The deadline for implementation of Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law (“Directive”) by Member States expired on 17 December 2021.
However, the Polish Parliament has not managed to meet it, and hence the implementing regulations are still at the drafting stage. The Directive lays down common minimum standards for the protection of whistleblowers falling into three categories:
- internal market rules (for example breaches of EU competition and State aid rules, corporate tax law);
- financial interests of the Community (breaches affecting the interests of the European Union as set forth under Article 325 TFEU and in the relevant measures);
- falling within the scope of the EU acts in specific areas (for example public procurement, protection of the environment, public health, consumer protection).
The Directive also provides for potential extension of the scope of protection as set forth under the Directive to further breaches under national legislation enacted by individual Member States.
Individuals who report such breaches (known as whistleblowers) are afforded special forms of protection. The whistleblowers include not only employees of the relevant company, but also any other individuals who obtain and report such information.
These can include interns, subcontractors, or former employees. The Directive stipulates that whistleblowers are not subject to liability for such acts as breach of confidentiality, copyright, or business secrecy to the extent covered by their reporting. Also, no form of retaliation can be applied against them. The list of forms of retaliation given in the Directive is open-ended, with examples including such measures as reduction in wages, suspension, lay-off, or demotion. To be protected, a whistleblower is required to report a breach in one of three predetermined ways.
The first of these are the internal reporting channels. The Directive provides for Member States to require businesses to put in place internal reporting channels for whistleblowers. In this case, the breach is handled without the involvement of any external authorities. The legislators have imposed certain minimum standards that the internal channels are required to meet. These
include among others the appointment of an impartial person or department to receive reports and the ability to provide feedback to the whistleblower within three months of receiving the breach report. The internal channels are also required to ensure privacy and confidentiality.
The next option are the external reporting channels. In this case, the report is submitted to authorities specifically designated for that purpose by individual Member States. Such authorities must be impartial and independent. Receipt of a report must be
acknowledged without delay. The external authorities also inform whistleblowers about the outcome of the investigation.
The last way to report breaches is by public disclosure. This is a procedure that the whistleblower may employ if the two previous channels have been used and the competent authorities have not taken any action. The whistleblower will also be able to rely on this option if the breach constitutes a danger to the public interest or in the case of external reporting, there is a risk of retaliation against the whistleblower. Public disclosure involves communication of information to an authority or institution that is not specified under law as authorized to receive information through the external channels (e.g. the press). Such disclosure results in the whistleblower being protected to the same extent as when reporting through internal and external channels.
Thus, as becomes evident, the Directive has opened up new possibilities for reporting breaches of EU law. While the new whistleblower regulations seem well thought out, they require a lot of work on the part of Member States and businesses. This type of system must be watertight and reliable, as otherwise whistleblowers will be afraid to use it.