To guarantee an EU-wide minimum standard for the protection of whistleblowers, the European Union adopted the Whistleblower Directive in December 2019. One of the Directive’s key instruments to facilitate early reporting is the obligation for private and public legal entities to establish an internal reporting channel. In addition, all natural and legal persons must abstain from retaliating against a whistleblower who has properly filed a report via one of the reporting channels (internal, external and in some cases also public disclosure). EU Member States have until 17 December 2021 to implement the Directive.
Unlike some other EU countries, Belgium does not yet have a dedicated legal regime to facilitate and protect reporting by whistleblowers. Currently only the financial and the public sectors are subject to such a regime. The implementation of the Whistleblower Directive will extend this to all sectors. It will also necessitate an update of existing policies, in particular those in place on a voluntary basis within companies not subject to sector-specific regulation.
A Bill for the protection of whistleblowers is pending in the Belgian Parliament, but this does not reflect most of the minimum requirements of the Whistleblower Directive.
Below we elaborate on the key aspects of the Directive with a focus on the obligation to establish an internal reporting channel and the applicable minimum requirements.
Protected reporting channels and obligation to establish an internal reporting procedure
The Whistleblower Directive establishes a three-tiered reporting system: corporate internal reporting, external reporting to government-appointed authorities and public disclosure.
In principle, a whistleblower’s public disclosure will only give rise to protection if the claim was first reported internally or externally and no appropriate action was taken within the timeframe set out in the Whistleblower Directive. However, by way of exception, protection does apply if the reportable breach constitutes an imminent or manifest danger to the public interest or, in case of external reporting, if there is a risk of retaliation or a low prospect of the breach being addressed effectively. An important take away for companies is that a failing internal reporting system may result in a protected public disclosure.
To facilitate the first line of reporting, the Whistleblower Directive requires private legal entities employing at least 50 workers to establish an internal reporting system. Member States may extend this to private legal entities employing less than 50 workers following an appropriate risk assessment of the nature of the activities involved.
For legal entities active in the public sector, the Whistleblower Directive reverses the rule: these entities must always provide an internal reporting system but Member States may provide an exception for public legal entities with less than 50 employees or municipalities with less than 10,000 inhabitants.
For financial service providers the threshold of 50 workers can be lowered if this is provided for in pre-existing financial regulation.
While in general the Whistleblower Directive must be implemented by 17 December 2021, Member States may grant an extension for private companies with 50-249 employees. By 17 December 2023 at the latest, those companies too must have a compliant internal reporting system in place.
Besides the establishment of internal reporting channels, Member States must also set up channels for external reporting by whistleblowers and appoint authorities that can receive and follow up on those reports.
Who can file a report?
The Whistleblower Directive protects reporting persons working in the private or public sector who have acquired information on potential non-conformities in the context of a work-related activity. As such, the following are eligible as whistleblowers:
- all workers in a professional context, i.e. employees, self-employed workers, volunteers, unpaid trainees, shareholders and members of supervisory bodies;
- independent third-party contractors, subcontractors and suppliers;
- ex-workers and future workers, being all persons reporting breaches in a professional as opposed to private context.
Both EU citizens and third country nationals are protected provided they deal with EU companies.
While the internal reporting system must at least be accessible to their workers, legal entities are encouraged also to inform other persons who came into contact with the entity through their work-related activities, such as service providers, distributors, suppliers, and business partners. In addition, the internal reporting procedure must be available for persons having a work relation not only with the specific legal entity but also with its subsidiaries or affiliates.
What can whistleblowers report on and for what can they be protected?
The Whistleblower Directive provides for protection of reports on violations of European legislation across a large number of areas such as anti-money laundering, consumer protection, environmental protection, transport safety and compliance, radiation protection and nuclear safety, public health, public procurement, financial services, protection of privacy, financial interests of the EU, competition law, State aid rules and corporate tax rules.
Member States are encouraged, however, to include additional national legislation as part of the material scope of application in the targeted areas. In addition, Member States can extend the protection for reports covering other areas (e.g. sexual harassment).
Requirements regarding the internal reporting channel
The Whistleblower Directive sets out general as well as procedural requirements for the internal reporting procedure, such as guaranteeing confidentiality and providing for an independent investigation and timely decision.
Those requirements apply whether the internal reporting system is organised in-house or outsourced. The Whistleblower Directive thus allows legal entities to authorise third parties to receive and investigate internal reports on their behalf. Such third parties could be external reporting platform providers, external counsel, auditors, trade union representatives or employees’ representatives. In addition, private companies with 50 to 249 workers or municipalities can share resources to organise the internal reporting.
When designing your internal reporting channel, a preliminary question will therefore be whether to opt for an in-house or outsourced system.
In order to encourage whistleblowers to file a report, their access to information on the available channels is essential. As such, that information must be made clearly and easily accessible by in-scope legal entities. The Directive suggests that such information could be posted at a visible location accessible to all such persons and on the entity’s website and could also be included in courses and training seminars on ethics and integrity.
It is up to each legal entity to define the kind of reporting channels it wishes to establish. Those channels should enable persons to report in writing and submit reports by post, by physical complaint box(es), or through an online intranet or internet platform, or to report orally, by telephone hotline or other voice messaging system, or both. At the whistleblower’s request, such channels should also enable reporting by means of physical meetings, within a reasonable timeframe.
Once a report is filed, it must be received and followed up by “the most appropriate person or department”. The Whistleblower Directive specifies that the choice of the most appropriate persons or departments within a legal entity depends on the structure of the entity, but, in any case, their function should be such as to ensure independence and absence of conflict of interest. In smaller entities, this could be a dual function held by a company officer well placed to report directly to the organisational head, such as a chief compliance or human resources officer, an integrity officer, a legal or privacy officer, a chief financial officer, a chief audit executive or a member of the board. To guarantee the independent nature of the enquiry, it is advisable to elaborate on who will ultimately decide on the outcome of the enquiry and where relevant the appropriate follow up-actions (e.g. recourse to a grievance committee).
Confidentiality must be ensured both during and after the internal assessment of the report. The identity not only of the whistleblower but also of any third party mentioned in the report must be protected. A “secure” design of the internal procedure will include among other things not allowing non-authorised staff to have access to the files.
Any processing, exchange or transmission of personal data carried out pursuant to the Whistleblower Directive, must comply with GDPR and Directive 2016/680.
The Whistleblower Directive also regulates certain procedural elements, in particular as regards deadlines. Upon receipt of a report, the designated staff must acknowledge receipt within 7 days. Follow-up steps must be taken to address the report. Feedback entailing actions or lack thereof must be given within 3 months from the expiry of the 7-day time-limit for acknowledgement of receipt.
When the internal investigation is closed and the whistleblower is correctly informed of its outcome, the legal entities must keep records of every report received, in compliance with the confidentiality requirements. However, reports must be stored for no longer than is necessary and proportionate to comply with the Whistleblower Directive or with requirements imposed by Union or national law.
Retaliation under the Whistleblowing Directive: How are whistleblowers protected?
If there are reasonable grounds to believe that the whistleblower’s information is true at the time of reporting and the information falls within the scope of the Whistleblowing Directive, Member States must protect against potential retaliation the persons who correctly internally or externally reported or publicly disclosed such information.
Thus all legal entities must refrain from any kind of retaliation prompted by (internal or external) reporting actions or a public disclosure if the latter is compliant with the Whistleblower Directive.
Retaliation is broadly defined as “any direct or indirect act or omission which occurs in a work-related context, is prompted by internal or external reporting or by public disclosure, and which causes or may cause unjustified detriment to the reporting person”.
More specifically, the following are prohibited:
- Suspension, lay-off, dismissal or equivalent measures;
- Demotion or withholding promotion;
- Transfer of duties, change of location of work, reduction in wages;
- Withholding of training;
- Coercion, intimidation, harassment.
Not only the whistleblowers themselves must be protected, but also the facilitators, colleagues, and relatives of the whistleblower or companies owned by them or for whom the whistleblower currently works.
The core of the protection against retaliation lies in the reversed burden of proof. From the moment that a person can demonstrate that (i) he/she disclosed information (by internal or external reporting or by public disclosure) and that (ii) he/she encountered any act of retaliation, the burden of proof shifts to the natural or legal person responsible for that act or retaliation. Hence, it is for the later to demonstrate justifiable grounds.
What sanctions do companies face under the Whistleblowing Directive?
The Whistleblower Directive calls for effective, proportionate and dissuasive penalties for natural or legal persons who (attempt to) obstruct reporting, who fail to keep the identity of the whistleblower confidential or who retaliate against whistleblowers. No minimum penalty is provided by the Directive. It remains to be seen how Belgium will transpose the Directive and the penalties it requires. Inspiration can be drawn from other legal systems where rules on whistleblowing have already been enacted, such as the Netherlands and the United States.