EU Whistleblower Directive

How to Navigate the EU Whistleblower Directive and More

Matt Kelly

For many years, corporate whistleblowers in Europe were left to fend for themselves when they tried to raise alarms about misconduct. The very idea of whistleblowing carried a stigma in Europe, tracing back to the continent’s dark history during fascism and World War II. However, last year’s EU Whistleblower Directive symbolizes a new wave of thought around the topic. 

Over the last decade, the attitude has been changing. The European Union has adopted new whistleblower protection directives for the whole region, and one country after another has adopted its own national law to encourage corporate whistleblowers. 

This is a welcome advance in ethics and compliance, although global businesses do face challenges in complying with the EU's new wave of whistleblower protection laws. Compliance programs must balance competing interests around privacy, cultivating a speak-up culture, and rooting out reported misconduct as efficiently as possible.

The EU Whistleblower Directive and More

Corporations working in Europe will encounter whistleblower protection laws at multiple levels. 

First is the EU Whistleblowing Directive, which went into force at the end of 2019. This rule directs all member states of the European Union to adopt their own version of the directive as national law by the end of 2021. 

The directive itself says companies working in the EU that have 50 or more employees must create internal reporting systems to help employees and other third parties report violations of EU law and to protect those persons from retaliation when they do speak up. 

At a minimum, the national laws must include all the whistleblower protections listed in the EU directive, although they can also go further and include more protections if a country wants. For example, the EU directive lets individual states decide how to handle anonymous reporting, or whether to give financial rewards to whistleblowers who bring concerns to the government that result in monetary penalties. 

Second are the national whistleblower protection laws in each EU state. Some countries have already adopted whistleblower protection laws that reflect the EU directive's goals; others have embedded the same protections in anti-corruption laws. For example:

Not every EU country has specific whistleblower protection statutes yet. Germany, for example, only has whistleblower protections that arise from general employment law and labor agreements. Spain has whistleblower protections for the securities industry, and its criminal code encourages businesses to protect whistleblowers, but that’s all. 

Requirements of EU Whistleblower Protection Rules  

All EU whistleblower protection laws require the same basic elements: a system to allow employees and third parties to submit allegations of misconduct, and policies and procedures to protect those whistleblowers from retaliation after they do speak up. 

That said, the specific requirements of each country's whistleblower protection rules can vary quite a bit. So organizations working across Europe, facing compliance with multiple whistleblower protection laws simultaneously, will need to ask themselves several questions as they try to understand precisely what compliance obligations they have. For example:

Is your business covered by a nation’s whistleblower protection rules?

Most global organizations are large enough that they will be covered, but that may not always be the case. As mentioned, Spain’s rules only apply to the securities sector. In France, Sapin II’s anti-corruption provisions apply to any company doing business in France with more than 500 employees, but the whistleblower protection clauses apply to companies with as few as 50 employees. 

What allegations can be submitted?

The EU Whistleblower Directive provides protections for certain violations of EU law, such as allegations about accounting fraud, food safety, money laundering, nuclear safety, and public health. National laws can go further, to protect allegations about violations of local criminal law or even the company’s own Code of Conduct. 

How should anonymous reports be handled?

National whistleblower protection laws will handle anonymous reporting in different ways. For example, countries such as Germany and France focus more on shielding the identity of the whistleblower through data protection laws, although even then the laws allow for some circumstances when a whistleblower's identity might be revealed, such as when an accused person demands to know where an allegation came from.

How will data protection laws intersect with whistleblower protection laws?

This issue can get complicated quickly because while whistleblower protection laws vary from one EU state to another, the EU General Data Protection Regulation (GDPR) applies universally across the entire union. So the subject of a complaint might have privacy rights that apply under the GDPR, even as a company tries to protect the identity of a whistleblower under other laws. This complexity can have implications for how the company handles the intake of complaints, investigations, and even follow-up communication with the original reporter. 

Altogether, compliance officers can see the larger challenge here. First, they must conduct a wide-ranging assessment of EU whistleblower protection rules that might apply to the organization. Then they need to construct the right blend of policies, procedures, and training that meet all the expectations of whistleblower protection rules without violating any data privacy rules.  

Why Whistleblower Protection Programs Are Important

If for no other reason, whistleblower protection programs are important because a company exposes itself to litigation or regulatory enforcement actions without them. 

Most EU whistleblower protection rules first direct employees to report their concerns internally, either to the compliance department or some other office. If the company ignores the complaint, only then can the employee bring his or her concerns to regulators. (This is the case in Germany and the Netherlands, for example.) 

So the less responsive a company is to whistleblowers, the greater the chance those whistleblowers will report misconduct to outside authorities. This means more money spent responding to regulators, who might also impose penalties for weak whistleblower programs or retaliation along the way. 

Across the EU, whistleblowers who experience retaliation can also seek redress in the courts, such as by filing a wrongful termination lawsuit. Laws differ about how much in damages a whistleblower could claim, but at the least, they could sue to get back their jobs. Even if they don't win, their cases mean more time and resources spent by the legal department.

More broadly, however, a strong culture of whistleblower protection helps companies in other ways. Employee morale is likely to be higher, and turnover is likely to be lower. Numerous studies have also shown that higher rates of internal reporting correlate with fewer material lawsuits against the company, fewer regulatory enforcement actions, and even better financial performance. 

So even if a company can't quantify a specific ROI for stronger whistleblower protection, comparing the costs of investing in whistleblower programs against the risks and expense of whistleblower protection failures makes clear that the ROI does exist. The European Union is converging on the same high standards for whistleblower reporting that already exist in the United States, and businesses ignore that fact at their peril.
