Reed Smith Client Alerts

The Whistleblower Directive (Directive (EU) 2019/1937) (the Directive) requires every company or public body in the EU that has 250 or more employees to implement its own internal reporting policy for whistleblowing. Whilst one interpretation of the Directive allows for companies to have a group-level whistleblowing regime, the Directive is being interpreted by the EU Expert Group and the European Commission as requiring each subsidiary with 250 or more employees to have a separate internal reporting channel at the local level, and to give whistleblowers the option to report at the local or group level. However, many large companies view this as impractical and unworkable. In Denmark, leading multinationals have been working together to seek a change in how the legislation is implemented to allow for a more practical, centralised regime. Thanks to the corporations’ successful lobbying, the domestic law implementing the Directive has now been revised to allow companies to continue with their centralised systems. However, the ministry of justice reserves the right to reverse this decision, provided that (i) it first consults with the Danish parliament’s judiciary committee, the trade unions and large corporations, (ii) it is finally determined that the EU Commission’s interpretation stands and (iii) it becomes clear that the Directive is being implemented differently in other EU member states (in particular, the larger states). Denmark will therefore not be ‘best in class’ or the first mover in implementing the Directive, but will instead wait and see how the Directive is implemented in other member states.

Key points

1. Who: From the end of 2021, EU companies and public bodies with 250 or more employees must implement an internal reporting system. From 2023, this will change to include companies and public bodies with 50 or more employees.

The scheme must be made available to all employees (see key point 3).

2. What: The Directive covers disclosure of breaches of EU law in the following areas, among others: public procurement; financial services; product safety and compliance; transport safety; protection of the environment; protection against radiation and nuclear safety; food and feed safety, animal health and welfare; public health; consumer protection; protection of privacy and personal data; network and information system security; as well as state aid and competition law compliance to the extent that a matter is not mandatorily regulated by sector-specific EU legislation.

3. Why: The purpose of the Directive is to provide greater protection across EU countries for those seeking to expose breaches of EU law.

Whistleblowers who report breaches of EU law will be protected from dismissal, suspension, demotion and other forms of discrimination. This protection extends to employees, former employees, subcontractors, shareholders, suppliers and other third parties.

4. How: It is up to each individual member state to define how the reporting channels will be established, provided that protections to ensure confidentiality and anonymity are incorporated.

5. Sanctions: The Directive obliges member states to impose effective and proportionate sanctions on companies and public bodies that do not adhere to the reporting system, including failing to maintain the confidentiality of whistleblowers and hindering attempts to report breaches.

6. When: The Directive must be implemented by EU member states no later than 17 December 2021.

Group implementation

7. The Directive requires that every company or public body with 50 or more employees set up reporting channels and procedures. Employers with 50-249 employees (be it group companies or individual companies) have the option to share resources.

8. The European Commission’s view is that the Directive has enough flexibility to be compliant with whistleblowing legislation in other jurisdictions, such as the U.S. FCPA and the UK Bribery Act, although it is difficult to see how. As regards compliance with the Directive itself, the Commission’s position is that each subsidiary must have its own separate procedure. Whistleblowers then have the choice to report breaches at either the local or group level. That choice, however, cannot be turned into an obligation to report to the parent company, and the whistleblower must give their approval to a local report being shared with, or handled and investigated by, the parent company. Moreover, keeping the parent company out of an investigation may prevent it from mitigating the breach, if any.