OPINION No 4/2018

(pursuant to Article 325(4) TFEU)

concerning the proposal for a Directive of the European Parliament and of the Council on the protection of persons reporting on breaches of Union law

(2018/C 405/01)

THE COURT OF AUDITORS OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 325(4) thereof,

Having regard to the proposal for a Directive of the European Parliament and of the Council on the protection of persons reporting on breaches of Union law (COM(2018) 218 final),

Having regard to the Parliament's and the Council's requests of 29 May 2018 for an opinion on the abovementioned proposal,

HAS ADOPTED THE FOLLOWING OPINION:

GENERAL REMARKS

1.

Following a number of high-profile whistleblowing cases and several initiatives at Member State (1) and international level (2), on 23 April 2018 the Commission proposed a Directive on the protection of persons reporting on breaches of Union law (‘the proposal’). The Directive was accompanied by a communication on strengthening whistleblower protection at EU level (3).

2.

We note that Member States currently have a wide range of approaches to whistleblowing (4). We further note that the Union acquis takes a piecemeal approach to the reporting of breaches. A comprehensive, well designed and user-friendly Directive could be an effective tool to ensure that people are deterred from breaching Union law and that breaches, where they do occur, do not go unpunished. To the extent that breaches might affect the EU's financial interests, preventing them through timely and effective reporting could contribute to the protection of the EU budget, sound financial management and accountability.

3.

We warmly welcome the proposal as we consider that the introduction or extension of whistleblowing systems in all Member States, as envisaged by the proposal, would help improve the management of EU policies from the bottom up through the actions of citizens and employees, as a complement to top-down enforcement such as actions for infringement initiated by the Commission against Member States under Article 258 TFEU (5). In this sense, the Directive could increase citizens' awareness of their legal rights and the fact that they can play a crucial role in applying EU law. Where a specific breach highlights a more systemic problem, reporting it could help the Commission to put together a case against a Member State.

4.

Furthermore, where a reported breach concerns the EU's financial interests, whistleblowing has the potential to generate savings for the EU budget through the recovery of sums unduly paid. In the longer term, where whistleblowing draws attention to loopholes or gaps in the financial management of EU programmes, it will enable the Union's legislator to enact the necessary changes to the rules following a proposal by the Commission.

5.

As the Union's external auditor, we would not play a direct role in the system of reporting envisaged by the proposal. In carrying out our mandate in Article 287 TFEU, we do not automatically initiate audits or investigations on the basis of information received from third parties. However, when planning our audit work we give serious consideration to any relevant information reported through external channels. When one of our auditors is alerted to non-compliance by a whistle blower, any undisclosed information may feed into the audit work (6). Reports due to whistleblowing could also usefully inform our future working priorities (7).

6.

We note that the proposal does not cover whistleblowing by EU staff concerning the activities of EU institutions, offices and bodies, which is currently dealt with by the Staff Regulations (8).

PREPARATORY WORK BY THE COMMISSION

7.

We note that the Commission undertook a considerable amount of preparatory work during 2017. It organised a 12-week public consultation, resulting in 5 707 replies, as well as three online consultations targeting stakeholders, two workshops with national experts and one workshop with academic and advocacy experts. It also commissioned an external study and carried out an impact assessment (9): following an initial negative opinion, this was approved by the Regulatory Scrutiny Board (10).

8.

In its impact assessment, the Commission estimates the current risk in the EU owing to fraud and corruption at 179 euro to 256 billion euro per annum (11). It calculates that the proposal would give 40 % of the EU's workforce the right to whistleblower protection and improve the level of protection for nearly 20 %. Finally, it estimates that the proposal would cost the public and private sectors a total of 747,8 million euro in one-off costs and 1 336,6 million euro in annual operational costs.

SPECIFIC REMARKS

This section covers only those articles of the proposal on which we have specific comments.

Article 1 — Material scope

9.

The proposal purports to protect persons reporting breaches in four main categories: — breaches falling within the scope of Union acts in a limited number of areas (12). The acts concerned are listed in an annex, the second part of which contains acts which already include specific rules on reporting of breaches. Recitals 19 and 82 allow consideration to be given to amending (i.e. extending) the annex every time whistleblower protection is relevant for a new Union act, — breaches of competition rules, — breaches affecting the financial interests of the Union as defined in Article 325 TFEU (on combating fraud), with particular reference to the PIF Directive (13) and the OLAF Regulation (14), — breaches relating to the internal market, regarding acts which breach the rules of corporate tax or arrangements whose purpose is to obtain a tax advantage defeating the purpose or object of the applicable corporate tax law.

10.

Given that many EU legal acts already contain elements of whistleblowing procedures, the proposal states that sector-specific rules (for example those in the Market Abuse Directive (15)) would take precedence. However, the proposal would apply to all matters not regulated in a sector-specific act.

Our analysis

11.

We welcome the Commission's intention to ensure the Directive covers many areas of Union activity. This reflects the recommendation of the Council of Europe to put in place a ‘comprehensive and coherent’ normative framework (16).

12.

However, whilst fully recognising the need to respect the division of powers between the Union and its Member States, and acknowledging the Directive's intrinsic limitations as a legal instrument, we are concerned by the complexity of the material scope and the implications this might have in practice for the effective protection of whistleblowers. In its accompanying Communication, the Commission specifically encourages Member States to ‘consider extending’ the scope of the Directive to ‘other areas’ and to ‘ensure a comprehensive and coherent framework at national level’ (17). If there is no such voluntary scope extension in national law, end-users could be faced with making complex assessments requiring expert knowledge which they might not always possess. A potential whistleblower would need to understand whether the breach they were planning to report concerned an act listed in the annex (possibly amended and consolidated in the meantime) so that they could benefit from the protection afforded by the Directive and the national transposing legislation. This complexity could reduce the legal certainty for potential whistleblowers and thus deter them from reporting on breaches of Union law.

13.

In our view, the complexity of the scope is partly mitigated by the various provisions of the proposal to assist potential whistleblowers with clear and easily accessible information, advice and assistance (18), and by the fact that it would be sufficient to have reasonable grounds to believe that a report fell within the scope (19).

14.

We welcome the Commission's intention to cover all breaches affecting the EU's financial interests as defined by Article 325 TFEU, which is seen as a ‘core area in which enforcement of Union law needs to be strengthened’ (20). The PIF Directive defines the ‘Union's financial interests’ as ‘all revenues, expenditure and assets covered by, acquired through, or due to: (i) the Union budget; (ii) the budgets of the Union institutions, bodies, offices and agencies established pursuant to the Treaties or budgets directly or indirectly managed and monitored by them’ (21). This would include, for instance, all EU funds, VAT and customs duties, but would exclude instruments which are not established under Union law and do not entail EU revenue or expenditure, such as the European Stability Mechanism.

Article 2 — Personal scope

15.

The proposal covers reporting persons in the public or private sector who acquire information on breaches in a work-related context, including volunteers, unpaid trainees and persons in the process of being recruited.

Our analysis

16.

We welcome the breadth of this provision, in particular the fact that it takes account of breaches affecting the EU's financial interests in complex projects involving a variety of actors (contractors, sub-contractors, consultants, volunteers, etc.) who are all potential whistleblowers.

Article 4 — Obligation to establish internal channels and procedures for reporting and follow-up of reports

17.

The proposal would require Member States to ensure that legal entities in the private and public sectors established internal channels and procedures for whistleblowing. The use of such internal channels must be open to employees and could be open to further categories, such as shareholders, contractors or trainees.

18.

Private legal entities with fewer than 50 employees or with a turnover or balance sheet total of less than 10 million euro would be excluded, with the exception of entities operating in certain sensitive areas.

19.

Public legal entities are defined as state and regional administrations, municipalities with more than 10 000 inhabitants and other entities governed by public law.

Our analysis

20.

We understand the Commission's wish to exempt certain private and public entities from the obligation to establish internal reporting channels, which, as the Commission states in its impact assessment, has a financial and administrative cost. It is also clear that this exemption would not prevent whistleblowers from making use of external channels.

21.

However, we consider that the exemption of certain municipalities from the obligation to establish internal reporting channels could significantly reduce the protection afforded to whistleblowers, since the average size of municipalities in the EU is 5 887 inhabitants, with wide variations between Member States (22). We understand that the proposed threshold is already being used in a number of Member States (Belgium, France, Spain) to define smaller municipalities. Nevertheless, we consider that the Commission should provide its reasons for the threshold to the Parliament and the Council, explaining to what extent it mirrors the employee and turnover limits which would serve to exempt entities in the private sector.

Article 5 — Procedures for internal reporting and follow-up of reports

22.

The proposal gives details of the procedures for internal reporting, in particular the setting-up of confidential channels and the designation of a person or department responsible for diligently following up whistleblowing reports, and sets a reasonable timeframe — not exceeding three months — for providing feedback to whistleblowers.

Our analysis

23.

The detailed obligations concerning internal reporting include the provision of ‘clear and easily accessible information’ regarding procedures and reporting, which is welcome. However, in our view they do not sufficiently cover awareness-raising or the training of staff. We would insist on the importance, in both the public and the private sector, of fostering a positive and trusting environment in which whistleblowing is an accepted part of the corporate culture (23).

Article 13 — Conditions for the protection of reporting persons

24.

This article lays down the conditions for reporting persons to qualify for protection under the Directive. Whichever channel was used (internal, external or public), they must have reasonable grounds to believe that the information reported was true at the time of reporting and that the information fell within the scope of the Directive.

25.

To qualify for whistleblower protection when reporting externally (i.e. outside their company/office to a national competent authority), a person: — Must have first reported internally, but without appropriate action being taken within the ‘reasonable timeframe’ (not exceeding three months), or — Must be unable to report internally, or could not be reasonably expected to be aware of the possibility of internal reporting, or — Must be in a category for which internal reporting was not mandatory (e.g. contractors, unpaid trainees), or — Could not reasonably be expected to use internal reporting channels given the ‘subject-matter of the report’, or — Must have reasonable grounds to believe that internal reporting would jeopardise the effectiveness of investigative action by a competent authority, or — Must be entitled by Union law to report externally.

26.

To qualify for whistleblower protection when reporting publicly, a person: — Must have first reported internally and/or externally in conformity with the Directive, or — Could not reasonably be expected to use internal and/or external channels owing to imminent or manifest danger for the public interest, or due to the particular circumstances of the case, or where there was a risk of irreversible damage.

Our analysis

27.

We consider that the determining factor should be the public interest of the information revealed by whistleblowing. Member States should therefore be prevented from enacting any exclusion of protection based on a whistleblower's subjective intentions or specific motivations.

28.

We consider the general rule requiring prior recourse to internal channels to be sound in principle and conducive to a culture of acceptance of whistleblowing. However, we would note that the widely-drafted exceptions to this rule would require further interpretation (administrative and judicial) in order to avoid creating uncertainty for potential whistleblowers. Furthermore, care must be taken to ensure that the proposed cascade system, due to the accumulation of deadlines, does not create obstacles to the prevention of a breach, which would frustrate the purpose of the Directive.

29.

Finally, although, given the specificity of the EU's institutional set-up, the two situations are not directly comparable, we note that the current approach in the Staff Regulations to whistleblowing by EU staff is different to the rules proposed here by the Commission. Under the Staff Regulations, EU staff may, without exception, benefit from whistleblower protection by going direct to OLAF without first having to exhaust internal channels (24).

30.

Concerning the exceptions which allow for the bypassing of internal reporting channels, we would have expected in Article 13(2) to see such a possibility for whistleblowers who have reasonable grounds to believe that internal reporting would put their personal safety or legitimate interests at risk.

31.

The European Court of Auditors regularly receives a number of spontaneous denunciations of suspected fraud from third parties (29 such denunciations were received in 2017), including cases that could fall within the personal and material scope of the proposal. Following examination, we transfer any relevant cases to OLAF (25). We welcome the fact that the proposal (26) guarantees to these whistleblowers the same protection as if they reported to the competent authorities of their Member State.

32.

Finally, we believe that persons who have reported anonymously should not be denied whistleblower protection if their identity is subsequently revealed. This would be consistent with the Union's encouragement of anonymous reporting to OLAF, inter alia, from inside a Member State (27) and with the Commission's policy in the field of competition law (28). In the context of our work on this opinion, the Commission confirmed to us that protection would indeed be extended to anonymous whistleblowers whose identity was subsequently revealed.

Article 15 — Measures for the protection of reporting persons against retaliation

33.

The proposal obliges Member States to take the necessary measures against retaliation. It provides a non-exhaustive list of seven measures: — public information requirements, — assistance from competent authorities, — non enforceability vis-à-vis the whistleblower of contractual and non-contractual restrictions on disclosure (e.g. a confidentiality clause in a contract), — reversal of the burden of proof in judicial proceedings relating to a detriment suffered by the whistleblower (e.g. the employer must prove that dismissal was not a consequence of the whistleblowing but was exclusively based on other duly justified grounds), — access to remedial measures including interim relief, — exemption from measures, procedures and remedies in the Trade Secrets Directive (29), and the possibility of invoking the whistleblowing in order to seek dismissal of legal proceedings, — legal aid, and legal and financial assistance.

Our analysis

34.

Overall, we agree with the Commission and welcome the proposal for a Directive. We particularly welcome the extensive list of examples of measures against retaliation, which however does not prevent employers from taking duly justified employment-related decisions, even against whistleblowers. We would particularly insist on the importance, in both the public and the private sector, of fostering a positive environment in which whistleblowing is an accepted part of the corporate culture. We also note that the Directive is silent on the question of temporal limits, meaning that Member States cannot introduce or maintain such limits on whistleblower protection.

Article 21 — Reporting, evaluation and review

35.

Member States would be required to provide the Commission with all relevant information regarding the implementation and application of the Directive. The proposal then sets out a two-stage approach. By 15 May 2023, i.e. two years after the end of the transposition period on 15 May 2021, the Commission would have to submit a report to the Parliament and the Council on the implementation and application of the Directive.

36.

Member States would also be required to transmit certain statistics to the Commission on an annual basis ‘if they are available at a central level in the Member State concerned’. The statistics concerned relate to the number of reports received by competent authorities, the number and final outcome of investigations and proceedings initiated as a result, and the estimated financial damage and amounts recovered. In its explanatory memorandum, the Commission states that these data would in turn feed into the current reports of OLAF and could be complemented by the annual reports of the European Public Prosecutor's Office and the EU Ombudsman.

37.

By 15 May 2027, taking these statistics into account, the Commission would have to submit a further report to the Parliament and Council assessing the impact of national law transposing the Directive. Among other things, the report would assess the need for any amendments to extend the material scope of the Directive.

Our analysis

38.

We consider that there is room to improve the transparency and extent of the proposed reporting requirements. In our view, the fact that the sending of statistics would be optional for certain Member States (those without statistics already available centrally), and that the statistics would not be broken down by policy area, would reduce the effectiveness of this provision. Furthermore, it would be necessary to wait six years from the transposition deadline and eight years from the entry into force of the Directive to benefit publicly from any information contained in the statistics. This period appears to be disproportionately long and in contradiction with the Article 21(2) obligation on Member States to provide the Commission with ‘all relevant information’ regarding implementation and application of the Directive.

39.

We note that the optional nature of Member State reporting has a precedent, namely in the PIF Directive (30). However, we do not consider that this consistency, in and of itself, warrants perpetuating such weak reporting provisions. Whilst recognising the cost implications of a wider obligation, we would draw the attention of the Parliament and the Council to the fact that the availability of these statistics could be crucial at a later stage to measuring the performance of the much larger financial and administrative investment which Member States and public and private entities would have to make in implementing the Directive. In its preparatory work, the Commission was able to draw on lessons learned in different jurisdictions around the world; this was partly due to the availability of data from those jurisdictions concerning the implementation of their whistleblowing arrangements. If necessary, the Commission could examine the various possibilities for delivering EU funding to assist the Member States with data collection.

40.

We believe that statistical information on whistleblowing in Member States needs to be of the highest possible quality, and in particular it should be available by country, by legal act and by subject area and should include the final outcomes of civil and criminal cases. We share the view of the UK National Audit Office that publishing comprehensive statistics on whistleblowing investigations, including their outcomes, is a means of increasing employees' confidence in whistleblowing arrangements, as it enables them to see that reporting is taken seriously (31).

---

(1)  See the Commission's analysis of the Member States' legislative framework, available here as ‘Annex 6’: https://ec.europa.eu/info/sites/info/files/1-11_annexes.pdf

(2)  See inter alia: Council of Europe, Criminal Law Convention on Corruption, European Treaty series No 173, Strasbourg, 27/01/1999; Council of Europe, Protection of whistleblowers, Recommendation CM/Rec(2014)7 and explanatory memorandum; UN General Assembly Resolution 58/04 of 31 October 2003: United Nations Convention against Corruption; G-20 anti-corruption action plan on protection of whistleblowers: Study on whistle blower protection frameworks, compendium of best practices and guiding principles for legislation (2011).

(3)  COM(2018) 214 final.

(4)  See the Commission's analysis of the Member States' legislative framework, available here as ‘Annex 6’: https://ec.europa.eu/info/sites/info/files/1-11_annexes.pdf

(5)  On this matter, see our landscape review, published on 3 September 2018: ‘Putting EU law into practice: The European Commission's oversight responsibilities under Article 17(1) of the Treaty on European Union’.

(6)  International Standard on Auditing (ISA) 250 (Revised), Consideration of Laws and Regulations in an Audit of Financial Statements, A17. ‘The auditor may become aware of information concerning an instance of non-compliance with laws and regulations other than as a result of performing the procedures in paragraphs 13-17 (e.g. when the auditor is alerted to non-compliance by a whistle blower).’

(7)  For the current year, see our work programme for 2018.

(8)  Article 22c of Regulation No 31 (EEC), 11 (EAEC), laying down the Staff Regulations of Officials and the Conditions of Employment of Other Servants of the European Economic Community and the European Atomic Energy Community, as last amended (OJ 45, 14.6.1962, p. 1385); also see the European Ombudsman's inquiry into these rules, closed on 27.2.2015 (Case OI/1/2014/PMC).

(9)  SWD(2018) 116.

(10)  SEC(2018) 198.

(11)  SWD(2018) 116, page 46.

(12)  Public procurement; financial services, prevention of money laundering and terrorist financing; product safety; transport safety; protection of the environment; nuclear safety; food and feed safety, animal health and welfare; public health; consumer protection; protection of privacy and personal data, and security of network and information systems.

(13)  Directive (EU) 2017/1371 of the European Parliament and of the Council of 5 July 2017 on the fight against fraud to the Union's financial interests by means of criminal law (OJ L 198, 28.7.2017, p. 29).

(14)  Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council of 11 September 2013 concerning investigations conducted by the European Anti-Fraud Office (OLAF) and repealing Regulation (EC) No 1073/1999 of the European Parliament and of the Council and Council Regulation (Euratom) No 1074/1999 (OJ L 248, 18.9.2013, p. 1).

(15)  Directive 2014/57/EU of the European Parliament and of the Council of 16 April 2014 on criminal sanctions for market abuse (OJ L 173, 12.6.2014, p. 179).

(16)  CM/Rec(2014)7, paragraph 7.

(17)  COM(2018) 214 final, page 12.

(18)  Article 5(1)(e) for legal entities in the private and public sector, Article 10 for competent authorities and Article 15(2) and (3) for Member States.

(19)  Article 13(1).

(20)  Recital 16.

(21)  Article 2(1)(a) of Directive (EU) 2017/1371.

(22)  OECD, Subnational governments in OECD Countries: Key Data, 2018 edition, pages 5-6.

(23)  See UK National Audit Office, Making a whistleblowing policy work, Report by the Comptroller and Auditor General, HC 1152, Session 2013-14, 18 March 2014; Chartered Institute of Internal Auditors, Whistleblowing and corporate governance, the role of internal audit in whistleblowing, January 2014.

(24)  Article 22a(1) of the Staff Regulations, as amended.

(25)  Decision 43-2017 of the European Court of Auditors on cooperation between the European Court of Auditors (ECA) and the European Anti-fraud Office (OLAF) concerning cases of suspected fraud identified by the ECA during its audit work or provided to it as unsolicited denunciations from third parties.

(26)  Article 13(3).

(27)  Regulation (EU, Euratom) No 883/2013, Article 5 (Opening of investigations) paragraph 1: ‘The Director-General may open an investigation when there is a sufficient suspicion, which may also be based on information provided by any third party or anonymous information, that there has been fraud, corruption or any other illegal activity affecting the financial interests of the Union.’ (emphasis added).

(28)  Commission Notice on Immunity from fines and reduction of fines in cartel cases (OJ C 298, 8.12.2006, p. 17).

(29)  Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure (OJ L 157, 15.6.2016, p. 1).

(30)  Article 18(2) of Directive (EU) 2017/1371.

(31)  UK National Audit Office, Making a whistleblowing policy work, Report by the Comptroller and Auditor General, HC 1152, Session 2013-14, 18 March 2014, point 4.18.