Directive (EU) 2019/1937, which aims at unifying rules and minimal guarantees on the protection of persons who report breaches of Union law, is currently being implemented into Luxembourg law through the bill of law 7945 (the « Bill of Law »).

However, the Bill of Law has a wider scope than Directive 2019/1937, as it pertains to the report of breaches of Union and of Luxembourg laws (the “Breach”). It is also intended to complete specific pre-existing frameworks, which are already in place in i.a. the financial and insurance sectors.

In a business context, any person of any status (public or private sector employees, including those whose employment contract has not started or has ended, volunteers and trainees, subcontractors, suppliers, self-employed persons, shareholders and members of the administrative, management or supervisory body- the "Whistleblower") may report information about Breaches, including reasonable suspicions, of actual or potential Breaches, that have occurred or are very likely to occur in his/her business (the "Information").

To benefit from the protective regime provided for by the Bill of Law, the Whistleblower must (i) have reasonable grounds to believe that the Information is true at the time of reporting and (ii) have complied with the reporting procedures, as described in the Bill of Law.

First, reporting may be done internally where the Breach can be effectively remedied internally, and the Whistleblower believes there is no risk of retaliation. Indeed, every public legal entity and every private legal entity with more than 50 employees must establish channels and procedures for internal whistleblowing and its follow-up, but it may also outsource these requirements.

In addition or alternatively, the Whistleblower may externally report to competent authorities, e.g. la Commission de surveillance du secteur financier, le Commissariat aux assurances, le Conseil de la concurrence, l'Administration de l'Enregistrement et des Domaines, l'Inspection du travail et des mines, la Commission nationale pour la protection des données or any other competent authority at European level. Such reporting is made through the independent and autonomous channels set up by these competent authorities and described in the Bill of Law.

Finally, the Whistleblower may make a public disclosure of the Breaches, for example, if he/she has reasonable grounds to believe that (i) the Breach may constitute an imminent or manifest danger to the public interest, such as where there is an emergency situation or a risk of irreversible damage; or (ii) in the case of external reporting, there is a risk of retaliation or there is a low prospect of the Breach being effectively addressed due to the specific circumstances of the case.

Provided that the Whistleblower has complied with the provisions of the Bill of Law, he/she is protected by the confidentiality of the reporting and by the rules set out in Regulation (EU) 2016/679 (General Data Protection Regulation). In addition, he/she will not be subject to retaliatory measures, as listed in the Bill of Law (suspension of employment, disciplinary measures, discrimination, ...), nor will he/she incur any liability as long as he/she had reasonable grounds to believe that the reporting or public disclosure was necessary to reveal a Breach. However, the civil liability of the relevant person who carried out a false reporting may be sought.

Regarding the legislative process, the Bill of Law was filed with the Parliament on 10 January 2022, i.e. after the implementation time limit provided for in Directive 2019/1937. The legislative process is currently at its earliest stages and the Bill of Law, as currently filed with the Parliament, may be amended.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.