Key points
1. Who: From the end of 2021, EU companies and public bodies with 250 or more employees must implement an internal reporting system. From 2023, this will change to include companies and public bodies with 50 or more employees.
The scheme must be made available to all employees (see key point 3).
2. What: The Directive covers disclosure of breaches of EU law in the following areas, among others: public procurement; financial services; product safety and compliance; transport safety; protection of the environment; protection against radiation and nuclear safety; food and feed safety, animal health and welfare; public health; consumer protection; protection of privacy and personal data; network and information system security; as well as state aid and competition law compliance to the extent that a matter is not mandatorily regulated by sector-specific EU legislation.
3. Why: The purpose of the Directive is to provide greater protection across EU countries for those seeking to expose breaches of EU law.
Whistleblowers who report breaches of EU law will be protected from dismissal, suspension, demotion and other forms of discrimination. This protection extends to employees, former employees, subcontractors, shareholders, suppliers and other third parties.
4. How: It is up to each individual member state to define how the reporting channels will be established, provided that protections to ensure confidentiality and anonymity are incorporated.
5. Sanctions: The Directive obliges member states to impose effective and proportionate sanctions on companies and public bodies that do not adhere to the reporting system, including failing to maintain the confidentiality of whistleblowers and hindering attempts to report breaches.
6. When: The Directive must be implemented by EU member states no later than 17 December 2021.
Group implementation
7. The Directive requires that every company or public body with 50 or more employees set up reporting channels and procedures. Employers with 50-249 employees (be it group companies or individual companies) have the option to share resources.
8. The European Commission’s view is that the Directive has enough flexibility to be compliant with whistleblowing legislation in other jurisdictions, such as the U.S. FCPA and the UK Bribery Act, but that is difficult to see. And in turn, as regards compliance with the Directive, the Commission’s position is that each subsidiary must have its own separate procedure. Whistleblowers then have the choice to report breaches at either the local or group level. That choice, however, cannot be turned into an obligation to report to the parent company and the whistleblower must give their approval to a local report being shared with or handled and investigated by the parent company. Moreover, potentially holding the parent company out of an investigation may prevent it from mitigating the breach, if any.
9. The EU's approach is, in practice, unworkable for large groups with many subsidiaries because many have centralised finance, law, corporate social responsibility and HR departments, meaning that these functions are not present in each legal entity and that ultimate responsibility is at the group level.
10. A centralised whistleblowing model ensures that the outcome of a case does not differ depending on the subsidiary and makes transnational reports easier to manage. In addition, dealing with investigations at the group level will generally mean a lower risk of confidentiality breaches and a higher level of impartiality.
Certain aspects of implementation left to member states to decide
11. There is a level of flexibility afforded in the Directive, allowing member states to implement the regime in slightly different ways. This has been confirmed by the European Commission. Member states may:
(a) Decide to transpose the material provisions of the Directive exactly as set out in the Directive, or to extend the prospective regime of the Directive to reports of breaches of national law in the policy areas covered by the Directive (or even beyond).
(b) Give whistleblowers the right to request a physical meeting at the company where they are employed
(c) Include more favourable provisions in their transposition laws (shorter deadlines for acknowledgement of receipt or for feedback, rewards for whistleblowing, etc.).
(d) Decide how best to implement certain aspects of the internal reporting channels and procedures (for example, the procedure for providing feedback) to allow for follow up.
12. Some member states are not planning to implement new legislation, instead amending existing legislation so as to be compatible with the Directive. In these cases, the existing legislation may not address the issue of a distinction between a centralised or decentralised system.
13. In Denmark, the proposed bill to implement the whistleblowing regime originally followed the European Commission’s interpretation in stating that larger multinational or group companies cannot continue solely with a centralised whistleblowing procedure.
14. A number of large Danish companies, (Maersk, Carlsberg, Lego, Vestas, Danske Bank, Ørsted, Pandora, DSV, Leo Pharma, Chr Hansen, Coloplast, Velux, Kamstrup, Egmont and Demant) lobbied to amend the bill, to allow the sharing of the same whistleblowing channel on the basis that this will be more effective than a decentralised system, as smaller organisational units have narrower perspectives, are less familiar with routine procedures and have less experience, and as a result the quality of their whistleblowing procedures will suffer.
15. In the end, the Danish government agreed that a centralised system is preferable. The Danish ministry of justice’s representative in the EU Expert Group raised concerns about decentralised whistleblowing regimes in the group’s last meeting on 14 June 2021 and gained support from the Spanish and Latvian representatives, but there is no consensus on whether or not there is a need for both a centralised and decentralised system.
16. The above-mentioned large Danish companies have also been in dialogue with the Expert Group. In addition to the issue of whether a dual system is needed, the companies expressed their concerns regarding the group’s view that a subsidiary should be allowed to share the outcome of an investigation (but not the details absent the whistleblower’s approval). The Danish companies do not accept that this is the final word, given that the Directive is open to interpretation.
17. Reed Smith understands that other multinationals, including Akzo Nobel, Bacardi, Daimler, Diageo, Heineken, Infineon, Nokia, Bosch, Philips, Swiss Re, Unilever and Volkswagen, are also lobbying for a centralised system.
18. If your company has subsidiaries with 250 or more employees, Reed Smith invites you to contact us if you are interested in lobbying national governments to ensure that the best options available to large enterprises are adopted by member states, including a centralised whistleblowing regime.
19. You may consider bringing the issue up with your respective national representatives in the Expert Group.
In any event, multinationals doing business in Europe need to prepare for the implementation of the Directive. Reed Smith can help with this and have significant experience in the implementation of compliance regimes.
Client Alert 2021-183