Morrison Foerster is an international law firm with lawyers practicing throughout the United States, Asia, and Europe. Click to discover more.

mofo_share_image.jpg

Morrison Foerster

favicon.ico

favicon-16x16.png

favicon-32x32.png

apple-touch-icon.png

MoFo Favicons

Terms / Notices

Cookies

Privacy Policy

Attorney Advertising

Secure Login

Alumni

  Facebook

MoFo Facebook

  Linkedin

MoFo LinkedIN

Twitter

MoFo Twitter

YouTube

MoFo Youtube

Morrison Foerster - Footer

You have not solved the recaptcha challenge yet or session expired, try again.

Disclaimer

<p>Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our <a href="https://www.mofo.com/about/privacy-policy.html"><u><em>Privacy Policy</em></u></a>, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.</p>

Feedback

mofo-logo-2022.svg

People

Capabilities

Resources

About

Culture

Offices

Careers

Stay Connected

When did your organization last update its investigation procedures? Recent developments in Europe mean that now may be the right time for a refresh. The EU Directive of the European Parliament and of the Council on the Protection of Persons Who Report Breaches of Union Law (the Directive) has far-reaching consequences, not only for how organizations set up internal reporting channels, but also for how they carry out internal investigations after receiving an initial report.




After the whistle blew…

About Morrison Forester

people-default-header-desktop.jpg

people-default-header-mobile.jpg

Default Meta Data

<p>When did your organization last update its investigation procedures? Recent developments in Europe mean that now may be the right time for a refresh. The EU Directive of the European Parliament and of the Council on the Protection of Persons Who Report Breaches of Union Law (the Directive) has far-reaching consequences, not only for how organizations set up internal reporting channels, but also for how they carry out internal investigations after receiving an initial report.</p><p>Organizations with well-developed investigation procedures should already have investigation protocols (or similar documents) in place that provide clear instructions on how internal investigations, including those into whistleblowing reports, are carried out. These investigation protocols should be revisited in light of the Directive. Organizations should also provide sufficient training to their employees so they can become familiar with the new requirements.</p><p>Ensuring that organizations investigate whistleblowing reports properly, impartially, and fairly has become just as essential as potential whistleblowers trusting organizations with their concerns. Whistleblowers will now be legally allowed and even encouraged to report their concerns to competent regulatory authorities in many circumstances. They may do so, for example, if they believe they could be retaliated against, or if they believe that the organization will not appropriately investigate their concerns. Such external reporting may expose the organization to regulatory investigations that could have been avoided if the issue identified by the whistleblower was resolved at an earlier stage internally. In some cases, whistleblowers may even disclose their concerns to the public, which may cause additional reputational damage.</p><p>Organizations should therefore strive to make their internal whistleblowing and investigation processes as whistleblower-friendly as possible, so whistleblowers feel comfortable reporting their concerns to the organizations instead of to the regulators or the public. </p><p>Below we set out five key issues that organizations should think about when reviewing their investigation procedures:</p><h4>1. Confirming receipt of a whistleblower’s report</h4><p>While many organizations acknowledge receipt of a report when it is received, this is generally done as a matter of best practice rather than a specific legal requirement. Under the Directive, organizations must confirm receipt of a whistleblower’s report within<em> seven days</em>; however, EU Member States are already deviating from this timescale. For example, Latvia requires that whistleblowers be informed of the organization’s initial assessment of their report within three days.</p><p>Because the Directive leaves it up to the individual organizations to decide what reporting channels to set up (e.g., phone lines, online reporting platforms, physical complaint boxes), organizations should also plan how they will confirm receipt of reports for each channel they operate. For example, if whistleblowers can make reports to a designated email address, the organization must decide who will monitor that email address and then ensure that a confirmation is sent by or before the prescribed deadline. Hotline service providers who offer online reporting platforms may be able to provide an automatic confirmation. If this is not the case, organizations will need to put a manual process in place for acknowledging receipt of a report that will work just as well as an automated one.</p><h4>2. Anonymous reporting and training</h4><p>Under the Directive, individuals are generally entitled to make anonymous reports, although EU Member States may deviate on this point. The Directive’s protections apply to anonymous whistleblowers who are subsequently identified. If a whistleblower makes an anonymous report, investigators should under no circumstances attempt to identify them or otherwise make their identity known to the organization, the implicated individuals, or anyone else.</p><p>Disclosing an individual’s identity may be permitted in very limited circumstances under applicable law, but investigators should be reminded of this obligation and the importance of confidentiality when handling whistleblowers’ reports. This also means that if the identity of the whistleblower is accidentally uncovered or guessed during the investigation, the investigator in question should keep this information confidential. The investigator should not share this knowledge with anyone, not even the whistleblower. </p><p>More broadly, the entire range of personnel of an organization (not only the investigators tasked with working on whistleblowing reports) should receive training about, and be prohibited from engaging in, whistleblower retaliation. Part of this training programme should involve instructing investigators that they need to inform those responsible for the whistleblowing compliance programme, for example, (i) when they make mistakes (e.g., if an investigator discloses the identity of the whistleblower in an interview with an implicated individual) or (ii) if they have a conflict of interest and should be excluded from investigating the whistleblowing report. If an investigator is asked to investigate a report implicating a colleague who is also a friend, the investigator should immediately remove themselves from the investigation.</p><p>The training should also address the different possible forms of what qualifies as retaliation. Note that it is defined broadly in the Directive. In addition to more obvious forms, such as suspension, dismissal, or equivalent measures, the Directive mentions certain conduct that might not always be perceived as “retaliation.” For example, the Directive lists the following actions as potential forms of retaliation:</p><ul><li>Withholding training;</li><li>Changes to working hours or place of work;</li><li>Harm to an individual’s reputation (including on social media);</li><li>Early termination or cancellation of a contract for goods and services;</li><li>Blacklisting; and</li><li>Providing a negative performance assessment or employee reference.</li></ul><h4>3. Dealing with disciplinary action and a whistleblowing report at the same time</h4><p>Related to the points above about retaliation, there may be circumstances where an employer is, for example, contemplating disciplinary action against an employee. If the employee issues a whistleblowing report while disciplinary action is being contemplated, the organization should carefully consider how to continue without getting into trouble with the local employment laws and the Directive. If the contemplated action is perceived as retaliation, even if it is unrelated to the whistleblowing report, whistleblowers may complain externally and organizations could potentially expose themselves to fines for retaliating against the whistleblower. Such delicate situations should be carefully considered to ensure that any kind of decisions made about whistleblowers (whether they are disciplinary actions or just asking an employee to work night shifts instead of day shifts) cannot be misinterpreted as retaliation. </p><h4>4. Scope of reportable concerns</h4><p>Under the Directive, whistleblowers may report concerns about violations of EU law that are listed in the Directive’s Annex. EU Member States are expanding the scope of reportable concerns in their implementing laws (see our <a href="/special-content/gdpr-european-privacy/whistleblowing/">Whistleblowing Resource Center</a> for more information). Organizations will need to be able to triage reports received through their whistleblowing channels to determine whether they are within the scope of the Directive and/or the relevant local implementing law. If a report is outside this scope, the report should not be ignored. Ultimately, a concern has been raised, and the opportunity to address it should be welcomed. Even when the Directive does not directly apply, the organization should still investigate the report through its regular channels so the allegation can be appropriately resolved.</p><h4>5. Feedback</h4><p>The Directive entitles whistleblowers to receive feedback on the reports they submit. From an organization’s perspective, there are two key issues to consider:</p><ol><li>When should feedback be provided?<em> </em>The Directive only requires feedback to be provided within <em>three months</em> from the acknowledgment of receipt of the report. However, organizations should consider providing more frequent updates during long-term investigations, instead of just providing an update at the three-month stage. The organization’s internal processes may disengage a whistleblower if they do not hear from the organization for three entire months, and the whistleblower may then consider reporting the concern to the regulators or the public.</li><li>What should the feedback contain? The Directive states that the feedback should contain (i) the action planned or taken following the report and (ii) the grounds for the action planned or taken. Regulators will hopefully issue more detailed guidance on this content. Organizations should also be wary of unduly infringing the rights – including the privacy rights – of implicated individuals and other third parties when providing feedback. The ISO standards on whistleblowing management systems (<a target="_blank" href="https://www.iso.org/standard/65035.html">ISO 37002:2021</a>), while not specifically relating to the Directive, also state that the level of detail provided in the feedback may be limited to avoid compromising the investigation.</li></ol><h4>What should organizations do now to comply with these requirements?</h4><p>We have summarized some of the major issues that organizations should be thinking about when reviewing their investigation protocols to comply with the Directive. How organizations meet the requirements discussed above will depend on a myriad of different factors, including local laws in EU Member States where the organization has more than 50 workers (this is a trigger for the Directive’s application), the organization’s existing investigation procedures, and its risk appetite.</p><p>At this stage, we are still in a state of flux as many EU Member States have yet to finalize their implementing laws. Organizations therefore need to continue to monitor developments to determine how will affect their investigation processes (see <a href="/special-content/gdpr-european-privacy/whistleblowing/whistleblowing-local-implementation.html">our Local Implementation map</a>). You can find further information about these issues and the other requirements in our <a href="/special-content/gdpr-european-privacy/whistleblowing/">Whistleblowing Resource Center</a>.</p>