Whistleblower protection: ready for action?
EU Directive 2019/1937 of 23 October 2019
The European Whistleblowing Directive (the Directive) provides for the establishment of mandatory secure channels for reporting breaches of EU law and the protection of those who report breaches in a professional context.
On 4 May 2022, Deloitte Legal, Deloitte Risk Advisory and IBJ organized a joint event to highlight the main principles (Who? What? How? When?) and directly apply them to practice via case studies and whistleblowing tooling.
This blog highlights the main takeaways.
On 17 December 2021, the deadline to implement the Directive expired. Today, we are still awaiting formal legislation in Belgium. Employers should, however, already take action to prepare, as time is running short. Indeed, it could be argued that the direct effect of the Directive is debatable. In addition, a pre-draft Act for the private sector provides for the new rules to enter into force on the publication date for companies with 250+ employees (companies with fewer employees would have 2 more years to implement). Considering that the government aims to have the Act voted before summer, the pressure is on.
Protection of whistleblowers was needed to protect the welfare of society
Persons who work for a public or private organisation or are in contact with such an organisation in the context of their work-related activities are often the first to know about threats or harm to the public interest which arise in that context.
By reporting breaches of Union law that are harmful to the public interest, such persons act as ‘whistleblowers’ and thereby play a key role in exposing and preventing such breaches and in safeguarding the welfare of society. However, potential whistleblowers are often discouraged from reporting their concerns or suspicions for fear of retaliation. In this context, the importance of providing balanced and effective whistleblower protection is increasingly acknowledged at both Union and international level. The Directive aims to provide a common framework with minimum standards within the EU allowing such reports.
Not all breaches can be reported through the reporting channels
The Directive is limited to reports of breaches of EU law, breaches affecting the financial interest of the Union, and breaches relating to the internal market.
Breaches of EU law are defined as acts or omissions that (i) are unlawful and relate to the Union acts and areas falling within the material scope, or (ii) defeat the object or the purpose of the rules in the Union acts and areas falling within the material scope.
The following domains fall within the material scope: (i) public procurement; (ii) financial services, products and markets, and prevention of money laundering and terrorist financing; (iii) product safety and compliance; (iv) transport safety; (v) protection of the environment; (vi) radiation protection and nuclear safety; (vii) food and feed safety, animal health and welfare; (viii) public health; (ix) consumer protection; (x) protection of privacy and personal data, and security of network and information systems. In Belgium, the preliminary draft Act that is circulating also covers tax fraud or evasion and social fraud.
Companies with 50 or more employees must provide internal reporting channels
Breaches can be reported via internal reporting channels (set up by the company internally or externally), via an external reporting channel (governmental body) or via public disclosure (last resort).
All legal entities in the private sector with 50 or more employees are required to provide internal reporting channels. Similar rules exist in principle for legal entities in the public sector, as foreseen in the current draft Act for Flanders.
Such internal reporting channels must allow the report to be made in writing (online, by post) or orally (by telephone or voice message systems, or through a physical meeting).
Who can be coordinator of the internal reporting channel?
Upon receipt of a report, the company must acknowledge receipt within seven days. Thereafter, an "impartial person or department" must follow up on the report and provide feedback within three months of the acknowledgement. Failure to meet these deadlines gives the reporter the opportunity to benefit from protection as a reporter, even if he makes his complaint public.
The "impartial person or department" handling the complaint will often be someone with a compliance-related role. However, the company should be aware of potential conflicts of interest when appointing a coordinator or coordinators. The company can appoint one main coordinator with one or more back-ups should a conflict of interest occur (e.g. general counsel as main coordinator with internal auditor, CHRO or DPO as back-up). The coordinator can also be an external contact such as a lawyer or consultant. The in-house lawyer may not always be the easiest choice, because reports may involve the instructing officer of the lawyer. It may then be simpler to appoint another lawyer or consultant with whom ideally an agreement is signed to cover liability, confidentiality, GDPR and other relevant matters.
Who benefits from protection?
Reporters qualify for protection provided that: (i) they had reasonable grounds to believe that the information on breaches reported was true at the time of reporting and that such information fell within the material scope; and (ii) they reported correctly through one of the channels provided for in the Directive.
What kind of protection must be foreseen?
In addition to (and beyond) the duty of confidentiality for the persons handling the report, the reporter enjoys two types of protection, also after the end of the reporting procedure:
1. There is a ban on retaliation against the reporter. There may be no negative consequences for the reporter as a result of filing a report. The Directive mentions various examples: suspension, dismissal, negative performance evaluations, unequal treatment, financial loss, damage to reputation, and so on. According to sources, the Belgian preliminary draft Act would provide for compensation of 18 to 26 weeks of pay for reporters in case of e.g. dismissal as a result of the report.
2. The reporter has the right to have access to support measures. These measures include "full and independent information and advice" regarding these protections and procedures as well as (if provided for by Belgian law) financial assistance in the context of legal proceedings.
This protection also applies to third parties (natural or legal persons) associated with the reporters who may become victims of retaliation in a work-related context (e.g. colleagues or relatives, management companies of the reporters, the reporter's employer if an external organisation is involved, etc.).
The identity of the reporting person may not be disclosed to anyone beyond the authorised staff members competent to receive or follow up on reports, without the explicit consent of that person. This also applies to any other information from which the identity of the reporting person may be directly or indirectly deduced. The identity can only be disclosed where this is a necessary and proportionate obligation imposed by Union or national law in the context of investigations by national authorities or judicial proceedings, including with a view to safeguarding the rights of defence of the person concerned. According to the Belgian draft Act, anonymous reporting would be accepted.
The Directive emphasises that any processing of personal data must be carried out in accordance with the GDPR. In addition, the Directive contains a special obligation which is based on the principles of minimum data processing and storage limitation. It is crucial to consider the processing activities related to the handling of notifications as separate and new processing activities and to take the necessary steps to comply with the GDPR in this respect.
By way of closing remarks, we want to share the following guidelines:
- Make sure to implement appropriate internal reporting channels in due time as this is beneficial for everyone. Every company wants to avoid public disclosures of alleged breaches which can cause disrepute and wants to handle these reports internally.
- Provide clear information (policies) regarding whistleblowing (internal & external channels, rights & remedies, and so on) so that all internal staff are well informed.
- Provide the necessary training for the designated persons/departments so that they are aware of key points of attention and execute and/or coordinate the investigation in the most efficient and legitimate way.
- Consult with your (legal) advisors upon receiving a notification to determine the right approach and strategy.
- Do not underestimate the evidence and source(s) of the whistleblower. Maximize the collaboration with the whistleblower.
- Always consider the worst-case scenario when investigating reported breaches, in the sense that litigation is likely to follow, to ensure that legitimate and thorough evidence is collected.
- Manage the proportionality of your actions and consider legal privilege.
- Update your IT policies and consider the use of technology to investigate.
If you have any questions concerning the items in this newsflash, please get in touch with your usual Deloitte Legal - Lawyers contact at our office in Belgium or:
- Stijn Demeestere, email@example.com, +32 2 800 71 42
- Thomas De Donder, firstname.lastname@example.org, +32 2 800 70 54
- Glenn Hansen, email@example.com, +32 2 800 70 22
- Jürgen Egger, firstname.lastname@example.org, +32 2 800 70 53
For general inquiries, please contact:
- email@example.com, +32 2 800 70 00
Be sure to visit us at our website: http://www.deloittelegal.be
This article is brought to you by DeloitteLegal