Whistleblowers are individuals who report or publicly disclose information on breaches of law, acquired in the context of their work-related activities, that threaten or harm the public interest.
In recent years, whistleblowers have played a key role in exposing and preventing such breaches. Nevertheless, their protection is very fragmented across EU Member States and across policy areas, leading to legal insecurity and risk of unequal treatment.
On 23 April 2018, the European Commission proposal outlined a set of common minimum standards to provide protection for persons reporting on breaches of Union law. Later, the Draft was amended to strengthen whistleblowers’ protection, and on 16 April 2019 the European Parliament adopted the provisional agreement with 591 votes in favour, 29 against, and 33 abstentions.
On 7 October 2019, the Council of the EU formally adopted the proposal, and on 26 November 2019 the Directive was published in the Official Journal . Member States have two years (till December 2021) to transpose the new rules into their national law.
Positive aspects of the Directive
The Directive aims at laying down common minimum standards providing for a high level of protection of persons reporting breaches of Union law (Art. 1 and Art. 2) that are harmful to the public interest.
Accordingly, the notion of breach includes abusive practices, namely acts or omissions which do not appear to be unlawful in formal terms, but defeat the object or the purpose of the law (Recital 42 and Art. 5).
Member States are free to extend and strengthen protection under national law regarding areas or acts not covered by the Directive. However, as national security remains the sole responsibility of each Member State, Art. 3 explicitly excludes protection for reports and disclosures of breaches on matters relating to defence, security, and classified information.
The Directive applies to a wide range of reporting persons, both in the public and private sectors (Art. 4), and not necessarily within the traditional employee-employer relationship; it is also extended to facilitators, colleagues, relatives, and legal entities linked to the reporting persons.
To enjoy protection, reporting persons should have reasonable grounds to believe that the matters reported by them are true and that such information falls within the scope of the Directive (Art. 6).
These requirements are essential safeguard against malicious and frivolous or abusive reports and, at the same time, ensure that protection is not lost where the reporting person reported inaccurate information on breaches by honest mistake (Recital 32).
Member States can decide whether to accept or not anonymous reports of breaches (as the Directive protects anonymity only if the whistleblower is later identified). The whistleblowers’ identity should be protected in most circumstances, and there are few and limited exceptions to confidentiality (Art. 6 and Art. 16).
As a general principle, information on breaches may be reported through the internal reporting channels and procedures (Artt. 7-9), but there is also the possibility to report externally (Artt. 11-13) and, under certain conditions, the Directive allows for public disclosure (Art. 15).
Member States should define procedures and designate the reporting channels or external authorities that are competent to receive, give feedback on, and follow up on reports. In particular, legal entities in the private sector with 50 or more employees and all legal entities in the public sector (except municipalities with fewer than 10,000 inhabitants or fewer than 50 employees) should establish channels and procedures for internal reporting and follow up (Art. 8 and Art. 9). It is worth mentioning that the Directive establishes an obligation to follow up on reports and provide feedback within a reasonable timeframe (in general, no more than three months).
Member States should take all necessary measures to prohibit any form of retaliation (including threats and attempts) against persons protected by the Directive. Furthermore, they should establish several measures of support, such as independent information and advice, legal and financial assistance, and psychological support (Art. 20).
Art. 21 of the Directive provides some measures for protecting whistleblowers against retaliation. Namely, reporting persons:
- should not be considered to have breached any restriction on disclosure of information and shall not incur liability, provided that they had reasonable grounds to believe that the reporting or public disclosure of such information was necessary for revealing a breach pursuant to the Directive;
- should not incur liability in respect of the acquisition of or access to the information which is reported or publicly disclosed, provided that such acquisition or access did not constitute a self-standing criminal offence.
Nevertheless, any other possible liability of reporting persons arising from acts or omissions which are unrelated to the reporting or public disclosure or which are not necessary for revealing a breach pursuant to this Directive shall continue to be governed by the applicable Union or national law.
Member States shall provide for effective, proportionate, and dissuasive penalties (Art. 23) applicable to persons who try to hinder or attempt to hinder reporting, retaliate (and bring vexatious proceedings) against reporting persons, or breach the duty of maintaining the confidentiality of the identity of reporting persons. Furthermore, penalties should also be provided for reporting persons that have knowingly reported or publicly disclosed false information.
Lastly, the Directive allows Member States to adopt stronger national whistleblower protection, and it should not constitute ground for a reduction in the level of protection already afforded by Member States (non-regression clause, Art. 25).
Dark sides of the Directive
Transparency International prepared an analysis with several recommendations for improvements. Main issues include:
1. The scope
- The material scope should include any matter of wrongdoing and potential harm to public interest, covering all breaches of EU and national law. Otherwise, there are some areas of EU and national law that are not covered by the Directive. Limiting the scope in this way would create gaps in the protection, and such uncertainty on its application would surely affect the whistleblowers’ willingness to report.
- The exclusion of reports and disclosures on matters relating to defense, security, and classified information should also be revised, and specific reporting schemes should be provided, in order to protect public order and national security.
2. Protection measures
- The protection of whistleblowers should be strengthened, and reporting mechanisms should be improved in order to avoid risk of unfair treatment.
- There should not be additional penalties for knowingly false reports or disclosure, as similar penalties are already provided by national defamation or criminal laws.
- Whistleblowers should be entitled to full reparation for all direct, indirect, and future consequences of any detriment, including financial and non financial remedies.
3. Reporting mechanisms
- Anonymous reports should be accepted too, as potential whistleblowers could refrain from reporting for the fear of negative consequences. Nowadays, there are several solutions to stay in contact with anonymous whistleblowers and Member States should encourage that, as otherwise serious wrongdoing could remain undetected.
- All entities in the public sector should be obliged to establish internal reporting mechanisms, and the foreseen exceptions should be removed in order to avoid gaps in whistleblower protection.
4. Effective implementation and enforcement
- There should be a national whistleblower authority in charge of monitoring the enforcement of the legislation, and penalties for breaches of Directive’s obligations should be established.