The European Parliament announced, on 16 April 2019, that it had approved the draft Directive on the Protection of Persons Reporting on Breaches of Union Law (‘the Draft Whistleblowing Directive’). The Draft Whistleblowing Directive aims to provide EU-wide standards on the protection of whistleblowers that report breaches of EU law in areas including financial services, money laundering, public health, consumer and data protection. Furthermore, the Draft Whistleblowing Directive intends to set out rules relating to internal and external reporting channels, as well as introduce safeguards preventing whistleblowers from facing retaliation.
Michael Huertas, Partner at Dentons Frankfurt, told DataGuidance, ”The Draft Whistleblowing Directive has been overwhelmingly endorsed by the European Parliament [and] it is now expected to be approved by the Consilium. After publication in the Official Journal of the European Union, both the ten EU jurisdictions that already have a whistleblowing regime in place as well as the remaining 17 that need to introduce [whistleblowing] measures will be required to comply with these new rules, along with financial services firms operating in those jurisdictions. [Furthermore, the Draft Whistleblowing Directive] is supposed to strengthen whistleblowing as a valuable detection and compliance mechanism. For financial services [it is] time to prepare for compliance as the definition of a ‘whistleblower’ is broad, thus companies will need to handle reports from not only employees but also shareholders, interns, volunteers and the self-employed. This potentially opens an entire new range of persons who may want to report and a range of regulatory/litigation risks.”
The preamble of the Draft Whistleblowing Directive clarifies that by introducing EU-wide measures regulating whistleblowing, it seeks to establish common minimum standards ensuring effective whistleblower protection across all the Member States, as well as different policy areas. Furthermore, the Draft Whistleblowing Directive aims to complement sector-specific EU rules that already regulate whistleblowing, in particular in the area of financial services, to be fully aligned with the proposed minimum standards.
The Draft Whistleblowing Directive’s rules will apply to all employers as far as protection against retaliation is concerned
Huertas continued, ”For financial services, where whistleblowing measures are more prevalent due to [already] existing requirements, the Draft Whistleblowing Directive pushes the scope of existing coverage much further by extending to most sectors of financial markets […] and also includes areas ranging from public procurement to breaches or avoidance of corporate tax. [Moreover,] the Draft Whistleblowing Directive’s rules will apply to all employers as far as protection against retaliation is concerned […] Additionally, enterprises with at least 50 employees […] will be required to set up internal processes for whistleblower reporting. [In particular, whilst] the €10 million threshold was taken out, the exemption for small and micro undertakings to not establish internal reporting channels still applies (see amended Recital 49 and 50, where no changes were made which give context on Article 8(3)). A micro undertaking is defined by the EU loosely as [an undertaking having] fewer than 10 employees and an annual turnover or balance sheet below €2 million, and a small enterprise as fewer than 50 employees and an annual turnover or balance sheet below €10 million. This means that the upper threshold by which that exemption ceases to apply, unless such entities are regulated entities otherwise caught by the scope of thematic areas of the Whistleblowing Directive, would be €10 million. [Nonetheless,] the obligation to set up such reporting mechanisms and channels for whistleblowers will apply to all financial services firms and firms vulnerable to money laundering or terrorist financing, irrespective of their size or turnover.”
To ensure protection of whistleblowers, the Draft Whistleblowing Directive obliges Member States to provide effective, proportionate and dissuasive penalties, which may be imposed on individuals or organisations that hinder reporting, take retaliatory measures, start vexatious proceedings against the whistleblower, or breach the confidentiality of their identity. Furthermore, the Draft Whistleblowing Directive imposes a requirement on Member States to introduce penalties applicable to whistleblowers who knowingly make false reports or false public disclosures.
Huertas concluded, ”The Draft Whistleblowing Directive is perhaps much more ambitious in terms of coverage, but it is also pragmatic in terms of compliance standards […] The impact of the new rules is nevertheless likely to be high […] For financial services firms, the immediate practical priority to operationalise compliance is likely to mean updating internal guidelines and policies coupled with other whistleblowing channels and procedures. [Further, this will also require] conducting self-assessment risk reports to gauge where a firms’ conduct may lead to new risks from whistleblowing reports, or incorrect compliance with the rules inasmuch as class-action risks that could arise from the EU’s ongoing work in finalising a new regulatory regime, similar to the Draft Whistleblowing Directive, on class/collective action.”
WERONIKA NATALIA BŁASZCZYK Privacy Analyst
Clarification: On 1 May 2019, this article was amended to provide greater clarity to the thresholds applicable regarding the obligation to establish internal channels under paragraph 4.