Last week, the European Parliament approved new, wide-ranging rules to protect “whistleblowers” – those who reveal information concerning breaches of EU law. Political agreement on these rules had already been achieved among the EU’s legislative bodies, which means that the new rules are now likely to be implemented across the European Union in 2021. In some countries, that will herald a major upgrade in the protections available to those who blow the whistle on illegal practices.
As the European Parliament highlighted, several recent scandals have come to light following the actions of insiders who revealed information to the authorities or to the media, and a 2017 study by the European Commission argued that the economic case for stronger whistleblower protection for those engaged in public procurement was strong. But the European institutions are keen to encourage increased reporting of rule-breaches in order to improve enforcement and deter wrongdoing generally, and the new law will therefore apply across a wide variety of EU policy areas, including financial services, anti-money laundering, competition law, corporate tax rules, and personal data and privacy laws.
The draft Directive will protect workers – a category that is broader than employees and includes (for example) self-employed consultants, suppliers, trainees and job applicants – and they are protected from any form of retaliation so long as they have reasonable grounds to believe that the information they provided was true or they have a reasonable suspicion of illegal activity. Furthermore, the whistleblower must be given access to free and independent advice and will have a defence in any legal claim, including immunity from action for breaches of non-disclosure agreements.
The protection is not absolute. To qualify for protection, the whistleblower must follow the correct procedures, and will be “encouraged” to use the employer’s internal reporting channels. All companies with 50 or more employees, and most financial services companies even if they have fewer than 50 employees, will be obliged to establish such internal procedures. However, the individual concerned may go directly to the external responsible authorities, particularly if there are no internal procedures, or those procedures cannot be expected to function effectively, or (for example) if the alleged breach of law relates to financial services. In limited circumstances, the whistleblower can also report the alleged breach to the media, but this will be the exception rather than the rule.
Of course, one problem with whistleblowing rules – even if they are comprehensive – is that prospective whistleblowers may not be aware of them. In fact, according to the European Commission, only around 15% of European citizens know about existing laws. For that reason, the new Directive will require member states to publicise the new rules and the protection that they offer to relevant individuals. However, the Directive does not envisage financial rewards for whistleblowing or anonymity for reporting.
The impact of the new rules will vary from country to country and from sector to sector, depending upon the scope of existing rules. The UK, for example, already offers whistleblowers some of the most comprehensive protections in the world, and UK-regulated financial services firms are already required to have whistleblowing procedures. But, in general, UK law (most notably, the 1998 Public Interest and Disclosure Act) does not require companies to establish internal reporting procedures, nor does it require free legal advice to be made available to whistleblowers. Therefore, assuming that the UK implements the new rules (which may depend on the outcome of the Brexit negotiations), its rules will need to evolve, with a consequent impact on many British portfolio companies.
On the other hand, most EU countries do not currently offer comprehensive protection for whistleblowers. Although financial firms are often required to establish procedures – for example, firms within scope of the Markets in Financial Instruments Directive (MiFID) must have a channel for employees to report a breach of MiFID – the protection is patchy. Germany is a prominent example of a country that, in some sectors, offers virtually no protection other than as required by existing EU law. In those countries, the Directive will lead to major changes, even for some financial firms.