The EU plans to protect whistleblowers | In Principle

Go to content
Subscribe to newsletter
In principle newsletter subscription form

The EU plans to protect whistleblowers

On 17 April 2018 the European Commission announced a proposed directive protecting whistleblowers. The aim is to establish minimum standards for protection of persons uncovering irregularities or violations of EU law, and to unify the law of the member states in this area.

The proposed “Directive on the protection of persons reporting on breaches of Union law” would introduce a definition of whistleblowers, regulate the means of protecting them against retaliation, and provide for a system of reporting violations. It would also impose a number of obligations on the member states and employers, including an obligation to introduce sanctions for violating the duties provided for in the directive. The proposed directive is addressed to the member states, and the provisions affect individuals, undertakings, service providers, public institutions, and employers. The planned deadline for implementation of the directive is 15 May 2021. Below we present the key solutions provided for in the proposed directive (we reported on some of them previously in the article “Whistleblowing and protection of confidential information”).


In the European Commission’s view, whistleblowers are the best source of information on violations of all kinds, as demonstrated by recent high-profile scandals such as:

  • Dieselgate, in which Volkswagen installed illegal software in its vehicles that would reduce harmful emissions only during laboratory tests, while under normal driving conditions emissions might be up to 40 times the legal limit—the irregularities were uncovered thanks to whistleblowers
  • LuxLeaks, in which PwC auditors released to the International Consortium of Investigative Journalists 30,000 pages of documents on tax arrangements by 350 big international corporations, such as Apple, IKEA and Pepsi, in 2002–2010 registering special-purpose vehicles in Luxembourg, where they were offered exceptionally low tax rates allowing them to avoid paying millions of euros in taxes on profits earned in other countries (often elsewhere in the EU)
  • Panama Papers, where a “John Doe” released over 11,500 files to Süddeutsche Zeitung revealing that the Panamanian law firm Mossack Fonseca, specialising in offshore services, helped thousands of its clients (including persons linked to politicians and state officials, such as Russian President Vladimir Putin, Chinese Premier Li Peng, and family members of former British Prime Minister David Cameron) invest in tax havens
  • Cambridge Analytica, a now-bankrupt political consultancy which in 2014 illegally obtained the data of some 87 million Facebook users, which it used to create algorithms profiling individuals and targeting them with political messages in the 2016 presidential campaign in the United States—again, the irregularities were uncovered by whistleblowers.

But because whistleblowers are individuals economically dependent on the entity they are reporting on, they are particularly vulnerable to retaliation, which they need special protection against. Currently there are just a handful of EU member states providing such protection, and the provisions and scope of the protection differ significantly. (In Poland, protection for whistleblowers is to be introduced under the proposed Act on Transparency of Public Life, as we reported in the article “Proposed Act on Transparency of Public Life: New obligations for businesses and employers.” Such solutions are also provided for in the proposed amendments to the Act on Liability of Collective Entities for Punishable Offences published on 25 May 2018.)

In the Commission’s view, the lack of protection for whistleblowers in any member state can negatively impact the functioning of EU law in that member state, but also weaken the law through the EU.

Who is a whistleblower?

Under the proposed directive, a whistleblower means a “reporting person” working in the private or public sector who acquired information on breaches in a work-related context, including:

  • Persons with the status of a worker (i.e., within the Polish context, persons hired on the basis of an employment contract, contract of mandate, or contract to perform a specific work)
  • Self-employed persons (i.e. persons operating an individual business)
  • Shareholders and members of the management body of an undertaking
  • Volunteers and unpaid interns
  • Persons working under the supervision or direction of contractors, subcontractors and suppliers
  • Persons who learned of a breach during the recruitment process or other pre-contractual negotiations.

Protection would extend to whistleblowers who report on breaches within their organisations, to the competent state or EU authorities, or directly to the public or the media (e.g. on a website or social media).

Sectors where protection of whistleblowers is particularly vital

The European Commission found that protection of whistleblowers should be introduced in the following areas in particular:

  • Public procurement
  • Financial services and prevention of money laundering and terrorist financing
  • Product safety
  • Transport safety
  • Environmental protection
  • Nuclear safety
  • Food and feed safety, animal health and welfare
  • Public health
  • Consumer protection
  • Protection of privacy and personal data, and security of network and information systems.

But this is not a fixed list, and the directive provides for the possibility of expanding it to cover additional fields where there is a need for stronger enforcement of the law relying on reporting of irregularities by whistleblowers, and in sectors where violation of EU law can cause the greatest harm to the public interest.

Mechanisms for reporting irregularities—entities

The directive proposes the introduction of possibilities for reporting irregularities in both the public and private sectors.

In the private sector, the directive would impose new obligations on legal entities to establish internal channels and procedures for reporting and following up on reports, including protection of whistleblowers. These duties would apply to legal entities:

  • With 50 or more employees, or with an annual business turnover or balance sheet total of EUR 10 million or more, i.e. large and medium-sized undertakings
  • Operating in the area of financial services, regardless of size.

The new obligations would not apply to small and micro enterprises (apart from financial services).

According to the Commission, the average costs of complying with the new obligations for a medium-sized enterprise will include an average one-off implementation cost of about EUR 1,374 and an average annual operational cost of about EUR 1,055.

The directive would also require member states to designate state institutions to establish external reporting channels, which could also be used by whistleblowers from small and micro enterprises or anyone who finds this method of reporting more convenient.

Mechanisms for reporting irregularities—subject matter

Among the new obligations under the directive connected with establishment of reporting mechanisms, the most notable include:

  • Establishing internal channels (in person, by post, complaint box, phone hotline, and online platform) through which whistleblowers can report irregularities
  • Establishing appropriate reporting procedures
  • Conducting training on internal and external reporting
  • An obligation to respond to reports within 3 to 6 months, depending on the complexity of the breach and the time required to investigate it.

Public and private entities will also be required to appoint a person responsible for receiving and responding to reports of breaches and providing information on the results of the examination of reports.

Legal protections for whistleblowers

As the preamble to the proposed directive stresses, whistleblowers deserve broad protection against retaliation (direct and indirect) by the entity they report on that.

The main means of protection will be a ban on the use of any retaliatory measures. If the entity nonetheless retaliates, the whistleblower will have access to the following legal remedies:

  • Reinstatement
  • Restoration of a cancelled permit, licence or contract
  • Compensation for actual and future financial losses (for lost past wages, but also for future loss of income, costs linked to a change of occupation, legal expenses, costs of medical treatment)
  • Compensation for intangible damage (pain and suffering).

The draft directive also provides protection for the duration of legal proceedings between the parties, including in the form of certain interim relief (e.g. to stop threats and harassment), and protection against dismissal until the end of the dispute. The directive guarantees whistleblowers, as parties to proceedings, fundamental procedural rights such as access to the file, the right to be heard, and in the event of an unfavourable decision, the right to appeal. Moreover, under the directive, the entity taking measures appearing on their face to be retaliatory bears the burden of demonstrating that the measures were taken for objective reasons. There is also a presumption that a whistleblower has a reasonable belief in the accuracy of the report.

These protections for whistleblowers represent a minimum standard, and the member states could provide additional protections.

Sanctions for violating obligations under the directive

The proposed directive requires member states to introduce sanctions for violation of the obligations under the directive, to be imposed on natural and legal persons who:

  • Hinder or attempt to hinder reporting
  • Take retaliatory measures against whistleblowers
  • Bring vexatious proceedings against whistleblowers, or
  • Breach the duty of maintaining the confidentiality of the identify of whistleblowers.

There are also sanctions applicable to persons making malicious or abusive reports or disclosures, including the right to seek damages.

The proposal does not indicate the nature of the sanctions the member states should introduce, whether administrative or penal, and does not indicate the minimum levels of such sanctions, leaving such decisions to national lawmakers. The directive only indicates that the sanctions must be effective, proportionate and dissuasive.

Time for change

In light of the legislative changes presented in the directive and other proposed legislation (e.g. the bills for the Act on Transparency of Public Life and the Act on Liability of Collective Entities for Punishable Offences), there is an evident trend toward imposing additional obligations on businesses involving establishment of internal whistleblowing mechanisms. To prepare for the upcoming changes, it is worthwhile to consider introducing such internal mechanisms even before the proposed directive is adopted and implemented.

Such mechanisms should provide due protection to whistleblowers, enabling investigations to determine whether breaches occurred, adoption of appropriate remedial decisions, and, potentially, notification of the competent authorities. Uncovering irregularities with the aid of internal compliance procedures can limit the negative consequences for the enterprise and its management. The consequences will be much less painful than when the irregularities are identified by an external source and proceedings against the enterprise are pursued by external institutions.

We will keep readers informed of progress in the work on these solutions.

Magdalena Kotowicz, Janusz Tomczak, adwokat, Business Crime practice, Wardyński & Partners