Internal Reporting Systems

Whistleblowing Legislation in the EU and Brazil

By Julia Arbery[1] and Lisa Van Houten[2]

Overview

The DWS greenwashing scandal,[3] Biogen,[4] United Healthcare,[5] and Cardinal Health[6] —these are all well-known examples of whistleblower cases in the United States. There, whistleblowing is an accepted—and even encouraged—practice due to the stringent laws that provide a safe harbor for reporting wrongdoing, both within an organization and to public authorities, regardless of anonymity.

The primary law used to assist those blowing the whistle on bad behavior is the federal False Claims Act (FCA). The Securities and Exchange Commission (SEC) also has a whistleblower program that has grown significantly over the past decade. Fiscal Year (FY) 2022 continued to build on the record-breaking success for the SEC's Whistleblower Program. In FY 2022, the SEC awarded approximately $229 million in 103 awards, making it the second-highest year in terms of dollar amounts and number of awards.[7] Since the beginning of the program, the SEC has paid more than $1.3 billion in 328 awards to individuals for providing information that led to the success of SEC and other agencies' enforcement actions.[8] The SEC also received a record-high number of whistleblower tips alleging wrongdoing. In FY 2022, the commission received over 12,300 whistleblower tips—the largest number received in a fiscal year.[9]

While Americans have had some sort of avenue to safely and anonymously voice concerns about corporate misgivings since the Civil War, whistleblowers have been much less common in other countries, including those that are member states of the European Union (EU) and Brazil. In the absence of incentives for speaking out against corporate wrongdoing in the EU and Brazil, corporate scandals and fraudulent activities have historically been far less likely to be brought to light in the court of public opinion.

In fact, according to a 2022 European Commission poll on corruption, 28% of Europeans believe that cases are not reported because there is no protection for those who report corruption.[10] Back in 2017, “81 percent of respondents said they did not report the corruption they had experienced or witnessed because they did not believe they had adequate protection. Similarly, 85 percent of respondents believed workers ‘very rarely’ or ‘rarely’ report concerns about threat or harm to the public interest due to fear of reprisals.”[11] That is, until recently.

Background of the EU Whistleblower Directive

Whistleblowers help to prevent damage and detect threat or harm to the public interest that may otherwise remain hidden. However, they are often discouraged from reporting their concerns for fear of retaliation. For these reasons, the importance of providing effective whistleblower protection for safeguarding the public interest is increasingly acknowledged both at European and international level.[12]

In April 2019, the European Parliament voted to overhaul whistleblower regulations and standardize protections across its 28 member countries against retaliation for speaking out.[13] The deadline to implement the EU Whistleblower Directive (the Directive) was December 17, 2021.

The Directive intended to offer more resources for whistleblowers to act and is meant to protect all individuals involved, including those affected by the report or disclosure. It expands the scope of whistleblower protection and will protect regular employees, civil servants, interns, volunteers, external contractors and suppliers, previous employees, and any individual who has become aware of violations prior to the start of their employment. Applicable organizations are obliged to establish both internal and external reporting channels with certain procedural requirements. This new legislation will also enhance confidentiality to ensure that all identities involved are protected and will prohibit whistleblower retaliatory measures.

Because the EU Directive only provides a set of minimum standards, it is possible that certain member states decide to create more stringent legislation.[14] As a result, there is a large degree of variation across the EU regarding how the Directive is implemented, including different levels of protection as well as different requirements or thresholds for such protection. As such, the intended harmonization across the EU intended by the Directive has not been achieved. Furthermore, organizations who are navigating multi-jurisdictional requirements are tasked with another level of complexity and must assess region-specific applicable requirements.

Due to variations in member states’ local laws and regulations, there are numerous challenges and questions around implementation for multinational employers who want to apply a consistent approach across all their regions.[15] Due to these challenges, the majority of member states failed to meet the December 17, 2021, deadline.[16] However, 25 of 27 member states have now implemented the Directive into their national laws and regulations, with only Estonia (as of 31/05/2023) and Poland (as of 15/02/2023) having delayed adoptions.[17] In addition to the EU Whistleblower Directive, the EU will soon be responsible for complying with a new law on corporate sustainability due diligence obligations. Specifically, on February 23, 2022, the EU adopted a propsal for the European Supply Chain Act.[18] This new legislation requires EU companies to carefully manage social and environmental impacts along their entire value chain, including direct and indirect suppliers, their own operations, as well as products and services, and to ensure compliance with applicable human rights standards and environmental protection.[19]

These requirements will pose compliance challenges, in particular for multi-national companies with business activities in high-risk countries.[20] Amongst other requirements, affected companies[21] must establish a process for reporting complaints and ensure everyone along the supply chain can access it.[22] Member states will need to evaluate whether to use their existing whistleblower system platform for suppliers and others across the supply chain, and assess how to integrate these new requirements into their existing reporting processes. On June 1, 2023, the EU Parliament voted by a majority in favor of tightening up the original legislative proposal from the EU Commission.[23] As a next step, the EU Parliament, EU Commission, and the Council of Ministers will work together to finalize the directive.[24] Once adopted, member states will have two years to implement the directive into national law.[25]

Minimum Standards of the EU Whistleblower Directive[26]

The EU Whistleblower Directive outlines the following minimum standards for member states within the European Union:

  • Timeline: As mentioned above, implementation by national legislators should have been completed in all member states by December 17, 2021.

  • Purpose: The purpose of the Directive is to enhance the enforcement of EU law and policies in specific areas by laying down common minimum standards providing for a high level of protection of persons reporting breaches of EU law.[27]

  • Required participants: All legal entities in the private and public sections are required to comply with the Directive. However, this only applies to companies with more than 50 employees and authorities and municipalities with more than 10,000 inhabitants who are obliged to set up channels for reporting legal violations.[28]

  • Material scope: The Directive requires the reporting of violations of EU law. This includes, but is not limited to, the following areas:[29]

    1. public procurement;

    2. financial services, products and markets, and prevention of money laundering and terrorist financing;

    3. product safety and compliance;

    4. protection of the environment;

    5. food and feed safety, animal health, and welfare;

    6. public health;

    7. protection of privacy and personal data, and security of network and information systems; and

    8. violations of national law.

  • Personal scope: The personal scope of the Directive is expansive and includes a wide variety of individuals who are subject to whistleblower protection. The Directive applies to individuals working in the private or public sector or who have acquired information on violations in a work-related context.[30] This includes part-time or self-employed workers; persons working under the supervision of contractors and suppliers; shareholders; and job applicants.[31] Additionally, such work-related context must be interpreted broadly. It includes persons whose employment relationship has already ended or has not yet begun and is in a pre-contractual stage.[32] Furthermore, protection should be provided to others who can experience (indirect) retaliatory measures due to a report. This may include vis-à-vis facilitators, colleagues, or relatives of the reporting person.[33]

  • Conditions for protection of reporting persons: As mentioned above, one of the primary objectives of the Directive is to provide better protection to whistleblowers from retaliation. The Directive outlines various conditions for qualifying for this protection, including requiring that they had reasonable grounds to believe that the information reported was true at the time of reporting.[34]

  • Internal reporting channels: The Directive requires companies and public authorities to establish channels and procedures for internal reporting of violations which promotes the reporting of violations and follow-up of those reports.[35] The new legislation outlines numerous procedural requirements regarding internal reporting channels, including:[36]

    1. Reporting channels which are designed, established, and operated in a secure manner that ensures that the confidentiality of the identity of the reporting person;

      • These channels should enable reporting in writing or orally, or both. Oral reporting shall be possible by telephone or through other voice messaging systems and, upon request by the reporting person, by means of a physical meeting within a reasonable timeframe.

    2. Acknowledgment of receipt of the report to the reporting person within seven days of that receipt;

    3. The designation of an impartial person or department competent for following up on the reports, which may be the same person or department as the one that receives the reports and which will maintain communication with the reporting person and, where necessary, ask for further information from and provide feedback to that reporting person;

    4. Diligent follow-up by the designated person or department;

    5. Diligent follow-up, where provided for in national law, for anonymous reporting;

    6. A reasonable timeframe to provide feedback, not exceeding three months from the acknowledgment of receipt or, if no acknowledgement was sent to the reporting person, three months from the expiry of the seven-day period after the report was made; and

    7. Provision of clear and easily accessible information regarding the procedures for reporting externally to competent authorities.

    External reporting channels: The Directive requires member states to establish independent and autonomous external reporting channels and outlines numerous requirements for the design and operation of those channels.[37] Specifically, member states are required to designate authorities competent to receive, give feedback, and follow up on reports, and are required to provide them with adequate resources.[38] Member states are also required to ensure that those authorities:[39]

    1. Establish independent and autonomous external reporting channels, for receiving and handling information on breaches;

    2. Promptly, and in any event within seven days of receipt of the report, acknowledge that receipt unless the reporting person explicitly requested otherwise, or the competent authority reasonably believes that acknowledging receipt of the report would jeopardize the protection of the reporting person's identity;

    3. Diligently follow up on the reports;

    4. Provide feedback to the reporting person within a reasonable timeframe not exceeding three months, or six months in duly justified cases;

    5. Communicate to the reporting person the final outcome of investigations triggered by the report, in accordance with procedures provided for under national law;

    6. Transmit in due time the information contained in the report to competent institutions, bodies, offices, or agencies of the Union, as appropriate, for further investigation, where provided for under Union or national law.

    As it relates to external reporting channels, the new legislation also:[40]

    1. Provides criteria for ensuring that external reporting channels are independent and autonomous;

    2. Requires reporting channels than enables reporting in writing and orally; and

    3. Requires specific training for staff members regarding the handling of reports.

  • Information regarding the receipt of reports and their follow-up: The Directive requires that specific information is clearly published and accessible. This includes, for example, the conditions for qualifying for protection under the Directive; contact details for external reporting channels; and procedures applicable to the reporting of violations.[41]

  • Duty of confidentiality: The Directive requires that the identity of the reporting person is not disclosed to anyone beyond the authorized staff members competent to receive or follow-up on reports without the explicit consent of that person.[42]

  • Processing of personal data: Any processing of personal data carried out pursuant to this Directive, including the exchange or transmission of personal data by the competent authorities, shall be carried out in accordance with relevant laws and regulations. Personal data which are manifestly not relevant for the handling of a specific report shall not be collected or, if accidentally collected, shall be deleted without undue delay.[43]

  • Record keeping of whistleblower reports: The Directive outlines various requirements regarding reports received, specifically how those reports should be stored and to ensure compliance with laws and regulations.[44]

  • Prohibition of retaliation: The Directive requires that member states take the necessary measures to prohibit any form of retaliation, including threats of and attempts at retaliation. This may include a wide range of activities including suspension, layoff, dismissal, or equivalent measures; demotion or withholding of promotion; transfer of duties, change of location of place of work, reduction in wages, change in working hours; discrimination, disadvantageous or unfair treatment; and others.[45]

  • Measures for protection against retaliation: Member states shall take the necessary measures to ensure whistleblowers are protected against retaliation and to ensure that remedies and full compensation are provided for damage suffered by whistleblowers in accordance with national law.[46] Furthermore, there is a reversal of the burden of proof during labor law proceedings which favors the whistleblower.[47] This means that during labor law proceedings, the employer must prove that the dismissal of a whistleblower was not due to their blowing of the whistle, rather than the whistleblower.[48]

  • Penalties for whistleblower blockers: The Directive provides for “effective, proportionate and dissuasive penalties” for individuals or companies who hinder or attempt to hinder reporting; retaliate against whistleblowers; or breach the duty of maintaining the confidentiality of the identity of reporting persons.[49] The Directive further allows whistleblowers to claim compensating damages in such cases.

This document is only available to subscribers. Please log in or purchase access.
Purchase Login
 

About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook X LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings