Implementing the EU Whistle Blowing Directive
This series of blogs was originally published here throughout September 2020. On this page we have brought the series together in one place.
Update May 2021
The EU Whistle Blowing Directive is in the process of being transposed into the national laws of Member States. In that process we are seeing very little consultation, and clients across Scandinavia are citing national efforts that are confused at the draft stage. The directive text is here.
This confusion is driven by an interpretation of Article 8(6) of the Directive:
"Legal entities in the private sector with 50 to 249 workers may share resources as regards the receipt of reports and any investigation to be carried out. This shall be without prejudice to the obligations imposed upon such entities by this Directive to maintain confidentiality, to give feedback, and to address the reported breach."
This has been mistakenly interpreted as meaning that legal entities with more than 250 workers cannot share resources such as a whistle blowing system with other legal entities in the same group. This is plainly wrong.
The notion that totally separate entities can share resources yet companies in a group cannot do so appears totally illogical and inefficient. Adequate resources simply cannot be given for each legal entity to operate its own system.
Further, the draft proposals ignore preamble paragraph 55 which states:
"Internal reporting procedures should enable legal entities in the private sector to receive and investigate in full confidentiality reports by the workers of the entity and of its subsidiaries or affiliates (‘the group’), but also, to any extent possible, by any of the group's agents and suppliers and by any persons who acquire information through their work-related activities with the entity and the group."
Our continued advice to clients is to implement a global system that is used by all entities and affiliates within its group, as well as being available to external parties. There are options for including wording to users of your systems that will ensure the parent company / other entity can be meaningfully involved in investigations in a compliant manner.
Part 1 – What changes will the EU Whistle Blowing Directive bring?
The EU Whistle Blowing Directive (EU 2019/1937) (“the Directive” or “EUWBD”) is a hot topic of discussion right now. That makes sense, given that it is a new and wide-reaching piece of legislation that needs embedding in national laws and compliance from organisations. But what does it really change? And how should organisations handle these changes?
In this three-part series, we will look at the Directive from the perspective of multinational organisations. The Directive offers a great deal to unpick and observe over the coming years.
So – what’s new with the Whistle Blowing Directive?
Firstly, for a directive, it’s a very detailed document. It includes overall goals for Member States, but also describes what is expected to happen in individual cases. Organisations with more than 250 workers have to comply with its provisions by 17 December 2021. Those with more than 50 workers have to do so by 17 December 2023. There are details on how to handle individual reports, such as suggested timeframes for responses and what those responses shall include.
Secondly, there is a route for whistle blowers to report externally to authorities within the Member States. Under certain conditions, a whistle blower can disclose a matter publicly.
Thirdly, there are details on non-retaliation that will catch the eye of anyone familiar with handling whistle blowing complaints. The practicalities of exactly how to handle retaliation require examination.
What is not new?
As implied above, there is plenty in the Directive that is not new. A compliance expert in a multinational will probably look at the rules and determine that they already had some of the requirements in place several years ago.
This is all about retaliation. A subtle and not yet widely discussed point is that the Directive doesn’t affect things you see outside of a work-related context (cf Article 4). Outside work there is less leverage for retaliation than in a work environment (preamble, para. 36). It is noteworthy that certain industries are excluded, such as defence and national security.
Whistle blowing has changed. If your compliance program is in order, whistle blowing systems and internal processes have been less administratively burdensome in recent years. Take for example the requirements around data protection, where previously a registration was required for each Member State’s Data Protection Authority. Now, the GDPR makes such steps more efficient. At the same time, volumes of reports have increased generally. There are heightened enforcement and reputational consequences. And the world has become more volatile. So there’s no shortage of challenges.
Finally, the same old tensions exist around anonymity and privacy (data protection). Subjects have rights too, which may directly oppose a whistle blower’s protections. Knowing your accuser and being given the chance to cross-examine their allegations is, in many jurisdictions, a ‘given’.
It seems to me that anonymity and privacy will collide with reality at some point on a whistle blower’s journey. Organisations will need to be one step ahead of how these processes might play out.
Part 2 – Whistle blower behaviour and managing retaliation risk
Below we go a little deeper into how whistle blower behaviour might be influenced by the Directive. And how organisations can best handle the risk of retaliation – both to individual whistle blowers and to the organisation itself.
Will this change the behaviour of whistle blowers?
The Directive includes explicit rights and protections for whistle blowers that are easy to establish in its clean text.
But whistle blowers have already crossed psychological and social thresholds to get to where they are. That is not an easy process, and the promise of rights and protections might not enter the equation as heavily as “what will my colleagues, friends and family think?” or “what will be the consequences for me personally in spite of my rights?”
What do whistle blowers think? The issue of what a whistle blower subjectively believes will be an important discussion. Throughout the Directive, there are references to “reasonably believed” and “necessary” to report. This places a huge emphasis on the whistle blower’s rationale for reporting. Their good faith and maturity will be assessed as part of this process.
There will undoubtedly be fascinating aspects to this focus on “reasonable belief”. For example – the interplay between whistle blower protections and defamation cases brought by their organisations. If a whistle blower genuinely believes a set of facts, they may well be protected under the Directive. Yet those facts could be extremely damaging to an organisation, and may even be untrue. What rights to recourse or correction would an organisation have against a whistle blower who has damaged their reputation, albeit under ‘reasonable belief’?
Better handled internally?
We know from studies across many years that the vast majority of whistle blowers want to handle issues internally. One could question whether we will see a change to these patterns due to the Directive. Is it simply too terrifying to go external? Is there some residual loyalty to their organisation? Time will tell if the Directive changes this, and consistent, high quality research will ensure we capture and observe these changes.
Climbing the ladder
There is a theoretical concern that disgruntled whistle blowers will “climb the ladder” of rights until they get to public disclosure. Or maybe they’ll just skip straight to the media.
A reporter might consider starting with internal reporting, then external, then full public disclosure, hoping each time for an outcome they will like.
I don’t see this as a major risk. Firstly, only a tiny percentage of whistle blowers report things externally. Secondly, if the reporter is disclosing information publicly, then they might already have received answers they don’t like from both the organisation (internal reporting) and the authority (external reporting). Will media outlets side with such a reporter? It’s another major threshold for whistle blowers to cross.
Handling the risk of retaliation in the real world
Between a rock and a hard place
Retaliation can be horrible and deters many whistle blowers from making or pursuing a concern. The Directive is right to focus on retaliation.
But handling such a nebulous risk in the real world is a significant challenge. Imagine an anonymous complaint of possible bribes to a public official. The reporter hasn’t revealed themselves, though their identity may be deduced. There may be no means of dialogue with them to gather further information. Compliance departments will know this uncomfortable feeling, right between the most familiar of ‘rocks and hard places’. You can barely investigate, let alone prevent retaliation against the reporter.
Time is limited
As a CCO I would often make direct contact with whistle blowers (if possible) who I felt were acting in good faith, were totally genuine and yet could be exposed to retaliation. My teams and I would talk to reporters at regular intervals to ensure we heard about any issues that sounded like retaliation. Being able to do this in a select few cases is fine. But you simply cannot do so for everyone. If the average multinational receives between 3 and 6 serious reports per year for every 1000 employees, it’s unrealistic to talk like this to them all. Language and cultural barriers add risk to such an exercise that must be carefully considered.
In my experience reporters regularly have performance issues or other grievances that are often totally unrelated to their whistle blowing report.
We have to develop clear positions on retaliation. What is our definition? What are the red flags that dictate we should follow up? What controls do we have in place to check for these red flags, and that our processes are being followed? How do HR and Compliance collaborate on retaliation and other issues? What records have been kept by HR that clearly document any unrelated issues?
These sorts of steps aim to ensure we keep a factual eye on the case at hand versus totally separate operational issues. For a system to operate smoothly, you’ll need the support of managers throughout the organisation and a collaborative, efficient Human Resources function.
Can you prove a negative?
It is noteworthy that the EUWBD places a presumption of retaliation against whistle blowers in certain cases before a court (Article 21(5)). Causation therefore needs to be ‘broken’ by an organisation in respect of, for example, overlooking a reporter for a promotion or raise. This could make for peculiar viewing – organisations will be trying to ‘prove a negative’ (it was not about the report) and will need to point to HR files and management decisions totally extraneous to the whistle blowing process.
If a whistle blower’s identity has been hidden and there was no means of deducing that a report was made by them, will that be enough for a court to state that there is no causal link between the report and the detrimental treatment?
Part 3 – Requirements for General Counsels and Chief Compliance Officers
Here we look at the actions required from General Counsels and Chief Compliance Officers in meeting the Directive. We’ll also outline the practical next steps.
Creativity of GCs and CCOs
Legal & Compliance functions will appreciate the clarity of parts of the Directive, and will also be able to see several advantages offered by it.
The Directive allows for internal reporting first. This is not a requirement, but there is a duty on Member States to “encourage” this (Article 7(2)). This is an acknowledgement that complaints are often best handled by organisations themselves, and as close to the issues as possible. Authorities, I hope, will be brave in passing back cases that have not been through an adequate internal process first, assuming a problem could have been fixed there. In short – we get a clear shot at handling issues properly before the authorities are involved and before there is public scrutiny. How exactly this will develop is unclear at present, given that Member States are yet to detail how they will implement the Directive.
Organisations must “acknowledge” receipt of a report within seven days (Article 9(1)(b)) and then “provide feedback” to the reporter within a relatively short timeframe of three months (Article 9(1)(f)). This is fine for the majority of issues, but incredibly short for complex cases, which can take well over a year of careful work to come to fruition. Even if “feedback” simply means ‘staying in touch’ with the whistle blower, such communications need to be incredibly carefully managed.
All the efforts behind the Directive are presumably aimed at complex cases, not the run of the mill reports that simply need processing. Onlookers will have to acknowledge the flexibility behind the phrase “feedback” and its inclusion of “action envisaged” (Article 5(13)).
General Counsels (GCs) and Chief Compliance Officers (CCOs) will need to continue to show creativity in revealing issues naturally through the course of business. Perhaps through regular audits, reviews or risk assessments, there will be other means of establishing findings and dealing with them whilst not revealing a reporter’s identity (or even the fact that there is a report).
GCs and CCOs also need to show creativity in ensuring that accountability remains in the line, where issues are handled best. Better use by managers of case handling tools or central compliance resources is really challenging administratively, but might be needed if we are truly to capture and properly process all cases arising in the organisation.
Culturally, we need employees to work together with their managers to handle issues and not make them bigger than needed. Of course there is a valve for releasing pressure that cannot be handled locally, either by poor-performing managers or because they’re too big to be handled properly. Training of managers in handling issues should remain a priority for compliance teams.
Organisations will need to assess the Directive according to their own circumstances, risks and needs. Below are a few examples of what we see as the priorities:
Make sure you have the right misconduct reporting system in place. Don’t feel afraid of changing system – it can be a liberating experience. Do enough to meet the requirements of the Directive and think about whether you want to go further, for example based on what your organisation might need in the future.
Governance & Policies
Get the ‘nuts and bolts’ in place formally through policies, and ensure your systems are set up to match these decisions.
Discussions are needed around complex issues such as anonymity, whistle blower and subject (accused) rights, formal steps protecting reporters against retaliation, data protection and tensions with other legal requirements. There should be crystal clear procedures for escalation to management, the CEO, the Audit Committee and the Board.
Ensure alignment early on to avoid surprises, perhaps in the middle of a tense investigation. Ownership and accountability should be decided sooner rather than later.
Think strategically about self-preservation. When do you need to protect your own organisation? Defamation is the flip side of whistle blowing – when do you need to take a stance? And when does taking a stance lose you goodwill?
Like all policies, controls are needed to ensure they’re operating as intended. What can be added to your compliance controls framework? Think escalation, approvals, segregation of duties, etc. You may also want to ensure that communications teams are actively monitoring the public domain for emerging cases.
Involve the people who matter in the whistle blowing process and aspects of non-retaliation. Work closely with all leaders and managers in your organisation, HR, Data Protection Officers, works councils and unions. Bringing employees and their representatives into the discussion is perhaps the most effective means of getting ahead of issues.
Training programs should include details on the Directive, which is rather prescriptive on what information should be made available.
Likewise, communications programs should meet the formal requirements and probably go further, according to your organisation’s individual culture and risks.
Dilemma-based training for key groups such as executive management (or risk-exposed functions) can really get people thinking about the challenges that lie ahead.
The Directive isn’t retroactively applicable. But one can see the potential to drag up old cases (Article 4.2 allows for whistle blowing from past work relationships). You need to ensure that you have handled matters credibly and thoroughly, also in the past.
A review of past significant cases in light of the Directive could help to get ahead of such a risk.
There are some uncertainties outlined above, and the need for research and observation is clear.
What remains to be seen is whether national measures will (or already do) go further than the Directive. The UK’s unique position remains to be seen.
The tensions between data protection and whistle blower rights will be more keenly felt in some jurisdictions than others.
Another piece of legislation – the GDPR – has been seen by some as over-optimistic, impractical and partly unenforceable. DPAs have been swamped with useless information, without the resources to address all of it. The Directive could face the same charges unless well implemented and enforced.
Case law will need to develop and guide the practical use of the Directive, especially for enforcement and how great a deterrent will be seen in the form of penalties.