The Italian Government has a new deadline to adopt the necessary legislation to implement Directive (EU) no. 2019/1937 concerning “the protection of persons who report Union law violations” (the “Directive”), since the December 17, 2021, deadline has been missed.
In particular, under Law no. 127/2022, which entered into force on September 10, 2022, the Parliament delegated the Government to adopt a legislative decree to implement the Directive.
The goal is to implement the Directive no later than December 10, 2022, in compliance with the following principles and criteria:
In the light of the above, the Italian Government will have to amend the current Law no. 179/2017, which regulates the protection of whistleblowers, in order to comply with the Directive. The main measures of the Directive to be implemented include the following:
All we have to do is to wait for the publication of the legislative decree implementing the Directive.
Whistleblowing is being redefined. The Legislative Decree implementing the EU Directive 2019/1937 “on the protection of persons who report Union law violations” (the “Directive”) is almost ready. It will bring significant changes compared to the rules that came into force in 2012 (Law 6 November 2012, no. 190) in the public sector and at the end of 2017 (Law 30 November 2017, no. 179) in the private sector.
◊◊◊◊
On 23 October 2019, the European Parliament and the Council adopted the Directive laying down “common minimum standards” to ensure adequate protection of whistleblowers in the Member States’ legal systems. The aim is to give consistency to heterogeneous or fragmented national regulations and enhance the value of this tool.
On 23 April 2021, Law no. 53/2021 (the European Delegation Law) was published in the Official Gazette. This Law consists of 29 articles containing delegated provisions for transposing European directives and adapting national legislation to certain EU regulations.
With this Law, the Parliament delegated the Government to adopt a legislative decree to implement the Directive. In art. 23 of the delegated law, it is stated that the Government, in the exercise of the delegation, must observe the following principles and directive criteria:
This rule will affect national regulations. The impact of the new European regulation seems to concern its extension more than its content. In the matters covered by the Directive, the protection of whistleblowers does not differentiate between the public and private sectors, as in Law no. 179/2017.
Having said this, let us go into detail on the main innovations introduced by the Directive.
The Directive better defines the reporting person, i.e. the individual who reports or discloses information on violations acquired in their work-related context.
This includes (i) self-employed persons working for a public or private sector entity, (ii) shareholders and members of the administrative, management or supervisory body of a company, including non-executive members, volunteers and paid and unpaid trainees, and (iii) any person working under the supervision and direction of contractors, subcontractors and suppliers.
The protective measures may be applied to colleagues or relatives of whistleblowers where there is a risk of retaliation at work due to the report.
The personal scope of application is broader than under Italian Law and, therefore, the list of protected whistleblowers should be reviewed in the light of the new European rules.
Unlike the current Law 179/2017, for the application of the protections provided in favour of the reporting person, it will not be necessary for the reports to be based on unlawful conduct, relevant under Legislative Decree no. 231/2001 and based on precise and concordant facts.
It will be sufficient that the reporting person had, at the time of reporting, reasonable grounds to believe that the information reported was accurate and that the report or public disclosure was necessary to bring to light a violation of public interest falling within the scope of the Decree. The reasons underlying the whistleblower’s report are considered irrelevant to their protection.
The Directive requires the establishment of internal reporting channels before reporting through external channels (i.e., reporting to the authorities designated by the Member States and relevant authorities at a European level), “where the breach can be effectively dealt with internally and the reporting person considers that there is no risk of retaliation.”
Companies with more than 50 employees, regardless of the nature of their activities, and legal entities in the public sector, including those owned or controlled by them, must have internal reporting channels. The exemption of small and medium-sized enterprises from this requirement does not apply to companies falling within the AML/CFT framework scope.
In addition, following an appropriate risk assessment, Member States may require companies with a smaller number of employees to establish internal reporting channels in some cases.
For public disclosures of wrongdoing, the Directive provides that the protection of the reporting person is triggered only if one of the following conditions is met:
The above-mentioned public disclosure (under certain conditions) is not reflected in Italian Law.
According to the Directive, Member States must ensure that the reporting person’s identity is not disclosed, without their explicit consent, to anyone other than the authorised personnel responsible for receiving or following up reports. This is without prejudice to specific exceptions. The same applies to any other information from which the reporting person’s identity can be deduced directly or indirectly.
Under the Directive, Member States must take the necessary measures to prohibit any form of retaliation against a whistleblower, including dismissal, change of job, reduction of salary or modification of working hours and imposition of disciplinary sanctions.
Data collection and processing shall be carried out under Regulation (EU) 2016/679 on the protection of personal data.
Personal data that is manifestly not useful for the processing of a specific report, according to the Directive, must not be collected or, if accidentally collected, must be deleted without delay.
According to the Directive, heavy sanctions should be applied to those who obstruct reporting persons. Sanctions should also be imposed on those who publicly report or disclose information about violations that they know to be false.
◊◊◊◊
All that remains is to wait for the publication in the Official Gazette of the Legislative Decree transposing the Directive.
Other related insights:
With Decision No. 17 of 23 January 2020, the Italian Data Protection Authority imposed a sanction on an Italian University for failing to properly protect the confidentiality of the identification data of two persons (the whistleblowers) who had reported possible unlawful behaviour. In doing so, the Authority stressed that the Employer, as the “Controller” (pursuant to Article 4 of Regulation EU 2016/679, hereinafter the “GDPR”), is obliged to implement technical and organisational measures suitable to ensure the protection of the personal data processed (cf. Newsletter of the Italian Data Protection Authority No. 462 of 18 February 2020).
In particular, at the time of the facts, the University had chosen a technological solution to meet its obligation to properly protect employees who report unlawful behaviour in the working environment (so-called “whistleblowing”, introduced into the Italian legal system with Legislative Decree No. 165 of 30 March 2001). To protect the capture and management of all reports of offences, the University used a software platform supplied by a third party outside the University’s organisation.
During a change and concurrent update of the software platform, access credentials were overwritten, which exposed the personal data of the two whistleblowers on some browsers, where they were accessible and viewable by anyone searching the Internet.
As a result, the University notified the Italian Data Protection Authority of the data breach, reporting that the common personal data of the two whistleblowers had spread on the public web, to the extent that they could potentially be consulted by anyone.
The investigation carried out by the Italian Data Protection Authority found that the University had not adopted proper technical and organisational measures aimed at ensuring “the security and confidentiality needs typical of data management within whistleblowing procedures”; moreover, the University had failed to define a correct access control procedure, which should have limited data processing to authorised staff.
Indeed, the University had merely adopted the security measures chosen by the software supplier. Those measures, however, were neither suitable nor adequate, since they did not include measures such as encryption or the adoption of a secure communication protocol for information. This allowed the confidentiality and integrity of the personal data processed to be infringed, and led to the data being improperly stored and accessible.
In particular, the Italian Data Protection Authority held that “As regards the application at issue, in light of the nature, the scope and the aim of the processing, as well as of the high risk for the rights and freedoms of the whistleblowers, the solution adopted by the University can in no way be deemed a technical measure fit to ensure the confidentiality and the integrity of the data processed as well as the authenticity of the website used by the users both as a whistleblowing channel (employees, students, etc.) and as a tool for managing any whistleblowing (Head of Corruption Prevention and of Transparency, i.e. RPCT and the respective collaborators, if any)”.
On 26 November 2019, Directive of the European Parliament and Council no. 2019/1937, dated 23 October 2019, concerning the protection of individuals who report breaches of EU law (that is, whistleblowing), was published in the Official Journal of the European Union. Of particular importance are the following provisions of the Directive:
– the creation of secure reporting channels. In fact, it provides for the obligation of creating reporting channels within both public or private organisations with over 50 employees and within municipalities with over 10,000 inhabitants (Article 8);
– a wide range of individuals protected by the Directive who are given the opportunity to make reports: (i) employees pursuant to Article 45, paragraph 1, of the Treaty on the Functioning of the European Union, including civil servants; (ii) self-employed workers pursuant to Article 49 of the Treaty on the Functioning of the European Union; (iii) civil servants, shareholders and members of the administrative, management or supervisory body of a company (including non-executive directors); (iv) paid and unpaid volunteers and trainees; (v) any person who works under the supervision and management of contractors, subcontractors and suppliers; (vi) reporting persons, if they report or disclose information on breaches obtained in the context of an employment contract that has since terminated; (vii) reporting persons whose employment contract has not yet started, in cases in which information concerning a breach has been obtained during the selection process or other stages of the pre-contractual negotiations (Article 4);
– the support and protection measures 1) of facilitators, 2) of third parties associated with the whistleblower who could risk retaliation in a work context (e.g. colleagues or relatives of the whistleblower), 3) of the legal entities pertaining to the whistleblower, for whom he works or with which he is otherwise associated in an employment context (Article 4). This concerns individuals who could also be subject to so-called “indirect retaliation”, which takes place, for example, by “cancelling the provision of services, blacklisting or boycotting”;
– a hierarchy of reporting channels, prioritising and encouraging reporting via internal channels and then resorting to external channels, which the public authorities are required to set up (Articles 7 and 8);
– the provision of a response deadline not exceeding 3 months as of the date of acknowledgement of receipt of the report, or, if no notification has been sent to the reporting person, three months as of the expiry of the seven-day deadline from the making of the report (Article 9);
– the scope of application of the new EU rules on whistleblowing to protect informants who also reveal breaches a) in sectors such as that of public procurement, services, products and financial markets; b) in the prevention of money laundering and terrorist financing; c) in product safety and compliance; d) in transport safety; e) in environmental protection; f) in nuclear radiation protection and safety; g) in food and animal feed safety and in the health and well-being of animals; h) in the protection of public health;
– the reversal of the burden of proof on individuals who adopted damaging measures in judicial proceedings (Article 21);
– exemption from liability due to the disclosure of information for the whistleblower (Article 21).
The purposes expressly provided for by the Directive are to guarantee effective protection of:
– “informants” and, therefore, the categories of individuals who “although not dependent on their work activities from an economic point of view, still risk being subject to retaliation for having reported breaches. The forms of retaliation against paid or unpaid volunteers and trainees include: no longer using their services, giving them negative job references, otherwise damaging their reputation or career prospects”;
– “facilitators, work colleagues or relatives of the reporting person who are under an employment contract with the reporting person’s employer or a customer of the latter or a recipient of the services of the latter”;
– trade union representatives or labour representatives if (i) they personally make a report as employees; (ii) they provide the whistleblower with advice and support.