As EU members states scramble to implement the EU Whistleblower Protection Directive by the December 2021 deadline, this article takes stock of whistleblowing law around the globe, considers how the new directive will change the legal landscape and highlights the key points to consider when putting together a whistleblowing policy or procedure.
Whistleblowing law outside the EU
Many countries have laws to encourage employees to blow the whistle on wrongdoing within their organisations and to protect them from retaliation as a result.
Some countries have introduced overarching employment laws protecting employees who blow the whistle in a work-related context (e.g. Australia, New Zealand, Japan and the UK). The type of malpractice which attracts protection if reported varies by country. Typically, employees are protected if they report concerns about suspected unlawful conduct by their employing organisation, but Australia goes further by protecting whistleblowers who report an "improper state of affairs" including, for example, conduct which does not live up to an organisation's own codes.
Other countries have specific employment laws to protect employees who report certain types of wrongdoing, even though there is no overarching whistleblowing legislation. For example, employees in several countries are protected against retaliation for raising concerns about health and safety or harassment, or for reporting their employers to local labour inspectorates (e.g. Colombia, Singapore and Chile).
Many countries have laws encouraging individuals to report corruption, bribery and other types of corporate crime (e.g. Brazil, Singapore and Argentina). Such laws typically apply to all citizens, not just employees, but they tend to prompt companies to adopt ethics or compliance policies which may include whistleblowing channels and protections. Colombia has new regulations requiring companies to set up whistleblowing channels for citizens to raise concerns about corruption, money laundering, terrorism financing and similar types of criminal conduct.
Some countries may have limited specific laws around whistleblowing but have tough general laws protecting employees from unfair dismissal that effectively preclude retaliating against whistleblowers (e.g. Chile and Brazil).
The US legal framework stands out as particularly notable because of its 'bounty' programmes. The US has numerous federal laws protecting whistleblowers, including the Sarbanes-Oxley Act, the Dodd-Frank Act, the Foreign Corrupt Practices Act and the False Claims Act. Whistleblowers under these laws stand to gain monetary payments if their employer is successfully prosecuted as a result of their disclosure. Some bounty programmes are open to whistleblowers from outside the US. Bounty programmes are not completely unheard of outside the US (Singapore, for example, has a bounty programme for individuals who report cartels) but are unusual.
Only a few countries require privately-held companies to establish specific channels and procedures for whistleblowers to report concerns. In Serbia, whistleblowers are entitled to have their reports acted upon within 15 days, updates on the progress of the investigation and access to the case files. Japan is also strengthening its laws around systems for following up on reports. Many other countries, however, leave the process up to individual companies. Even in the US, privately-owned companies are not generally required by federal law to set up any particular whistleblowing channels or follow any specific processes. In New Zealand and the UK, whistleblowing legislation is focussed on protecting the whistleblower against retaliation rather than requiring the company to investigate what the whistleblower is reporting. Australia also has no defined process for handling whistleblower disclosures.
As a best practice, of course, many companies do have channels in place for employees to raise concerns and procedures for investigating any concerns raised.
If the company investigates a report, keeping the whistleblower's identity secret may be a key concern. In Australia and New Zealand, whistleblowing legislation specifically requires employers to keep the identity of a whistleblower confidential, except in certain situations. Japan has detailed government guidance on how to protect the identity of a whistleblower during an investigation so that the parties concerned do not realise than the investigation was triggered by a whistleblower's report. These guidelines include tips such as carrying out the investigation at the same time as a regular audit, pretending that the investigation is an unannounced audit for camouflage and conducting "dummy" investigations on other departments.
The penalties for retaliating against whistleblowers vary across countries. In Singapore, there are criminal penalties for dismissing or threatening to dismiss employees who report health and safety breaches. In New Zealand, it's unlawful under the Human Rights Act to treat whistleblowers less favourably than others. In the UK, where the penalties for dismissing a whistleblower are relatively high, employees sometimes try to position themselves as whistleblowers to gain additional protection, leading to the UK changing its legislation some years ago to underline that whistleblowers must report matters in the public interest before they can qualify for protection.
Whistleblowing is not common everywhere, and the practice of whistleblowing is not regarded positively in all countries. On the other hand, corporate compliance continues to be a growing concern, and our lawyers in many places across the globe are reporting an increase in whistleblower activity and whistleblowing-related claims.
Whistleblowing within the EU
The new EU Whistleblower Protection Directive must be implemented by 17 December 2021. The Covid-19 pandemic has caused delays and countries are now scrambling to get their legislation in place by the deadline. We have conducted a survey of EU countries to find out the status of implementation of national law across the block – and have also included one or two countries that are not in the EU, but are geographically close to the block:
The Directive has ambitious aims for how companies should encourage and respond to whistleblowing, but modest scope in applying only to reports of suspected breaches of certain EU laws. Those laws are listed in the Directive and cover areas such as public procurement, product safety, environmental compliance, the operation of the single market and data protection. It looks likely, however, that many (if not most) EU countries will broaden the scope of their local implementation to cover other types of unlawful behaviour including breaches of national law and potentially other threats to the public interest. For example, the Czech Republic, Sweden, Romania and Denmark were among the first countries to draft their implementing legislation and all of those countries took the approach of broadening the scope to cover breaches of local law, with Sweden proposing that whistleblowers should be protected for disclosing any information in the general interest.
The Directive provides protection for a range of would-be whistleblowers, including employees, job applicants, former employees, contractors, shareholders, board members and supporters of the whistleblower.
The whistleblower can report a concern internally within the company or directly to a competent supervisory authority. They are protected in both cases. It is up to EU Member States to decide whether to designate one single competent authority or many sector-specific ones. Companies must clearly signpost the available external reporting channels. They can recommend that internal reporting channels are used first but, ultimately, it is up to the whistleblower to decide.
Organisations with a headcount of at least 50 employees will be required to set up internal whistleblowing channels. The deadline for doing so is extendable to 17 December 2023 for companies with a headcount under 250 employees. Penalties for companies that do not set up internal channels are up to each Member State to decide, but the existence of external reporting channels is unlikely to be regarded as a sufficient sanction.
Possibly the most significant feature of the Directive is the explicit requirement for companies to follow up on reports received internally through their whistleblowing channels. There are very specific requirements on this issue. Companies must acknowledge receipt of a report within seven days and provide feedback on the outcome of the report within three months of the acknowledgement. Companies also need to designate a person or department as responsible for follow-up. In practical terms, this means that all companies operating within the EU need to build the capacity to conduct investigations, where it did not exist before.
If the whistleblower takes their report externally, the external body must also investigate and follow up on the allegations. This represents a significant change in many countries where the relevant bodies previously existed only to provide advice or support rather than investigations.
The identity of the whistleblower must be protected.
The extent to which group companies can have a central approach is being hotly debated. The Directive requires each subsidiary with over 50 employees to set up their own whistleblowing channels. Medium sized companies with 50-249 employees can draw on resources from other companies when it comes to receiving and investigating reports, although they retain responsibility for maintaining confidentiality, providing feedback and addressing the alleged breach. Companies can outsource the operation of whistleblowing channels to third parties. According to the Committee of Experts set up by the EU Commission, this means that companies can still have central policies but whistleblowers must always have the option to report at a subsidiary level. Medium-sized companies can pass reports to headquarters to investigate, but the whistleblower would need to be told about this and would have the right to object and request investigations to be carried out locally. The Committee's view is also that the option to outsource the operation of whistleblowing channels applies only to external third parties (such as external platform providers, external counsel or auditors) and not to companies within the same corporate group.
In Denmark, however, companies have argued strongly against this restrictive approach in favour of more group solutions. See our article.
It is sometimes claimed that the EU wants to be the world's global regulator, influencing practice around the globe. The introduction of the Whistleblower Protection Directive tends to supports this claim. The Directive may not have the same level of impact as the GDPR, but it does look set to become the benchmark or gold standard for encouraging and handling whistleblowing in a work-related context.
Even before the introduction of the EU Whistleblower Protection Directive, it was becoming more common for companies to adopt whistleblowing policies and procedures, sometimes on a global level. The new EU Directive will of course result in such policies and procedures being even more widespread. In the final part of this article, we highlight some of the key practical issues to consider when putting together a policy.
|What to report and how to report it:||Will the policy define your ethical or compliance standards as well as explain how to report suspected breaches of them? How should whistleblowers raise their concerns – via an external reporting platform or internally? How will oral reporting (where applicable) be made possible? Does the policy need to point employees to alternative procedures, for example for bullying, harassment or grievances, to avoid those types of complaint being raised through the wrong channels?|
|How to investigate:||Do you have investigation capacity internally or will you be drawing on others to help? Do you have the resources to commit to following an EU-compliant process for all types of malpractice report, everywhere? How will you make sure that investigators are aware of local rules? In some countries, for example, it may be advisable to use a notary public to authenticate copies of emails and documents etc. In others, there are strict rules about admissibility of evidence in subsequent court proceedings that investigators may need to know. In situations where the investigation implicates another employee, local disciplinary requirements may be triggered.|
|Protections for whistleblowers:||In addition to promising non-retaliation, how will you protect the identity of the whistleblower? Confidentiality is not just a concern in countries that have implemented the GDPR; it is baked into local laws elsewhere around the globe (e.g. Australia and Russia).|
|Who can complain:||Will your policy allow or even encourage anonymous reports? These may be harder to investigate. (The EU Directive leaves it up to Member States to decide if companies are legally obliged to follow up on anonymous reports).|
|Local requirements:||Your policy may need embedding or formalising in local law, especially if it defines your compliance and conduct standards as well as explaining the process for reporting beaches of them. In Russia, for example, if employees could be disciplined for breach of your policy then it needs to be formally adopted by the local company and employees should sign to confirm their familiarity with it.|
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.