Finnish implementation of the WB Directive – Q&A
When will the Finnish legislation enter into force?
The Finnish act implementing the Whistleblower Protection Directive (Directive (EU) 2019/1937) (the “WB Directive”) will not enter into force by the deadline set out in the Directive, i.e. 17 December 2021. The latest news from the Ministry of Justice is that the Government Bill relating to the national act is expected to be issued in early February 2022. The working group preparing the national legislation received a vast amount of feedback based on the draft Government Bill they issued in early July 2021. The working group is now looking into the feedback and considering whether they need to introduce changes and/or clarifications before they issue the actual Government Bill. At the moment, it is difficult to estimate when the national legislation will enter into force. However, the Government Bill is scheduled to be presented to the Finnish Parliament in the week beginning 21 February 2022.
When will companies have to comply? Will there be any transitional period(s)?
According to the WB Directive, companies with 250 employees or more are required to comply with the WB Directive by 17 December 2021. Smaller companies with between 50 and 249 employees will benefit from a transitional period, giving them until 17 December 2023 to comply with the requirements in the WB Directive.
However, as the national implementation of the WB Directive is delayed, the Finnish Ministry of Justice has outlined that (i) whistleblowers cannot be protected under national WB law until the act implementing the WB Directive enters into force; and (ii) for this reason it is not practical to establish reporting channels before the act implementing the WB Directive enters into force.
The Ministry of Justice has not commented on the WB Directive’s direct effect. In accordance with the doctrine of legitimate expectations, Finnish companies must be able to rely on the Ministry of Justice’s instructions relating to reporting channels. Hence, companies should not face negative consequences for not establishing reporting channels before national implementation. Finnish companies nevertheless ought to be mindful of the fact that the WB Directive’s direct effect cannot be entirely excluded (at least in relation to some of its provisions).
Furthermore, it is important to bear in mind that local laws and approaches may differ in other Member States.
What protection will whistleblowers have?
Regardless of what is stated above regarding whistleblowers being without the protection of the national WB act until it enters into force, it should be noted that the Finnish employment legislation itself provides relatively strong protection for employees (including situations where an employee has reported suspected misconduct).
In addition, once the national act enters into force, whistleblowers will be protected in two ways, namely (i) the whistleblower’s identity being kept confidential; and (ii) a broad prohibition on retaliatory measures being taken against the whistleblower.
Employers must ensure that the identity of the individual that reports relevant violations at the organization is not disclosed to anyone beyond the staff members authorized to receive or follow up on reported violations, without the explicit consent of that individual. This also applies to any information from which the identity of the individual may be directly or indirectly deduced.
In addition, the national legislation implementing the WB Directive will impose a broad prohibition on retaliatory measures being taken against the whistleblower by the employer. This prohibition includes terminating their employment, weakening the terms of their employment, treating them unfavorably, and taking other measures with adverse consequences for the whistleblower. Any threats or attempts to retaliate against whistleblowers are also prohibited.
Who will be protected against retaliation?
The protection provided in the national legislation applies to those who report certain violations of EU law which they observe in their work-related activities. This includes not only employees but also e.g. self-employed individuals, shareholders, members of one of the employer’s administrative, management or supervisory bodies, CEOs, volunteers and interns.
Protection is provided if the individual reporting the alleged violation has reasonable grounds to believe in the accuracy of the reported information at the time of reporting, i.e. the individual is acting in good faith, and the information reported falls within the scope of the legislation.
As a starting point, protection is granted if the individual reporting the violation complies with the appropriate reporting procedure. Primarily, the violation should be reported through an internal channel of the relevant organization. In the absence of an appropriate reporting channel or if the organization does not properly investigate the alleged violation, the individual that filed the report may report the breach to a centralized external channel operated by the office of the Chancellor of Justice. If there is no timely response to such report(s), or if the individual filing the report has reason to believe that there is an imminent danger to the public interest, they can also make a public disclosure.
What GDPR and data protection considerations need to be taken into account?
Establishing a whistleblowing channel will require organizations to take a number of data protection compliance measures, including updating privacy policies and guidelines, and entering into data processing agreements with service providers. Furthermore, a data protection impact assessment must be carried out before implementing the channel. The processing principles in the EU Data Protection Regulation (“GDPR”) and the whole life cycle of personal data must be considered, as well as questions regarding, for example, who has access to the data, which systems are being used in the reporting procedure, what kind of security measures are required, what the legal bases for processing the personal data are, and when to archive, pseudonymize, anonymize or delete the data. The processing of personal data should also undergo so-called co-operation proceedings (Fi. yt-menettely).
As to the lifecycle management of personal data, the Directive and the draft Government Proposal unfortunately do not contain any specific time limits for storing information collected through the reporting channels, which has been criticized by local companies. The Directive merely states that information may be retained for as long as “is proportionate and necessary.” It is therefore unclear for how long personal data contained in the reports and gathered during the investigation must or may be stored.
In the absence of any mandatory time limits for storing information, the general principles on retention periods in the General Data Protection Regulation (GDPR) apply, such as the principles of purpose limitation, data minimization, data accuracy and storage limitation. One benchmark for an appropriate storage period is the limitation period in which claims relating to the issues relevant to the case must be brought by or against the organization. Similarly, the reverse burden of proof provision relating to the prohibition against retaliation may be a relevant factor in the assessment. Some guidance on how long the documentation should be kept could also be sought from the five-year storage period under Chapter 12, Section 3 of the Securities Markets Act for MAR-related whistleblowing reports.
Will group companies need to establish their own channels?
The European Commission’s starting point is that group companies with 50 or more employees should have a channel of their own and that, consequently, group companies cannot continue to have solely a centralized whistleblowing procedure. Originally, the working group preparing the new Finnish legislation had the same approach as the Commission, i.e. each group company should have a channel of its own. However, based on the feedback received from a number of group companies, the working group changed its approach. Now, the Finnish draft Government Bill specifically provides that group companies may establish group-level reporting channels and make such channels available within the group. According to the working group, details and the exact wording relating to this so-called group company question are still subject to change.
Johanna Lilja (Partner)
Johanna Lilja is Head of Roschier’s Data Protection practice. She is specialized in intellectual property, with a special focus on patent and design litigation. In addition to IP and data protection work, Johanna specializes in various industry-specific regulatory issues, with a focus on the pharmaceutical, medtech and healthcare sectors. Her experience also covers compliance cases and internal investigations relating to anti-bribery, marketing and data privacy issues. She is recognized as one of the leading experts in her field in Finland (e.g. by Chambers Europe, Chambers Global and Who’s Who Legal).
Laila Sivonen (Principal Associate)
Laila Sivonen is a Helsinki-based Principal Associate specialized in commercial dispute resolution as well as corporate compliance and ethics. Laila’s practice includes litigation, arbitration and alternative dispute resolution. Laila has experience of international and domestic arbitration under various arbitration rules as well as ad hoc arbitration. Laila has had a key role in several complex, high-stake and multi-jurisdictional investigations relating to suspicions of white-collar crime.