Alex Cotoia, Regulatory Compliance Manager at the Volkov Law Group, joins us for an informative four-part series on the EU Whistleblower Directive. Alex can be reached at [email protected].

Directive 2019/1937 of the European Parliament and Council dated 23 October 2019 on the “protection of persons who report breaches of Union law” (the “Directive”)[1] is set to enter into legal force on 17 December 2021—the deadline established by the European Union (“EU”) for the transposition of the Directive’s requirements into the national law of all twenty-seven member states. The Directive has broad applicability to organizations operating in the EU internal market and applies to both public and private sector organizations alike.

As a general matter, the Directive requires member states to adopt common minimum standards respecting the protection of would-be whistleblowers who report violations of EU law in the areas of: (1) public procurement; (2) financial services; (3) product safety and compliance; (4) transport safety; (5) protection of the environment; (6) radiation protection and nuclear safety; (7) food and feed safety, animal health and welfare; (8) public health; (9) consumer protection; and (10) protection of privacy and personal data, as well as the security of network and information systems.[2] The Directive’s material scope also covers “breaches affecting the financial interests of the Union as referred to in Article 325 TFEU [Treaty on the Functioning of the European Union] and further specified in Union measures,”[3] as well as to “breaches relating to the internal market in relation to acts which breach . . . corporate tax [rules] or arrangements that create tax advantage[s]”[4] that broadly undermine EU corporate tax law. The EU’s emphasis on a discrete provision of the TFEU addressing the obligation of member states to adopt measures to counter fraud and other illegal activities in the public sphere is a strong indication of Europe’s continued commitment to governmental transparency and democratic accountability. 

Article 4 of the Directive extends whistleblower protection to certain “reporting persons working in the private or public sector who acquired information on breaches in a work-related context.”[5] This intentionally expansive definition encompasses both conventional full-time employees, as well as to “workers” as defined by Article 45(1) TFEU[6], and to persons having “self-employed status.”[7]

Organizations should be cognizant that the term “worker” as interpreted by the Court of Justice of the European Union (“CJEU”) is expansive. Indeed, under established case law, the test for determining whether an individual qualifies as a “worker” hinges on the so-called “Lawrie-Blum formula.”[8] Under this test, the essential feature of an employment relationship is that a person performs services of some economic value for, and under the direction of, another person in return for which she receives remuneration.[9] Thus, the term “worker” as employed in the Directive would include a host of unconventional employment relationships, including part-time and contract work, volunteer service, and internships.

Notably, the Directive also applies to “shareholders and persons belonging to the administrative, management or supervisory body of an undertaking, including non-executive members.”[10] Similarly protected are “any persons working under the supervision and director of contractors, subcontractors and suppliers”[11] of an organization. Recognizing that retaliation against whistleblowers often extends beyond the reporting individual, Article 4 also affords protection to certain third persons connected to the whistleblower, including the whistleblower’s colleagues and relatives, as well as “facilitators” who assist a whistleblower in a covered context.[12] Under the Directive, the term “facilitator”[13] means any natural person who assists a reporting person with the reporting process in a work-related context.

By virtue of Article 6, whistleblowers are guaranteed legal protection under the Directive to the extent: (1) they have reasonable grounds to believe that the information reported was true at the time of the report; and (2) the whistleblower reported either internally to the organization, externally to a competent authority, or publicly as provided for in Article 15.[14] Significantly, despite the EU’s demonstrable distaste for anonymous reporting, Article 6(2) of the Directive does not impair the ability of member states to decide whether private organizations or competent authorities designated by member states are required to accept and follow up on anonymous reports of covered breaches.[15]

[1] Directive 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the Protection of Persons who Report Breaches of Union Law, 2019 O.J. (L 305) 17.

[2] Directive 2019/1937, Article 2, 2019 O.J. (L 305) 17, 34.

[3] Directive 2019/1937, Article 2, 2019 O.J. (L 305) 17, 35.

[4] Id.

[5] Directive 2019/1937, Article 4, 2019 O.J. (L 305) 17, 35.

[6] Id. at Article 4(1)(a).

[7] Id. at Article 4(1)(b).

[8] See generally, Case 66/85, Deborah Lawrie-Blum v. Land Baden-Württemberg, 186 E.C.R. 2139.

[9] Id.

[10] Directive 2019/1937, Article 4(1)(c), 2019 O.J. (L 305) 17, 35.

[11] Id. at Article 4(1)(d). 

[12] Id. at Article 4(4)(a) and (b).

[13] Id.

[14] Id. at Article 6(1)(a) and (b).

[15] See e.g., Article 29 Data Protection Working Party, Opinion 1/2006, “On the Application of EU Data Protection Rules to Internal Whistleblowing Schemes in the Fields of Accounting, Internal Accounting Controls, Auditing Matters, Fight against Bribery, Banking and Financial crime,” 10-11 (1 February 2006).