What is the pertinent legislation on whistleblowing in Malta?
To date the primary legislation in Malta concerning whistleblowing is the Protection of the Whistleblower Act, Chapter 527 of the Laws of Malta (the ''Act'').
This legislation is expected to be amended in light of EU Directive 2019/1937 on the protection of persons who report breaches of Union law (the ''Directive''). The Directive is to be transposed into Maltese legislation by 17th December 2021.
Section 1: Whistleblowing under the current Act:
What is a whistleblower?
A whistleblower is an employee who discloses actions which are deemed to constitute improper practices concerning:
- failure to comply with any law and / or legal obligation to which one is subject; or
- endangerment of an individual's health or safety; or
- damage to the environment; or
- corrupt practices; or
- committal of criminal offences; or
- occurrence of miscarriage of justice; or
- occurrence of bribery; or
- abuse of power; or
- any matter falling within any one of the preceding paragraphs which has been / is being / is likely to be deliberately concealed.
Which employers have obligations under the Act and what obligations do they have?
The Act does not apply to all employers. Rather the Act specifies certain type of employers which are subject to the obligations as set out in the Act. Employers means:
- each ministry of the Government of Malta;
- any private sector organisation which according to its last
annual or consolidated accounts, meets at least two of the
- an average number of employees, during the financial year, of more than 250;
- a total balance sheet exceeding forty-three million euro (€43,000,000); and
- an annual turnover exceeding fifty million euro (€50,000,000).
- any voluntary organisation which annually raises more than five hundred thousand euro (€500,000) from public collections and other donations.
Employers must identify at least one person within its organisation to act as Whistleblowing Reporting Officer (''WRO'') and must put into place internal procedures to receive and deal with information concerning improper practices. Such information should be made available to all its employees and should be republished from time to time.
Employees shall be made aware of the different type of improper practices which would need to be reported. Even more important, is the culture which is embraced by the senior management of the employer. Without the right culture of openness and transparency, the purpose and objective of the whistleblowing policy can never be achieved.
What obligations do WROs have under the Act?
WROs receive internal disclosures from whistleblowers, evaluate and investigate them (in accordance with the internal procedures established by the employer).
WROs are obliged to refer reports it receives from an employee to the police if the disclosure leads to the detection of an improper practice constituting a crime or contravention. But such an obligation does not subsist if the issue has already been rectified.
WROs must within a reasonable time notify the whistleblower of the status of the improper practice.
When are whistleblowers afforded protection?
Whistleblowers disclosing an improper practice are subject to protections provided that the disclosure is a protected disclosure i.e. it is:
- made in good faith; and
- the whistleblower at the time of the disclosure reasonably believed that the information it disclosed which tended to show improper practice, was substantially true and was committed by his employer, other employees or by persons acting in the name and interests of the employer;
- not made for personal gain.
Provided the above is satisfied, the whistleblower will still be afforded protection even if it later transpires that the whistleblower was, in good faith, mistaken or the act which it disclosed did not materialise. But even if the above is satisfied, if persons make disclosures anonymously, they will not benefit from whistleblower protection.
What protections are afforded to whistleblowers who make protected disclosures?
Under the Act, whistleblowers may not be subjected to detrimental action merely on account of having made a protected disclosure. Detrimental action includes:
- action causing injury, loss or damage; and, or
- victimisation, intimidation, or harassment; and, or
- prosecution relating to calumnious accusations (under article 101 Criminal Code); and, or
- civil or criminal proceedings or disciplinary proceedings.
Detrimental action also includes occupational detriment in relation to the working environment which includes, but is not limited to, disciplinary action against the employee, dismissal suspension or demotion, transfers or refusal to transfers or refusal of promotions, alteration of terms and conditions of employment.
Moreover, whistleblowers making protected disclosures should not be liable to civil or criminal proceedings or disciplinary proceedings for having made such a disclosure.
The whistleblowers identity must be kept confidential and should not be disclosed, nor should information which leads to the identification of the whistleblower be disclosed (unless express written consent is given by the whistleblower).
Whistleblowers may file an action with the First Hall, Civil Court.
Do whistleblowers benefit from whistleblower protection if they were perpetrators or accomplices in the improper practice?
No. They do not benefit from immunity in civil, criminal, or disciplinary proceedings. However, due account shall be taken of the fact that the disclosure was made by such person, potentially resulting in mitigation or remission.
What are Whistleblowing Reports Units and when should external disclosures be made to a Whistleblowing Reports Unit?
A 'whistleblowing reports unit' ("WRU") is an officer, office or section within an authority which is tasked with receiving and processing any external disclosures relating to the activities of persons operating within the sector regulated by the relevant authority so as to determine whether the disclosures should be referred for further investigation.
External disclosures should be made to a WRUs if the whistleblower has reasonable grounds to believe that:
- the head of the organisation is / may be involved in the improper practice; or
- it is justified by the urgency of the matter or other exceptional circumstances; or
- he will be subjected to occupational detriment if disclosure is made internally; or
- it is likely that evidence will be concealed or destroyed if disclosure is made internally; or
- although an internal disclosure has previously been made, the whistleblower has not been informed about the status or it is reasonably evident that there has been no action or recommended action on the matter within a reasonable time.
What obligations do WRUs have under the Act?
WRUs are obliged to refer reports it received to the police if the disclosure leads to the detection of an improper practice constituting a crime or contravention and may even refer the information to another authority if it deems it to be more suited. The WRU has thirty (30) days to make such a report and must notify the whistleblower of the status of the disclosure.
If WRUs believe the disclosure should not have been made externally, it must notify the whistleblower within forty-five (45) days from when it received the disclosure that it will not be dealing further with the disclosure and that an internal disclosure must be made.
Section 2: Whistleblowing under the new Directive
Malta has not as yet transposed the provisions of the Directive into Maltese law. At this stage, it is premature to determine exactly how Malta will transpose the Directive and whether there will be any gold plating when transposing same.
Does the Directive use the same terminology?
Not always. A whistleblower is referred to as reporting person which is defined as a natural person who reports or publicly discloses information on breaches acquired in the context of his or her work-related activities.
Also, improper practice is referred to as a breach which means any acts or omissions that are either:
- unlawful and relate to the EU rules and areas falling within the material scope of the Directive; or
- that defeat the object or purpose of the EU rules and the areas falling within the material scope of the Directive.
The Annex to the Directive provides a list of Directives and Regulations which fall within the material scope of the Directive. The key areas in respect of which the Directive would apply are the following:
- public procurement;
- financial services, products and markets and prevention of money laundering and terrorist financing;
- product safety and compliance;
- transport safety;
- protection of the environment;
- radiation protection and nuclear safety;
- food and feed safety, animal health and welfare;
- public health;
- consumer protection
- protection of privacy and personal data, and security of network and information systems
- financial interest of the EU (fraud and the financial interest of the EU);
- internal market, including corporate tax.
The Directive also introduces the concept of public disclosures which are disclosure or breaches made in the public domain.
Who may report breaches in terms of the Directive?
Breaches may be reported by reporting persons working in the private or public sector who acquired information on breaches in a work-related context, including workers, civil servants, persons having a self-employed status, shareholders and senior management officials, persons acting under the supervision and direction of contractors, subcontractors and suppliers.
The protections afforded by the Directive also extend to persons who, at the time when the disclosure is made, have ended their working relationship with the employer; or are still in the recruitment process; are facilitators; are third persons connected to the reporting person who could suffer retaliation (ex. colleagues), or are legal entities that the reporting person owns or works for.
This means that the persons who may be afforded protection will be extended.
Is the definition of employers under the Act the same under the Directive?
No. The Directive refers to legal entities rather than employers and provides that the following legal entities must have internal reporting and follow-up obligations:
- all public sector legal entities (irrespective of sector); and
- all private legal entities operating in the following sectors: financial services, products and markets and prevention of money laundering and terrorist financing, transport safety and protection of the environment;
- private legal entities with more than 50 workers if such entities do not operate in the above listed sectors.
Entities which employ between 50 and 249 workers may share resources as regards to receipt of reports and any investigation to be carried out.
Therefore, under the Directive more legal entities are going to be subjected to obligations concerning internal reporting and follow-up procedures. The threshold under the Directive is much lower to afford reporting persons more protection.
What are the principal changes to legal entities' obligations concerning internal disclosures?
The Directive now stipulates the type of procedures which are to be adopted by employers for the purposes of reporting and investigating breaches.
The internal reporting channels must be secure in so far as not only the identity of the reporting person must be kept confidential but also the identity of any third party mentioned in the report. There must also be protections ensuring that non-authorised staff members do not have access to such information.
Timeframes are imposed wherein reporting persons must receive an acknowledgement of receipt of the report within seven (7) days from disclosure and must receive feedback and updates within three (3) months from the acknowledgement of receipt.
Legal entities must provide clear and easily accessible information concerning not only the internal reporting procedures but also the external reporting procedures.
In addition to reports in writing, oral reporting through telephone or other voice messaging systems should be allowed by the employer.
Employers shall also be subjected to new record keeping obligations, the extent of which is dependent on the manner of Malta's transposition.
What are the principal changes concerning external reporting channels?
Competent authorities having WRUs must publish on their websites specific information and must acknowledge receipt of a disclosure within seven (7) days and provide feedback on the case within three (3) months or at most within six (6) months if duly justified.
When do reporting persons who have made public disclosures qualify for protection under the Directive?
Reporting persons who make public disclosures will qualify for protection if such reporting person has:
- previously made an internal and external report but no appropriate action was taken; or
- the reporting person believes that the breach may cause imminent or manifest danger to the public interest or there is risk of retaliation, or a low prospect of the breach being effectively addressed (in the context of external reporting).
When are reporting persons afforded protection?
Under the Directive, reporting persons qualify for protection if:
- at the time of making the report they had reasonable grounds to believe that the information on the breach being reported was true; and
- the report was made in accordance with the provisions of the Directive, whether internally, externally or through public disclosure.
Differently to the Act, there is no good faith requirement making it easier for reporting persons to prove that they qualify for protection.
If the disclosure was made anonymously and the reporting person is subsequently identified, such person will still benefit from protection. At this stage, the Act does not provide protection to whistleblowers who submit an anonymous report.
What protections are afforded to reporting persons who qualify for protection under the Directive?
The protections in the Directive are similar to those in the Act, albeit more extensive.
The reporting person's identity must be kept confidential and information which leads to identification shall not be disclosed unless express written consent is given or there are necessary and proportionate obligations imposed by EU law due to investigations by national authorities or judicial proceedings.
The Directive no longer refers to the terms detrimental action or occupational detriment. Instead, it prohibits threats and attempts of retaliation which although similar are more detailed. Prohibited retaliation includes
- suspension, lay-off, dismissal or equivalent measures;
- demotion or withholding of promotion;
- transfer of duties, change of location of place of work, reduction in wages, change in working hours;
- withholding of training;
- negative performance assessment or employment reference;
- imposition or administering of any disciplinary measure, reprimand or other penalty, including a financial penalty;
- coercion, intimidation, harassment or ostracism;
- discrimination, disadvantageous or unfair treatment;
- failure to convert a temporary employment contract into a permanent one, where the worker had legitimate expectations that he or she would be offered permanent employment;
- failure to renew, or early termination of, a temporary employment contract;
- harm, including to the person's reputation, particularly in social media, or financial loss, including loss of business and loss of income;
- blacklisting on the basis of a sector or industry-wide informal or formal agreement, which may entail that the person will not, in the future, find employment in the sector or industry;
- early termination or cancellation of a contract for goods or services;
- cancellation of a licence or permit;
- psychiatric or medical referrals
Reporting persons must have access to proper measures of support. The extent of such measures will depend on Malta's transposition. In principle, Malta would need to have in place:
- information on the procedures, remedies and protections and rights available to the reporting person;
- effective assistance from competent authorities; and
- legal aid in criminal and cross-border civil proceedings.
There is a presumption that if a reporting person had made a report under the Directive and has suffered detriment, then in court proceedings it shall be presumed that the detriment was made in relation to the report or public disclosure, and the person who has taken the detrimental measure must prove that the measure was based on justifiable grounds.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.