On April 16, 2019, the European Parliament made history with the approval of the European Union (EU) Whistleblower Directive (“Directive”) that provides universal whistleblower protections for all potential “reporting persons” located within member states of the EU. These protections apply whether or not the reporting person is a citizen of an EU member.
Prior to this Directive, individual EU member states were charged with enacting whistleblowing laws and related procedures. Of the 28 EU member states, less than half (only 10) had implemented statutes that offered whistleblowers any protection from retaliation. Without a comprehensive system of whistleblower protections, violations of EU laws or violations within EU member states would go unreported because potential reporting persons feared retaliation.
In 2017, the European Commission estimated the loss of potential benefits in public procurement at the UE level to be €5.8 to €9.6 billion each year. This massive loss of potential EU funds coupled with threats to public safety, the environment, banking, and a desire for transparency led to a public outcry for uniform whistleblower protections. Ultimately, in 2019, the European Parliament was motivated to approve the EU Whistleblower Directive.
Who Can Be A Whistleblower in the European Union?
A “reporting person” may be anyone in contact with the target entity through work-related activities. The idea of “work” is broadly defined to include trainees, past and present employees, shareholders, consultants, suppliers, distributors, contractors, and volunteers whether associated with private or public entities.
To receive protection, the whistleblower must report a breach of the following areas of law: public procurement, financial services, financial interests, internal market, prevention of money laundering and terrorist financing, product safety, transport safety, environmental protection, radiation protection and nuclear safety, food safety, animal health and welfare, public health, consumer protection, protection of privacy, personal data, and network security. The whistleblower must also have reasonable grounds to believe the reported breach was true at the time of the report and make the report in accordance with the Directive.
What Protections Can a Whistleblower Receive?
Under the Directive, a whistleblower is protected from retaliation of any kind including, but not limited to, demotion, discharge, or industry blacklisting. There is a presumption of retaliation if the whistleblower can prove that he or she engaged in a protected activity and suffered a detriment as a result. If retaliation is found to have occurred, the whistleblower is to be compensated in full, including: lost wages; future loss of income; and/or restoration of the whistleblower’s employment position. The whistleblower is also eligible for damages such as attorney fees, medical expenses, and pain and suffering.
The whistleblower is also protected from civil and criminal liability for claims regarding unlawfully obtained evidence, defamation, breach of contract, breach of copyright, breach of secrecy, breach of data protection rules, and disclosure of trade secrets if the whistleblower had reasonable grounds to believe that the disclosure of this information was necessary to reveal a breach under the Directive. Of note, member states may create additional protections to supplement the Directive.
How to Blow the Whistle
Pursuant to the Directive, member states (public entities) must establish external reporting channels. Private entities must establish both internal and external reporting channels. These external and internal reporting channels must be independent and autonomous, must ensure the anonymity of the whistleblower, and be capable of receiving written and oral reports. Once the whistleblower reports a breach of the underlying standard through the appropriate reporting channel, they must receive feedback within 3 months. After that time, the whistleblower may publicly disclose the breach. In addition, a whistleblower may bypass the internal or external reporting channels altogether and make a public disclosure if the breach constitutes an imminent danger to the public interest or if there is a low probability that the reported breach will be addressed internally.
The Take Away
Even though the EU Whistleblower Directive provides broad protections for whistleblowers, it does not include a monetary award or bounty for the reporting person. While this step of providing protection against retaliation is laudable and may be enough to encourage whistleblowers in the 18 EU member states that did have previous protections in place, it may have little effect on reducing or curbing violations of laws in the 10 member states that already offered whistleblowers protection from retaliation. It has been shown that whistleblower statutes that reward the reporting person by providing a bounty actually incentivizes individuals with important information to come forward. As the EU Whistleblower Directive notes, the stakes for the reporting person are quite high. Member states have two years to implement the minimum protections provided in the Directive. It will be interesting to observe if any of the member states add their own whistleblower award, and if universal protection is enough to spur the rate of whistleblowing in the EU. There are other statutes which do afford a bounty for fraud occurring within the EU which impacts non-EU entities. For example, in the United States, the False Claims Act, the SEC Whistleblower Protection Program, and the IRS Whistleblower Program are set up to provide both protection against retaliation and a bounty for whistleblowers whose information results in a recovery.