The clock is ticking for global employers with staff in the EU to prepare for the new rules on handling reports from EU whistleblowers. Employers need to determine how the EU Whistleblowing Directive will be implemented in each of the EU’s 27 Member States and how this affects their operations in each of those states, as a ‘one size fits all’ approach may not suffice.
The December 17, 2021 deadline does not leave much time to prepare, so below we have outlined what the Directive is changing and the key points employers should remember and consider as they prepare.
What is changing?
Although Member States are implementing the Directive on a state-by-state basis via local legislation, each must impose minimum standards of protection for whistleblowers, specifically:
- Companies with at least 50 workers will be required to set up internal reporting channels (such as a hotline or dedicated email address) and whistleblowing procedures to allow whistleblowers to make reports of suspected breaches of EU law. Companies that fail to do so will be subject to sanctions (see below).
- Companies with at least 250 workers must introduce reporting channels and procedures by December 17, 2021. Companies with 50-249 workers have a deadline of December 17, 2023.
- Reporting channels and procedures can no longer only apply to employees; they must also be available to job applicants, former employees, contractors, shareholders, board members, “facilitators” who help a whistleblower to make a report (e.g. an employee representative), and persons connected to the whistleblower (e.g. a colleague or relative) who are at risk of retaliation in a professional context.
- After receiving a report, companies will have to acknowledge receipt within 7 days and provide feedback on the outcome within 3 months of the acknowledgement. Companies will therefore need to devote sufficient capabilities and resources to undertake efficient investigations without delay.
- Companies must designate a specific person or department to take responsibility for investigating reports. Companies can encourage whistleblowers to make internal reports in the first instance, but it is ultimately the whistleblower’s decision whether they do this or make an external report to a competent supervisory authority. Companies must assure all whistleblowers that they face no risk of retaliation.
- Companies must make a record of all reports and retain them in accordance with local law, while keeping the identity of the whistleblower confidential (unless the whistleblower provides explicit consent to disclosing their identity).
Why can’t employers rely on a pan-EU harmonized approach?
The Directive grants discretion to Member States on various elements of the new rules. For example, Member States are free to determine the following:
- The scope of protected reports. The Directive protects whistleblowers who report suspected breaches of EU law, provided they had reasonable grounds to believe their information was true at the time of reporting and fell within the scope of the Directive. However, the EU encourages Member States to extend this protection to cover breaches of national law, and several countries have done so in their draft or enacted implementing legislation (e.g. the Czech Republic, Sweden, Romania, and Denmark).
- Sanctions for non-compliant companies must be “effective, dissuasive and proportionate,” but Member States must determine the applicable punishments. Any attempts to hinder reports, retaliate against, or breach the confidentiality of a whistleblower, or to bring vexatious claims against them will be subject to penalties.
- Third-party/external reporting authorities must now follow up on or investigate reports (previously many of these authorities were advisory in nature), but Member States will determine whether to introduce a single national body or sector-specific ones.
- Rules on anonymous reporting will be determined by Member States.
How are Member States addressing the legislation?
The progress of Member States’ legislation currently varies, with some parliaments discussing draft bills (e.g. Belgium) and others yet to introduce any. Specific examples are:
- Spain: parliament is debating a draft bill following an initial consultation period in which proposals were submitted. This bill will complement existing whistleblowing rules that apply to certain sectors, such as the financial services sector, regarding anti-money-laundering measures, and the Spanish Criminal Code’s provisions on compliance programs to limit criminal liability for legal entities.
- France: following a period of consultation, draft legislation was published in July 2021, and parliament will debate it in the coming weeks. French law already provided protection for whistleblowers who report breaches of national law or of an international treaty that has been ratified by France.
- The UK: post-Brexit, it does not have to follow the Directive, but it did commit to a ‘level playing field’ with the EU, so some strengthening of its existing whistleblower rules is expected – although this does not seem to be a priority for the government, and there are no concrete details yet on changes or timing. Nonetheless, some of the changes introduced by the Directive are similar to UK rules already in place in regulated sectors, such as financial services.
What initial practical steps should employers take?
The Directive will likely mean revisions to existing whistleblower or ethics hotline policies/mechanisms as well as related data protection and record retention practices. In some cases, companies may want to plan to modify and seek board approval for their Codes of Conduct to incorporate these developments. We suggest the following practical steps:
- For employers with a headcount of over 50 (or with one that will likely exceed 50 in the near future), take stock of current whistleblowing procedures in each of their EU jurisdictions and compare them with (i) the minimum requirements of the Directive and (ii) relevant national legislation, when published. This will be particularly crucial for employers with at least 250 workers, given the December 17, 2021 deadline.
- If significant changes to policies will be required, consider whether information/consultation procedures (i.e. with work councils, unions etc.) will be triggered, and whether there will be a need to provide specific training to those responsible for handling reports.
- US-listed multinationals operating compliance or ethics hotlines under Sarbanes-Oxley and listing rules, which have historically operated under significant restrictions in the EU due to local data protection laws, need to pay particular attention to the broadening of the scope of persons eligible to report, the number of reportable topics, the new time limits for responding to reports, and the likely changes in the approach to anonymity at the Member State level.
- For those US companies that have not yet rolled out or made their hotlines EU law compliant, now is the time to address this in order to build trust in their reporting mechanisms and maximize the effectiveness of such mechanisms as tools to prevent and address questionable behaviors and practices and to limit financial and reputational exposures.
- US private companies will need to consider whether they should implement a whistleblowing mechanism to the EU standard, where they previously had no obligation to do so under SOX.
- All companies must keep in mind that the collection and processing of whistleblower data raises data privacy and record retention issues, and in particular GDPR compliance requirements specific to the often sensitive nature of whistleblowing reports.