By Florina Thenmayer and Lisa Kulmer
Once seen as an overreach, Directive (EU) 2019/1937 may soon become the new global standard of worker protections.
At the end of 2021, a significant transformation swept through the European Union (EU) corporate landscape with the emergence of the Directive (EU) 2019/1937 or the “Whistleblowing Directive.” The groundbreaking legislation was a clarion call for change by ensuring minimum standards of protection for whistleblowers across the EU. In its initial 2019 rollout, the Directive was more lenient towards private sector entities with fewer than 250 employees, granting them an additional two-year grace period to embrace the Directive’s requirements which included an internal reporting channel for whistleblowing. While some EU member states still were struggling to implement all aspects of the Directive in 2023, it is safe to say that by 2024, the Directive (EU) 2019/1937 will be in effect across the EU member states, shaping a more transparent, accountable, and ethically sound future for businesses across the continent.
In fact, because of the significant position of the EU as a global player and the scope of the Directive, many members of the World Services Group (WSG) Employment and Labor Industry Group have predicted that the EU Whistleblowing Protection guidance will soon become the global standard for all international business. With all that said, if you do not think these new EU regulations will impact you and your clients, we encourage you to read on.
The Directive applies to private and public employers and every class of worker.
The scope of the new Directive extends to employers with a workforce of 50 or more, specific sectors (e.g., the financial sector), or municipalities with more than 10,000 inhabitants. The Directive’s provisions cast a wide net, encompassing not only employees but also consultants, contractors, suppliers, board members, shareholders, volunteers, unpaid trainees, and even job applicants. Remarkably, this Directive’s reach extends beyond the confines of direct employment, enveloping individuals who may not be official employees of the organization. Additionally, the Directive covers work colleagues and family members who may assist a whistleblower, provided that these individuals could also suffer retaliation in a work-related context. The new guidance ensures that whistleblowers who report breaches of EU law will be protected from suspension, demotion, dismissal, and other forms of discrimination and harassment.
The burden of proof is on the employer, not the whistleblower.
Unlike other international whistleblower protection regimes, such as those afforded to whistleblowers in Great Britain and the US, the EU Directive places the burden on employers to prove that retaliation did not occur. Before the Directive, when an employee enforced their whistleblower rights, they often faced a challenging disparity in legal and financial resources. Employers could justify their actions more easily, even when accused of retaliation. Given the lack of specific protection, it was even more difficult for whistleblowers to access evidence to prove otherwise.
The Directive is a game-changer for whistleblowers because it introduces a reversed burden of proof. That means employees are only required to establish their engagement in protected conduct or speech at the time when the alleged retaliation occurred. The onus then shifts to the employer, demanding that they substantiate the neutrality of their actions, demonstrating an absence of any connection between the protected conduct and the subsequent measures taken against the whistleblower. However, employers are well advised to carefully review the specific implementation of the Directive in the relevant member state.
Retaliation is very broadly defined in the EU Directive.
“Retaliation” as defined in Article 19 includes “loss of business and loss of income” and “failure to renew a temporary employment contract.” Member states must prohibit any form of retaliation including damage to reputation, demotion, dismissal, negative appraisal, intimidation, suspension, or transfer.
Whistleblowers can face dire consequences when they report wrongdoing, and that’s why the anti-retaliation requirements within the EU Whistleblower Directive are a crucial – and necessary – step for companies. Does your company’s whistleblower retaliation strategy meet (and even exceed) the requirements of the EU Whistleblower Protection Directive?
Whistleblowers can report directly to government bodies without going through internal reporting channels first.
One of the first things many employees do when they suspect fraud or misconduct is to report the incident to a company supervisor or compliance team. Many companies also advertise internal hotlines where people can report the incidents. While internal reporting is the preferred way under the EU Directive, an accuser does not necessarily have to raise allegations within the company first, especially if the breach cannot be effectively addressed internally and where the reporting person considers that there is a risk of retaliation.
Under the EU Directive, employees may take their complaints directly to an authority designated by their local government or member state government, pursuant to that government’s internal rules, which cannot be less stringent than the EU Directive. This is a significant departure from both UK and US whistleblower regulations. In most cases, whether the report is made to a company or government entity, both have three months to investigate the complaint and respond to the whistleblower. Government entities may have six months to investigate allegations for “duly justified” cases. It is up to individual member states to determine whether they will permit anonymous whistleblower reports.
If you do business in the EU, this Directive applies to your company.
While individual member states retain the flexibility to expand the policy areas covered by the Directive, its current scope is already quite extensive, albeit limited to EU law and does not cover, for example, violations of labor law provisions, which in practice are quite often subject of whistleblower reports. For private employers, the current rules cover protection of privacy and personal data, animal health and welfare, antitrust, consumer protection, financial markets, services and products, food and product safety, public health, protection of the environment, prevention of money laundering and terrorist financing, nuclear safety, public procurement and transportation safety.
Perhaps most challenging for international companies doing business in the EU, the Whistleblowing Directive also applies to EU data protection regulations (GDPR) and was drafted to work in tandem with the GDPR —an arena that many international companies are already struggling to comply with. Given this broad and comprehensive list, member states are likely to adopt an even broader general definition of whistleblowing for simplicity’s sake, while at the same time extending protections beyond the original intent of the Directive.
What’s Next? Get prepared.
Whether you are a true believer in instituting an international culture of compliance or lean towards a strategic approach relying on accountability and a robust defense, procrastination is not your ally. It is imperative to establish an internal investigation protocol. Create precise and detailed job descriptions and delineate the responsibilities of key personnel in human resources, audit, compliance, and loss prevention – those who will oversee the compliance with the EU Whistleblowing Directive. Provide appropriate avenues for employees to report misconduct, such as web-based, phone-based, and in-person systems. Conduct comprehensive executive-level training for corporate officials, managers, and line supervisors.
Any seasoned human resource professional knows the mantra well: document, document, document. However, it is crucial to underscore that all documentation must align with GDPR data protection protocols, a topic we will address. Having appropriate documentation early in the disciplinary process can be a vital safeguard, demonstrating that any subsequent actions taken against the individual are unrelated to whistleblowing activities. As employers work through this new regulatory regime, they may see well-timed and conceivably indisputable whistleblowing reports from employees attempting to insulate themselves from discharge, which is why having on-the-ground legal counsel will be crucial.
The implications of the EU Whistleblowing Directive and its intricate implementation within specific jurisdictions present a tangible concern, particularly given the pivotal shift in the burden of proof. To aid businesses with navigating this complex landscape, the World Services Group recently published a valuable resource – a comprehensive, free guide to the EU Whistleblowing Directive. This guide features contact information for legal experts situated in EU jurisdiction, poised to address your legal inquiries and concerns.
You have your internal protocols ready to go, now what? Watch out for GDPR data compliance.
While this article is not intended as a comprehensive guide to GDPR compliance, it is worth mentioning again that this aspect of compliance with the EU Whistleblower Directive may be one of the most challenging. This article only addresses a few issues to keep in mind as you create your own whistleblower internal reporting systems.
Hotlines for reporting incidents must comply with GDPR compliance requirements. Even if your company uses an outside contractor to manage your hotline, you must ensure that the contractor follows GDPR guidelines. Hotlines must have appropriate technical and organizational measures that meet the reporting requirements of GDPR and ensure the protection of data subject’s rights.
Reports and Investigations
Companies with 50 or more employees operating in the EU have specific obligations to set up whistleblowing reporting systems. Establish internal procedures and controls to handle whistleblower reports confidently and confidentially. Any data related to whistleblower reports should not be retained any longer than necessary to comply with the EU Directive, other EU requirements such as GDPR, or national law of the member states.
If a whistleblower report is made to or investigated by a person or entity outside the EU, or if the results of the investigation are shared with a person or entity outside the EU, GDPR protocols must be followed. From a practical perspective, non-EU companies may wish to decentralize some of their human resources functions and collect and process all whistleblower actions at their location(s) within the EU.
Whether or not you choose to take this course of action, there will always be a GDPR tension between the rights of the whistleblower, and the rights of the target over information about the allegation.
To date, the Directive has garnered minimal attention from the media, yet it signifies a pivotal transformation in the way EU enterprises manage their internal operations. It exerts a profound influence on how non-EU companies and international companies with EU subsidiaries or local EU offices do business in the EU.
If your company has not already taken steps to come into compliance with Directive (EU) 2019/1937, do not hesitate to reach out to any of the attorneys who helped create the World Services Group free guide to the EU Whistleblower Directive. With a little advice and a lot of patience, we can all look forward to better corporate governance, greater accountability, and a better quality of life for all workers.
About the Authors
Florina Thenmayer (l) is a Member of World Services Group’s (WSG) Employment and Labor Industry Group and was instrumental in the creation of WSG’s European Whistleblower Report, which offers country-by-country updates on minimum standards of protection for whistleblowers across the EU. She is a principal associate with the DORDA law firm located in Vienna, Austria, and specializes in complex international M&A transactions and the cross-border deployment of the workforce .Lisa Kulmer (r), also a Member of WSG’s Employment and Labor Industry Group, provides essential guidance for implementing whistleblowing systems and offers expert counsel on the necessary procedures and employee protection in the event of a report. As principal associate at the DORDA law firm in Vienna, Austria, she specializes in advising on works council participation rights as well as providing guidance and enforcing restrictive covenants. #FlorinaThenmayer #LisaKulmer #whistleblower #directive #protection #EU #corporategovernance