12 October 2021

EU Whistleblowing Directive: Changes And Challenges Facing Global Employers

Seyfarth Shaw LLP


The clock is ticking for global employers with staff in the EU to prepare for changes in reports made by EU whistleblowers. Employers need to determine how the Directive will be implemented in each of the EU's 27 Member States, and how this impacts their operations in the states in which they operate, as a 'one size fits all' approach may not suffice.

The December 17, 2021 deadline does not leave much time for employers to prepare, so below we have outlined what the Directive is changing, and the key things employers should remember and consider as they prepare.

What is changing?

Although Member States are implementing the Directive on a state-by-state basis via local legislation, each must impose minimum standards of protection for whistleblowers, specifically:

  • Companies with at least 50 workers will be required to set up internal reporting channels (such as a hotline or dedicated email address) and whistleblowing procedures to allow whistleblowers to make reports of suspected breaches of EU law. Companies that fail to do so will be subject to sanctions (see below).
  • Companies with at least 250 workers must introduce reporting channels and procedures by December 17, 2021. Companies with 50-249 workers have a deadline of December 17, 2023.
  • Reporting channels and procedures can no longer only apply to employees; they must also be available to job applicants, former employees, contractors, shareholders, board members, "facilitators" who help a whistleblower to make a report (e.g. an employee representative), and persons connected to the whistleblower (e.g. a colleague or relative) who are at risk of retaliation in a professional context.
  • After receiving a report, companies will have to acknowledge receipt within 7 days and provide feedback on the outcome within 3 months of the acknowledgement. Companies will therefore need to devote sufficient capabilities and resources to undertake efficient investigations without delay.
  • Companies must designate a specific person or department to take responsibility for investigating reports. Companies can encourage whistleblowers to make internal reports in the first instance, but it is ultimately the whistleblower's decision whether they do this or make an external report to a competent supervisory authority. Companies must assure all whistleblowers that they face no risk of retaliation.
  • Companies must make a record of all reports and retain them in accordance with local law, while keeping the identity of the whistleblower confidential (unless the whistleblower provides explicit consent to disclosing their identity).

Why can't employers rely on a pan-EU harmonized approach?

The Directive grants discretion to Member States on various elements of the new rules. For example, Member States are free to determine the following:

  • The Directive protects whistleblowers who make reports on suspected breaches of EU law, provided they had reasonable grounds to believe their information was true at the time of reporting and fell within the scope of the Directive. However, the EU encourages Member States to extend this protection to cover breaches of national law. Several countries have done so in their draft or actual implementing legislation (e.g. the Czech Republic, Sweden, Romania, and Denmark).
  • Sanctions for non-compliant companies must be "effective, dissuasive and proportionate," but Member States must determine the applicable punishments. Any attempts to hinder reports, retaliate against, or breach the confidentiality of a whistleblower, or to bring vexatious claims against them will be subject to penalties.
  • Third party/external reporting authorities must now follow up or investigate reports (previously many of these authorities were advisory in nature), but Member States will determine whether to introduce one national body, or sector-specific ones.
  • Rules on anonymous reporting will be determined by Member States.

How are Member States addressing the legislation?

Progress on Member States' legislation currently varies, with some parliaments discussing draft bills (e.g. Belgium) and others yet to introduce any. Specific examples are:

  • Spain: parliament is debating a draft bill following an initial consultation period in which proposals were submitted. This bill will complement existing whistleblowing rules that apply to certain sectors, such as the financial services sector, regarding anti-money-laundering measures, and the Spanish Criminal Code's provisions on compliance programs to limit criminal liability for legal entities.
  • France: following a period of consultation, draft legislation was published in July 2021, and parliament will debate it in the coming weeks. French law already provided protection for whistleblowers who report breaches of national law or of an international treaty that has been ratified by France.
  • The UK: does not have to follow the Directive, post-Brexit, but it did commit to a 'level playing field' with the EU, so some strengthening of its existing whistleblower rules is expected, although this does not seem to be a priority for the government, and there are no concrete details yet on changes or timing. Nonetheless, some of the changes implemented by the Directive are similar to some of the UK rules currently in place in regulated sectors, such as financial services.

What initial practical steps should employers take?  

The Directive will likely mean revisions to existing whistleblower or ethics hotline policies/mechanisms as well as related data protection and record retention practices. In some cases, companies may want to plan to modify and seek board approval for their Codes of Conduct to incorporate these developments. We suggest the following practical steps:

  • For employers with a headcount of over 50 (or with one that will likely exceed 50 in the near future), take stock of current whistleblowing procedures in each of their EU jurisdictions and compare them with (i) the minimum requirements of the Directive and (ii) relevant national legislation, when published. This will be particularly crucial for employers with at least 250 workers, given the December 17, 2021 deadline.
  • If significant changes to policies will be required, consider whether information/consultation procedures (i.e. with works councils, unions etc.) will be triggered, and whether there will be a need to provide specific training to those responsible for handling reports.
  • US-listed multinationals operating compliance or ethics hotlines under Sarbanes-Oxley and listing rules, which have historically operated under significant restrictions in the EU due to local data protection laws, need to pay particular attention to the broadening of the scope of persons eligible to report, the number of reportable topics, new time limits in which to respond to reports, and the likely changes in the approach to anonymity at the Member State level.
  • For those US companies that have not yet rolled out or made their hotlines EU law compliant, now is the time to address this in order to build trust in their reporting mechanisms and maximize the effectiveness of such mechanisms as tools to prevent and address questionable behaviors and practices and to limit financial and reputational exposures.
  • US private companies will need to consider whether they should implement a whistleblowing mechanism to the EU standard, where they previously had no obligation to do so under SOX.
  • All companies must keep in mind that collection and processing of whistleblower data implicates data privacy and record retention issues, and in particular, GDPR compliance requirements specific to the often sensitive nature of whistleblowing reports.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
