Part 1 – What changes will the EU Whistleblowing Directive bring?
The EU Whistleblowing Directive (EU 2019/1937) (“the Directive” or “EUWBD”) is a hot topic of discussion right now. That makes sense, given that it is a new and wide-reaching piece of legislation that needs embedding in national laws and compliance from organisations. But what does it really change? And how should organisations handle these changes?
In this three-part series, written in collaboration with seasoned compliance professional Ezekiel Ward from North Star Compliance, we will look at the Directive from the perspective of multinational organisations. The Directive offers a great deal to unpick and observe over the coming years.
So – what’s new with the Whistleblowing Directive?
Firstly, for a directive, it’s a very detailed document. It includes overall goals for Member States, but also describes what is expected to happen in individual cases. Organisations with more than 250 workers have to comply with its provisions by 17 December 2021. Those with more than 50 workers have to do so by 17 December 2023. There are details on how to handle individual reports, such as suggested timeframes for responses and what those responses shall include. The basics of complying with the Directive are listed in this previous article.
Secondly there is a route for whistleblowers to report externally to authorities within the Member States. Under certain conditions, a whistleblower can disclose a matter publicly.
Thirdly, there are details on non-retaliation that will catch the eye of anyone familiar with handling whistleblowing complaints. The practicalities of exactly how to handle retaliation requires examination.
What is not new?
As implied above, there is plenty in the Directive that is not new. A compliance expert in a multinational will probably look at the rules and determine that they already had some of the requirements in place several years ago.
This is all about retaliation. A subtle and not yet widely discussed point is that the Directive doesn’t affect things you see outside of a work-related context (cf Article 4). Outside work there is less leverage for retaliation than in a work environment (preamble, para. 36). It is noteworthy that certain industries are excluded, such as defence and national security.
Whistleblowing has changed. If your compliance program is in order, whistleblowing systems and internal processes have been less administratively burdensome in recent years. Take for example the requirements around data protection, where previously a registration was required for each Member State’s Data Protection Authority. Now, the GDPR makes such steps more efficient. At the same time, volumes of reports have increased generally. There are heightened enforcement and reputational consequences. And the world has become more volatile. So there’s no shortage of challenges.
Finally, the same old tensions exist around anonymity and privacy (data protection). Subjects have rights too, which may directly oppose a whistleblowers’ protections. Knowing your accuser and being given the chance to cross-examine their allegations is, in many jurisdictions, a ‘given’.
It seems to me that anonymity and privacy will collide with reality at some point on a whistleblower’s journey. Organisations will need to be one step ahead of how these processes might play out.
In next week’s blog we’ll be looking at what whistleblower behaviours might be driven by the Directive. And how organisations can best handle the risk of retaliation. Follow us on LinkedIn or subscribe here to North Star Compliance and stay tuned!