The EU Whistleblower Directive and implementation challenges – a “last minute” update

Introduction:

As law practitioners in Denmark - one of the few countries that actually have passed the required legislation – the purpose of this article is to offer a view on the implementation issues that were assessed in the Danish implementation process as well as a on some of the uncertainties and potential challenges to legislators that the EUWBD still poses – at least from a Danish perspective.

The current implementation status (early November 2021) is that only Denmark and Sweden seem to have passed the required legislation.

Minimum directive:

The EUWBD requires the member states to transpose the specific minimum protection[1] set out in the directive into national legislation, and to do so no later than 17 December 2021. The content and elements of the EUWBD is described in more details here (https://www.twobirds.com/en/in-focus/the-eu-whistleblowing-directive), but it is perhaps relevant to recall that the EUWBD only relates to reporting on breaches of EU-based legislation. Since the EUWBD is a minimum directive, it allows Member States to apply a higher degree of protection, for instance by including a wider set of legislation under the protection offered by the EUWBD by means of national implementation legislation.

Various elements to decide:

When transposing the directive into national legislation, the legislator therefore must carefully consider whether to, for instance, add breaches of certain parts of national law under the protective wings of the implementation act. This can be done either as an integrated part of the implementation act, or separately[2].

Enhancement of the scope of protected law:

The most obvious choice that should be made is whether to introduce reporting of breaches of certain types of national law to the list of protected reporting. In Denmark, “serious offences and other serious matters” have been added to the list, and in Sweden, reports on “…misconduct in work-related contexts for which there is a public interest.”[3], [4], [5] have been added.

Obviously, the more generic the regulation covered by national implementation is, the less clear the boundaries for protected reporting will be. In the legislative work pertaining to the Danish implementation act, some guidelines are offered, but the final chart making is left with the courts to lay down through case law[6].

In this connection, it is worth recalling that article 6 of the directive requires that protection is offered to reporters that had reasonable grounds to believe that the information on breaches reported was true at the time of reporting it and “…that such information fell within the scope of this directive”. Obviously when transposing this into national law, if the legislator decides to increase the level of protection by adding reporting on certain types of national law, the implementation of article 6 should obviously also include this reporting under the protection.

Some employers might consider including additional elements under their whistleblower schemes. In Denmark, this could for instance be embezzlement of company funds or bribery[7], but to the extent such elements fall outside the scope of the act, there is actually no protection in place by law. Employers should therefore carefully consider whether it makes sense to deviate from the scope of protection established by national implementation law – and if the decision is to do so - that the whistleblower policy is absolutely clear on this[8].

From a data protection perspective, article 17 of the directive allows for processing of personal data in connection with whistleblower schemes. The Danish implementation act seems to only permit processing of personal data in connection with whistleblower schemes established in accordance with the act. This means, that schemes established outside the scope of the act, e.g., voluntary schemes established by companies with less than 50 employees, or companies who have chosen to include additional elements which are not covered by the material scope of the act, cannot rely on the legal basis for processing found herein. Thus, the legal bases for such processing of personal data must be identified directly in the GDPR and the Danish supplementary data protection law.

Obviously, the general public opinion (often formed by any recent domestic scandals involving breaches of national law, in particular if the breaches were disclosed due to some sort of whistleblowing) would play a role in the decision-making relating to the scope of protection.

Who may report?

Another element that could give rise to variations between Member States will be who the national implementation law will require being allowed to report. While article 4 in the directive lists the individuals that are covered by the directive, article 8(2) states that the channels and procedures “…shall enable the entity’s workers to report…”, and then states that “…They may enable other persons, referred to in points (b), (c) and (d) of article 4(1) and article 4(2), who are in contact with the entity in the context of their work-related activities to also report…” But as seen, the obligation relating to the internal whistleblower systems only relates to “the entity’s workers”.

The Danish implementation act[9] only requires employers to establish channels for their workers, and thus leaves the other protected groups with the option to report externally (or publicly) but other Member States might transpose this part differently.

Shared channels and shared investigative capabilities – addressing the elephant in the room?

Of particular interest is the question as to whether and to what extent group companies may share reporting channels and investigative capabilities.
The EUWBD states in article 8(3) that article 8(1) (the obligation on Member States to ensure that legal entities establish “channels and procedures for internal reporting and for follow-up…”) “…shall apply to legal entities in the private sector with 50 or more workers.”

Article 8(6) allows for “…legal entities in the private sector with 50 to 249 workers (to) share resources as regards the receipt of reports and any investigation to be carried out. This shall be without prejudice to the obligations imposed upon such entities by this Directive to maintain confidentiality, to give feedback, and to address the reported breach” - as this article puts it.

During the implementation process in Denmark, the originally proposed bill allowed legal entities in the private sector with 50 to 249 workers to have shared channels as described in the EUWBD article 8(6). Specifically, section 14 of the original bill stated that:

“Employers within the private sector with 50 to 249 workers may share resources as regards the receipt of reports and any investigation to be carried out due to such reports.”

To conclude, the bill clearly did not allow shared channels for legal entities with 250 workers or more. During the consultancy process, this was heavily criticized by several Danish multinational companies as well as employer associations. The end-result in the adopted implementation act was, that a new subsection 3 was included in section 9:

“Section 9.

Employers with 50 or more employees must establish an internal whistleblower scheme where workers can report infringements covered by section 1.

Subsection 2: The Minister of Justice may, after a specific risk assessment and after negotiation with the relevant Minister, lay down more detailed rules that employers with fewer than 50 employees must establish an internal whistleblower scheme

Subsection 3: Employers covered by subsection 1 may establish group-wide whistleblower schemes. The Minister of Justice may lay down rules to the effect that the first sentence shall not apply.

As seen, the legislator has given the Minister of Justice authority to revoke the legal basis allowing for group-wide shared schemes for larger private companies with 250 or more employees. From the preparatory work, it is quite clear that the Danish government with this amendment sought a “quick fix” to the apparent uncertainty on the shared channels/shared investigative capabilities element. After referring to the fact that

“The Ministry of Justice has on several occasions been in dialogue with the European Commission on the understanding of the Directive's rules on internal whistleblower schemes and the possibility of establishing common internal whistleblower schemes, just as the Ministry has been in dialogue with other EU countries on the issue. As it i.a. appears from the Ministry of Justice's answer to question no. 36 to the bill, it is on the present basis on the basis of the dialogue and i.a. in view of the specific exceptions of the Directive on the possibility of sharing resources, in the case of companies with 50-249 employees and municipalities, the Ministry of Justice's assessment that it is not possible for larger private companies with 250 or more employees or state and regional employers with 50 or more employees to fulfil the obligation to establish internal whistleblower schemes through a group-wide scheme.”,

the preparatory work reads:

“It is proposed in the 2nd sentence that the Minister of Justice may decide that the 1st sentence. shall not apply.

The purpose of the authorization provision is to introduce the necessary authority to lay down by executive order rules that the rule that group companies can fulfil the obligation to establish an internal whistleblower scheme through a group-wide scheme shall nevertheless not apply. It is a prerequisite for using the authorization that the Parliament's Legal Affairs Committee has been involved, including the Ministry of Justice will, during the autumn of 2021, for the purpose of this involvement obtain information on other EU countries' implementation of the directive on this point and explain the European The Commission's view. Prior to the involvement of the Legal Affairs Committee, the Ministry of Justice will have a dialogue on the issue with the larger Danish companies that have raised the issue, and these companies' interest organizations and other relevant labour market partners.

The authorization provision must be applied if it must be considered sufficiently clear that the Directive does not allow groups to fulfil the obligation to establish internal whistleblower schemes with a group-wide whistleblower scheme. In this assessment, e.g. emphasis should be placed on how the European Commission and other EU countries interpret the Directive on this point, including whether there are different interpretations of the Directive in different EU countries, and whether a number of major countries have agreed on an interpretation at all. Thus, if, at the time of the transposition deadline, there is a real doubt as to the interpretation of the Directive on this point, the authorization provision will not be used. In addition to the above on the risk of actually impairing the protection of whistleblowers, this is also due to the fact that administrative considerations with considerable weight speak in favour of not requiring groups that already have a joint group scheme to establish whistleblower schemes with subsidiaries, etc. considered to be sufficiently clarified.”

In other words: Denmark might have been one of the first countries to implement the EUWBD, but we surely were not certain on the correct implementation here, and we have therefore equipped the Minister of Justice with the power to revoke the possibility for group-wide shared channels for larger private companies with 250 or more employees if it later appears that this is not in conformity with the EUWBD, and it seems we to some extent chose speed over accuracy.

While it from a practical perspective would be relevant to analyze how “separate” a separate system needs to be (if and to the extent such requirement is found to exist)[10], it is obviously at this extreme late point in time of great concern that this central element of the mandatory whistleblower schemes – whether group companies may or may not share channels and/or investigative capabilities – is not clear.

Furthermore, this element might end up being implemented differently across the Member States, potentially giving rise to even more confusion. This will particularly be the situation where multinational group companies would find themselves caught between different legislation on this topic in the Member States where the group operates[11].

The EU Commission has in a response letter of 29 June 2021 stated that the provision in Article 8(3) leaves no room for interpretation as each legal entity with 50 or more workers is required to set up channels and procedures for internal reporting, even where such legal entities belong to a group of companies, and that any different interpretation would be contra legem.

Furthermore, the Commission has (amongst other flexibilities provided for in the EUWBD) – including the relatively obvious fact that the directive does not prohibit maintaining or creating also centralized functions within a group (i.e., alongside the ones now required to be established as a consequence of the EUWBD) – pointed to the fact that:

“Based on Article 8(6), where in a given corporate group compliance programmes are organised at headquarters level, it could be compatible with the Directive that a subsidiary company benefits from the investigative capacity of its parent company provided that:

1. the subsidiary company is medium-sized (has 50 to 249 workers);

2. reporting channels exist and remain available at the subsidiary’s level;

3. clear information is provided to the reporting persons as to the fact that designated person/department at headquarters level would be authorised to access the report (for the purpose of carrying out the necessary investigation), and the reporting person has the right to object to that and to request that the reported conduct is only investigated at the level of the subsidiary;

4. any other follow up measure is taken and feedback to the reporting person is given at subsidiary level.”

Conclusion:

To sum up, even though the implementation date is only a few weeks away, several very important questions and decisions as well as implementation steps are still left undealt with.

The vast majority of Member States are yet to pass the implementation legislation or even propose a Bill, and even Member States that have implemented the EUWBD have done so without a clear understanding of for instance the important element of shared channels and investigative capabilities.

In addition, most likely the Member States will apply different protective elements, cf. the varieties described in this article.

It will for these reasons be extremely important for employers falling under the scope of the EUWBD to closely monitor the development of the implementation process in basically all the relevant jurisdictions in which the employer operates, as well as the EU Commission’s view on these elements.

[1] See preamble 104 of the EUWBD (https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32019L1937)

[2] The latter will likely be the case if generic whistleblowing protection legislation already is in place – France for instance.

[3] Romania seems to be adding “reports: actions or ommissions qualifying as breaches of law, consisting of disciplinary misconducts, administrative offences or criminal offences, or conflicting with the subject-matter or the purpose of such laws, including breach of ethics and professional regulations.”

[4] Existing laws in France already have a broader protection.

[5] Finland seems to be on the path to including parallel national legislation to the EU legislation listed in the EUWBD.

[6] I.e., this will be dynamic. Most likely the employer will as a consequence be under an obligation to update the information provided under the WB scheme. See also note viii.

[7] If this does not add up to a “serious offence” and does not relate to EU-funds or constitute a breach of relevant EU-law, reporting on this will not be covered by the Danish implementation act. Same considerations can be made re. Swedish law.

[8] If an employer nevertheless decides to add elements, the employer will then likely be under a strict obligation to provide absolutely clear information about the fact that reporting on these elements do not result in protection, as the EUWBD in art. 7, subsection 3requires that “Appropriate information relating to the use of internal reporting channels ..shall be provided in the context of the information given by legal entities in the private…sector…”

[9] Section 9, subsection 1.

[10] Both the EUWBD (art 8(5)) and the Danish implementation act (section 11, subsection 2) allows for outsourcing of the reporting channels, and in particular in these scenarios, the “separation issue” seems a little theoretical.

[11] If for instance German law end up not allowing shared channels, then group companies operating in Denmark might be allowed to share channels whereas the German operating companies may not.