Staying Compliant with the EU Whistleblower Law 

Cheat Sheet

  • There’s a new deadline for compliance. Entities with 50 to 249 workers must establish reporting channels by December 17, 2023.
  • Identify legal entities. A corporate census can show which entities meet the 50-worker threshold.
  • Establish internal reporting channels. Each qualifying entity needs a unique channel for whistleblowers to confidentially report misbehavior.
  • Consistency is important. Organizations with entities in multiple EU states should harmonize compliance processes while also accounting for nuances in national laws.

Businesses with an EU presence have been reviewing their corporate compliance programs since the EU Whistleblower Protection Directive (Directive) took effect in October 2019. Some, like yours, may need to implement changes.

These efforts to reevaluate and possibly restructure compliance programs have occurred despite a lack of understanding of all the applicable legal requirements, as many EU member states watched their December 2021 deadline to transpose the Directive into national law come and go with little legislative progress.

While there is more certainty now than at the end of 2021, more than half of EU member states have yet to implement legislation as of mid-2022. This staggered cadence of legislative enactments presents a challenging puzzle for businesses to assemble based on their EU footprint and corresponding national laws (or absence thereof).

Despite these complexities, the Directive is both an acknowledgement and a reminder that whistleblowing programs are critical for maintaining well-functioning workplaces and protecting the public interest. The proposal for the Directive cites a 2017 corruption survey that found that 81 percent of respondents did not report corruption they experienced or witnessed and 85 percent of respondents believed that workers rarely or very rarely report concerns for fear of retaliation. This grim assessment, coupled with a fragmented approach to whistleblower protections across the European Union, led to adoption of the Directive with the goal of establishing common minimum standards for whistleblower protection across the bloc.

To this end, the Directive details specific baseline requirements to be included in national legislation. Among the most notable of these requirements for corporate compliance functions are obligations for entities with 50 or more workers to:

  • Establish confidential internal reporting channels;
  • Communicate with whistleblowers within specific timelines;
  • Adhere to strict limits on which entity may receive and investigate reports; and
  • Appoint competent individuals to perform report handling and investigations.

The Directive adopted a staggered approach for its implementation deadline: it set a December 17, 2021 deadline for entities with 250 or more workers to establish internal reporting channels, but deferred the requirement for entities with 50 to 249 workers until December 17, 2023.

This article provides some key considerations for multinational organizations to address the minimum requirements.

Corporate census

The first step toward understanding which requirements impact an organization is to identify the legal entities within the corporate group that operate in EU member states and the number of workers in each entity. This “corporate census” will show, for example, whether a particular entity within the European Union meets the 50-worker threshold and, if so, which implementation deadline applies. Attention should also be given to any anticipated corporate restructuring, merger and acquisition activity, and staffing level fluctuations.

Understanding the organization’s EU footprint is essential to identifying which national laws and requirements apply to the business and its various EU entities, or will in the near future.

Establish secure and confidential whistleblowing channels by entity

The worker count of each EU entity is critical information for understanding each entity’s obligation to establish an internal reporting channel. When the obligation is confirmed, consider the desired method(s) of reporting.

The Directive calls for reporting channels to enable reporting in writing, orally, or both. As to oral reporting specifically, the Directive notes that telephonic reporting, voice messaging, and in-person “physical” meetings are acceptable reporting methods. The best practice is to offer more than one option for reporting.

Whichever reporting method is selected, it must allow the whistleblower’s identity and the identity of any third party mentioned in the report to remain confidential and protected from access by unauthorized individuals.

Some national transpositions (e.g., Portugal) include monetary penalties for failing to protect the confidentiality of a whistleblower’s identity. The Directive defers to member states on whether anonymous reports must be accepted. Consequently, this is a decision for organizations to make with reference to national law.

The desire for direct reporting to a centralized compliance function, a common preference of multinationals, is a potential pain point. But the Directive is clear on the issue — each EU entity meeting the 50-worker threshold must establish its own internal reporting channel. That does not mean that organizations are prohibited from also allowing or encouraging reporting directly to the group level. The European Commission confirmed that while “reporting channels cannot be established in a centralised manner only at group level,” companies may “encourag[e] whistleblowers to report directly to the central group whistleblowing functions.” Nonetheless, Denmark’s transposition allows “group-common whistleblower schemes” (unless and until its minister of justice decides otherwise).

Identify and retain required resources

Ensure that each entity has, or acquires, the resources to maintain an effective whistleblowing program. The resources needed by each entity that must establish an internal reporting channel will differ depending on its size and existing resources.

The Directive treats medium-sized entities (50 to 249 workers) differently than large entities (250 or more workers). Thus far, national transpositions have largely followed this approach. Medium-sized entities may share resources for report receipt and investigations with other medium-sized entities. Similarly, unless a whistleblower objects, a medium-sized entity may also utilize the investigation resources of its parent company.

This reduces the resource burden for medium-sized entities, but no such allowance is granted to large entities. Each large entity must maintain its own resources for these functions. Therefore, a large entity that has historically relied on a centralized reporting channel and investigations unit must now establish its own reporting channel and retain the human and financial resources necessary to conduct investigations.

The Directive specifically notes that entities may utilize third parties to operate their reporting channels, which is commonly done. When organizations outsource this function, they must ensure that the third-party service has robust safeguards for maintaining confidentiality and data protection (including functionality to route reports to the correct entity and limit unauthorized access by individuals in other group entities).

Maintain consistency in whistleblowing procedures

Procedural consistency is important to an effective whistleblowing program. But such consistency may be challenged by decentralizing a previously centralized whistleblowing program.

Organizations with entities in multiple EU member states must be cognizant of each applicable national transposition to harmonize their compliance processes and account for nuances in national law. For example, the Directive states an entity must acknowledge receipt of a report within seven days of receipt and provide feedback (a defined term in the Directive) to the whistleblower within three months from acknowledgement of report receipt. But Portugal’s law indicates the feedback period runs from the date of report receipt, potentially shortening the feedback period by up to a week.

The corporate census enables the organization to develop procedures to maximize consistency in internal processes compliant with the national legislation.

The Directive is a laudable and substantial step toward greater whistleblower protections across the European Union. It is also forcing a partial decentralization of whistleblowing programs within multinational organizations, a shift that is, however, complicated by delayed transposition of the Directive in numerous EU member states. But with the general framework of the Directive well understood, corporate compliance programs can adjust established whistleblowing procedures in response — and provide greater protections for whistleblowers along the way.