The key objective of the Whistleblowing Directive and the Act is to encourage persons who have become aware of suspected breaches against public interest in a work-related context to report their observations. This is promoted by adopting a new centralised whistleblowing channel among the authorities and by obligating most organisations in the public and private sector to establish a confidential internal whistleblowing channel. In addition, whistleblowers will be protected from negative consequences.
This article reviews the proposed new obligations related to the establishment of internal whistleblowing channels and whistleblower protection.
Who is obligated to establish an internal whistleblowing channel?
Private sector employers regularly employing at least 250 employees and public sector employers regularly employing at least 50 employees are obligated to set up a whistleblowing channel within three months after the new Act enters to force. In practice, the timeframe for setting up internal whistleblowing channels likely expires in February–March 2023. Private sector employers regularly employing at least 50 employees will have to establish a whistleblowing channel by 17 December 2023.
Group companies can have a joint whistleblowing channel. In addition, smaller private sector organisations with fewer than 250 employees may, even without belonging to a same group of companies, share resources related to whistleblowing channels.
Organisations with fewer than 50 employees are exempted from the obligation to establish a whistleblowing channel. Suspected breaches related to the operations of these organisations not having an internal whistleblowing channel can be submitted directly to the centralised whistleblowing channel of the authorities. The statutory requirements for internal whistleblowing channels also apply to these smaller organizations if the organization has voluntarily set up a whistleblowing channel.
Organisations may outsource the whistleblowing channel to an external service provider. However, outsourcing does not relieve the organisation of its responsibility to ensure that the statutory obligations associated with the whistleblowing channels are followed.
What is a whistleblowing channel?
The proposed Act applies to reporting of serious breaches that endanger the public interest in specific legal fields, such as breaching EU or national legislation related to product safety, competition rules, public procurement, environmental protection as well as privacy and personal data protection. It is to be noted that for instance breaches of labour laws fall outside the scope of the proposed new Act.
Such breaches are reported via the whistleblowing channel either in writing and/or orally. The reporting of breaches must be confidential. An important part of ensuring confidentiality of reporting is that only such persons who have been specifically designated to receive and process reports should have access to the internal whistleblowing channel.
The whistleblower should receive an acknowledgement of receipt within seven days. In the case of an electronic system, an automatic acknowledgement of receipt sent by the system is sufficient. The follow-up measures based on the report must be communicated to the whistleblower within three months following the acknowledgement of receipt.
There are no specific rules on the technical qualifications of the whistleblowing channel. The proposed legislation does not require that the whistleblowing channel should be electronic, although this is likely the most common alternative. Instead, the whistleblowing channel may be implemented, for example, in the form of a locked feedback box or a tip-off line.
Organisations are not obligated to accept anonymous reports. In practice, anonymous reports are relatively typical even if the investigation based on anonymous report may be more challenging. If an organization decides to accept anonymous reports, it is recommended that the whistleblowing channel would allow communication with the anonymous whistleblower so that the organization may ask questions or request further information from the whistleblower. Many electronic whistleblowing channels have this function.
There are no language requirements for the reports or related instructions. In our view, the recommended approach is to accept reports and to prepare instructions for the whistleblower in the working languages used at the workplace.
As such, the obligation to establish a whistleblowing channel is not a new one, and many organisations have already set up whistleblowing channels based on business field specific legislation. However, the proposed new general Whistleblower Protection Act significantly expands the obligation to set up a whistleblowing channel, as it concerns all organisations that employ at least 50 employees, regardless of their field of operation and, creates a framework for extensive whistleblower protection. The proposed Act does not impact the validity of the business field specific whistleblower legislation but supplements it.
What does whistleblower protection actually mean?
In addition to the obligation to establish a whistleblowing channel, the proposed Act obligates all organisations to protect the whistleblower against retaliation. This obligation is not dependent on the size of the organisation. In other words, it is applied even to smaller organisations, which are not obligated to set up their own internal whistleblowing channels. If the organisation does not have an internal whistleblowing channel or the whistleblower has no access to it, the whistleblower may get protection by submitting a report to the centralised whistleblowing channel of the authorities.
The statutory whistleblower protection consists of several supplementary elements:
Prohibition against retaliation
Reporting a suspected breach must not cause any negative consequences for the whistleblower. It is also prohibited to threaten retaliation, attempt to retaliate, prevent the submission of the report or attempt to prevent the submission of a report. The prohibition against retaliation does not prevent the employer from making ‘negative’ decisions concerning the employment relationship of the whistleblower as long as they are not based on the submission of the breach report.
A reversed burden of proof is applied in legal processes concerning retaliation. In practice, the employer must be able to provide justification for the allegedly retaliatory decision and prove that the decision was not based on the submission of the breach report. This highlights the importance of documenting the grounds of such decisions.
Only specifically designated individuals may process the whistleblower’s personal data and data, which may reveal the whistleblower’s identity. Organisations are obligated to designate in advance the responsible persons and roles who receive breach reports and are responsible for their processing. The number of designated parties may also be increased afterwards, if necessary. In addition, the organization may also appoint experts for investigating the accuracy of an individual suspected breach. The confidentiality obligation is not limited in time and breaches of the confidentiality obligation are punishable.
No liability for disclosing necessary information
Acquiring or disclosing information necessary for revealing a breach may not result in any negative consequences for the whistleblower, even though similar actions would in other circumstances constitute a breach of a contract or legal provision and lead to consequences. For example, confidentiality obligation agreed in the employment contract does not prevent the whistleblower from submitting a breach report. The whistleblower’s discharge from liability also covers criminal sanctions, with the exception of a situation in which the acquisition or obtaining information constitutes an offence.
What are the prerequisites for receiving protection under the Whistleblower Protection Act?
A whistleblower who has received information on the suspected breach in a work-related context is entitled to whistleblower protection if the following three conditions are met:
Reporting through correct whistleblowing channel
The main rule is that the whistleblower must submit the report first through the organisation’s own internal whistleblowing channel, if the organisation has one. If the organization has not taken appropriate measures based on the report within a three-month deadline, the whistleblower may then report the breach to the competent authorities through the centralised whistleblowing channel or under certain circumstances directly to the competent authority. If appropriate measures are not take even after this report, the whistleblower may exceptionally have a right to publish the information concerning the breach as a last resort or even earlier in certain acute situations.
The whistleblower has a justified reason to believe that the reported issues are accurate at the time of submitting the report
A report submitted in good faith, which turns out to be incorrect, will not lead to consequences. In addition, the whistleblower is not obliged to obtain proof to support the report.
If the report, when assessed objectively, includes clearly incorrect information or unjustified rumors, the whistleblower is not entitled to whistleblower protection. In addition, intentional submission of an unjustified report is a punishable act, which may also lead to employment consequences and liability for damages.
The suspected breach is covered by the scope of the Act
The whistleblower must have a justified reason to believe that the suspected breach is included in the fields of law within the scope of the Whistleblower Protection Act and the suspected breach may lead to a penalty or punitive administrative sanction (or the breach may seriously endanger “the objectives of general interest”). From the whistleblower’s perspective, this criterion can be deemed challenging in practice, even when there are no especially high criteria set for the whistleblower’s awareness of the consequences of the suspected breach.
What if the employer neglects the whistleblower protection obligation?
Breaching the prohibition against retaliation or attempting to prevent the submission of a report may result in an obligation to pay compensation to the whistleblower. The EUR amount for the compensation is not regulated but it is assumed that the compensation amount would, depending on the nature of the violation, be between a couple of thousand euros and approximately EUR 15,000. If the organization intentionally engages in retaliatory activities, it is also obliged to compensate the whistleblower for the loss caused in full.
Unjustified disclosure of the identity of the whistleblower or the person who is the subject of the report, or any information based on which their identities can be concluded, is punishable.
What if the whistleblowing channel is also used to receive reports on other breaches?
It is generally in the interest of the organisation to obtain information about breaches occurring in its operations. Many organisations wish to receive reports on also other omissions and breaches than those covered by the scope of the Whistleblower Protection Act.
Organizations typically wish to treat all whistleblowers equally regardless of how the breach report was submitted and what it concerns. On the other hand, some of the statutory whistleblower protection elements cannot be applied to reports on suspected breaches which do not fall within the scope of the proposed Whistleblower Protection Act. Such protection elements include, for example, the right to receive compensation for retaliation and penalties based on breaches of the statutory confidentiality obligation. Such organisations should acknowledge the diversity of situations when planning their whistleblowing processes and drafting related instructions.
It is also possible that, regardless of the instructions, organizations receive reports on breaches that are not covered by the scope of the Act or that do not even belong to the possibly more extensive scope of the whistleblowing channel determined by the organization. In our view, such reports should be processed like any other breach report received by the employer outside the whistleblowing channel.
A whistleblower acting in good faith is protected by labour law provisions in all situations
When discussing the proposed Whistleblower Protection Act, it is often overlooked that many standards and principles protecting whistleblowers are already included in the employment legislation. Submitting a breach report in good faith is not a legitimate reason to terminate an employment relationship, and it does not entitle the employer to put the whistleblower otherwise at a disadvantage. In addition, the employer already has an obligation to intervene with harassment and inappropriate treatment at the workplace, among other things.
The employer is always obligated to protect the whistleblower against retaliation even when the criteria for special protection laid down in the Whistleblower Protection Act is not met. This is the case, for example, when an employee in good faith reports to the employer breaches related to bullying, harassment, occupational health and safety or code of conduct. An employee who has submitted a report on breaches, which fall within the Whistleblower Protection Act, is nevertheless in somewhat better position compared those submitting other breach reports, because the whistleblower protection under the proposed Act is more comprehensive.
What to expect next?
The proposed Whistleblower Protection Act and related amendments should enter into force as soon as possible. When considering the busy autumn parliamentary session, the extent of the proposal and large volume of feedback received during the legislative process, it is expected that the legislation will enter into force at the end of 2022, at the earliest. In such case, the time limit for the establishment of whistleblowing channels concerning private sector organisations that employ more than 250 employees would expire in February–March 2023.
If the organisation’s internal whistleblowing channel is not established within this time limit, it is possible to report suspected breaches related to the operations of the organisation directly to the centralised whistleblowing channel of the authorities. This means that an organisation that fails to set up the channel would not be the first instance to investigate the suspected breach within its operations.
In addition, the proposed Whistleblower Protection Act obligates organisations to provide detailed information on the whistleblowing channel, reporting process and the whistleblowers’ rights. On the one hand, appropriate instructions should encourage employees to submit reports and, on the other hand, reduce the number of reports excluded from the scope of the whistleblowing channel. Larger private sector organisations must have processes related to whistleblowing in place and responsible parties designated by the time when the whistleblowing channel is set up. In addition, the organization is also obliged to handle the matter with the personnel representatives in continuous dialogue process and to carry out an impact assessment on the processing of personal data in the whistleblowing channel.
In terms of risk management, each organisation should assess in advance how it will ensure that whistleblowers receive appropriate protection. Reporting breaches is usually associated with overlapping interests and suspected breaches often surface unexpectedly. This may be a crisis for any organisation. It is significantly easier to function appropriately and efficiently when the relevant processes and practices are defined in advance.