicating matters, the directive does not explicitly define “whistleblowing.” This is a key issue as the term does not even exist in some EU languages. As it refers to protecting individuals who report “breaches of European Union law,” reporting abuses of national law may still risk prosecution. Additionally, some lawyers say the possibility of protection for anonymous whistleblowing remains unclear, while some EU countries may require a strong evidential threshold before whistleblowers gain protection. For example, documents may carry more weight than conversations or verbal instructions. Many short-term challenges will arise from the differences among EU countries, the level of protection they provide, and the effectiveness with which they enforce protections.
A Standard of Protection
Despite the shortcomings, however, experts believe the EU directive provides a “bedrock” upon which companies can build their global whistleblower protection programs. “Companies should follow the principle that the strongest level of legal protection provided by any one jurisdiction should be used as the minimum standard for an organization’s whistleblowing program globally,” said Andreas Pyrcek, forensic and integrity services partner at EY.
Many agree that the fairest and most transparent solution is a “one-size-fits-all” approach that ensures whistleblower protection for all employees, regardless of location. “If you don’t have a common policy, it’s going to be quite hard to send out the message that everyone is guaranteed the same level of protection if they come forward,” said Tim Martin, CEO of employee engagement platform WorkInConfidence. “Some people are going to feel rightly aggrieved at being treated in a different way.”
A singular approach also makes sense from a practical perspective. For companies operating across a number of jurisdictions, it is costly to develop different whistleblowing policies for each country, especially if they have relatively small teams working there. “Once you have a good, strong policy in place, you can then check whether it meets local legal and regulatory requirements or if it needs to be tailored,” Martin said. “A good place to start would be to make sure your whistleblowing policy is compliant with EU and U.S. laws and tweak it from there.”
Companies should also be aware that local laws may conflict with global whistleblowing policies. For example, Italy’s Decree 231/01 makes companies responsible for corporate crimes committed by executives and employees, such as acts of bribery and corruption, violations of workplace safety, and environmental damage. The measure requires organizations to inform Italian supervisory bodies about alleged criminal activity immediately. Meanwhile, in Russia and China, local data privacy and state secrecy laws may limit the amount of information that can be shared outside of the country. Consequently, companies should realize there is a danger that information submitted confidentially by a whistleblower may be used in a criminal investigation, which could risk that person’s safety and anonymity once details are shared with regulators and investigating authorities.
Depending on the nature of the allegation and the jurisdiction, a company may also need to consider whether it is appropriate to investigate some complaints itself. “If the allegation involves a complex fraud, for example, there is no doubt that external independent forensic experts should be leading the investigation,” said Giles Newman, managing director at ethics and compliance firm Navex. “However, if the complaint concerns an HR-related issue, such as bullying or sexual harassment, it might be more appropriate for the company’s HR or in-house legal to pursue the matter. These kinds of judgments will depend on the individual circumstances, as well as an assessment of whether any in-house investigation might conflict with local employment laws.”
Ultimately, whistleblowing policies are only effective if companies take them seriously. “Nobody is going to report potential wrongdoing and risk losing their job if the company doesn’t bother to promote the whistleblowing program and is not seen to investigate complaints,” Newman said. “It is much better if the company is seen to welcome any and all reports from the outset, rather than dismiss what it deems to be ‘capricious’ or ‘malicious’ reports that are immediately disqualified from even a basic investigation.”