On 23 April 2018, the Commission presented a long-awaited legislative proposal on the protection of whistleblowers. The proposal for a “Directive on the protection of persons reporting on breaches of Union law” (COM(2018) 218 final) is accompanied by a Communication entitled “Strengthening whistleblower protection at EU level” (COM(2018) 214 final). Additional supporting documents and annexes are provided for, including existing EU rules on whistleblowing, an overview of Member States’ legislative framework, a comparative table on the principles on whistleblowing of the Council of Europe, the results of the public consultation on whistleblowing protection, and reports from an external study on the subject matter. All documents can be retrieved here.

In particular, the European Parliament, civil society organizations, and trade unions have consistently put pressure on the Commission to come up with such legislative action (see eucrim 4/2017, p. 176). Better protection of persons who report or disclose information on activities harming public interests (whistleblowers) is deemed especially necessary for the following reasons:

• Whistleblowers have increasingly played a crucial role in the revelation of scandals, as witnessed in the recent Dieselgate, LuxLeaks, Panama Papers, and Cambridge Analytica scandals; they are also important for the protection of the EU’s financial interests – often vital for OLAF’s work and that of the future European Public Prosecutor’s Office;
• Whistleblowers, however, regularly become victims of retaliation and/or intimidation, which in turn causes fear of reporting grievances;
• The protection of whistleblowers across the EU is currently fragmented and considered insufficient, so that whistleblowers are confronted with uncertainties about the varying legal orders across Europe.

By means of the proposed Directive, the Commission intends to lay down minimum standards for the protection of persons who report unlawful activities or abuse of EU legislation. This includes the following areas:

• Public procurement;
• Financial services, prevention of money laundering, and terrorist financing;
• Product safety;
• Transport safety;
• Environmental protection;
• Nuclear safety;
• Public health;
• Food and feed safety, animal health and welfare;
• Consumer protection;
• Data protection and security of networks or information systems;
• Breaches relating to the EU’s competition rules;
• Breaches affecting the EU’s financial interests as defined by Art. 325 TFEU, Directive 2017/1371, and Regulation No. 883/2013;
• Breaches relating to the internal market as far as certain rules on corporate taxes are concerned.

The Directive further sets the obligations for public authorities and private companies as well as the conditions and protection measures for the persons reporting and the persons concerned by the allegations.

The Directive mainly establishes the following obligations:

• As a general rule, all private companies with more than 50 employees or with an annual turnover of over €10 million, all State and regional administrations/departments, and all local municipalities of more than 10,000 inhabitants are obliged to establish internal reporting channels and procedures for reporting and following up on reports.
• The said private and public entities must fulfil certain conditions of procedure for internal reporting and follow-up, including the following obligations:
  • To ensure confidentiality of the reporting person’s identity;
  • To designate a responsible person or department to follow up on the reports;
  • To provide feedback to the reporting person within a “reasonable timeframe,” at the latest three months after the report.

• The obligation for EU Member States to establish independent and autonomous external reporting channels to designated competent authorities (in this context, the proposal sets out further criteria for the independent and autonomous design of the external reporting channels);
• These authorities must give feedback to the reporting person within three months (extendable to six months) about the follow-up on the case.

It is foreseen that three tiers of reporting be established: In general, the whistleblower must first report information to his/her employer using internal reporting channels. However, he/she can directly use the external channels (second tier) or, where relevant, address EU institutions, under the following conditions::

• Internal channels do not exist;
• The use of internal channels is not mandatory (e.g., reports by non-employees); or
• Internal channels do not function or could not reasonably be expected to function (e.g., because of a fear of retaliation; concerns about confidentiality; concerns about the destruction of evidence; avoidance of imminent substantial danger to life, health, safety of persons, the environment, etc.).

As a last resort, the whistleblower can also publicly disclose information, e.g., to the media or civil society organizations (third tier). This is considered possible under two conditions:

• The whistleblower reported internally and/or externally first, but no appropriate action was taken in response to the report within the timeframe referred to;
• The whistleblower could not reasonably be expected to use internal and/or external reporting channels due to imminent or manifest danger to the public interest, or to the particular circumstances of the case, or where there is a risk of irreversible damage.

The proposed Directive further provides a set of measures to protect the whistleblower from retaliation if the conditions under the new EU law are met. These measures must be implemented by the EU Member States and include, inter alia:

• Entities must be prohibited from taking certainaction against whistleblowers such as suspension or dismissal, demotion or withholding of promotion, coercion, intimidation or harassment, discrimination or unfair treatment, etc.
• Reporting persons’ access to legal advice;
• Reversal of the burden of proof, so that it is up to the person taking action against a whistleblower to prove that the detriment was duly justified;
• Reporting persons’ access to remedial measures against retaliation, including interim relief pending the resolution of legal proceedings;
• No liability for whistleblowers for disclosing information, thus creating a ground of immunity;
• Increased protection in judicial proceedings, as a result of which whistleblowers can, for instance, rely on EU law as a defence if legal actions are taken against the whistleblower outside the work-related context (e.g., for defamation, breach of copyrights, breach of secrecy, or for compensation requests).

However, the Directive will also provide protection for persons affected by malicious whistleblowing or unjustified allegations in a report. In this context, the proposal stresses that the persons concerned must fully enjoy the right to an effective remedy and to a fair trial as well as the presumption of innocence and the right of defence.

In the accompanying Communication, the Commission calls upon Member States to foster awareness raising, give guidance to businesses and the staff of national authorities, and provide for appropriate training measures. Member States are also encouraged to consider extension of the Directive’s scope to other areas and go beyond the minimum rules set by the EU law.