[co-author: Alex Cotoia]
Alex Cotoia, Regulatory Compliance Manager at the Volkov Law Group, accompanies us on an informative four-part series on the EU Whistleblower Directive.
Directive 2019/1937 of the European Parliament and of the Council of 23 October 2019 on “Protection of persons who report breaches of Union law” (the “Directive”)[1] is to come into force on December 17, 2021 – the deadline set by the European Union (“EU”) for the implementation of the provisions of the directive in the national law of all 27 member states. The directive has broad applicability to organizations operating in the EU internal market and applies equally to public and private sector organizations.
In general, the Directive requires Member States to adopt common minimum standards to protect potential whistleblowers reporting breaches of EU law in the following areas: (1) public procurement; (2) financial services; (3) product safety and compliance; (4) transportation security; (5) environmental protection; (6) Radiation Protection and Nuclear Safety; (7) food and feed safety, animal health and welfare; (8) public health; (9) consumer protection; and (10) protection of privacy and personal data and the security of network and information systems.[2] The material scope of the directive also includes “infringements that adversely affect the financial interests of the Union within the meaning of Article 325 TFEU”. [Treaty on the Functioning of the European Union] and specified in more detail in Union measures “[3] as well as “Internal Market violations in relation to acts contrary to. . . Corporation tax [rules] or regulations that create tax advantages[s]”[4] which largely undermine EU corporate tax law. The EU’s emphasis on a discreet provision of the TFEU addressing the obligation of Member States to adopt measures to combat fraud and other illegal activities in public spaces is a strong sign of Europe’s continued commitment to state transparency and democratic accountability.
Article 4 of the Directive extends whistleblower protection to certain “reporters who work in the private or public sector and who have received information about infringements in a work-related context”.[5] This deliberately broad definition includes both conventional full-time employees and “employees” within the meaning of Article 45 (1) TFEU[6], and to people with “self-employed status”.[7]
Organizations should be aware that the term “worker” as interpreted by the Court of Justice of the European Union (“ECJ”) is broad. In fact, according to established case law, the test to determine whether a person is qualified as a “worker” depends on the so-called “Lawrie-Blum formula”.[8] According to this test, the essential characteristic of an employment relationship is that one person provides services of a certain economic value for another person and under their instructions, for which they receive remuneration.[9] The term “worker” used in the Directive would thus encompass a wide variety of unconventional employment relationships, including part-time and contract work, voluntary service and internships.
In particular, the guideline also applies to “shareholders and persons who belong to the administrative, management or supervisory body of a company, including non-managing partners”.[10] Similarly protected are “any person who works under the supervision and direction of contractors, subcontractors and suppliers”[11] an organization. Given that retaliation against whistleblowers often goes beyond the reporter, Article 4 also provides protection for certain third parties related to the whistleblower, including the whistleblower’s colleagues and relatives and “intermediaries” who assist a whistleblower in a covered context.[12] According to the guideline, the term “intermediary”[13] means any natural person who supports a whistleblower in a work-related context in the reporting process.
Under Article 6, whistleblowers are guaranteed legal protection under the Directive to the extent that: (1) they have reasonable grounds to believe that the information reported was true at the time it was reported; and (2) the whistleblower reports either internally to the organization, externally to a competent authority or publicly in accordance with Article 15.[14] Significantly, despite the EU’s proven reluctance to report anonymously, Article 6 (2) of the Directive does not affect the ability of Member States to decide whether private organizations or Member State-designated competent authorities are required to accept anonymous reports and to follow up on covered infringements.[15]
[1] Directive 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report violations of Union law, 2019 OJ (L 305) 17.
[2] Directive 2019/1937, Article 2, 2019, OJ (L 305) 17, 34.
[3] Directive 2019/1937, Article 2, 2019, OJ (L 305) 17, 35.
[4] I would.
[5] Directive 2019/1937, Article 4, 2019, OJ (L 305) 17, 35.
[6] I would. in Article 4 paragraph 1 letter a.
[7] I would. in Article 4 (1) (b).
[8] See generally, Case 66/85, Deborah Lawrie-Blum v. State of Baden-Württemberg, 186 ECR 2139.
[9] I would.
[10] Directive 2019/1937, Article 4 (1) (c), OJ 2019 (L 305) 17, 35.
[11] I would. Article 4 paragraph 1 letter d.
[12] I would. in Article 4 (4) (a) and (b).
[13] I would.
[14] I would. in Article 6 (1) (a) and (b).
[15] See e.g. B. Article 29 Working Party, Opinion 1/2006, “On the application of EU data protection rules to internal whistleblowing systems in the areas of accounting, internal accounting controls, audit matters, combating bribery, banking and financial crime,” 10-11 (1. February 2006).