On December 16, 2019, the EU passed the Whistleblower Protection Directive (Directive), which implements minimum standards of protection for whistleblowers across the EU who report breaches of EU law. For a general overview of the Directive and what it covers, please refer to our June 3, 2021, client alert “Blowing the Whistle: Protections Under EU Law.”
When the EU passed the Directive, the clock started running on a two-year deadline (i.e., December 17, 2021) for member states to transpose the Directive into national law. With the deadline for implementation approaching, many member states have yet to implement the Directive into national legislation.
Companies operating across the EU are currently in the unsatisfactory and confusing position of trying to comply with the Directive without the clarity and specifics of national legislation and guidance. This confusion has been exacerbated in 2021 by the European Commission’s (EC’s) interpretation of certain requirements of the Directive, particularly with respect to the permissibility of group reporting structures for subsidiaries of large corporations. Despite this lag in national level implementation, companies should not delay in taking steps to ensure internal policies and procedures comply with the Directive.
We set out below the key aspects of the Directive that have been a cause for debate in recent months and some practical steps companies can consider, even if the member states in which they operate have not yet implemented the Directive.
Key Aspects of the Directive: What Companies Should Look Out For
The Directive provides minimum standards of protection that member states are required to implement for whistleblowers, but countries also have the flexibility to impose additional requirements if they choose to do so. At the time of writing, whether any member states will expand and further specify protections beyond the requirements of the Directive is unclear, but a “gold standard” could emerge in some countries and then be emulated in others. For example, Germany’s draft bill extends protection to cover whistleblower reports relating to both EU and national law; designing the Directive and national law to mirror each other confers the advantage of consistency.
As companies wait to see the extent to which member states take varying approaches to requirements in the Directive, three key areas of the Directive have been the subject of debate.
The Directive obliges companies with 50 or more employees to establish internal reporting channels to allow whistleblowers to submit a report (either in writing or orally), while ensuring that the identity of the whistleblower is kept confidential. The Directive permits companies with 50 to 249 employees to share resources (i.e., global reporting channels), but the EC has made clear in statements published on June 2, 2021, and June 29, 2021, that the Directive requires larger companies, including group subsidiaries, to also implement local reporting channels. The EC has taken this approach to ensure proximity between the whistleblower and reporting channel.
This interpretation of the Directive has been criticized as impractical, and may create new challenges for parent companies seeking to handle whistleblower reports at a local level where a whistleblower wants the matter handled locally, or does not consent to information being shared outside of the subsidiary-level team handling the report.
Numerous multinational corporations have raised concerns, both at an EU and a member state level, about the requirement for local-level reporting channels. For example, as a result of lobbying in Denmark, the Danish government amended its legislation to permit group reporting channels for larger companies, while reserving the right of the Danish Ministry of Justice to amend the legislation if it is found to be contrary to the EC’s interpretation and approaches taken by other member states. In contrast, in Sweden, the implementing legislation requires companies with over 250 employees to establish local reporting channels by July 17, 2022.
At the time of writing, there is no member state consensus on this point. The only flexibility that the EC has shown is to make clear that the Directive does not prevent large corporations from using centralized reporting channels, as long as reporting channels exist at a subsidiary level. Until a consistent position is established across member states, companies should take a risk-based approach by ensuring reports can be made through both local and group channels that are linked and coordinated.
Relatedly, the Directive provides whistleblowers with the right to make a report externally to a designated national authority, regardless of whether or not they have first made an internal report. Notably, an employee who feels disadvantaged by the absence of a local reporting channel could take a complaint to the national authority in the first instance, which would prevent the company from having the opportunity to first review and investigate the report.
The Directive prohibits all forms of retaliation against whistleblowers, which is interpreted broadly to include not only suspension, demotion and transfer of duties, but also causing harm (whether reputational or financial) to a whistleblower, failing to convert a temporary employment contract into a permanent one where the employee had legitimate expectations of a permanent offer, and even unfounded psychiatric or medical referrals.
If an individual meets the conditions for protection under the Directive and experiences retaliation, the burden shifts to the employer allegedly responsible for the retaliation to prove that the measures taken were justified and unconnected to the whistleblower’s complaint. This is a significant change from current regimes at a member state level, many of which do not provide comparable levels of protection for employees of private companies or impose the reversed burden of proof on the employer. Prior to enactment of the Directive, only eight member states had existing legislation that provided for a reversed burden of proof. The requirements of the Directive in this regard will be a profound change for many organizations.
The Directive does not address the level of financial penalty that enforcers can impose on companies or individuals who fail to comply with the law. This contrasts with other EU regulations, such as the General Data Protection Regulation, which imposes financial penalties linked to a company’s turnover. Instead, the Directive requires member states to transpose into national legislation effective, proportionate and dissuasive penalties for: hindering or attempting to hinder reporting, retaliation against whistleblowers, bringing vexatious proceedings against whistleblowers or breaching the duty of confidentiality owed to whistleblowers. Additionally, the Directive requires member states to establish laws to set penalties for false reports made by whistleblowers either internally or publicly that result in damage.
A consistent position among member states with respect to the level and type of penalties for noncompliance with the Directive has not yet emerged. For example, Poland’s draft legislation allows for fines or imprisonment for up to three years. The Czech Republic is considering maximum fines of approximately €40,000 or 5% of net turnover if an employer fails to prevent retaliation, while the Netherlands is considering penalties of up to €21,750 or imprisonment for breaches of confidentiality. While the ceiling for fines under the Directive is not yet clear, as a comparison scenario, the courts in the U.K. do not cap damages available in employment claims made by whistleblowers.
The Current State of Implementation
As stated above, implementation of the Directive by member states has been slow. Some countries, such as France and Ireland, have started preparing and obtaining approval of draft legislation, while other countries, such as Hungary, Italy and Luxembourg, have reported little to no progress. The U.K., having left the EU, is not required to implement the Directive, but all companies with operations in the EU will want to ensure they are compliant.
Although the majority of member states have not yet implemented the Directive, companies should take steps now to ensure they are compliant. Companies should consider these five practical steps:
- Monitoring of legislative standards: Companies should monitor national implementation of the Directive to ensure company policies and procedures reflect the requirements of national legislation, with a particular focus on the areas where there is scope for differentiation.
- Review of policies and procedures: Multinational corporations operating in the EU should review their current whistleblowing arrangements and assess whether those are compliant with the Directive. Companies should conduct a risk assessment and map current policies and procedures against the requirements of the Directive to identify and address any gaps. Addressing varying standards imposed in each member state in its policies and procedures may be impractical for a company. Instead, companies operating across the EU may find it more appropriate to implement a benchmark that complies with the Directive and adopt that on a global basis. Companies should monitor whether member states impose a higher standard, and consider then applying that standard globally to avoid administrative challenges. Organizations should also make sure that policies provide for appropriate record management to ensure evidence is available if a company needs to prove that it did not retaliate against a whistleblower.
- Review of investigative and escalation procedures: Connected to the review of whistleblower policies and procedures, companies should ensure that internal investigative and escalation procedures are equipped and prepared to handle whistleblower reports, and that relevant teams are aware of the new requirements in the Directive regarding the timing and handling of whistleblower reports.
- Assessment of reporting channels: Given the EC’s current interpretation of the Directive, companies should assess whether updates to reporting channels are required to provide both global and local reporting. If reporting is handled through both global and local channels, company policies and procedures should provide a coordinated approach between group entities for investigating and handling complaints.
- Communication: Companies should deliver clear messaging to employees about the new requirements and any updates to policies and procedures and conduct training to effectively embed whistleblower procedures within their organizations.
It is important that the lack of progress made by member states in the implementation of the Directive and the confusion that has arisen as a result of the debate related to certain requirements (e.g., reporting channels) do not hamper an organization’s efforts to comply with the Directive. By taking practical steps now, organizations can help demonstrate that they are taking proportionate actions to comply with the Directive, even in circumstances where the member state position is not yet clear.
Trainee solicitor Kiara Kottegoda contributed to this article.
This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.