- Hello, everyone, I'm pleased to be with you today to discuss the European whistleblower directive. What it is, what its implications are for whistleblowers in the EU and how it affects employers compliance obligations. My name is Johanna Schwartz Miralles. I am of Counsel at Delcade, a boutique French business law firm with offices in Paris, Bordeaux, Lille, and Biarritz. Today we are going to discuss the European directive on the protection of persons who report breaches of Union law, which for ease of reference, I'll refer to as the European whistleblower directive. This law was adopted by the European Parliament and Council on October 23rd, 2019 and it came into force on November 27th of that year. On paper the directive required EU member states to adopt what we'll call implementing legislation on or before December 17th, 2021. This is also known as transposing the directive. As we'll see later on in the presentation, various countries are more or less on schedule in this transposition process, but all of them ultimately will be responsible for compliance with the directive. And the legislative changes that will result will have broad reaching effects in terms of whistleblower protection and compliance in Europe. So today's discussion will proceed in three main parts. First, we'll review the directive and its key provisions. Second, we'll look at the current state of transposition and third and finally, we'll discuss what recent legislative changes mean for employers with operations in Europe. Before diving into the directive however, I think it's helpful to give some general background on whistleblower laws in Europe. Looking back, Europe has been about 30 years behind the US in terms of legal and cultural developments in the fields of whistleblower protection and compliance more broadly. Whereas American courts and legislators started taking an interest in whistleblower protection in the early 1970s, it wasn't until 1998 that the first standalone whistleblower protection statute was adopted in a European country. This was the Public Interest Disclosure Act in the UK, which has since undergone some amendment but remains enforce today. From there there was not much legislative action except as it concerns general workplace anti-harassment and anti-discrimination legislation until the 20 teens. But in the last 10 years or so, European countries have finally started to legislate. The recent increase in interest in whistleblower protections can be attributed to a number of factors. These include globalization, advocacy on the part of whistleblower protection NGOs, and media coverage of sensational whistleblowing events like Edward Snowden's disclosures of NSA surveillance, the Chelsea Manning affair, the Panama papers and LuxLeaks, which for those of you who aren't familiar with that event was a scandal in Europe involving the disclosure by a PWC auditor of tax rulings affording favorable tax treatment by the Luxembourgish government to some multinational corporations. This nascent interest in whistleblower protection legislation was evident both at the level of individual countries in Europe and at the European level where certain regulations and directives adopted prior to the new whistleblower directive already contained sector specific whistleblower protections. And one example of this at the European level is the Market Abuse Regulation, so these are laws that afforded whistleblower protection, but only in certain specific contexts. So for the disclosures of certain types of information or as applied to certain kinds of employers. It's also important to note that even before European countries adopted specific whistleblower protection laws, European whistleblowers were not entirely at the mercy of those who might seek to retaliate. So on the one hand a number of European countries have statutory and domestic constitutional protections for free speech, which courts have extended at times to whistleblowing activities. And on the other hand, and perhaps more significantly, the European Convention on Human Rights protects free speech. This is in the European Conventions Article 10 which provides in pertinent part, everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers. The exercise of these freedoms, since it carries with it duties and responsibilities may be subject to such formalities, conditions, restrictions or penalties as are prescribed by law and are necessary in a democratic society. Now in a number of important decisions, the European Court of Human Rights has held that Article 10's free speech protections extend to whistleblowers in the public and private sectors. Early cases on whistleblower protection include Fuentes Bobo v. Spain, Marchenko v. Ukraine, Heinisch v. Germany, and Bucur and Toma v. Romania. Those are some leading cases decided by the European Court of Human Rights. But the leading case in the area is Guja v. Moldova, which was decided in 2008. And in which the European Court of Human Rights established a multifactor test for determining whether the disclosure of information by an employee constitutes protected whistleblowing. The Guja test involves examining the public interest in the information disclosed, the truthfulness or accuracy of the information, any harm caused by the disclosure, whether the whistleblower used internal reporting channels where possible prior to making an external disclosure, the good faith of the whistleblower, and this has been interpreted by the European Court of Human Rights as a lack of intent to harm, so subjective intent to harm, and then the severity of the sanction imposed. So those are the factors that the European Court of Human Rights will look at, and domestic courts as well, in fact will look at when determining whether Article 10 of the European Convention protects certain whistleblowing activity. Now this protection under Article 10 is directly applicable in the courts of states' party to the European Convention on Human Rights. And interestingly under French law, these are the only constitutional type protections that are directly applicable by courts at any level. So whether you're talking about a trial court, an appeals court or the Supreme Court, none of these courts can directly declare a law contrary to the French constitution. That prerogative is reserved to the French Constitutional Court, so it's a separate court that's exclusively charged with determining whether laws are or are not consistent with the French constitution. So other French courts at the trial level, the appellate level, and even the supreme court level, so it's a separate supreme court, than the constitutional court, those courts cannot declare a law to be contrary to the French constitution, but those courts may declare that a law or an act in action by a private individual or a public entity contravenes the European Convention on Human Rights. And so Article 10 of the European Convention, because it can be directly applied by domestic courts creates very powerful protections for whistleblowers. It's against this backdrop, so an increasing interest in whistleblower protection, coupled with a patchwork of legal rules in member states that European legislators began to take up the question of whistleblower protections. As mentioned earlier, their interest in the topic was sparked by a combination of factors, but chief among these was a sustained lobbying effort by NGOs, the most prominent of which is Transparency International and high profile events like Snowden's NSA disclosures in 2013. One key milestone worth mentioning, leading up to the 2019 directive was a recommendation published in 2014 by the Council of Europe. And this recommendation was intended to encourage national legislators to adopt whistleblower protection legislation, but the recommendation was not binding. So while some countries, Netherlands, France, Ireland, for example, took steps to voluntarily legislate in the area, other countries were less responsive. And this prompted the EU to begin drafting a directive. The process began in 2018 with requests for public comment and eventually culminated in the directive we're discussing today. Before looking at what the directive entails, I think I just want to highlight that experts in the field consider the directive to be in the words of Transparency International, game changing. According to the compliance hotline operator, NAVEX Global, the EU's new directive grants protection to a far wider range of potential whistleblowers than under existing national law across EU member states. And the president of OHOKAG, the European Trade Union Organization of Professionals and Managers called the directive, "A huge step for Europe." So in order to understand this game changing directive, it's important to touch briefly upon what a directive is. It doesn't have an exact analog in the American legal system, but it is essentially a statute. So a directive is essentially a statute adopted by the EU that sets forth baseline rules in a particular field, but leaves some amount of discretion to member states in determining exactly how to give effect to those rules. So said another way, a directive is a legislative instrument that is binding on member states as to the result to be attained, but it leaves member states free to determine the form and methods of attaining the results that the directive sets forth. So it's kind of like a model law, but one that must be adopted by EU member states and can be modified so long as any modifications don't contravene the terms of the directive. Now, EU member states are responsible for what's called transposing the directive. Transposing means adopting legislation and or regulations that make the baseline rules set forth in the directive part of each member state's domestic law. Now each member state is free to adopt rules that are more protective than what is required by a directive, but the rules that the member state adopts must be at least as stringent as those that the directive sets forth. So in other words, the directive sets floors, not ceilings. In the case of the whistleblower directive, for example, and as we'll see in a few minutes, the directive sets forth a list of the types of retaliation that each member state has to prohibit under its law. But countries remain free to add to this list and to prohibit additional forms of retaliation. Okay, on the other hand a member state cannot fail to include in its domestic law, any prohibition against a form of listed retaliation, a form of retaliation that's listed in the directive. It's also important to note that as mentioned earlier, many, if not all EU member states already have some background whistleblower protection legislation already in force. And it's against this existing legislative backdrop that each member state will be transposing. And the directive expressly prohibits member states from weakening protections for whistleblowers via transposition, so the effect of the transposition can only be for the domestic law of the member state in question to increase protections for whistleblowers, never to decrease them. Once a member state has adopted appropriate legislation and or regulation to meet its obligations to transpose a directive, the member state has to complete the transposition process by reporting on its transposition to the EU Commission. So basically demonstrating that national law provisions are compliant with the directive. Each European directive sets a deadline for its transposition, and in the case of the whistleblower directive, that transposition deadline was December 17th, 2021. Just a little note that member states, while they have to transpose the entirety of the directive by the transposition date, they can give smaller companies a grace period for compliance with all of the compliance obligations and anti-retaliation provisions of the directive. So compliance requirements for smaller companies, those with fewer than 250 employees may be under national law subject to a grace period. Unfortunately member states have not done a great job sticking to the transposition deadline. In fact as of the date of this recording, so June, 2022, there is no member state that has completely transposed the directive. So that is, adopted appropriate laws on the one hand and then reported to the Commission on the other hand. So no country has yet completed that process. A minority of member states, Croatia, Cypress, Denmark, France, Lavia, Lithuania, Malta, Portugal, and Sweden have adopted what appears to be compliant legislation. So this analysis of where different countries are in the transposition process, I'm using thanks to the EU Whistleblowing Monitor, which is a watchdog group created by NGOs to monitor the transposition process. So according to the EU Whistleblowing Monitor, those listed countries appear to have adopted compliant legislation and or regulation, but none of those countries has yet reported on its legislation to the EU Commission, so no country has yet completed the transposition process. Another handful, in fact a majority of member states are in a status that the Whistleblowing Monitor considers delayed. So that means that the country has taken some action toward transposition. So for example, convening a working group or debating draft legislation, but these countries have not yet voted to adopt a compliant law. So 17 member states are currently in this delayed status and at least one member state, Hungary has not yet taken any legislative action at all. Concretely, what this means is that we still find ourselves in a transition period with different legal standards and instruments applicable across EU member states and no certainty yet that the directive's minimum standards will apply. But over the coming month and years, countries whose transposition processes are incomplete will have to bring their legislation into compliance at the risk of being subject to enforcement actions before the European Court of Justice. And even today, the directive could influence courts in countries whose domestic law has not yet been updated to comply with the directive, so that's to say that those countries courts could very well be persuaded to interpret domestic law in the light of the directive, such that the directives protections would already be given some effect in those member states, even though there's not yet completely adopted legislation. And some of the directives provisions could be considered directly enforceable, especially in litigation involving government employers. So for all of these reasons, it's important to know what the directive requires. And so let's turn to that question now. The whistleblower directive requires member states to adopt a certain number of protections for people who raise concerns about suspected wrongdoing in areas within the legislative competence of the European Union. This is however quite a broad category. It includes wrongdoing concerning public procurement, financial services and products, financial markets, money laundering, the financing of terrorism, product safety, transportation safety, protection of the environment, nuclear safety, food safety, animal health and welfare, public health, consumer protection, antitrust, tax, and data privacy and protection. So given how many subject areas the directive covers in order to simplify their legislation member states are highly likely to adopt a broader definition of whistleblowing. So they're likely to cover reporting of any suspected illegality, risk to health or safety or act contrary to the public interest. So this is the case, for example, in France, where I practice, where the law implementing the directive contains a broad definition of whistleblowing that goes beyond merely what kinds of acts fall within the legislative competence of the EU. Who then is protected by the directive? Well, whistleblowers, but more than just whistleblowers. So the directive offers protections to a broader swath of people than we might generally consider whistleblowers. In fact, the directive doesn't use the term whistleblower, but instead the term reporting persons and this term is defined as, "A natural person who reports or publicly discloses information on a breach acquired in the context of his or her work related activities." So this can include current and former employees, job applicants, contractors, subcontractors, volunteers, interns, shareholders, board members. Really the key question is whether the information was obtained in the context of a work related activity. It's also interesting to note that only natural persons benefit from the directive's protections. So juridical persons like associations or corporations are not covered whistleblowers pursuant to the directive. though of course they could be under national law. So a member state could choose to afford protection to juridical persons, but doing so is not required by the directive. However, whistleblowers aren't the only people who receive protection under the directive. It also protects facilitators, which are people who might help the whistleblower to make a report. So for example, a union representative or an ombuds person, or an immediate supervisor, third person, so the directive protects facilitators and it protects third persons like close relatives or work colleagues. And it also protects legal entities that reporting persons own, work for, or are otherwise connected with in a work related context. And this goes well beyond what American statutes generally cover. To constitute protected whistleblowing the reporting person must have a certain state of mind and follow certain reporting procedures. In terms of the whistleblower's state of mind, the directive adopts a reasonable belief standard. This is the standard most widely used in American whistleblower protection statutes, but it's actually quite revolutionary in the European system, which until now required something more akin to a lack of intent to harm or an absence of malice. The directive's reasonable belief rule is also more whistleblower friendly than the standard under European Court of Human Rights case law, which as we said, uses a good faith test pursuant to which personal animus on the part of the whistleblower weighs against protection. It will be interesting to see whether this standard under Article 10 of the European Convention evolves in the years to come to take into account a more objective test under the directive and its implementing legislation. So maybe keep an eye out for that. So under the directive, the subjective intent of the whistleblower is irrelevant. Protection is available so long as the whistleblower reasonably believed, so first that the information reported is true, and second reasonably believed that the information reported fell within the scope of the directive. So constituted a violation of law or regulation within the legislative competence of the EU, as we mentioned earlier. This reasonable belief test contains a subjective and objective component. So the whistleblower must actually believe subjectively. So must actually believe and his or her belief must be objectively reasonable. And although the directive does not specify, it's likely that whether belief was reasonable will be evaluated in light of the individual's personal characteristics, like their background, education, training. In order to receive protection, the whistleblower also has to have followed certain reporting procedures, and these reporting procedures fall into two types. One applies in what one might call normal cases. In such cases there is a two step process. So first the whistleblower must either report internally to a person within the entity where the alleged wrongdoing took place or report to government authorities. The employer or government then has three months to investigate and respond to the reporting person. But in duly justified cases, the government is allowed to take up to six months. And at the end of this investigation period, if the concern persists, then and only then, may the whistleblower publicly disclose the information. The two step procedure does not apply however, in case of emergency or where reporting internally or to public authorities would be futile or present excessive risk to the whistleblower. So as the directive puts it, reporting immediately to the public is protected if, "The breach may constitute an imminent or manifest danger to the public interest, such as where there is an emergency situation or a risk of irreversible damage" or if "There is a risk of retaliation, or there is a low prospect of the breach being effectively addressed due to the particular circumstances of the case, such as those where evidence may be concealed or destroyed or where an authority may be in collusion with the perpetrator of the breach or involved in the breach." So just to recap what we've said so far, the directive offers whistleblower protections to a natural person who reports information regarding what he or she reasonably believes to be a violation of EU law of which he or she became aware in the context of work related activities so long as the reporting takes place using prescribed channels. The directive also protects people close to the whistleblower who might be at risk of retaliation. Before turning to what kinds of protections the directive puts in place, I'd like to cover the directive's provisions relating to reporting channels. Because of course, if there's a duty, at least in some cases to report internally, one might expect there to be rules about what kinds of reporting channels have to exist, and in fact, there are. So to receive whistleblower's reports, companies with 50 or more employees will be required to put in place whistleblower reporting procedures. These procedures must allow reporting by current employees. They can also allow reporting by others, but this is not required by the directive though member states might choose again to require it. In terms of operating the reporting system, that can be done either internally or externally, so for example, by means of a hotline. The directive also establishes a number of rules for the receipt and processing of reports. So companies internal procedures must allow reporting by telephone or other voice messaging or in writing. Reporting procedures must guarantee the confidentiality of the identity of reporting persons and any third party mentioned, and access to data must be limited to authorized persons. When a report is received, an acknowledgement of receipt must be provided to the whistleblower within seven days. An impartial department or person must be designated to follow up on reports. And that follow up must be diligent, including providing information on the outcome of an investigation within three months of the date of acknowledgement of receipt. Moreover information must be provided to potential users of the reporting system, concerning procedures for reporting to government authorities. And of course, member states can choose to make these procedural requirements even more robust. These are the minimum requirements under the directive. Please note also that the directive creates obligations for member states in terms of external reporting channels and the receipt and processing of reports by government agencies. But we won't discuss those provisions today. Also, and as mentioned earlier, countries can give companies with fewer than 250 employees, so those within the 50 to 250 range, two extra years to implement these compliance procedures. So look out under domestic legislation for whether this grace period exists or not under the relevant domestic law. There's also an interesting interplay between the directive and the General Data Protection Regulation or GDPR. So because whistleblowers reports are themselves sensitive information and then contain sensitive often personally identifiable information, the provisions of GDPR apply to the processing of this data. And without being exhaustive, here are a few of the obligations that arise out of GDPR with respect to whistleblower reporting. So first Article 35 of GDPR requires a data protection impact assessment anytime that data processing is "Likely to result in a high risk to the rights and freedoms of natural persons." This is almost certainly the case for whistleblower reporting mechanisms. This is because whistleblower's reports can lead to disciplinary action, civil or criminal sanctions, reputational harm, or can contain confidential or privileged information. And so national data authorities, including the French data authorities have opined that whistleblower hotlines meet this threshold and that a data protection impact assessment should be carried out before the compliance program is rolled out. Data protection impact assessments just on a very high level involve identifying the legal basis for the data processing, analyzing risks presented by the data processing, determining ways to reduce those risks, and then in cases where those risks cannot be sufficiently reduced, consulting with national data protection authorities prior to processing the data. If the organization has a data protection officer that person must be involved in this data protection impact assessment. Second, if the organization uses a contractor, so for example, a hotline, for receiving or investigating reports, the organization is responsible for ensuring that the contractor provides "Sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of GDPR and ensure the protection of the rights of the data subject." So the party's contract must also contain provisions relating to GDPR compliance, so those are important issues to remember if you are using a contractor for the processing of the handling of whistleblower reports. Third, Article 6 of GDPR requires what's called a lawful basis for any processing of personal information. And one of the lawful basis for processing under Article 6 is that processing is necessary to comply with a legal obligation, because whistleblower reporting systems will be legal obligations, this test is met. But what this means is that some information provided by whistleblowers or witnesses cannot and should not be processed. So just to give an example, it may not be legitimate to collect information that is unrelated to whistleblowing. Like let's say the whistleblower raises an alleged affair by the CEO of his employer, and this alleged affair is taking place with a person outside the company, and it has no relationship to the public interest or really to the meat of the report. The whistleblower is merely raising it because the whistleblower has some vendetta, that information should not be recorded pursuant to GDPR. Similarly if a report largely relates to the public interest, so you might imagine a complaint about the bribery of a public official. Again, it might not be legitimate to record irrelevant information provided by the whistleblower. So we talked about an alleged affair or the target's medical condition that's unrelated to the alleged bribery. So to ensure compliance with GDPR, the basic questions companies will have to ask are, first, does the report fall within the scope of the whistleblowing procedure? So is what's being reported an alleged violation of law or an alleged risk to the public interest? If not, that information should not be recorded, but even if the information, the whistleblower's report largely falls within the scope of what would be considered true whistleblowing, some information may be extraneous, so it may not be strictly relevant to the matter being reported. And it might relate to natural persons individuals. So in that case, that information also should not be recorded. This is also consistent actually with the whistleblowing directive, which provides that personal data, which are manifestly not relevant for the handling of a specific report shall not be collected, or if accidentally collected shall be deleted without undue delay. GDPR also grants a number of rights to individuals whose personal data is processed. So processing includes collection, storage, use. So any individual whose personal data is collected is processed within the context of a report has certain rights. And these rights include the right to be informed about the collection and processing of the data, the right to access the data to rectify it, and to have it erased in a timely manner. The whistleblower directive dovetails on GDPR with respect to eraser, access and rectification. So the directive provides, for example, that reports shall be stored for no longer than is necessary and proportionate in order to comply with law, and that any person providing information in connection with reporting must have the opportunity to check, rectify and approve of any written summaries that are made of calls or meetings. So I think it's important to highlight that these data rights can give rise to some significant conflict and the conflict arise out of the fact that the rights to information and access granted by GDPR apply to all data subjects. So that would include people who are implicated by the report who are targets of an investigation. And so by its plain terms, GDPR seems to require immediately providing targets of investigations, information about the existence of a report, its contents, the source of the report. So that could include the identity of the whistleblower, it could include the identities of witnesses who may have provided follow up information. In fact, Article 14 of GDPR requires providing any person whose data has been acquired from a third party the right to know from which source the personal data originate. And so it's pretty obvious how this would give rise to problems, including difficulties protecting witnesses and whistleblower's identities and the potential for the destruction of evidence. National data authorities are still working through how to reconcile these concerns and to date countries have adopted differing approaches. So in Germany, for example, data authorities have opined that whistleblowers should either provide information anonymously or give express consent to allow targets to be informed of the whistleblower's identity, that's the German approach. The French approach is that withholding information about the whistleblower's identity or that of witnesses is not contrary to GDPR's disclosure obligations. The French authority has also advised that targets need not be informed of pending investigations if doing so would risk despoliation of evidence, but that as soon as that risk no longer exists the information must be provided. So it's going to be important to keep abreast of guidance by national data protection authorities on these questions. As you likely know, GDPR also restricts transfers of data outside the European economic area. In the whistleblowing context, there are two primary ways this kind of transfer might take place. So first, if the whistleblower's report is made to or investigated by a person or entity outside the European economic area, and second, if the results of the report or an investigation are shared with a person or entity outside the EEA, so one solution to this problem is limiting transfers outside the EEA, which is advisable where possible. But if a company anticipates transferring personal data outside Europe, it needs to ensure that this transfer does not run a foul of GDPR. Today, two possibilities exist for transfers to the US. So one is the use of a standard contract clause drafted by the European Commission. And the second is the adoption of binding corporate rules approved by the data protection authority of the country from which the transfer will be made. We touched briefly on the question of anonymous reporting, but this was a hot button issue for European legislators for reasons relating to 20th century European history. So in the US it's relatively uncontroversial that it makes sense to allow whistleblowblowers to report anonymously in order to bring the most information about potential wrongdoing to the attention of someone who can put an end to it. In Europe, legislators have been extremely reluctant to allow anonymous reporting for fear of false and malicious reporting. Now the directive reconciles these concerns by leaving it up to member states whether or not to allow anonymous reports. And we saw that the German approach is presently to allow that, some member states may choose not to, and this will be something to keep an eye on. So turning now to what protections whistleblowers enjoy pursuant to the directive, the directive prohibits an extremely wide swath of forms of retaliation. It's definition of retaliation is extremely broad, and it includes almost any conceivable adverse action. These are listed in Article 19 of the directive, so that article provides that member states shall take the necessary measures to prohibit any form of retaliation against reporting persons, against whistleblowers, including threats of retaliation and attempts of retaliation, including in particular in the form of suspension, layoff, dismissal, or equivalent measures, demotion or withholding of promotion, transfer of duties, withholding of training, a negative performance review, the imposition of disciplinary measures, harassment, discrimination, or unfair treatment, failure to hire, so failure to either convert a temporary contract to a permanent one, failure to hire, harm to reputation, blacklisting, early termination of a contract for goods or services, the cancellation of a license or permit and psychiatric or medical referrals. The whistleblower directive also has adopted an extremely plaintiff friendly burden of proof. So plaintiffs merely have to establish that a report was made and that the plaintiff suffered some detriment. There's no obligation to establish causation. And as the directive puts it, if a person establishes that he or she reported and then suffered some kind of detriment, it shall be presumed that the detriment was made in retaliation for the report or the public disclosure. At that point, the burden shifts to the employer to prove that the measure was based on dually justified grounds. The directive provides further protection to whistleblowers by creating an affirmative defense to claims predicated on the disclosure of confidential information. So breach of contract actions, actions for the disclosure of trade secrets or defamation claims, for example, this is however provided that the whistleblower had reasonable grounds to believe that the reporting or public disclosure was necessary for revealing a breach of law. So I just wanna highlight for a moment that there are two different standards for whistleblowers protections under the anti-retaliation provisions of the directive and under the affirmative defense. In the case of the anti-retaliation provisions, whistleblowers are protected from adverse employment action if they had a reasonable belief that the information was true and fell within the scope of the directive. In the case of the affirmative defense, the whistleblower has to meet a higher threshold. So they have to have a reasonable belief that the reporting or disclosure was necessary. Of course, member states have some discretion here and could adopt a less stringent standard for the affirmative defense. Also some duties of confidentiality remain exempt from the directive. So the directive excludes from its scope, disclosures of classified information, information protected by the attorney-client privilege and information covered by the medical professional privilege. Whistleblowers also do not benefit from immunity in criminal actions arising out of unlawfully accessing or acquiring information. So one might think of prosecution for theft or receipt of stolen property or of unauthorized access to computer systems. Some member states will however choose to include this type of immunity. As you likely know, whistleblower rewards are a key part of the American system, but to date they have been largely rejected in Europe. Again, the reason relates to discomfort with snitching and the idea that whistleblowers should be acting exclusively in the public interest and that's why we protect them. To date European countries have very few whistleblower reward laws with limited exceptions in the areas of tax and customs. Given the general discomfort in Europe with whistleblower rewards, it's unsurprising that the directive did not create a reward scheme. It does however allow member states the choice to provide monetary rewards if desired. Now I don't expect to see much of this, at least in the near term, but it's conceivable that a member state could make this choice. So that ends today's overview of the 2019 directive and what it contains. One area we didn't cover is the directive's provisions relating to the creation of whistleblower reporting channels by public authorities, so law enforcement regulators. If you're interested in taking a look at those provisions, I'd invite you to consult the directive, which is provided in the supplemental materials and also available online. So just turning to the final segment of today's presentation, how can companies prepare today for the directive? The first thing for an employer to do of course, is to review existing whistleblower reporting policies to ensure that they're compliant with the law as it currently exists in all relevant jurisdictions. So this review needs to take into account provisions of national law. Often there are labor and employment implications before putting in place a reporting system, a compliance system, a compliance program. So for example, the obligation to consult with employee representatives in creating and or rolling out the program. And of course your review, your compliance review should also take into account the GDPR concerns that we've discussed today. Companies should also take a look at how effective their reporting channels are, so first question is what's the legal framework that we have to comply with? And then the second question is like, how do we want to create a reporting system that is effective? I really believe that the directive and the process by which member states are adopting implementing legislation, so transposing the directive presents companies with an opportunity to reinforce a culture of compliance. This is all the more important because employees in Europe are much less aware of whistleblowing procedures and much less aware of the protections available to them than are their American counterparts. According to a 2018 survey, approximately 30% of Europeans surveyed were aware of workplace conduct that violated the law or their organization's ethical standards occurring over the previous 12 months. But fewer than half of respondents reported that their organization provided employees with a means of reporting misconduct confidentially. So this could be explained in two ways. One explanation might be, there are no reporting channels, but another explanation, and one that I find more persuasive is that there are such channels, but employees are just unaware of them. In fact, a study by the European Commission similarly showed that nearly half, so 42% of respondents to that study did not report suspected wrongdoing because they did not know where or how to report. It's also important to note that many respondents reported a fear of suffering negative consequences, whether reputational, financial or legal. So employers, companies with operations in Europe have a great opportunity to engage their employees with respect to compliance by creating streamlined and effective reporting channels, by informing employees about the use of those channels and by communicating a commitment not to retaliate against employees who speak up. In terms of effectiveness, there are some key questions that organizations will obviously want to ask and answer. So in determining the kind of compliance program, the kind of reporting channels to put in place. So the first big question is what are our risks? And you would evaluate this by looking at the kinds of issues that employees have raised in the past, issues, pitfalls that are common to the industry, concerns that could be common to countries where the organization does business or has partnerships, specific risks arising out of relationships with suppliers or subcontractors and risks arising out of the use of technology. So then given the nature and extent of these risks and the size of the organization, the question then becomes how robust or formalized must a whistleblower reporting system be in order to be effective. And of course, ceteris paribus, the bigger the organization, the more formalized the system, the higher the risks to health, public safety, the risks of illegal activity arising out of your business' operations, ceteris paribus, the more formalized and robust your reporting and follow up system should be. So the next question then of course is how many avenues and what avenues exist for reporting? Do you need more? Do you need fewer but have them just simply be more visible? The next question might be whether the appropriate people have been both selected and equipped to receive and investigate reports, and whether adequate resources have been devoted to the initiative. There will be some very important questions surrounding the protection of both the reports and the follow up information compiled and recorded in the investigation, so how can we preserve, how can we ensure that that information remains confidential and is not unduly disclosed. And then the next question, and depending on domestic law, this answer could of course vary, but will the employer allow anonymous reporting? And if so, how will follow up be facilitated? So once the architecture of your reporting system is in place, it's key to communicate clearly and regularly about the use of the reporting system. So you want to ensure that all stakeholders, all employees management, probably board members, any relevant person who could be considered a whistleblower under the directive, know what the reporting channels are, that they know how any reports will be investigated. Of course, it's important to follow up regularly on these reports and keep the reporting person and any relevant witnesses who may have knowledge of alleged wrongdoing, keep them apprised of the status of the report so that you diminish the risk of external reports if and when those reports are authorized by law. You want to of course provide regular training on procedures and policies, and certain employees may need more training than others. So management level employees, employees in sensitive business units may need more regular and more in depth training than certain other employees who may be less exposed to potential wrongdoing. I also think, and the research bears this out, that publicly commending employees, even if done anonymously for having spoken up can be very helpful in creating a culture of compliance in helping employees feel comfortable, quickly bringing wrongdoing to the light internally in a way that's productive and in a way that puts an end to the alleged wrongdoing and, or responds to the employee's concerns where there has been no wrongdoing and there may not be a risk to public health or safety, but just really addresses an employee's concerns in a way that assuages that employee early on. So by publicly commending employees, you're really encouraging people to start to speak up and to feel comfortable with the idea that it's a good thing to raise your hand if you see something, so if you see something say something. And so that brings us really to the end of the presentation. I just wanted to close with a few key takeaways, and I hope that you've enjoyed today's talk. And obviously, if you have any questions, please feel free to reach out to me. You should be able to find my contact information either on the course website or by online, and I'm happy to receive emails about any topics that may have been raised today. So just by way of conclusion, a few key takeaways, whistleblower protection is becoming more and more robust in Europe. Whistleblower protection is a hot topic. Organizations should be aware that retaliation against whistleblowers has been protected and is prohibited by virtue of not only the European Convention on Human Rights, but also a number of national laws. The European directive will however lead member states to adopt broader protections in coming months and years. So for example, protections will be extended to a wider swath of persons, and there will be no duty for whistleblowers to report internally before contacting public authorities. Organizations with 50 or more employees will also have specific obligations in terms of setting up whistleblower reporting systems. And another key takeaway is that you should ensure compliance with the directive today by reviewing your reporting procedures to ensure that they are both legally compliant and optimally effective. And keep in mind that in that review you will need to ensure compliance with domestic law and that is the domestic law of each of the jurisdictions in which you have operations, and this should be reviewed of course, in creating or updating your compliance programs. So once again, I enjoyed speaking about this topic with you. I think it's a very fruitful area of the law and an area of the law that is evolving and really is worthwhile keeping abreast of for those of you who have clients with operations in Europe, or who are working for an entity with European operations. So thanks again and have a great day goodbye.
Read full transcriptSee less