To enhance the enforcement of European Union (the EU) law and policies, the Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law (the Whistleblower Directive) intends to lay down minimum standards that are common throughout the EU providing for a high level of protection of persons reporting breaches of EU law.
The Whistleblower Directive entered into force on 16 December 2019 and must be implemented by EU Member States in three months’ time, by 17 December 2021. Although Belgium and many of the other EU Member States alike are far from ready to meet that deadline, the date of 17 December 2021 will still be relevant taking into account the vertical effect of EU Directives.
In this briefing, we summarise the key takeaways from the Whistleblower Directive for Belgian legal entities active in the private sector, all subject to the final legislative texts implementing the Whistleblower Directive into Belgian law.
I. Scope of the Whistleblower Directive
The scope of the Whistleblower Directive covers reports made:
by persons who acquired information in a work-related context, meaning that a wide range of individuals can benefit from the protection offered by the Whistleblower Directive. As such, employees, former employees, self-employed contractors, job applicants, trainees, shareholders, etc. can be considered as whistleblowers; and
on breaches with respect to EU law, such as environmental protection, tax fraud, data protection, anti money laundering, competition law, product and road safety, etc.
Whilst the personal scope of the Whistleblower Directive is very wide, its material scope is thus more limited. That said, EU Member States are encouraged to broaden the (material) scope of the whistleblower protection when implementing the Whistleblower Directive into local law.
II. Types of reporting possible under the Whistleblower Directive
The Whistleblower Directive covers three types of reporting channels:
internal reporting channels must be established by legal entities as soon as they have at least 50 employees (or less depending on the member state’s implementation);
external reporting channels for which the Whistleblower Directive calls upon the member states to designate the authorities competent to receive, give feedback and follow up on reports and to provide these with adequate resources; and
public disclosures which the Whistleblower Directive considers to be a last resort in case a report made through an internal or external reporting channel did not result in appropriate action or if the concern to be reported constitutes an imminent or manifest danger to the public interest or, in case of external reporting, if there is a risk of retaliation or a low prospect of the breach being addressed effectively.
An important action point for legal entities in the private sector therefore is to timely take the necessary steps to establish an internal reporting channel (so-called “whistleblowing hotlines”) if they have reached the threshold of 50 employees (or less, depending on local law requirements).
More in particular, it will be key to:
ensure that it is made possible for whistleblowers to raise concerns in writing (online, by mail, etc.) or orally (e.g. by phone or in person), through either an in-house or an externalised system;
designate an impartial person or department competent for following-up on the reports (such as the Compliance Officer, or an external ombudsman);
provide clear and accessible information regarding the available reporting channels to potential whistleblowers, in any case to one’s own workers but also to third parties such as external contractors;
ensure that concerns raised through the internal reporting channel are duly dealt with in accordance with the procedural requirements laid down in the Whistleblower Directive, including acknowledgement of receipt within seven days, diligent follow-up, provision of feedback within a reasonable timeframe that does not exceed three months’ time, etc.; and
guarantee the confidentiality of the identity of the whistleblower as well as any third party mentioned in the report.
Note that legal entities in the private sector with between 50 to 249 workers may share resources as regards the receipt of reports and any investigation to be carried out, provided that all obligations outlined in the Whistleblower Directive are met. EU Member States may also grant these legal entities another two years’ period of time, i.e. until 17 December 2023, to establish an internal reporting channel.
III. Types of protection provided for by the Whistleblower Directive
Persons making a report through an internal or external reporting system or, in specific circumstances, through public disclosure shall qualify for:
protection against retaliation and threats or attempts of retaliation (e.g. dismissal, suspension, discrimination, unfair treatment, withholding of promotion or training, intimidation, harassment, etc.);
measures of support which include comprehensive and independent information and advice, as well as effective assistance from the competent authorities and legal aid in judicial proceedings.
Such protection shall be offered to the extent that:
the reporting person had reasonable grounds to believe that the information on breaches reported was true at the time of reporting and that such information fell within the scope of the Whistleblower Directive; and
the reporting person made a report through one of the three reporting channels provided for by the Whistleblower Directive.
If a person has made a report and qualifies for protection against retaliation, the burden of proof is reversed and it will be up to the individual or legal entity responsible for that act of retaliation to evidence that there is no link with the report made.
IV. Data protection
The Whistleblower Directive explicitly provides that any processing, exchange or transmission of personal data pursuant to the Whistleblower Directive must be carried out in accordance with the provisions of the General Data Protection Regulation (GDPR). Personal data which are manifestly irrelevant for the handling of the report made shall not be collected or, if already collected, be immediately deleted.
Unlike for example the GDPR, the Whistleblower Directive does not provide for any specific sanctions, but rather requires EU Member States to provide for effective, proportionate and dissuasive penalties applicable to natural or legal persons who obstruct the reporting of concerns or attempt to obstruct, who fail to keep the identity of the whistleblower confidential or who take retaliatory measures against whistleblowers.
Finally, note that EU Member States will also be required to provide for sanctions in case of malicious reports made by a whistleblower. The proportionality of such penalties should however ensure that they do not have a dissuasive effect on potential whistleblowers.
It remains to be seen what sanctions the Belgian legislator will provide for.
In case of questions with respect to your obligations with respect to the Whistleblower Directive, please do not hesitate to reach out Paul Geerebaert or Bruno Aguirre.