Tax evasion, letterbox companies offshore, food scandals: Whistleblowers expose irregularities and in doing so render an important service to society. Within the company, they are often put under massive pressure because of their actions. The EU aims for a better protection of whistleblowers in the future. What the specific design of the legal framework in Austria will look like remains an interesting question.

The Whistleblowing Directive has created a legal framework for reporting breaches of Union law and protecting whistleblowers against retaliation. Wolfgang Gabler, fwp lawyer and certified compliance officer, provides an overview of the changes.

Obligatory introduction of a whistleblowing system in legal entities in the private and public sector as from 2021

Scope of the Whistleblowing Directive

In transposing the Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 (‘Whistleblowing Directive’), the Member States must provide for 

• legal entities in the public sector, including any entity owned or controlled by such entities, as from late 2021,
• legal entities in the private sector (legal entities under private law) with more than 250 employees as from late 2021, and
• legal entities in the private sector with 50 to 249 employees as from late 2023

to introduce a whistleblowing system.

Member States may also require legal entities under private law with fewer than 50 employees to establish internal reporting channels after an appropriate risk assessment taking into account the nature of the activities of the entities and the ensuing level of risk for, in particular, the environment and public health was carried out.

Furthermore, Member States may exempt municipalities with fewer than 10,000 inhabitants and fewer than 50 employees, and other legal entities in the public sector with fewer than 50 employees from the obligation to introduce a whistleblowing system.

The purpose of the Whistleblower Directive is to enhance the enforcement of Union law by laying down common minimum standards for the protection of persons reporting breaches relating to the following areas of Union law:

public procurement; financial services, products and markets, and prevention of money laundering and terrorist financing; product safety and compliance; transport safety; protection of the environment; radiation protection and nuclear safety; food and feed  safety; animal health and welfare; public health; consumer protection; protection of privacy and personal data, and security of network and information systems; breaches affecting the financial interests of the Union and breaches relating to the internal market.

A number of exceptions to these areas have been provided for:

National security, the protection of classified information, the protection of legal and medical professional privilege, the secrecy of judicial deliberations, rules on criminal procedure and the employees’ right to consult their representatives or trade unions as well as the autonomy of the social partners and their right to  enter into collective agreements.

Where specific rules on the reporting of breaches in the areas of financial services, money laundering and terrorist financing as well as transport safety and protection of the environment are provided for in the Union acts, those rules apply.

Reporting persons within the meaning of the Whistleblowing Directive are:

• persons having the status of worker, within the meaning of Article 45(1) TFEU, including civil servants;
• persons having self-employed status, within the meaning of Article 49 TFEU;
• shareholders and persons belonging to the administrative, management or supervisory body of an undertaking, including non-executive members, as well as volunteers and paid or unpaid trainees;
• any persons working under the supervision and direction of contractors, subcontractors and suppliers;
• employees who have acquired information on breaches in a work-based relationship which has since ended;
• employees, whose work-based relationship is yet to begin, having gained knowledge of breaches during the recruitment process or other pre-contractual negotiations;
• facilitators (persons who assist a reporting person in the reporting process in a work-related context, and whose assistance is confidential);
• third persons who are connected with the reporting persons (colleagues or relatives of the reporting persons); and
• legal entities that the reporting persons own, work for or are otherwise connected with in a work-related context.    

Obligation to establish internal reporting channels

Member States are obligated to ensure that legal entities in the private and public sector establish channels and procedures for internal reporting and for follow-up. They have to provide useful information on the use of the internal reporting channels.

The thresholds of 50 or 250 employees do not apply to legal entities subject to legislation relating to financial services, products and markets, prevention of money laundering and terrorist financing, transport safety and protection of the environment.

Reporting channels may either be operated internally by a person or department designated for that purpose, or provided externally by a third party. Legal entities under private law with 50 to 249 employees may share resources as regards the receipt of reports and any investigation to be carried out; however, they must be able to maintain confidentiality, to give feedback and to address the reported breach.

Procedures for internal reporting and follow-up

Procedures for internal reporting and follow-up must include the following:

1. Channels for receiving the reports must be designed, established and operated in a manner that ensures that the confidentiality of the identity of the reporting person and any third party mentioned in the report is protected, and prevents access thereto by non-authorised staff members.
2. The reporting channels must enable reporting orally or in writing, or both. Oral reporting must be possible by telephone or through other voice messaging systems, and, upon request by the reporting person, by way of a physical meeting within a reasonable timeframe.
3. Designation of an impartial person or department which receives the reports, maintains communication with the reporting person and, where necessary, asks for further information from and provides feedback to the reporting person.
4. The receipt of the report must be confirmed to the reporting person within seven days of that receipt.
5. Designation of an impartial person or department competent for following-up on the reports. This can be the same person or department as defined above in item (4.).
6. Follow-up by the designated person or department, where provided for by law, also as regards anonymous reporting.
7. Reasonable timeframe to provide feedback to the reporting person, not exceeding three months from the confirmation of receipt or, if no confirmation was sent to the reporting person, three months from the expiry of a seven-day period after the report was made.
8. Provision of clear and easily accessible information regarding the procedures for reporting externally to competent authorities and, where relevant, to institutions, bodies, offices or agencies of the Union.

Type of reporting and protection of the reporting person

 Reports should primarily be made via internal reporting channels established within the legal entity in the public or private sector.

Whistleblowers may also report directly via external reporting channels or use them following internal reporting. Member States must designate authorities as external reporting channels competent to receive, give feedback and follow up on reports.

If a reporting person first reported internally and externally, but no appropriate action was taken within the three-month period, or the reporting person has reasonable grounds to believe that

•  the breach may constitute an imminent or manifest danger to public life, or
• in the case of external reporting, there is a risk of retaliation or a low prospect of the breach being effectively addressed, due to the case, 

may publicly disclose the information to third parties. In all of the cases mentioned, whistleblowers may claim protection against retaliation provided that

• they had reasonable grounds to believe that the information on breaches reported was true at the time of reporting and that such information falls within the scope of the Whistleblower Directive, and
• they reported either internally or externally, or made a public disclosure in accordance with the above-mentioned conditions.

Persons reporting to relevant institutions, bodies, offices or agencies of the Union breaches falling within the scope of the Whistleblower Directive qualify for protection under the same conditions as persons who report externally.

Member States must provide for measures to prohibit any form of retaliation against whistleblowers pursuant to the Whistleblower Directive including threats and attempts of retaliation. For this purpose, a reversal of the burden of proof is stipulated according to which the perpetrator of retaliation against the whistleblower must prove that the measure was based on sufficiently justified reasons.

Conclusion

The Whistleblower Directive must be transposed into Austrian law by 17/12/2021, for legal entities with 50 to 249 employees, the deadline is extended to 17/12/2023. By transposing the Directive, a legal basis for whistleblowing systems will be created, in particular, for companies which are already using such systems. It will be interesting to see how the legal protection of whistleblowers will be designed and whether legal entities under private law with fewer than 50 employees will be obligated to introduce a whistleblowing system.