Andre Bywater and Jonathan Armstrong join us for a guest posting on the EU Speaking Up regime. André and Jonathan are lawyers with Cordery in London, United Kingdom, where they focus on compliance issues. André Bywater can be reached at [email protected] and Jonathan Armstrong can be reached at [email protected].

In 2019 the EU introduced new rules to enable whistleblowers to report about EU law irregularities (https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32019L1937), which EU countries must implement into their national law by 17 December 2021.  Following Brexit the UK (which has existing whistleblowing rules) will not be applying these EU rules. EU countries must ensure that rights and remedies under the EU whistleblowing rules cannot be waived or limited by any agreement, policy, form or condition of employment.

Speaking up is now an EU issue

Speaking up has been regulated comprehensively in only some EU countries. Following scandals like the Panama Papers the EU decided it was time to act and have an EU regime in order to better be able to detect, investigate and sanction abuses of EU law.

It’s very important to understand that these new rules are focussed on certain EU laws, as set out in a lengthy list – areas that will affect all organisations are anti-trust/competition and data protection and other areas such as product safety and public procurement might affect many more. A key issue for organizations will therefore be to scope out what covers them and consequently what they’ll need to refer to in their whistleblowing policies.

Raising concerns

The EU whistleblowing rules enable a wide range of people to raise concerns, not only employees and the self-employed but volunteers, trainees, shareholders, non-execs and others – those handling claims in organizations will need to know about this. This expansion of who can speak up is very much a global trend.

Raising concerns means raising reasonable suspicions about actual or potential breaches of a particular EU law in question. Those speaking up must have reasonable grounds to believe that the concerns they’re raising were true at the time of reporting.

The EU rules put the emphasis on whistle-blowers reporting internally (i.e. within an organization), but external reporting (i.e. to regulators etc.) is also possible as is going public, subject to certain conditions. Internal reporting applies to private sector organizations with 50 employees or more, to which exceptions apply, notably financial services.

Reporting channels may be operated internally but this can be outsourced to a third party. Organizations will therefore need to check contracts with and do due diligence on hotline operators to ensure that the new EU rules have been taken into consideration. Confidentiality is sacrosanct – a whistle-blower’s identity must not be disclosed to anyone apart from those in the team handling a report. As for anonymity however it will be up to each EU country to decide on whether to allow for anonymous reporting or not and if so under what conditions. This may lead to a patchwork of different requirements which make it more challenging for an organization to have a one-size-fits-all whistleblowing policy.

Internal reporting is subject to a number of prescriptive rules concerning timelines and content. Receipt of a report must be acknowledged to the whistle-blower within 3 days of receipt of the report, and 3 months after that feedback, outcomes etc. must be provided to the whistle-blower. Record-keeping is also set out in detail and whistle-blowers have plenty of rights as regards being able to review, rectify and sign off on records of calls, minutes made of meetings etc. Organizations will have plenty to do putting this into their policies and processes.

Protections, penalties and bounties

A centrepiece of the EU speaking up rules is a prohibition on retaliation against the whistle-blower. These are extensively (but not exhaustively) set out ranging from employment termination to being excluded from training to psychiatric or medical referrals.

Individuals subject to whistleblowing allegations are also protected, i.e. they have full legal rights.

EU countries have to apply sanctions to penalise issues like hindering or attempting to hinder whistleblowing and they must also apply measures that provide for remedies and compensation such as for retaliation. Because this is all left to the discretion of EU countries there will inevitably be a patchwork throughout the EU where e.g. sanctions for the same issue could range from going to jail in one country to a minor fine in another country. 

EU countries also have to provide for penalties and compensation for false whistle-blowing.

The EU rules are completely silent about rewards or bounties. Generally-speaking this issue is not something seen in Europe. One exception at least however applies in the UK. The UK antitrust regulator, the Competition and Markets Authority (the CMA), offers financial rewards of up to £100,000 (currently around USD$145,000) entirely at the CMA’s discretion and in exceptional circumstances for ‘inside’ information about the existence of a cartel; see the CMA’s “Informant Rewards Policy” here https://www.gov.uk/government/publications/cartels-informant-rewards-policy.

Key takeaways

Organizations in the EU will need to either put in place or review policies and procedures – trying to put this together on a one-size-fits-all basis will be challenging because there will be local variations. One particular area that will require particular attention will be to also comply with privacy/data protection (GDPR) requirements – doing a Data Protection Impact Assessment will therefore be a must.