On the 23 October 2019, the European Parliament and of the Council of the European Union has adopted the Directive 2019/1937 on the Protection of Persons Who Report Breaches of Union Law - EU Whistleblower Directive, herewith referred to as "the Directive", with the aim to lay down common minimum standards across the EU for protection of people reporting a breach and ensuring a harmonized framework at national level.

The Council of Europe has recommended that member states should have in place "a normative, institutional and judicial framework to protect individuals who, in the context of their work-based relationship, report or disclose information on threats or harm to the public interest". Currently, the European Commission notes that only ten of its member states have a comprehensive legislative framework, namely, France, Hungary, Ireland, Italy, Lithuania, Malta, the Netherlands, Slovakia, Sweden and the UK, making the whistle-blower protection accords EU uneven. In the case of Cyprus, the Ministry of Justice and Public Order is in the process of drafting the relevant proposed bill. Nevertheless, Cyprus Law indeed provides some kind of protection in the fields of the civil service, competition law, termination of employment, corruption and bribery offences, without however having established reporting channels.

Given the frequency of discrimination and intimidation encountered by whistleblowers, and the fact that persons who work for the public or private industries are often the first to know about possible threats for the public interest, the Directive is intended to offer protection to such persons for reporting breaches.

The Directive aims to lay down common minimum standards across the EU for protection of people reporting a breach and ensuring a harmonized framework at national level.

There are several reporting categories protected by the Directive, including public procurement, financial services, products and markets, prevention of money laundering and terrorist financing, product safety and compliance, consumer protection, public health, protection of the environment, animal welfare, transport safety, the security of network and information systems, data privacy, as well as breaches affecting the financial interests of the Union related to the internal market including breaches of EU competition and state aid rules.

The aforementioned protection is available to any reporting person working (prior, during or after the employment) in the private or public sector who acquired information on breaches in a work-related context, as well as persons facilitating whistleblowing, however, there are certain conditions to be satisfied for such a protection under the Directive. Most importantly, there has to be a reasonable ground to believe that the information on breaches reported was true at the time of reporting, the information must fall within the scope of the Directive, the reporting is carried out through the correct reporting methods and if the reporting is carried out anonymously and the reporters' identity was later exposed, the reporter shall nevertheless qualify for protection if they suffer from retaliation.

There are different methods of reporting as per the Directive; the internal reporting, the external reporting and the public disclosure and it is a requirement to establish safe channels for reporting both within an organization and to public authorities. Additionally, the Directive requires national authorities to inform citizens and provide training for public authorities on how to deal with whistleblowers. Under the Directive, whistle-blowers are not required to report internally before reporting to the relevant government authorities.

However, in order to "go public" whistle-blowers must have first reported either internally or to government authorities and no appropriate action was taken or else have reason to believe that either there is an imminent or manifest danger to the public (i.e. a public emergency), or that there is a high risk of retaliation and a low prospect of the violation being addressed due to the particular circumstances of the case (such as where a public authority is in collusion with the violator).

Internal reporting channels and procedures for reporting are required to be established for legal entities in the private and public sector with more 50 or more employees. Reporting persons are encouraged to use internal channels for reporting before resorting to external channels if possible and such internal channels should allow employees to report to an appointed individual or a department designated for the purpose or externally a third party.

The Directive also states that the processing of personal data must be in line with the General Data Protection Regulation (GDPR). Member States must ensure that the identity of the reporting person is not disclosed to anyone beyond the authorized staff members competent to receive or follow up on reports, without the explicit consent of that person. This shall also apply to any other information from which the identity of the reporting person may be directly or indirectly deduced.

The Directive is set to be transposed into national law by all EU Member States by 17 December 2021 and thus, Cyprus is also expected to comply with the given deadline.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.