The EU Whistleblowing Directive: considerations for UK organisations

On 16 December 2019, the EU passed the Whistleblower Protection Directive (the "Directive"), starting the clock on a two-year deadline which requires Member States to transpose the Directive's provisions into national law.

For various reasons, including cultural attitudes towards whistleblowing, the protection afforded to whistleblowers across Member States is heavily inconsistent.  While we have had whistleblowing cover in place in the UK since 1999 – thanks to the Public Interest Disclosure Act ("PIDA") – the protection afforded in many EU countries applies only to specific industries or disparate groups of employees.  The Directive is being introduced by the EU as a harmonisation process which ensures rigorous protection is afforded to whistleblowers across all Member States.

Key provisions of the Directive

The Directive provides that Member States must, by 17 December 2021, require employers to:

• introduce internal channels and procedures, including ensuring that the whistleblower's identity is kept confidential;
• prohibit all forms of retaliation against whistleblowers;
• identify competent authorities to receive, provide feedback and progress reports; and
• implement effective and proportionate penalties for anyone who retaliates against whistleblowers, obstructs the reporting of a disclosure or otherwise breaches the duties outlined in the Directive.

Implications for UK employers

Following Brexit, the UK is no longer obliged to implement the Directive.  What impact, as a UK employer, can the Directive therefore have on your business?

The first point to bear in mind is that the UK-EU Trade and Co-operation Agreement requires that the UK keeps up with EU levels of employment protection.  This may therefore see the government decide to amend UK law to keep pace with EU worker rights and best practice.

Here are some aspects of the Directive not currently reflected in PIDA, which could be introduced into UK whistleblowing law:

• widening the scope of individuals who are afforded protection, such as to include self-employed contractors, volunteers and non-executive directors;
• requiring employers with 50 or more employees to set up internal channels and feedback procedures;
• introducing standards for how regulators maintain confidentiality, provide feedback and follow-up on any disclosures;
• implementing provisions to protect whistleblowers from potential liability, such as breach of confidence, defamation and data protection; and
• providing legal aid for whistleblowers seeking to bring employment-related claims.

In addition, the Directive establishes only the minimum requirements that must be adopted.  As such, Member States may choose to 'gold plate' the provisions to cover additional areas.  For example, the draft bill in Germany provides that the whistleblower protection regime shall not only apply to breaches of EU law but also to infringements of German law in many areas.

Accordingly, while one aim of the Directive is the harmonisation of rules, it is possible that businesses will have to manage an assortment of new rules depending upon the approach adopted by different countries.  In addition to the option for jurisdictions to extend the provisions, there are also aspects where the Directive permits countries to determine their own rules, for example:

• whether businesses and competent authorities are required to accept and follow-up on anonymous whistleblowing reports;
• the scope of breaches which can be reported; and
• penalties for retaliation.

What action should you be taking?

These potential variations will make it difficult for multinational employers to implement a global, 'one-size fits all' approach to whistleblowing.  For example, how will you use whistleblowing hotlines that allow employees based in different jurisdictions to report concerns confidentially and anonymously?

The Directive will signal a significant change in approach to whistleblowing in many Member States, as well as altering the compliance landscape for employers with European operations.

If you are a global employer, you will need to carefully monitor the aspect of local country implementation to ensure you have an approach that both works for your business and achieves compliance.  Have you considered whether any changes will be required (or are simply desirable) based on the scope of the Directive and any expanded Member State protections?

In addition, if you adhere to the US Sarbanes-Oxley Act, will you need to revisit your approach to ensure that it satisfies the most extensive protections implemented by each Member State you operate in, while also continuing to meet US requirements?

While the Directive will require many EU and multinational companies to make changes, by ensuring that effective whistleblowing arrangements are in place, your business will have an opportunity to become aware of concerns at the earliest stages, helping to avoid or limit financial and reputational risks.

For more information on what matters your organisation should be taking into consideration now, in advance of the December 2021 deadline, please speak to one of the team.