Following the resolution of the EU Parliament dated 24 October 2017, aimed at adopting a Directive on whistleblowing, the Committee, on 23 April 2018, formulated a text proposal, which was approved by the Committee on Legal Affairs of the European Parliament on 20 November 2018.
Upon approval, the Directive would provide Member States time until 15 May 2021 to adopt it.
Let’s review in details some of the main new developments.
Internal and external reporting
The draft Directive in Chapters II and III regulates “Internal Communications” and “External Communications” respectively.
The provisions concerning “internal” reporting apply exclusively to companies with more than 50 employees, a turnover of more than 10 million or whenever they operate in the financial services sector or are exposed to offenses such as money laundering and terrorism.
Follow-up Procedure
The Directive regulates the “follow-up procedure”, which means the action taken by the recipient of the report – internal or external – in order to assess the existence of the reported facts and, if necessary, to resolve the alleged breach (including actions such as internal investigation, inspections, prosecution, or that for the recovery of funds, and/or, finally, its archiving).
The follow-up and feedback to the aforementioned procedure should take place within a reasonable time, given the need to quickly address the problem that could be the subject-matter of the report, as well as in order to prevent unnecessary disclosure.
This time period should not exceed 3 months, but could be extended to 6 months, if justified by the specific circumstances of the case, and in particular by the nature and complexity of the subject-matter of the report, which could require lengthy investigations.
Material Application Context
Article 1 of the draft Directive establishes that it applies to all breaches (and therefore reports) that may take place in sensitive contexts according to “EU legislation”, such as: (i) public procurement; (ii) financial services, prevention of money laundering and terrorism financing; (iii) product safety; (iv) transport safety; (v) environmental protection; (vi) nuclear safety; (vii) food and feed safety and animal health and welfare; (viii) public health; (ix) consumer protection; (x) private life protection and personal data protection and network and information system security.
Personal Application Context
Article 2 calls for the Directive to be applied to (i) all parties with the qualification of worker pursuant to Article 45 of TFEU, as well as (ii) all parties with the qualification of self-employed workers pursuant to Article 49 of TFEU or, again, (iii) shareholders and members of the governing body of a company, including non-executive members, volunteers and unpaid trainees, as well as, then, (iv) anyone working under the supervision and direction of contractors, subcontractors and suppliers.
In addition, the Directive applies to reporting parties whose employment relationship had not yet started, if the information concerning a breach was acquired during the selection process or other stages of pre-contractual negotiations.
Prohibition of retaliation against reporting persons and protection measures
Article 14 of the Directive requires that all necessary measures must be taken to prohibit any form of retaliation, whether direct or indirect, against reporting persons meeting. For example: (i) dismissal, suspension or equivalent measures; (ii) demotion or withholding of promotion; (iii) transfer of duties, change of location of place of work, reduction in wages, change in working hours; (iv) withholding of training; (v) negative performance assessment or employment reference; (vi) the imposition of disciplinary measures; (vii) discrimination, disadvantage or unfair treatment; (viii) non-conversion of a fixed-term employment agreement into a open-term employment agreement; (ix) blacklisting; and (x) cancellation of a licence or permit.
Article 15 of the Directive, titled “Measures for the protection of reporting persons against retaliation”, establishes that:
– comprehensive and independent information and advice shall be easily accessible to the public, free of charge, on procedures and remedies available on protection against retaliation, and
– reporting persons cannot be held liable for breaching any restrictions on the disclosure of information imposed by contract or by law, nor may they incur liability of any kind in respect of such disclosure.
In judicial proceedings relating to a detriment suffered by the reporting person, it shall be for the person who has taken the retaliatory measure to prove that the detriment was not a consequence of the report but was exclusively based on duly justified grounds.
Finally, reporting persons shall have access to remedial measures against retaliation as appropriate, including interim relief pending the resolution of legal proceedings.
Reference to the GDPR
Lastly, it is to be noted that in various articles (10 and 18) – as well as in the Recitals (58 and 79) – of the draft Directive, express reference is made to the GDPR, from which the concept of “by design” seems to be borrowed, with regard to the design of the reporting channels. This is because they must be implemented in such a way as to guarantee (i) completeness, (ii) integrity and (iii) confidentiality of the information (Art. 7).