The 17 December 2021 deadline for EU Member States to implement the EU Whistleblowing Directive into national laws is fast approaching. Private sector organisations in the European Union with 250 or more workers (and certain public authorities) will be required to comply with the new laws from that date, though those with 50-249 workers have until 17 December 2023 to do so. Importantly, the 50-worker minimum limit is removed for financial services firms and the UK is not required to introduce the Directive. We've set out below responses to some of the frequently asked questions on this topic. This is based on the provisions of the Directive though do remember that Member States are free to go beyond these minimum standards and so the final national laws must be checked.

1) Why was the Directive introduced?

Existing whistleblower protection in the European Union offers patchwork protection only, which may deter individuals from raising concerns (particularly those in global roles where it is not clear which jurisdiction/laws apply). The economic case for enhancing whistleblower protection is strong. Annual losses in the EU due to a lack of whistleblower protection in public procurement are estimated at between €5.8 and €9.6 billion. That's in a "normal" year, absent a global pandemic coupled with significant (and often questionable) increases in public spending.

2) What's "whistleblowing" in this context?

It's limited to reporting breaches of certain EU laws, including those relating to financial services, food and product standards, public health, public procurement and consumer protection. Some Member States (e.g., Denmark) are going further and extending this to serious wrongdoing and violations of national law whereas others (e.g., Germany) are being criticised for their plans to apply the minimum approach only.

3) Who does it cover?

It's broader than employees and workers. Self-employed contractors, workers, volunteers, non-executive directors, shareholders, suppliers and contractors are all covered.

4) What are the key requirements? 

  • Establish reporting channels (internally and/or externally) to receive reports in writing and orally (e.g., telephone / voice messaging system). For private sector organisations, this applies only to organisations with 50-249 workers, though Member States may extend this requirement to organisations with fewer than 50 workers.
  • An impartial person/department should be professionally trained and have responsibility for handling reports.
  • Reports should be acknowledged within 7 days and feedback/follow-up provided in 3 months (this may be extended to 6 months e.g., in complex cases).
  • Whistleblowers should be protected from retaliation (examples include removing workplace duties, negative performance reviews, blacklisting or psychiatric/medical referrals).

5) Are there any areas where Member States are free to decide how to manage?

Member States are free to decide to enhance any of the protections in the Directive, though these key areas have been left up to the Member States:

  • The scope of breaches that can be reported (e.g., whether this will go further than only certain EU law breaches).
  • Whether businesses and relevant public authorities will be required to accept and follow up on anonymous reports (in any case, a tricky topic with broader commercial considerations at play - it's generally not recommended to take a blanket approach of ignoring anonymous reports).
  • The penalties for retaliation.

6) Will this impact how businesses deal with employee grievances?

If you're handling a workforce in the EU, it's one to watch. It's up to each Member State whether they bring interpersonal grievances within the scope of the protection. Even if they do not do so, your HR and investigation teams need to be alive to the risk of employees raising concerns via these channels. You'll also need to proactively manage the reputational risk of employees raising concerns with any regulators directly (e.g., particularly in the financial services and healthcare sectors).

7) What can businesses do now to prepare?

Although national legislation is not yet finalised in many countries (though it's underway in 23 of the 27 EU Member States), businesses can take proactive steps to manage this change by:

  • Assessing whether you are in scope and, if so, taking advice from European counsel on the key upcoming issues in each jurisdiction relevant to your business (at this stage, many countries have draft bills so there is information available).
  • Doing a gap analysis of your existing whistleblowing/speaking up frameworks (bearing in mind any specific regulatory obligations placed on your industry, e.g. financial services/healthcare, or your business by virtue of your global operations e.g. there are separate U.S.-specific whistleblowing requirements).
  • Designating responsible individuals to manage reports (and arranging training for those individuals).
  • Considering engaging with an external provider/hotline to receive reports - the Littler | Whistle Protect tool with WhistleB allows employees to raise concerns externally.

For businesses who are not impacted (including those in the UK), this is a welcome reminder to consider introducing, or refreshing their existing, whistleblowing or speaking up policies not least from a cultural and governance perspective - see our previous article on this here.
