Whistleblowing systems: how new laws push demand
Implementation of whistleblowing systems has shown strong growth in recent months, mainly due to new legal obligations. We see a growing number of organisations deciding to implement a professional whistleblowing system. This development is likely caused by the recent attention to whistleblower protection, anti-corruption and data protection. We see a trend in which companies that are not legally obliged to implement whistleblowing systems do so because they believe that it is the right thing to do, for example to increase transparency and credibility. Yet the main reason for implementing a professional whistleblowing system is a legal obligation with an international or national scope.
According to the French anti-corruption law Sapin II (in force from 1 January 2018), companies employing more than 50 individuals are required to set up a professional whistleblowing system. Such whistleblowing systems should be accessible for alerts raised by staff members or by outside stakeholders. According to the law, the whistleblowing procedure must indicate which measures are in place to guarantee strict confidentiality of the identity of the whistleblower, of persons concerned by the alert and of the facts reported. Hefty penalties may be imposed when an organisation does not comply with the legal requirements.
Section 2 of the new Italian Whistleblowing Law No. 179/2017 (in force from 29 December 2017) states that organisations that adhere to the “231 Model” must provide for whistleblowing systems. Organisations must establish one or more channels for reporting unlawful conduct, ensuring the confidentiality of the whistleblower’s identity, and at least one alternative channel which must ensure the confidentiality of the whistleblower’s identity using IT technology. Since the great majority of Italian companies adhere to the 231 Model, all these companies are obliged to implement a professional whistleblowing IT system. Whistleblower channels must be available to directors, managers or other subjects acting on behalf of the company. The scope of the law is broad: the whistleblowing system must also be available to any other individual who is under the supervision of the organisation.
The Dutch House for Whistleblowers Act (in force from 1 July 2016) states that employers who have 50 people or more working within their organisation are under the obligation to have an internal procedure for reporting wrongdoing in place. This obligation applies to employees, but also to temporary agency workers who have performed activities for the employer for at least 24 months, former employees and stakeholders. Non-Dutch entities may fall under the scope of the Dutch law: a Dutch branch of a non-Dutch entity can also be required to draw up an internal whistleblowing procedure.
The European Union: banking
The EU CRD IV Directive (European Directive 2013/36, in force from 1 January 2014) refers to reporting of breaches of the national provisions transposing the Directive and the Capital Requirements Regulation (Regulation EU 575/2013, or “CRR”). Various countries are working on new whistleblowing regimes, which oblige credit institutions and investment firms to establish appropriate internal procedures for the purpose of reporting potential or actual breaches of financial markets legislation through a specific, independent and autonomous channel. Whistleblowing systems are proposed to be made available to employees of credit institutions and investment firms. However, other stakeholders, such as clients, may also be invited to notify suspicious practices and procedures in the operations of such financial institutions through the whistleblowing system.
The European Union: whistleblower protection
At the end of April 2018, the European Commission proposed new EU-wide standards aimed at protection for whistleblowers. The EC’s proposal includes an obligation for organisations to implement safe channels for internal reporting. Companies with more than 50 employees or with an annual turnover of over EUR 10 million will have to set up an internal procedure to handle whistleblowers’ reports. All state and regional administrations, and municipalities with over 10,000 inhabitants, will also be covered by the new proposal.
The European Union: data protection
The General Data Protection Regulation (Regulation 2016/679, “GDPR”) will enter into force on 25 May 2018. Organisations that have a whistleblowing procedure in place should consider how whistleblower reports will be processed and what information will be provided to the whistleblower. Relevant considerations include, among others, whether information provided by whistleblowers will be handled by a third party, transferred abroad, or communicated to a foreign authority. Depending on the circumstances and the nature of the information a whistleblower provides, the GDPR is likely to limit the way in which whistleblower complaints can be processed if no professional whistleblowing system is in place. We see that ever more organisations choose to implement professional whistleblowing systems in order to adhere to national and international legislation and to process personal data, such as that contained in a whistleblowing report, in compliance with the law. Please see the whitepaper that we have written on this subject: How to handle personal data in a Whistleblowing system: Are you compliant with the new EU General Data Protection regulation?