The EU Whistleblowing Directive was adopted in response to a series of scandals that were initially reported by whistleblowers, including such well-known fiascos as the Panama Papers and the Cambridge Analytica scandal.
This action by the European Union (EU) is another important statement of the advantages of a robust employee reporting system and effective case management practices. Research—and experience in the field—confirm that robust and widely-used internal reporting systems are more effective in identifying and remediating problems. There is an obvious correlation between increased use of hotline reporting systems and improved business performance.
2021 Deadline Quickly Approaching
As the 2021 deadline fast approaches for EU member states to transpose the requirements of the Directive into national law, organizations with a presence in the EU should be re-evaluating their internal policies and procedures to account for the Directive’s more exacting requirements.
In the face of these requirements, companies need to begin building and/or refining the elements of a compliant program. To do so, companies have to plan an end-to-end system by establishing reporting systems, promoting the availability of the reporting system, creating a system to triage and assign investigators to handle a complaint, managing investigations, providing feedback and status reports to whistleblowers, and organizing documents and internal management procedures. To implement the system internally, companies have to design and implement new policies and procedures to explain system improvements, publicize the changes and ensure that employees are fully aware of the new system. Failure to comply can lead to major problems for a corporation.
The Directive's Requirements
Among other things, the Directive requires companies with 50 or more employees (as broadly defined by the Directive) and those operating in the areas of financial services or particularly vulnerable to money laundering or terrorist financing to establish a robust internal whistleblowing system.
This system should permit employees to report in a variety of manners, to ensure there are convenient avenues available. This includes the ability to receive both written and oral reports, and the opportunity for the reporter to engage in a physical meeting with the department or individual designated by the organization to receive such reports.
As one would expect given the EU’s sweeping data privacy regulations, confidentiality under the Directive is considered paramount although anonymity is left to the discretion of member states. As such, organizations with a presence in multiple EU states should continue to be attuned to emerging developments in all affected jurisdictions and consider whether an anonymous reporting option—already a requirement under some regulatory schemes like Sarbanes-Oxley—should be available by default.
Crucially, although Article 7 of the Directive encourages reporting through internal organizational channels first, external reporting is available to employees where no action has been taken in response to a report, or where the whistleblower believes an imminent danger to the public or a risk of retaliation exists. This makes it all the more important that organizations do their level best to promote a speak-up culture and implement appropriate internal controls to ensure that whistleblowers are insulated from retaliation.
The Directive also mandates the diligent investigation and prompt disposition of whistleblower claims. Under Article 9 of the Directive, the whistleblower must be given initial confirmation of receipt of the report within seven days, and a response to the report no later than three months. Because investigations policies vary considerably across organizations, these policies should be revisited in light of the Directive’s timeline requirements and revised as applicable.
Moreover, organizations subject to the new Directive should continue to be cognizant of GDPR in relation to the processing and storage of sensitive employee information in connection with any whistleblower investigation. Although the Directive itself contains no specialized guidance with respect to the handling of such data in relation to whistleblowing schemes particularly, EU privacy regulations most certainly apply. For organizations, GDPR’s applicability to the Directive means that organizations must perform a Data Protection Impact Assessment (DPIA) in connection with the collection, processing, storage, and disposition of whistleblower data. Required by Article 35(1) of GDPR for all activities that involve a “high risk to the rights and freedoms of natural persons,” the DPIA should include:
- A systematic description of the proposed processing operation and the purposes of processing, including the legitimate interest pursued by the controller;
- An assessment of the necessity and proportionality of the proposed processing operations in relation to the purpose
- An assessment of the risks posed to the rights and freedoms of data subjects; and
- The measures envisaged addressing the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data in compliance with GDPR.
Ensure Proper Reporting and Data Processes
Finally, multi-national organizations must tread carefully when determining how the reporting process will work in practice. As the potential processor of whistleblower information, the organization must comply with all regulations governing the transfer of such data both within the EU/EEA and extraterritorially to jurisdictions like the United States, where the absence of a valid adequacy determination by the European Commission means that standard contractual clauses (SCCs) or binding corporate rules (BCRs) are required to legally export protected data.
Generally speaking, organizations should endeavor to keep as much information within the country of origin as possible and rely on thoroughly trained local personnel to investigate and appropriately disposition claims raised under the Directive. Most importantly, any information that is collected in relation to a whistleblower report should be strictly and objectively necessary to verify the allegations made, appropriately segregated from other personal data, and promptly deleted at the conclusion of the investigation, unless disciplinary or legal proceedings result therefrom.
The EU Whistleblowing Directive's Impact
The old adage that an “ounce of prevention is worth a pound of cure” is certainly applicable to case management practices of organizations that interface with the EU. By paying keen attention to emerging national developments, routinely revisiting standard policies and procedures, and taking preventative measures to ensure data processing activities are legal and secure, organizations can significantly mitigate the risk associated with internal whistleblowing activities.