A lively debate has been sparked both among the public and scholars about the protection of informants, prompted in part by the whistleblowers who uncovered the scandals that recently attracted so much interest in the media, including Cambridge Analytica, the Panama Papers or LuxLeaks. One topic under discussion is the extent to which whistleblowers should enjoy “the legal regime’s blessing” and be protected against sanctions, inter alia, under labor or criminal law, in view of the tension between private interests in the protection of internal matters and the public interest in uncovering legal violations and internal irregularities.
Under the legal regime in the EU member states – still non-harmonized to date – whistleblowers frequently have to fear sanctions or even retaliation. Whistleblowers now enjoy greater protection thanks to an EU Directive, which has now also been ratified by the Member States in the Council after having been adopted by the Parliament in April 2019. The Whistleblower Directive takes effect on the 20th day following its publication in the Official Journal of the European Union.
This Alert Memorandum elaborates on the objective and regulatory scope of the Whistleblower Directive, requisite implementing acts, and a few practical consequences of the new protection of whistleblowers.
Background of the Whistleblower Directive
Whistleblowers are individuals who disclose information they have obtained about misconduct in a work-related context, either by reporting it to the organization concerned or to a public authority, or by taking it to the public. Whistleblowers report legal violations (e.g., against EU law) or other internal irregularities “first hand,” thus playing a key role in uncovering such legal violations, avoiding future breaches, and effectively enforcing (EU) law. It is acknowledged in this regard that whistleblowers also serve the public interest and have to be protected from sanctions within certain limits. But whistleblowers are nonetheless frequently exposed to the risk of sanctions or retaliation, including in the form of discrimination, termination, damage claims or even criminal prosecution.
Until now, the treatment of whistleblowers, especially in regard to their protection, has not been regulated on a uniform basis in the EU:
In Germany, protective regulations specific to sector-related reporting systems and general protective labor-law regulations do exist, but only on an isolated basis. A further regulation took effect on April 26, 2019: Sec. 5 no. 2 of the Business Secret Act (Ge-schäftsgeheimnisgesetz) specifies the criteria for permission to “uncover” legal violations or other misconduct, even if this would entail a disclosure of business secrets (which is generally unlawful and criminal under Sec. 4, 23 of the Business Secret Act).
In ten EU member states, including the United Kingdom, France and Italy, whistleblowers enjoy ample protection, whereas the remaining member states afford only limited protection or – which is the case in Spain – do not have any laws on whistleblower protection at all. Even at the EU level, to date whistleblowers are safeguarded by protective regulation only in isolated sectors, especially in the financial services area.
The EU Whistleblower Directive (the “Directive”) seeks to close the gap created by this fragmentary legal situation.
Goal, Scope of Application and Regulatory Content of the Directive
In reaction to the gaps in current protection, the EU is looking to better protect whistleblowers from sanctions and retaliation. The Directive’s goal is to create effective reporting procedures that provide extensive information about the options available to whistleblowers, react to reporting and warrant remedial “follow-up” measures, and to create protective measures to prevent retaliation against whistleblowers. The Directive intends to create a favorable legal framework for doing so, and to establish incentives for reporting legal violations and irregularities. This favorable legal framework, in turn, is directed toward more effectively uncovering, and ultimately preventing, legal violations in particular.
Under the Directive, whistleblowers are protected on condition of the personal and substantive scope defined therein (see a. and b. below), and based on two cornerstones: (1) the creation of safe reporting channels serving as an upstream protective mechanism (see c. below) and (2) subsequent protection against retaliation (see d. below).
Personal scope of application: employees, civil servants, and other individuals who receive information “in a work-related context”
Art. 4 of the Directive defines a broad personal scope of application in order to warrant the greatest protection possible. Persons protected by the Directive include, inter alia, (1) employees (Art. 45 TFEU), (2) self-employed persons (Art. 49 TFEU), (3) shareholders and persons belonging to the administrative, management or supervisory body of an undertaking, (4) certain persons working under the supervision and direction of contractors and suppliers, and (5) applicants in connection with the recruitment process. Art. 4(4) affords protection to “facilitators” who support the whistleblower in reporting a matter in a work-related context and to third parties associated with the whistleblower who may suffer retaliation.
Conditions for protection: reporting of eligible violation of EU law
Pursuant to Art. 2(1), violations of primary EU law specified in the Directive, or listed secondary EU law, fall under the scope of application of the Directive. Concerned EU law includes legislation in the areas of, inter alia, public procurement, financial services and financial markets, product safety, transport safety, environmental protection, consumer protection, competition law, protection of privacy and data protection.
Under Art. 2(2), the member states are expressly authorized to extend the scope of application of whistleblower protection under national law to include further legal acts and areas of the law. The EU itself expressly reserves the right to subsequently supplement the contents (Art. 27(3); Recital (106)).
Under Art. 6(1) lit. a), the whistleblower is in any case required to have reasonable grounds to believe, on the date of his/her reporting, that the information is accurate and falls within the scope of application of the Directive or of its national implementation.
Reporting channels: three-tier reporting system
The Directive creates a three-tier reporting system. In the first stage, the whistleblower can approach internal reporting departments, in the second stage contact a competent authority, and in the third stage take a case to the public. Under Art. 16, “confidentiality” is called for in all reporting channels, especially with regard to protecting the whistleblower’s identity.
The member states are expected to encourage whistleblowers to use internal channels if these can effectively aid in addressing the violations and there is no need to fear retaliation (Art. 7(2)). This approach is not mandatory, however. Under Art. 10, the whistleblower is free to approach (external) official channels directly (for which reason the system that has now been adopted is not a genuine three-stage model). The precise features of the three-tier model were debated during the EU legislative process. Commission and Council took the position that internal reporting channels should first be approached before contacting external authorities. The Parliament objected that whistleblowers should have a genuine choice of alternatives. The final text of the Directive offers a compromise to resolve this issue. However, taking the case to the public (at the third stage) is permitted only for whistleblowers who meet special conditions.
Stage 1: Art. 8 and 9 specify the features of internal reporting channels and the internal reporting procedure. Pursuant to Art. 8(1), these specifications apply to all legal entities, both in the private and public sector. Internal whistleblower systems generally have to be in place only for a company’s own employees; however, they may also be open to third parties (Art. 8(2)). The following companies in particular are required to set up internal reporting channels and corresponding procedures: (1) companies with over 50 workers and (2) companies operating in the financial services sector, irrespective of the number of workers (Art. 8(3), (4)). Every whistleblower is to receive confirmation of the receipt of his/her report, is to be assured of confidentiality, and is entitled to be notified within three months of how the reporting has been handled, and of the “follow-up” measures taken (Art. 9).
Stage 2: Art. 10 to 14 regulate the provision of external reporting channels. Under Art. 11(1), the member states specify the competent authorities and ensure that these set up independent whistleblower systems. The member states must provide the necessary funds to those authorities for this purpose. Also, in the case of an external reporting channel, the competent authority must confirm receipt of the report to the whistleblower within seven days and generally inform him/her within three months of the follow-up measures being taken (Art. 11(2)). In minor matters, the competent authority may forgo follow-up measures “after having duly reviewed the matter” (Art. 11(3)).
Stage 3: Finally, under certain conditions the option is available to take a matter directly to the public under Art. 15 (“Public Disclosures”). Disclosure is accordingly permitted only if (1) a prior internal or external reporting did not result in an appropriate reaction within three months or if (2) the whistleblower is justified in assuming that (a) the reported violation represents a threat to the public interest (e.g., giving rise to a fear of irreversible damages) or (b) in case of external reporting, retaliation was to be feared or only minor prospects of success existed for effectively dealing with the violation (e.g., in cases in which the authority was involved in the relevant violation or may pursue adverse interests when facing reporting).
Post-reporting: protection against retaliation
Art. 19 requires the member states to take any measure necessary to exclude “any form of retaliation” against whistleblowers. Potential retaliation under Art. 19 includes the whistleblower’s suspension, termination, demotion, withholding of a promotion, reorganizations of the workday, negative performance assessments and coercion, harassment, intimidation and discrimination. Under Art. 20, the member states must guarantee protection against the above retaliation to (potential) whistleblowers by granting access to information and effective assistance by the competent authorities. Whistleblowers meeting certain requirements are also entitled to legal and financial aid.
However, Art. 21(3) provides that the protection of whistleblowers be limited to the extent that procuring information in connection with the reporting may still trigger criminal liability if the procurement of, or access to, the relevant information qualifies as an independent criminal act. At the same time, sanctions for deliberately publicizing false information should be effective, appropriate and “dissuasive” (Art. 23(2)). Art. 22(1) provides that whistleblowers should be granted legal protection and a fair proceeding – not least of all in the prosecution of their own legal violations.
On the other hand, under Art. 23(1) the member states are expected to establish “effective, appropriate, and dissuasive” sanctions, in particular against persons preventing whistleblowers from reporting or who retaliate against whistleblowers. Art. 24 regulates the rights and protective measures granted to whistleblowers under the Directive, which are not permitted to be amended or restricted, including in the context of an employment contract.
Implementation of the Directive
The national legislator is required to implement the Directive within two years from its entry into force (Art. 26(1)). For legal and administrative provisions that serve to establish internal reporting channels at legal entities with 50 to 249 workers, the transposition deadline is four years.
It remains to be seen whether the German lawmaker will make use of its power to extend the scope of “German” whistleblower protection to violations of purely domestic, German law. In any event, the implementing acts of the member states will specify measures expected to be taken by private actors that fall within the scope of the Directive. Under the Directive, companies may set up and manage their reporting systems either through an internal department or an external third party (Art. 8(5)). It should be noted that smaller companies of 50 to 249 employees may cooperate in sharing resources for the receipt and investigation of any reported violations (Art. 8(6)).
Remarks and Outlook
The Directive should generally be viewed as appropriate in view of the current regulation of whistleblower protection, which is considered to be inconsistent and inadequate.
Companies have an interest of their own in uncovering irregularities in the company – not least of all for compliance reasons. Whistleblower protection is therefore also in the interest of the company. Even if bureaucratic burdens and implementation issues cannot be ruled out, a functioning whistleblower system affords great opportunities and benefits for the company concerned. Beside the opportunity to create and promote a corporate culture based on reflection, the implementation of the Directive has the potential to facilitate the discovery of internal misconduct more efficiently, by fostering internal investigations that handle legal violations transparently and persistently, and to ultimately avoid violations in the future. Engendering confidence in compliance structures, concerned companies may benefit from a substantially improved public image.
The extent to which the Directive actually lives up to its purpose of uniform and effective protection of whistleblowers will largely depend on its implementation by the member states. In this regard, the member states have a certain latitude – as they often do – and there are no upper limits considering the minimum harmonization that has been created by the Directive.
Irrespective of the foregoing, concerned companies are well advised to address the topic on a timely basis and make corresponding arrangements for implementation promptly. Companies that already have a reporting system are also recommended to review whether the system in place adequately fulfills the new requirements, e.g., with regard to treating the identity of the whistleblower confidentially, warranting data protection and observing the specified deadlines.
 For example, in the financial services sector pursuant to Sec. 4d FinDAG (text available only in German), in the banking sector under Sec. 25a(1) sentence 6 no. 3 KWG (text available only in German) and pursuant to the German Money Laundering Act (Geldwäschegesetz) (Sec. 6(5) GwG and Sec. 48 GwG). The German Corporate Governance Code (Sec. 4.1.3) encourages listed companies to establish a secure reporting system for whistleblowers.
 Act implementing Directive (EU) 2016/943 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure (BGBl I (2019), p. 466; text available only in German).
 References herein without further specification refer to the September 25, 2019 text of the Whistleblower Directive (Fn. 7).
 For a complete list, see Art. 2(1).
 This Alert Memorandum does not discuss whistleblower regulation applicable to actors in the public sector, in particular public authorities and offices.
This post comes to us from Cleary, Gottlieb, Steen & Hamilton LLP. It is based on the firm’s memorandum, “New EU Regulation Strengthens Protection of Whistleblowers,” dated October 22, 2019, and available here.