EU Whistleblower Directive: A Primer (Part II of IV) – Internal and External Reporting
Alex Cotoia rejoins us for part II of his IV-part series on the EU Whistleblower Directive.
Article 7 of the Directive instructs member states to encourage reporting through internal organizational channels first, where the risk of retaliation is remote and the reported breach can be effectively addressed on an internal basis.[1] Private sector organizations with 50 or more workers are legally required to establish channels and procedures for internal reporting of EU law breaches and to conduct appropriate follow-up.[2] To alleviate the impact of the Directive’s requirements on smaller undertakings, private sector organizations with 50 to 249 workers are permitted to share resources “as regards the receipt of reports and any investigation to be carried out.”[3] However, the Directive explicitly provides that such participating organizations remain individually accountable for maintaining the confidentiality of reports, providing feedback, and addressing the reported breach.[4]
The Directive further empowers member states to expand its applicability to private sector organizations with fewer than 50 workers.[5] As a predicate to that expansion, however, member states are obliged to conduct a risk assessment, considering the nature of the private sector organization’s activities, and the particular risk those activities pose to both the environment and to public health.[6]
Article 9 of the Directive is by and large the most impactful for organizations affected by the Directive. Under that Article, organizations must implement enhanced procedures for both internal reporting and diligent follow-up. Specifically, organizations must ensure that channels for receiving reports are “designed, established and operated” in a secure manner that maintains the confidentiality of the identity of both the whistleblower and any third parties implicated by the report.[7] Moreover, organizations must ensure that the reporting system is inaccessible to unauthorized personnel.
Significantly, the Directive imposes a strict seven-day requirement for acknowledging receipt of the initial report.[8] While many organizations are accustomed to longer time periods that permit compliance professionals to conduct a preliminary examination of the claim, the Directive repeatedly emphasizes ‘diligence’ in addressing the reported claim by designated impartial persons or departments. The Directive requires, for instance, that the organization provide feedback to the whistleblower no later than three months from the acknowledgment of receipt of the whistleblower’s report.[9] Reporting channels required by the Directive must be able to receive oral or written reports (preferably both), the former of which should be enabled by telephone or other voice messaging system.[10] With respect to oral reporting specifically, an opportunity for a physical meeting within a “reasonable timeframe” after the report is made must also be available to the whistleblower.[11] Finally, the Directive further requires organizations to provide information to whistleblowers about external reporting opportunities to competent authorities.[12]
Articles 10 to 12 of the Directive address the need for member states to designate “competent authorities” to receive external reports respecting breaches of EU law. As with organizations under Article 9, competent authorities designated by member states must establish independent and autonomous external reporting channels,[13] promptly acknowledge receipt of such reports within seven days,[14] and provide feedback with respect to such reports within a reasonable timeframe, typically no later than three months.[15] The Directive does, however, permit competent authorities to extend the three-month deadline by an additional three months “in duly justified cases.”[16] Notably, Articles 11(3)-(6) delegate to member states the discretion to enable competent authorities to ferret out minor and repetitive reports, as well as prioritize suspected breaches of EU law that implicate the Directive’s “essential provisions.” This is a considerable silver lining for organizations apprehensive of the Directive, as it manifests the intention of the European Parliament and Council to enable member states to exercise discretion in choosing which breaches are the most egregious and therefore warrant the most attention.
Public disclosures of potential EU law breaches are also protected by virtue of Article 15 of the Directive. Under Article 15(1)(a), a whistleblower is protected to the extent she first reported internally to the organization or externally to a competent authority, and no appropriate action was taken within the required three-month timeframe. Protection also extends to whistleblowers who have reasonable grounds to believe either that: (a) the suspected breach might constitute an imminent or manifest danger to the public interest; or (b) in the case of external reporting, a risk of retaliation exists, or there is a low prospect of the breach being effectively addressed due to collusion with the perpetrator or the potential for evidence to be concealed or destroyed.[17]
[1] Directive 2019/1937, Article 7(2), 2019 O.J. (L 305) 17, 37.
[2] Directive 2019/1937, Article 8(3), 2019 O.J. (L 305) 17, 38.
[3] Id. at Article 8(6).
[4] Id.
[5] Id. at Article 8(7).
[6] Id.
[7] Id. at Article 9(1)(a).
[8] Id. at Article 9(1)(b).
[9] Directive 2019/1937, Article 9(1)(f), 2019 O.J. (L 305) 17, 39.
[10] Id. at Article 9(2).
[11] Id.
[12] Id. at Article 9(1)(g).
[13] Id. at Article 11(2)(a).
[14] Id. at Article 11(2)(b).
[15] Id. at Article 11(2)(d).
[16] Id.
[17] Directive 2019/1937, Article 15(1)(b), 2019 O.J. (L 305) 17, 41.