It has been over two years since the deadline for EU Member States to implement the EU Directive on the protection of persons who report breaches of Union law (the “Whistleblowing Directive”). As of the date of this article, 25 EU Member States have implemented the Whistleblowing Directive into their national law, meaning that the new rules are now fully in effect across almost all the EU. Only Poland and Estonia have not implemented the Whistleblowing Directive, but we expect that they will cross the finish line by this summer.
As a reminder, the Whistleblowing Directive introduced EU-wide standards for protecting whistleblowers. It requires organizations with more than 50 workers to establish internal reporting channels and comprehensive whistleblower protection frameworks. For more information about the Whistleblowing Directive’s substantive requirements, see our overview article.
Below, we provide our thoughts on key trends that we have observed in the local implementing laws to date as well as our outlook for the rest of 2024.
Trends across the continent
In our last update, we noted that EU Member States have deviated in their implementing laws on the scope of reportable concerns, the deadlines for organizations to acknowledge and provide feedback to whistleblowers, and the penalties for whistleblowing infringements.
As more EU Member States have finalized their implementing laws, we have noticed additional deviations from the Whistleblowing Directive that have practical impacts on how organizations set up their whistleblowing compliance programs. Three key divergences include:
- Regulatory oversight: EU Member States have taken different approaches to designating a competent regulatory authority for the purpose of receiving whistleblowing reports and enforcing the new rules. For example, some EU Member States (such as Bulgaria and Denmark) have designated their data protection authority (DPA) as the competent authority under the Whistleblowing Directive. Others (such as Ireland, Slovakia, and the Netherlands) either already had dedicated whistleblowing authorities and/or have designated new or additional ones. Some EU Member States have designated multiple authorities (and in some cases entire existing government departments) as competent authorities (such as Sweden, Germany, and Portugal).
In practice, this means that in some Member States, the DPAs will be the only authorities looking at the reported concern under the whistleblowing rules, no matter what the actual topic of the concern may be. This raises the question of whether the DPAs will inform other authorities that would normally be responsible for investigating the issue under other laws (such as the competition authority about an antitrust concern raised through the whistleblowing hotline). In other Member States, the implementing laws have provided direct points of contact that align with the topic of the whistleblowing concern (for example, if a whistleblower reports an antitrust issue, the local competition authority will take note of it and be competent to enforce not only the antitrust but also the whistleblowing rules).
- Reporting obligations & responsible persons: Some EU Member States (such as Bulgaria and Slovenia) require that organizations provide annual statistics about whistleblowing reports received by the competent authority. Other EU Member States (such as Croatia and Czech Republic) have introduced an obligation to appoint a “competent person” who is responsible for the management of the whistleblowing hotline. The requirements of this role often differ according to the individual EU Member State, but many laws require that this individual be independent and have the necessary expertise to act within this role. Some EU Member States (such as Spain and Greece) even require that this individual be registered with the competent authority. Organizations should be mindful about such local requirements that do not stem from the Whistleblowing Directive.
- Record-keeping requirements: Retention requirements also differ across the EU Member States. While the Whistleblowing Directive itself only states that reports shall be stored for no longer than necessary and for a time period that is proportionate to comply with the Whistleblowing Directive, some EU Member States have imposed prescriptive requirements on how long organizations need to retain whistleblowing reports and related documents. For example, the Austrian implementing law requires that organizations retain relevant personal information for five years (or longer if required for administrative or judicial proceedings). In Cyprus, on the other hand, organizations must delete personal information three months after the investigation is closed (unless legal or disciplinary proceedings are ongoing, in which case, the personal information may be retained for one year after such proceedings). Organizations will find these conflicting retention periods difficult to comply with when they receive reports about cross-border issues that affect an organization in multiple EU Member States.
What do we expect in 2024?
We expect the competent authorities to steadily ramp up their enforcement activity going forward. We will be looking out for new regulatory guidance and enforcement actions for non-compliance with the Whistleblowing Directive later this year.
Judging by the feedback received from various sources, some organizations are already handling a noticeable increase in the use of their hotlines. We therefore expect the number of whistleblowers raising their concerns through internal reporting channels to steadily increase as potential whistleblowers become more familiar with the new rules, especially with the rights and extensive protections offered to them by the new whistleblowing regime (see our webinar for more information on these rights and protections).
With that in mind, organizations should consider reviewing and assessing their whistleblowing compliance programs periodically to ensure they are:
- Still compliant and up to date with the latest developments stemming from additional regulatory guidance and enforcement; and
- Adjusted based on mistakes and lessons learned in practice (e.g., if their whistleblowers tend to go to external competent authorities instead of using the organization’s internal hotline, this may be a sign that the internal hotline needs to be set up differently).
We will continue to monitor legal updates and regulatory guidance not only in Poland and Estonia but across all EU Member States to keep you up to date with any whistleblowing developments. For further details about implementation status, high-level summaries of each implementing law, and the latest whistleblowing updates, visit MoFo’s Whistleblowing Resource Center.
Thiago Cosentino, Privacy Analyst, assisted with this client alert.