More questions about the European Whistleblower Protection Directive
WhistleB partners with law firms and others to help customers deal practically with questions about the EU Whistleblower Protection Directive, and its legal implications. As part of our mission to make compliance with the new laws as simple as possible for companies, we have teamed up with our legal partners to hold webinars in recent months. We receive a mix of legal and practical questions from participants, which we are happy to share with you.
In this post, we summarise responses to questions received during a webinar held with Swedish law firm Advokatfirman Delphi. While some of the responses are naturally focused on the Swedish market in this case, they may nonetheless be valuable to companies in other countries. Rebecka Thörn, a Partner at Delphi provided legal insight, and WhistleB Director Karin Henriksson has provided the practical insight to these questions about the EU Whistleblower Protection Directive.
Questions related to the independence or nature of the person receiving the report.
Questions: What does it mean that the person investigating the report should be independent? Does it need to be somebody from outside the organisation? Can an employee in an organisation or company really be deemed to be impartial?
It does not need to be a person from outside the organisation. According to the proposed law (in Sweden), the requirement is for the person to be “independent”, but they can be an employee in the organisation. The person appointed should have the kind of position which allows a certain amount of independence and autonomy, in particular from senior executives. One can think of it as being similar to the kind of standing that the data protection officer currently has, and the person does not need “hire and fire” authority. Whistleblowing reports are typically received by a person, or a combination of people from the following departments: Legal, Compliance, Human Resources or Finance.
Finally, some organisations choose to outsource the receipt and management of cases to trusted third-party providers.
Questions related to providing feedback to an anonymous whistleblower.
Question: How can we provide feedback to anonymous whistleblowers, in practice? Is this done through an open channel or directly? If it is direct to the person, how can they be reached if the report was sent anonymously?
The Directive provides that the person submitting a report (the whistleblower) should receive appropriate feedback, which means that the employer should reply in some way and within a specified amount of time. How this is done practically depends on the whistleblowing channel in use in the organisation. For example, WhistleB’s system allows feedback to a whistleblower as well as the possibility to ask the person questions. However, this requires the whistleblower to log in to the whistleblowing channel (still anonymously) to be able to read the feedback.
In the case of a report received via an anonymous email, for example, the feedback should reasonably go to the email address that the whistleblower has used. However, it is obviously not a requirement to provide feedback to an anonymous whistleblower if it is not possible to contact the person.
Question: How can a case be investigated in a legally secure manner if the whistleblower is anonymous?
In Sweden, the inquiry (into the proposed law) suggests a number of measures be taken to guarantee legal safety. This would include requirements for the follow-up of matters that have been reported via reporting channels. This follow-up shall also be performed by independent and impartial persons, which should reinforce legally safety. Anybody that is deliberately falsely accused will have the possibility to report false information to the police, for example if the person deems that they have been subject to slander.
Questions about external reporting.
Question: Can you be more specific about external reporting? Can several local authorities/municipalities procure and use a shared external investigator?
Yes, from what we understand in Sweden, municipalities/local authorities can cooperate in this area.
Question: Which external authorities will a whistleblower be able to turn to?
The Directive requires that companies provide information about options for external reporting channels, but most countries have not yet announced the competent authorities that will be appointed for this role. In Sweden, the current proposal is that some ten government agencies should implement external reporting channels, including the Swedish Tax Agency and the Swedish Economic Crime Authority. Once the new law is in force, we will know which authorities will also be required to provide such channels.
Questions on the types of legal breaches/misconduct that can be reported.
Question: Is it only breaches of certain types of law than can be reported, or can breaches to internal policies etc be also reported?
The EU Whistleblower Protection Directive protects whistleblowers who sound the alarm on breaches of EU law. Each EU member state will then specify other areas for which whistleblowers will be accorded protection. In the case of Sweden, the proposed national law would also protect those who report breaches against Swedish law, as well as those who provide information about misconduct that is not a breach of law but for which it is in the public interest that the circumstances be known. Breaches of internal policies may come under this latter category, but reports would have to be assessed on a case-by-case basis.
Question: Can an organisation limit the types of misconduct that can be reported? For example, if a bullying issue is reported, can one ignore these matters if they should in fact be reported according to normal grievance processes?
The basic idea behind the Directive is that reporters of breaches to EU laws, national laws and serious wrongdoing will be protected by the new laws. If the report does not contain information related to these specific areas, then legally it does not count as a whistleblowing matter and should not be managed within the scope of the whistleblowing system. In these cases, it is best practice to notify the person who sent the report and refer them to the relevant manager, the HR department or similar, as appropriate.
Question: Is the intention that reports related to incidents and accidents be reported via the whistleblowing system, or should these be handled in a separate reporting system?
No, these types of reports are meant to be handled outside of the whistleblower system according to the currently applicable processes, which may for example require a complaint to be filed with the national workplace environment authority.
Questions regarding implications for other laws.
Question: Will the restrictions that currently exist under data protection laws also apply under the new whistleblower laws?
Restrictions and rules will still remain in force regarding the handling of personal data, as will other data protection laws.
Question: How can government agencies and other public organisations ensure the anonymity of the whistleblower, or even keep investigations and reports confidential, once a completed case becomes public information? Doesn’t such information come under the principle of public access to official documents?
In Sweden important changes to the legislation on secrecy and public access to information are proposed. For example, it is proposed that whistleblowers should be protected by absolute confidentiality and that information that can be traced to the person reporting must not be released.
Question: Will there be any difference to the existing protection against reprisals?
The proposal is that the current prohibition on reprisals, contained in the Swedish law (2016:749) related to specific protection against reprisals for employees who sound the alarm against serious misconduct, be transferred to the new whistleblower law. No major change is expected as a result.
If you have questions about the EU Whistleblower Protection Directive, feel free to contact us or visit our website.