Almost one year after its adoption by the European Parliament, more than half of the EU's 27 Member States have started transposing the EU Whistleblower Protection Directive into national law. Now, only 15 months remain until the transposition deadline leaving the clock ticking loudly not just for lawmakers, but also for the organisations that will be required to follow the new rules.
The Directive impacts hundreds of thousands of organisations and small and medium-sized enterprises (SMEs) right across Europe that employ more than 50 people. But it is those with 250 employees or more that will be required to comply first.
What the Directive means for affected organisations
The Directive revolves around the explicit protection of a broad range of whistleblowers who report a violation of EU law. In turn, this places a number of legal obligations on organisations, with the adoption of safe reporting channels (such as whistleblower websites and hotlines) chief among them. The Directive is explicit in specifying that such channels should be:
"designed, established and operated in a secure manner that ensures that the confidentiality of the identity of the reporting person and any third party mentioned in the report is protected, and prevents access thereto by non-authorised staff members"
- Article 9, DIRECTIVE (EU) 2019/1937 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
Affected organisations are also required to:
- Inform employees on the reporting options available to them
- Put measures in place to protect whistleblowers from dismissal, demotion and other forms of retaliation
- Assign a competent impartial person or team to receive and follow up on reports
- Respond to and follow up on reports within three months
Public and private organisations and SMEs with 50 or more employees will be subject to the law, although only those with 250 or more employees will need to be compliant from December 2021. Those with 50-249 employees will have a further two years to comply.
Slow national adoption limits awareness
The Directive must be transposed individually by each Member State by December 2021. Each local version of legislation is likely to differ in detail but should reflect the Directive's overriding aim: to ensure a baseline level of protection for whistleblowers across the EU.
However, as seen in the lead-up to the EU's General Data Protection Regulation (GDPR) in 2018, widespread awareness of the law amongst those that need to comply is likely to remain relatively low until transposition is completed.
In Sweden, progress has been notable. On 29th June 2020 an Exploratory Committee delivered its 802-page report, containing its proposal for transposition, one month later than planned. Its proposed date for entry into force is 1 December 2021.
Our neighbours in Denmark, meanwhile, have seen their progress slowed by the coronavirus pandemic (as is the case in Portugal). The Danes expect to have an implementation proposal ready in Spring 2021, alongside their Nordic counterparts in Finland.
The Republic of Ireland began its public consultation in June, while Latvia invited the public to propose improvements to its own Whistleblowing Law amendments in July. In the same month, Slovenia's Ministry of Justice reiterated its desire to prioritise the transposition of the Directive and Bulgaria, Estonia and Greece have all taken steps towards transposition during 2020.
Elsewhere in Europe, adoption remains a topic of fierce debate. In Germany, political infighting has delayed progress; Spain has seen various legislative alternatives proposed and at least one proposal has been rejected by Congress. Czechia's draft proposal, meanwhile, has been roundly criticised by opposition parties and NGOs.
Remaining Member States, including Italy, Belgium and Austria have made little or no progress in transcribing the law. Although France also falls into this group, its existing Sapin 2 law already requires companies with 50+ employees to have a whistleblowing channel in place.
Key steps towards compliance with the Directive
While many EU countries have yet to begin transposition, there is no reason why organisations cannot begin their path towards compliance now.
The most obvious and pressing requirement - the implementation of a confidential reporting channel - is perhaps the easiest and most straightforward step for those who do not yet have a solution in place.
For medium- to large-scale organisations, or those with more mature risk and compliance requirements, an Enterprise-level solution that ties your entire programme together within one platform is likely to be the best solution. This will help ensure that your Directive-related training, awareness and policy obligations interact seamlessly with your reporting process.
For small- and medium-sized businesses who are just beginning their compliance journey, a secure solution that can be bought and implemented online in a matter of hours - like the new WhistleB 'Ready-to-launch' service – will also guarantee compliance with the core requirement of the Directive.
Compliance as a value-driver
Whichever route organisations choose to go down, the implementation of a reporting system should be considered beyond a simple yet essential response to legislation.
Independent research from George Washington University has highlighted a correlation between the increased use of reporting systems and improved business performance. Indeed, the most successful organisations recognise their whistleblowing system as an important tool for reducing risks and building trust with employees because they facilitate the detection of possible misconduct at an early stage.
As the December 2021 deadline approaches, thousands of organisations will discover that compliance with the Directive will deliver many more benefits than a simple 'tick' in the box.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.