At the end of January news reached the compliance community that the European Commission (EC) had issued infringement proceedings against EU member states that have not yet fully transposed the EU Whistleblower Directive (2019/1937). The matter of local transpositions of the Directive was already causing executives in both global and national organisations some confusion. How should they now handle this new layer of complexity?
In this article we clarify what is happening, to which member states, and most importantly, what can organisations that are subject to the EU Whistleblower Directive do to minimise the risk of getting caught out by the legal proceedings.
Definitions
EU Whistleblower Directive: aims to give greater protection to whistleblowers, requires certain organisations to make internal reporting channels available to whistleblowers, and prohibits all forms of retaliation against whistleblowers.
Transposition: adoption of all the provisions of a Directive into local laws by EU member states.
Infringement procedure: when the European Commission takes legal action against an EU country that fails to implement EU law. The formal procedure follows a number of steps laid out in the EU Treaties.
Background to the infringement proceedings regarding the EU Whistleblower Directive
The EU Whistleblower Directive entered into force on December 16, 2019, giving all EU member states until December 17, 2021 to transpose the Directive into national laws irrespective of whether whistleblowing laws already exist.
Only three member states met the deadline, Sweden, Denmark and Lithuania. Seven more have joined them since the deadline, Cyprus, Estonia, Lithuania, Portugal, Latvia, Malta and Ireland. At the time of writing, the progress of all the other countries ranges somewhere between approval of proposed bills to not yet started the transposition process.
Which countries have been sent infringement procedure notifications?
Member states that missed the deadline for the EU Whistleblower Directive transposition stand to be in breach of EU Treaties, for which formal infringement proceedings can be initiated. These countries have been sent letters of formal notice, step one in the formal infringement procedure.
There are many factors that may have caused a delay in the local transpositions, from preoccupation with national general elections and establishing new governments (e.g., Germany) to prioritising pandemic-related issues. Further, the existence of comprehensive national whistleblowing laws (e.g., France, Ireland, the Netherlands), or patchworks of laws, may require amendments to local laws that is simply taking more time than available for government administrations.
Aside from a failure to meet the deadline, it would appear that some member states have been sent notifications even though they did implement their local transpositions in time. This is the case with Denmark, and it may indicate that infringement proceedings have also been initiated against member states that have not fully transposed the provisions of the EU Whistleblower Directive. In its local transposition, Denmark made an exception to the EU Directive provision that prohibits group subsidiaries with 250 employees or more from sharing internal reporting channels. The provision has generated a lot of feedback from larger organisations, regarding the duplication of resources or additional competences this would entail, amongst other things.
“It’s quite rare for infringement proceedings to be initiated against EU countries so soon after non-compliance with a Directive. Perhaps it indicates how seriously the EU sees the need to protect whistleblowers as a valuable resource for early information regarding breaches to EU laws,” says lawyer Jan Stappers, Senior Manager, Partnerships, WhistleB by NAVEX.
Do the infringement procedures impact companies wanting to comply with the EU Whistleblower Directive?
As a reminder, regardless of the infringement proceedings the EU Whistleblower Directive applies to all organisations in EU member states that employ 50 employees or more. There are provisions in the Directive allowing organisations with 50-249 employees more time to comply (latest December 17, 2023). However, the local transpositions of some countries make the Directive immediately applicable to all entities with 50 employees or more, as is the case in Portugal.
Although we cannot be certain, this move by the EC may catalyse member state governments into completing, or in some instances starting, their local transpositions of the EU Whistleblower Directive. So, while legally the infringements proceedings will not change the substance of the EU Directive with which organisations are required to comply, the national whistleblowing laws might start to emerge faster than organisations may have anticipated, based on progress so far.
Another thing for organisations to keep in mind is that in expediting their local transposition processes, member states might be temped to skip over some of the consultation stages that such processes usually involve. There may thus be a risk that the local transpositions are hastily drawn up, not fully representative of relevant national stakeholders, such as trade unions, and consequently not as robust.
How can organisations prepare to comply with whistleblower laws that don’t yet exist?
The unevenness of the member states’ transpositions of the EU Whistleblower Directive, both in terms of timing and substance, has left organisations that operate across jurisdictions grappling over which laws to follow. National companies do not necessarily have an easy time ahead of them either – they may be expected to comply very quickly once the local whistleblowing laws have been enacted.
What can they do to at least nudge themselves closer to compliance in the meantime? One of the best places to start is the minimum standards of the EU Whistleblower Directive. These will apply to all organisations with 50 or more employees, and to all EU member states. They require organisations to make internal reporting channels available, and they specify the processes surrounding these channels. If organisations familiarise themselves with these standards (see below) and adjust their own processes accordingly they will be off to a good start.
- A secure channel for receiving whistleblower reports must be put in place.
- Acknowledgment of the receipt of the report must be provided to the whistleblower within seven days.
- An impartial person or department must be appointed to follow up on the reports.
- Records must be kept of every report received, in compliance with confidentiality requirements.
- There must be diligent follow-up of the report by the designated person or department.
- Feedback about the report follow-up must be provided to the whistleblower within three months.
- All processing of personal data must be done in accordance with the GDPR.
Further, it would be prudent for organisations to check the whistleblowing laws that already exist or have been proposed in transposition bills in the EU countries where they have a presence and apply the strictest versions of these to their whistleblowing operations.