On 7 October 2019, the European Council adopted the Whistleblower Protection Directive (the "Directive") on protecting persons who report breaches of EU law. The Directive refers to disclosures made in relation to several key areas, including fraud and money laundering, financial services, data protection, public procurement and public health.
When approving the Directive earlier this year, the European Parliament referred expressly to how whistleblowers have played a key role in recent scandals such as Luxleaks, Panama Papers and Cambridge Analytica. The EU notes that whistleblowers are important in uncovering unlawful activities that damage the public interest and the welfare of citizens and society. The EU has announced that it is adopting a package of measures, of which the Directive is only one part, to afford better protections to those who act in the public interest and report wrongdoing.
While the majority of EU Member States have offered varying and fragmented standards of protection for whistleblowers, the EU did note that the UK already had comprehensive legislation in place to protect whistleblowers, namely the Public Interest Disclosure Act 1998 ("PIDA"). Notwithstanding this, the UK Government has confirmed that it does not propose to adopt the Directive into UK law given its impending departure from the EU. The Directive must be implemented in Member States by 2021.
The Directive defines a whistleblower as a person who: (1) made a disclosure in good faith; and (2) had reasonable grounds to believe the information was true at the time of the disclosure1.
The Directive requires EU companies with more than 50 employees or with an annual turnover of €10 million, to set up and incorporate suitable internal reporting channels.
Protection is granted to a wide range of potential whistleblowers, covering not only employees but job applicants, contractors, former employees and those who assist and support whistleblowers.
The Directive introduces a hierarchy of reporting channels. In the first instance, whistleblowers are encouraged to use internal reporting channels within their company, before turning to external channels. However, whistleblowers will not lose their protections if they decide to use external channels first.
Most significantly, the Directive introduces safeguards to protect whistleblowers from actual and threatened attempts of retaliation, such as suspension, demotion and intimidation. It also holds whistleblowers free from liability for disclosure of information in respect of future judicial proceedings.
While the Directive does not define the types of reporting channels that should be implemented, it suggests that companies should implement systems which allow reports to be submitted via an online reporting system, a mailbox, or by post, and/or orally via a telephone hotline or answering machine system. Importantly, this needs to be supplemented by the offer of a personal meeting where this is requested by the whistleblower. The identity of the whistleblower must remain confidential at all times.
Further, a suitable person must be appointed to deal with any whistleblower reports. The EU has provided a list of those who would be qualified, specifying:
1. compliance officer:
2. head of human resources;
3. legal counsel;
4. chief financial officer; and/or
5. executive board member or management.
It is important to note, however, that there is room for the processing of such whistleblower reports to be outsourced to, for example, specialist service providers including an ombudsman.
A common criticism by whistleblowers is that they often receive little or no acknowledgement or follow up by the company; the Directive changes this. Once a report has been received, acknowledgement of receipt must be provided within seven days and no more three months can pass before the whistleblower must receive a status update on any ongoing investigation, the outcome of such investigation or any action to be taken (this can be increased to six months in certain circumstances). We note that this specification of timeframes is likely to cause companies and their advisers some potentially significant difficulties in devising and conducting internal investigations.
The Directive requires organisations to ensure that they provide employees and other stakeholders (suppliers, service providers and business partners) with clear and easily accessible information about the reporting process and an outline of the reporting channels.
The UK Position
As noted above, the EU’s proposal for the Directive expressly referred to how the UK already has comprehensive legislation protecting whistleblowers in the form of the PIDA. However, there are indications that the British approach to whistleblower issues also continues to evolve and develop.
In a letter to the House of Commons' European Scrutiny Committee2, the UK government addressed the fact that it would not implement the Directive, and stated that it was not complacent on the issue. Notably, the British government wrote that it is committed to reviewing the UK’s own whistleblowing framework, "once the recent [EU] reforms have built the necessary evidence of their impact. As part of this we will look at the protections offered in other countries."
These comments follow a review of the UK's whistleblowing framework by the UK All Party Parliamentary Group ("APPG"), in August 2019. The APPG found that PIDA was complicated, overly legalistic, obsolete and fragmented. As such, the APPG recommended that there should be a new legal definition of whistleblowing and whistleblower to reflect current working practices and the need to protect the public. This was supplemented by a recommendation to establish an Independent Office for the Whistleblower as a new regulator in whistleblowing matters and, given their misuse in certain sexual harassment cases, that non-disclosure agreements should be banned in a whistleblowing context.
Furthermore, recent UK litigation has demonstrated how whistleblowing protection continues to expand. The Supreme Court decision in Gilham v Ministry of Justice3 held that PIDA protections can apply to holders of public office even without any formal contracts of employment.
Ms Gilham is a district judge who raised a number of complaints regarding the impact of public sector cuts on the justice system in 2010/11. She argued that those complaints amounted to a protected disclosure under PIDA. Ms Gilham alleged that she was subject to a number of reprisals on the grounds of her whistleblowing. The Ministry of Justice took the position that Ms Gilham was an office holder, not a worker, and therefore not covered by the whistleblowing protections.
On 16 October 2019, the Supreme Court held that Ms Gilham, and any other person holding a judicial role, is protected under UK whistleblowing legislation. The court held that denying this protection to non-contractual office holders is incompatible with a person's rights under the European Convention of Human Rights, namely Article 10 (freedom of expression) and Article 14 (protection against discrimination).
The decision in Gilham is significant as it makes plain that non-contractual office holders, such as judges and clerics and some trustees and company directors, who are not necessarily “employees”, can be protected as whistleblowers in the appropriate circumstances. This decision is to be welcomed as it brings clarity and consistency to this area of the law.
Separately, it is worth noting that certain businesses are also subject to additional requirements. Financial services firms authorised by either the Prudential Regulation Authority or Financial Conduct Authority must comply with rules specifying the systems and controls that they must have in place to handle whistleblowing issues. For certain firms, these rules include the need to appoint a 'whistleblowers' champion' who is responsible for ensuring and overseeing the integrity, independence and effectiveness of the firm's policies and procedures on whistleblowing.
For those doing business within the EU, the Directive is an important development of relevance across industry sectors. Member States have until October 2021 to transpose the Directive into domestic law, and there may, of course, be some degree of variation between those national implementations. It would be prudent, however, for affected companies to begin benchmarking their current policies and procedures against the Directive. Many organisations will need to update their existing compliance and whistleblowing systems to reach compatibility with the Directive.
As for the UK, it is obvious that much remains uncertain about Brexit. Nonetheless, there are at least some indications (described above) that the British government does recognise the potential for further reforms of UK whistleblowing law, particularly in light of criticism by Parliament. What is certain, however, is the topical relevance and importance of whistleblower protection in this era defined by cases such as the MeToo movement, corporate fraud or corruption, doping in international sport, or intelligence officers within the Trump White House.
1 Proposal for a Directive of the European Parliament and of the Council on the protection of persons reporting on breaches of Union law COM/2018/218 final - 2018/0106 (COD) (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52018PC0218)
3  UKSC 44