Cleary Gottlieb Discusses EU’s New Whistleblower Protections

A lively debate has been sparked both among the public and scholars about the protection of informants, promp­ted in part by the whistleblowers who uncovered the scandals that recently attracted so much interest in the media, including Cambridge Analytica, the Panama Papers or LuxLeaks.  One topic under dis­cussion is the extent to which whistleblowers should enjoy “the legal regime’s blessing” and be protected against sanctions, inter alia, under labor or criminal law, in view of the tension between private interests in the protection of internal matters and the public interest in uncovering legal vio­lations and internal irregularities.

Under the legal regime in the EU member states – still non-harmonized to date – whistleblowers frequently have to fear sanctions or even retaliation.  Whistle­blowers now enjoy greater protection thanks to an EU Directive, which has now also been ratified by the Member States in the Council after having been adopted by the Parliament in April 2019.[1]  The Whistle­blower Directive takes effect on the 20th day following its publication in the Official Journal of the European Union.

This Alert Memorandum elaborates on the objective and regulatory scope of the Whistleblower Directive, requi­site implementing acts, and a few practical conse­quen­ces of the new protection of whistleblowers.

Background of the Whistleblower Directive

Whistleblowers are individuals who disclose information they have obtained about misconduct in a work-related context, either by reporting it to the organization concerned or to a public authority, or by taking it to the public.  Whistleblowers report legal violations (e.g., against EU law) or other internal irregularities “first hand,” thus playing a key role in uncovering such legal violations, avoiding future breaches, and effectively enforcing (EU) law.  It is acknowledged in this regard that whistleblowers also serve the public interest and have to be protected from sanctions within certain limits.  But whistle­blowers are nonetheless frequently exposed to the risk of sanctions or retaliation, including in the form of discrimination, termination, damage claims or even criminal prosecution.

Until now, the treatment of whistleblowers, especially in regard to their protection, has not been regulated on a uniform basis in the EU:

In Germany, protective regulations specific to sector-related reporting systems[2] and general protective labor-law regulations[3] do exist, but only on an isolated basis.  A further regulation took effect on April 26, 2019: Sec. 5 no. 2 of the Business Secret Act (Ge-schäftsgeheimnisgesetz)[4] specifies the criteria for permission to “uncover” legal violations or other misconduct, even if this would entail a disclosure of business secrets (which is generally unlawful and criminal under Sec. 4, 23 of the Business Secret Act).

In ten EU member states, including the United Kingdom, France and Italy, whistleblowers enjoy ample protection, whereas the remaining member states afford only limited protection or – which is the case in Spain – do not have any laws on whistleblower protection at all.[5]  Even at the EU level, to date whistleblowers are safeguarded by protective regulation only in isolated sectors, especially in the finan­cial services area.[6]

The EU Whistleblower Directive[7] (the “Directive”) seeks to close the gap created by this fragmentary legal situation.

Goal, Scope of Application and Regulatory Content of the Directive

In reaction to the gaps in current protection, the EU is looking to better protect whistleblowers from sanctions and retaliation.  The Directive’s goal is to create effective reporting procedures that provide extensive information about the options available to whistleblowers, react to reporting and warrant remedial “follow-up” measures, and to create prote­ctive measures to prevent retaliation against whistle­blowers.  The Directive intends to create a favorable legal framework for doing so, and to establish incen­tives for reporting legal violations and irregu­larities.  This favorable legal framework, in turn, is directed toward more effectively uncovering, and ultimately preventing, legal violations in particular.

Under the Directive, whistleblowers are protected on condition of the personal and substantive scope defined therein (see a. and b. below), and based on two cornerstones: (1) the creation of safe reporting channels serving as an upstream protective mechanism (see c. below) and (2) subsequent protection against retaliation (see d. below).

Personal scope of application: employees, civil servants, and other individuals who receive information “in a work-related context”

Art. 4 of the Directive[8] defines a broad personal scope of application in order to warrant the greatest protection possible.  Persons protected by the Direc­tive include, inter alia, (1) employees (Art. 45 TFEU), (2) self-employed persons (Art. 49 TFEU), (3) shareholders and persons belonging to the admi­nistrative, management or supervisory body of an under­taking, (4) certain persons working under the supervision and direction of contractors and suppliers, and (5) applicants in connection with the recruitment process.  Art. 4(4) affords protection to “facili­tators” who support the whistleblower in reporting a matter in a work-related context and to third parties asso­cia­ted with the whistleblower who may suffer reta­liation.

Conditions for protection: reporting of eligible violation of EU law

Pursuant to Art. 2(1), violations of primary EU law specified in the Directive, or listed secondary EU law, fall under the scope of application of the Directive.  Concerned EU law includes legislation in the areas of, inter alia, public procurement, financial services and financial markets, product safety, transport safety, en­vi­ronmental protection, consumer protection, com­pe­tition law, protection of privacy and data pro­tection.[9]

Under Art. 2(2), the member states are expressly autho­rized to extend the scope of application of whistle­blower protection under national law to inclu­de further legal acts and areas of the law.  The EU itself expressly reserves the right to subsequently supple­ment the contents (Art. 27(3); Re­cital (106)).

Under Art. 6(1) lit. a), the whistleblower is in any case required to have reasonable grounds to believe, on the date of his/her reporting, that the information is accurate and falls within the scope of application of the Directive or of its national implementation.

Reporting channels: three-tier reporting system

The Directive creates a three-tier reporting system.  In the first stage, the whistleblower can approach internal reporting departments, in the second stage contact a competent authority, and in the third stage take a case to the public.  Under  Art. 16, “confiden­tiality” is called for in all reporting channels, especially with regard to protecting the whistle­blower’s identity.

The member states are expected to encourage whistle­blowers to use internal channels if these can effectively aid in addressing the violations and there is no need to fear retaliation (Art. 7(2)).  This approach is not mandatory, however.  Under Art. 10, the whistleblower is free to approach (external) offi­cial channels directly (for which reason the system that has now been adopted is not a genuine three-stage model).  The precise features of the three-tier model were debated during the EU legislative process.  Commission and Council took the position that internal reporting channels should first be approached before contacting external authorities.  The Parlia­ment objected that whistleblowers should have a genuine choice of alternatives.  The final text of the Directive offers a compromise to resolve this issue.  However, taking the case to the public (at the third stage) is permitted only for whistleblowers who meet special conditions.


Stage 1: Art. 8 and 9 specify the features of internal reporting channels and the internal reporting procedure.  Pursuant to Art. 8(1), these specifications apply to all legal entities, both in the private and public sector.[10]  Internal whistleblower systems generally have to be in place only for a company’s own employees; however, they may also be open to third parties (Art. 8(2)).  The following companies in particular are required to set up internal reporting channels and corresponding procedures: (1) com­panies with over 50 workers and (2) companies operating in the financial services sector, irrespective of the number of workers (Art. 8(3), (4)).  Every whistleblower is to receive confirmation of the receipt of  his/her report, is to be assured of confidentiality, and is entitled to be notified within three months of how the reporting has been handled, and of the “follow-up” measures taken (Art. 9).

Stage 2: Art. 10 to 14 regulate the provision of external reporting channels.  Under Art. 11(1), the member states specify the competent authorities and ensure that these set up independent whistleblower systems.  The member states must provide the necessary funds to those authorities for this purpose.  Also, in the case of an external reporting channel, the competent authority must confirm receipt of the report to the whistleblower within seven days and generally inform him/her within three months of the follow-up measures being taken (Art. 11(2)).  In minor matters, the competent authority may forgo follow-up measures “after having duly reviewed the matter”  (Art. 11(3)).

Stage 3: Finally, under certain conditions the option is available to take a matter directly to the public under Art. 15 (“Public Disclosures”).  Disclosure is accor­dingly permitted only if (1) a prior internal or external reporting did not result in an appropriate reac­tion within three months or if (2) the whistleblower is justified in assuming that (a) the reported violation represents a threat to the public interest (e.g., giving rise to a fear of irreversible damages) or (b) in case of external reporting, retaliation was to be feared or only minor prospects of success existed for effectively dealing with the violation (e.g., in cases in which the authority was involved in the relevant violation or may pursue adverse interests when facing reporting).

Post-reporting: protection against retaliation

Art. 19 requires the member states to take any mea­sure necessary to exclude “any form of retaliation” against whistleblowers.  Potential retaliation under Art. 19 includes the whistleblower’s suspension, termination, demotion, withholding of a promotion, reorgani­zations of the workday, negative performance assessments and coercion, harassment, intimidation and discrimination.  Under Art. 20, the member states must guarantee protection against the above retaliation to (potential) whistleblowers by granting access to information and effective assistance by the competent authorities.  Whistleblowers meeting certain require­ments are also entitled to legal and financial aid.

However, Art. 21(3) provides that the protection of whistleblowers be limited to the extent that procuring information in connection with the reporting may still trigger criminal liability if the procurement of, or access to, the relevant information qualifies as an inde­pendent criminal act.  At the same time, sanctions for deliberately publicizing false information should be effective, appropriate and “dissuasive” (Art. 23(2)).  Art. 22(1) provides that whistleblowers should be granted legal protection and a fair procee­ding  – not least of all in the prosecution of their own legal violations.

On the other hand, under Art. 23(1) the member states are expected to establish “effective, appropriate, and dissuasive” sanctions, in particular against persons preventing whistleblowers from reporting or who retaliate against whistleblowers.  Art. 24 regu­lates the rights and protective measures granted to whistle­blowers under the Directive, which are not permitted to be amended or restricted, including in the context of an employment contract.

Implementation of the Directive

The national legislator is required to implement the Direc­tive within two years from its entry into force (Art. 26(1)).  For legal and administrative provisions that serve to establish internal reporting channels at legal entities with 50 to 249 workers, the transposition deadline is four years.

It remains to be seen whether the German lawmaker will make use of its power to extend the scope of “German” whistleblower protection to violations of purely domestic, German law.  In any event, the implementing acts of the member states will spe­cify mea­sures expected to be taken by private actors that fall within the scope of the Direc­tive.  Under the Direc­tive, companies may set up and manage their repor­ting systems either through an internal depart­ment or an external third party (Art. 8(5)).  It should be noted that smaller companies of 50 to 249 employees may cooperate in sharing resources for the receipt and investigation of any reported violations (Art. 8(6)).

Remarks and Outlook

The Directive should generally be viewed as appro­priate in view of the current regulation of whistle­blower protection, which is considered to be inconsis­tent and inadequate.

Companies have an interest of their own in uncovering irregularities in the company – not least of all for compliance reasons.  Whistleblower protection is therefore also in the interest of the company.  Even if bureaucratic burdens and implemen­tation issues cannot be ruled out, a functioning whistleblower system affords great opportunities and benefits for the company concerned.  Beside the opportunity to create and promote a corporate culture based on reflection, the implementation of the Directive has the potential to facilitate the discovery of internal mis­conduct more efficiently, by fostering internal inves­tigations that handle legal violations transpa­rently and persis­tently, and to ultimately avoid violations in the future.  Engendering confidence in compliance structures, concerned companies may benefit from a substan­tially improved public image.

The extent to which the Directive actually lives up to its purpose of uniform and effective protection of whistleblowers will largely depend on its implemen­tation by the member states.  In this regard, the member states have a certain latitude – as they often do – and there are no upper limits considering the minimum harmo­nization that has been created by the Directive.

Irrespective of the foregoing, concerned companies are well advised to address the topic on a timely basis and make corresponding arrangements for implemen­tation promptly.  Companies that already have a reporting system are also recommended to review whether the system in place adequately fulfills the new requirements, e.g., with regard to treating the identity of the whistleblower confidentially, warranting data protection and obser­ving the specified deadlines.


[1]     Press release of the Council of October 7, 2019.

[2]     For example, in the financial services sector pursuant to Sec. 4d FinDAG (text available only in German), in the banking sector under Sec. 25a(1) sentence 6 no. 3 KWG (text available only in German) and pursuant to the German Money Laundering Act (Geldwäsche­gesetz) (Sec. 6(5) GwG and Sec. 48 GwG).  The German Corporate Governance Code (Sec. 4.1.3) encourages listed companies to establish a secure reporting system for whistleblowers.

[3]     For example, the prohibition of victimization (Sec. 612a of the German Civil Code, BGB) or extra-company (Sec. 17(2) ArbSchG) and internal company complaint mechanisms (Sec. 84 et seq. BetrVG).

[4]     Act implementing Directive (EU) 2016/943 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure (BGBl I (2019), p. 466; text available only in German).

[5]     Such member state regulations frequently implement EU Directives, e.g., under Art. 71 of Directive (EU) 2013/36 (Capital Requirements Directive).

[6]     For example, Regulation (EU) No. 596/2014 on market abuse (Market Abuse Regulation).

[7]     Directive of the European Parliament and of the Council on the protection of persons reporting on breaches of Union law, final text dated September 25, 2019.

[8]     References herein without further specification refer to the September 25, 2019 text of the Whistleblower Directive (Fn. 7).

[9]     For a complete list, see Art. 2(1).

[10]    This Alert Memorandum does not discuss whistle­blower regulation applicable to actors in the public sector, in particular public authorities and offices.

This post comes to us from Cleary, Gottlieb, Steen & Hamilton LLP. It is based on the firm’s memorandum, “New EU Regulation Strengthens Protection of Whistleblowers,” dated October 22, 2019, and available here.