EUROPEAN COMMISSION
Brussels, 23.4.2018
COM(2018) 218 final
2018/0106(COD)
Proposal for a
DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
FMT:Underlineon/FMT the protection of persons reporting on breaches FMT:Underlineof/FMT Union FMT:Underlinelaw/FMT
{SWD(2018) 116 final}
{SWD(2018) 117 final}
EXPLANATORY MEMORANDUM
1.CONTEXT OF THE PROPOSAL
•Reasons for and objectives of the proposal
Unlawful activities and abuse of law may occur in any organisation, whether private or public, big or small. They can take many forms, such as corruption or fraud, malpractice or negligence. And if they are not addressed, they can sometimes result in serious harm to the public interest. People who work for an organisation or are in contact with it in their work-related activities are often the first to know about such occurrences and are, therefore, in a privileged position to inform those who can address the problem.
Whistleblowers, i.e. persons who report (within the organisation concerned or to an outside authority) or disclose (to the public) information on a wrongdoing obtained in a work-related context, help prevent damage and detect threat or harm to the public interest that may otherwise remain hidden. However, they are often discouraged from reporting their concerns for fear of retaliation. For these reasons, the importance of providing effective whistleblower protection for safeguarding the public interest is increasingly acknowledged both at European and international level.
Lack of effective whistleblower protection raises further concerns on its negative impacts on the freedom of expression and the freedom of the media, enshrined in Article 11 of the EU Charter of Fundamental Rights (‘the Charter’). Discussions at the second Annual Colloquium on Fundamental Rights on ‘Media pluralism and Democracy’, organised by the Commission in November 2016, highlighted that protecting whistleblowers as sources of information for journalists is essential for investigative journalism to fulfil its ‘watchdog’ role.
Lack of effective whistleblower protection can also impair the enforcement of EU law. Alongside other means to collect evidence, whistleblowing is a means of feeding national and EU enforcement systems with information leading to effective detection, investigation and prosecution in breaches of Union rules.
The whistleblower protection currently available across the EU is fragmented. Lack of whistleblower protection in a Member State can have a negative impact on the functioning of EU policies in that Member State, but also spill-over impacts in other Member States. At EU level, whistleblower protection is provided for only in specific sectors and to varying degrees. This fragmentation and these gaps mean that, in many situations, whistleblowers are not properly protected against retaliation. Where potential whistleblowers do not feel safe to come forward with the information they possess, this translates into underreporting and therefore ‘missed opportunities’ for preventing and detecting breaches of Union law which can cause serious harm to the public interest.
Indications about the magnitude of underreporting by whistleblowers can be drawn from surveys such as the 2017 Special Eurobarometer on corruption: 81 % of Europeans indicated that they did not report corruption that they experienced or witnessed. 85 % of respondents to the 2017 public consultation carried out by the Commission believe that workers very rarely or rarely report concerns about threat or harm to the public because of fear of legal and financial consequences. Illustrating negative impacts on the proper functioning of the single market, a 2017 study carried out for the Commission estimated the loss of potential benefits due to a lack of whistleblower protection, in public procurement alone, to be in the range of EUR 5.8 to EUR 9.6 billion each year for the EU as a whole.
To address this fragmentation of protection across the EU, EU institutions and many stakeholders have been calling for action at EU level. The European Parliament, in its resolution of 24 October 2017 on ‘Legitimate measures to protect whistleblowers acting in the public interest and its resolution of 20 January 2017 on the role of whistle-blowers in the protection of the EU’s financial interests, called on the Commission to present a horizontal legislative proposal to guarantee a high level of protection for whistleblowers in the EU, in both the public and private sectors, as well as in national and EU institutions. The Council encouraged the Commission to explore the possibility for future action at EU level in its Conclusions on tax transparency of 11 October 2016. Civil society organisations and trade unions have consistently called for EU-wide legislation on the protection of whistleblowers acting in the public interest.
In its 2016 Communication ‘EU Law: Better Results through Better Application’, the Commission noted that enforcing EU law remains a challenge and set out its commitment to put ‘a stronger focus on enforcement in order to serve the general interest’. In particular, it highlighted that ‘[O]ften, when issues come to the fore — car emission testing, water pollution, illegal landfills, transport safety and security — it is not the lack of EU legislation that is the problem but rather the fact that the EU law is not applied effectively […]’.
In line with this commitment, this proposal aims at fully exploiting the potential of whistleblower protection with a view to strengthening enforcement. It sets out a balanced set of common minimum standards providing robust protection against retaliation for whistleblowers reporting on breaches in specific policy areas where:
i) there is a need to strengthen enforcement;
ii) underreporting by whistleblowers is a key factor affecting enforcement; and
iii) breaches may result in serious harm to the public interest.
•
Consistency with existing policy provisions in the policy area
In a number of policy areas and instruments, the EU legislator has already acknowledged the value of whistleblower protection as an enforcement tool. Rules providing — in varying levels of detail — for reporting channels and the protection of people reporting on breaches of the rules concerned exist in different instruments related for instance to financial services, transport safety and environmental protection.
The proposal reinforces the protection provided in all these instruments: it complements them with additional rules and safeguards, aligning them to a high level of protection, while preserving their specificities.
To ensure that the scope of the Directive remains up to date, the Commission will pay special attention to the possible need to include provisions amending the Annex in any future Union law where whitleblower protection is relevant and can contribute to more effective enforcement. The possible extension of the scope of the Directive to further areas or Union acts will also be given consideration when the Commission reports on implementation of the Directive.
•Consistency with other Union policies
Ensuring robust whistleblower protection as a means of strengthening the enforcement of Union law in the areas falling within the scope of the proposal will contribute to the Commission’s current priorities, in particular in ensuring the effective functioning of the single market, including improving the business environment, increasing fairness in taxation and promoting labour rights.
The introduction of robust whistleblower protection rules will contribute to protecting the budget of the Union and to ensuring the level playing field needed for the single market to properly function and for businesses to operate in a fair competitive environment. It will contribute to preventing and detecting corruption, which acts as a drag on economic growth, by creating business uncertainty, slowing processes and imposing additional costs. It will enhance business transparency, contributing to the EU strategy on sustainable finance. It further supports the Commission’s actions to ensure fairer, more transparent and more effective taxation in the EU, as outlined in the Communication responding to the Panama Papers scandal. In particular, it complements recent initiatives aimed at protecting national budgets against harmful tax practices, as well as the proposed reinforcement of the rules on money laundering and terrorist financing.
Enhanced whistleblower protection will raise the overall level of the protection of workers, in line with the aims of the European Pillar of Social Rights and in particular its principles 5 (fair working conditions) and 7b (protection in case of dismissals). Providing a common high level of protection to people who acquire the information they report through their work-related activities (irrespective of their nature) and who run the risk of work-related retaliation will safeguard the rights of workers in the broadest sense. Such protection will be of particular relevance for those in precarious relationships, as well as, for those in cross-border situations.
Rules on whistleblower protection will run parallel to existing protection in the field of other EU legislation: (i) on equal treatment, which provide for protection against victimisation as a reaction to a complaint or to proceedings aimed at enforcing compliance with this principle and (ii) on protection against harassment at work.
The Directive is without prejudice to the protection afforded to employees when reporting on breaches of Union employment and social law. Whistleblower protection in a work-related context runs in parallel to the protection that workers and workers' representatives enjoy under existing EU employment legislation when raising issues of compliance with their employers. With respect to rules on health and safety at work, Framework Directive 89/391/EEC provides that workers or workers' representatives may not be placed at a disadvantage because they consult or raise issues with the employer regarding measures to mitigate hazards or to remove sources of danger. Workers and their representatives are entitled to raise issues with the competent national authorities if they consider that the measures taken and the means employed by the employer are inadequate for the purposes of ensuring safety and health. The Commission promotes better enforcement and compliance with the existing EU regulatory framework in the area of occupational health and safety.
As regards EU institutions and bodies, EU staff enjoys whistleblower protection under the Staff Regulations and the Conditions of Employment of Other Servants of the European Union. Since 2004, Council Regulation (EC, Euratom) No 723/2004 amended the Staff Regulations, i.a., to put in place procedures for reporting any fraud, corruption or serious irregularity, and provide protection to EU staff reporting on breaches from adverse consequences.
Social partners have an essential, multifaceted role to play in the implementation of whistleblower protection rules. Independent workers' representatives will be vital to promote whistleblowing as a mechanism of good governance. Social dialogue can ensure that effective reporting and protection arrangements are put in place taking into account the reality of Europe’s workplaces, the needs of workers and businesses. Workers and their trade unions should be fully consulted on envisaged internal procedures for facilitating whistleblowing; such procedures can also be negotiated in the framework of collective bargaining agreements. Moreover, unions can act as recipients of whistleblowers' reports or disclosures and have a key function in terms of providing advice and support to (potential) whistleblowers.
Finally, the proposal will contribute to strengthening the effective implementation of a range of core EU policies which have a direct impact on the completion of the single market, relating to product safety, transport safety, environmental protection, nuclear safety, food and feed safety, animal health and welfare, public health, consumer protection, competition, protection of privacy and personal data and security of network and information systems.
2.LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY
•Legal basis
The proposal is based on Articles 16, 33, 43, 50, 53(1), 62, 91, 100, 103, 109, 114, 168, 169, 192, 207 and 325 of the Treaty on the Functioning of the European Union (TFEU) and Article 31 of the Treaty establishing the European Atomic Energy Community (the Euratom Treaty). These Articles provide the legal basis to enhance the enforcement of Union law:
(i)by introducing new provisions on whistleblower protection to strengthen the proper functioning of the single market, the correct implementation of Union policies related to product safety, transport safety, environmental protection, nuclear safety, food and feed safety, animal health and welfare, public health, consumer protection, protection of privacy and personal data and security of network and information systems, competition, and the financial interests of the Union;
(ii)to ensure consistent high standards of whistleblower protection in sectorial Union instruments where relevant rules already exist.
•Subsidiarity
The objective of strengthening the enforcement of Union law through whistleblower protection cannot adequately be achieved by Member States acting alone or in an uncoordinated manner. Fragmentation of protection at national level is expected to persist. This means that also the negative impacts of such fragmentation on the functioning of various EU policies within individual Member States, but also spill-over impacts in other Member States are bound to persist.
Breaches of EU public procurement rules or competition rules result in distortions to competition in the single market, an increase in costs for doing business and a less attractive environment for investment. Aggressive tax planning schemes give rise to unfair tax competition and loss of tax revenues for Member States and for the EU budget. Breaches in the areas of product safety, transport safety, environmental protection, nuclear safety, food and feed safety, animal health and welfare, public health, consumer protection, protection of privacy and personal data and security of network and information systems, can result in serious risks which go beyond national borders. On the protection of financial interests of the Union, the Treaty stipulates in Articles 310(6) and 325(1) and (4) TFEU, the need for Union legislative action on setting out equivalent and deterrent measures to protect them against unlawful activities.
It is therefore clear that only legislative action at Union level can improve the enforcement of EU law by ensuring minimum standards of harmonisation on whistleblower protection. Moreover, only EU action can provide coherence and align the existing Union sectorial rules on whistleblower protection.
•Proportionality
This proposal is proportionate to the objective of strengthening the enforcement of Union law and does not go beyond what is necessary to achieve it.
Firstly, it lays down common minimum standards for the protection of people reporting breaches only in areas where: i) there is a need to enhance enforcement; ii) under-reporting by whistleblowers is a key factor affecting enforcement and iii) breaches may result in serious harm to the public interest.
It therefore focuses on areas with a clear EU dimension and where the impact on enforcement is the strongest.
Secondly, the proposal merely sets minimum standards of protection, leaving to Member States the possibility to introduce or retain provisions more favourable to the rights of whistleblowers.
Thirdly, the costs of implementation (i.e. to establish internal channels) for medium-sized businesses are not significant, while the benefits in terms of increasing business performance and reducing distortions to competition appear to be substantial. Subject to specific exceptions in the area of financial services, small and micro-companies are generally exempted from the obligation to establish internal procedures for reporting and follow up of reports. The costs of implementation for Member States have also been estimated as limited, since Member States can transpose the new obligation building on the existing structures put in place based on the current sectorial legal framework.
•Choice of the instrument
In line with the principle of proportionality, a minimum harmonisation Directive is the appropriate instrument to exploit the potential of whistleblowing as a component of the enforcement of Union law.
3.RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS
•Stakeholder consultations
The proposal builds on the results of the extensive consultation work carried out by the Commission throughout 2017, in the form of a 12-week open public consultation, cited above, three targeted online stakeholder consultations, two workshops with Member States’ experts and a workshop with academic and advocacy experts.
The Commission received 5 707 replies to the public consultation. Of these, 97 % (5 516) were from respondents taking part as private individuals. The remaining 3 % came from respondents acting on behalf of an organisation (191 replies). Two-thirds of all respondents (individuals and organisations) came from Germany and France (43 % and 23 % respectively), responses from Spain accounted for 7 % of the total, Italy and Belgium 5 % each and Austria 6 %. The remaining responses were spread across the other Member States.
Almost all respondents (99.4 %) agreed that whistleblowers should be protected and 96 % expressed very strong support for setting legally binding minimum standards on whistleblower protection in Union law. The top four areas where whistleblower protection is needed according to respondents are: (i) the fight against fraud and corruption (95 % of respondents); (ii) the fight against tax evasion and tax avoidance (93 % of respondents); (iii) the protection of the environment (93 % of respondents); and (iv) the protection of public health and safety (92 % of respondents).
In the workshops organised by the Commission and in response to the public consultation, a few Member States raised the point that an EU legislative initiative would need to respect the principle of subsidiarity.
•Collection and use of expertise
An external study was commissioned to assess quantitative and qualitative impacts and benefits of implementing whistleblower protection in different areas covering Union and national law. This study analysed and provided evidence that fed into the definition of the problem and the assessment of the options considered by the Commission.
•Impact assessment
An impact assessment was carried out for this proposal. The Regulatory Scrutiny Board (‘the Board’) first issued a negative opinion with detailed comments on 26 January 2018. On 5 March, the Board issued a positive opinion with a few comments on the revised version of the impact assessment submitted on 15 February, which have been taken into account in the final impact assessment report.
Four policy options have been assessed beside the baseline scenario (i.e. maintaining the status quo) and two options have been discarded.
The two options that were discarded are: (i) a legislative initiative based on Article 50(2)(g) TFEU on enhancing the integrity of the private sector by introducing minimum standards for setting up reporting channels, and (ii) a legislative initiative based on Article 153(1)(a) and (b) TFEU on improving the working environment to protect workers’ health and safety and on working conditions.
In the first case, the legal basis would not have allowed covering the public sector, while the availability and design of external reporting channels (i.e. to the competent authorities) and the availability and forms of whistleblower protection against retaliation would have been left to the discretion of Member States laws.
In the second case, the personal scope of the Directive would have been limited to employees, leaving unprotected other types of potential whistleblowers, such as self-employed people, contractors etc., who, according to evidence available and international standards can be key in exposing threats or harm to the public interest and also need protection against retaliation. The limited scope would constitute a main gap in whistleblower protection at EU level while, by excluding from protection crucial categories of potential whistleblowers, such an initiative would also have limited effectiveness in terms of improving the enforcement of Union law. The limited personal scope would not be compensated by a more extensive protection, as the legal basis would not offer any additional protection in comparison to the policy options retained. Moreover, extending protection to include situations where there is no cross-border dimension or other spill-over impact, where there is no connection with Union law or with the financial interests of the EU, would be a far-reaching — and consequently also quite costly — EU regulatory intervention.
The policy options examined were: i) a Commission Recommendation providing guidance to Member States on key elements of whistleblower protection complemented by flanking measures to support national authorities; ii) a Directive introducing whistleblower protection in the area of the financial interests of the Union complemented by a Communication setting a policy framework at EU level, including measures to support national authorities; iii) a Directive introducing whistleblower protection in specific areas (including the financial interests of the Union) where it is necessary to address whistleblowers' underreporting in order to enhance the enforcement of Union law, as breaches would lead to serious harm to the public interest; iv) a Directive as sub iii) complemented by a Communication as sub ii).
The latter is the option chosen for this proposal. A legislative initiative with such a broad scope is particularly apt to address the current fragmentation and enhance legal certainty so as to effectively address underreporting and enhance the enforcement of Union law in all the areas identified, where breaches can cause serious harm to the public interest. The Communication accompanying it, setting out additional measures envisaged by the Commission and good practices that can be taken at Member States’ level will contribute to ensuring effective whistleblower protection.
The preferred option will have economic, societal and environmental benefits. It will support national authorities in their efforts to detect and deter fraud and corruption to the EU budget (the current risk of loss revenue is estimated to be between EUR 179 billion and EUR 256 billion per annum). In other areas of the single market, such as in public procurement, the benefits are estimated to be in the range of EUR 5.8 to EUR 9.6 billion each year for the EU as a whole. The preferred option will also effectively support the fight against tax avoidance resulting in loss of tax revenues from profit-shifting for Member States and the EU, estimated to about EUR 50-70 billion per annum. The introduction of robust whistleblower protection will improve the working conditions for 40 % of the EU workforce who are currently unprotected from measures against retaliation and will increase the level of protection for nearly 20 % of the EU workforce. It will enhance the integrity and transparency of the private and the public sector, contribute to a fair competition and a level playing field in the single market.
The implementation costs for the public sector are expected to amount to EUR 204.9 as one-off costs and EUR 319.9 million as annual operational costs. For the private sector (medium-sized and large companies) the projected total costs are expected to amount to EUR 542.9 million as one-off costs and EUR1 016.6 million as annual operational costs. The total costs for both the public and private sector are EUR 747.8 million as one-off costs and EUR 1 336.6 million as annual operational costs.
•Regulatory fitness and simplification
In order to take into account the size of the private businesses, as a general principle, the proposal exempts micro-and small companies from the obligation to put in place internal reporting channels. Reporting persons working in such businesses may report directly externally to competent national authorities. The general exemption does not apply to small and micro companies operating in the area of financial services. All such companies shall remain obliged to establish internal reporting channels, in line with the current obligations set by Union financial services legislation. The cost for those companies is minimal (sunk costs) since they are already obliged to establish internal reporting channels under existing Union rules. Member States may, following an appropriate risk assessment, require small companies in specific sectors to establish internal reporting channels, if necessary, according to their own analysis and national needs. The risk assessment shall take into account the specific nature of the sector and assess the risks and necessity of establishing the obligation to set up internal channels. Costs for medium sized businesses obliged to establish internal reporting channels are not significant. The average costs per medium sized enterprise will amount to: average one-off implementation cost estimated at EUR 1,374 and average annual operational cost estimated at EUR 1,054.6 per year. The general exemption of small-and micro companies does not apply to companies active in the area of financial services or vulnerable to money laundering or terrorist financing.
•Fundamental rights
By increasing the current level of protection for whistleblowers, the proposal will have a positive impact on fundamental rights, in particular:
i)Freedom of expression and right to information (Article 11 of the Charter): Insufficient whistleblower protection against retaliation affects the individuals’ freedom of expression as well as the public’s right to access information and media freedom. Strengthening protection of whistleblowers and clarifying the conditions for that protection also when they disclose information to public, will encourage and enable whistleblowing also to the media.
ii)The right to fair and just working conditions (Articles 30 and 31 of the Charter): a higher level of whistleblower protection will be secured by establishing reporting channels and improving protection against retaliation in the work-related context.
iii)The right to respect for private life, protection of personal data, healthcare, environmental protection, consumer protection, (respectively, Articles 7, 8, 35, 37 and 38 of the Charter), and the general principle of good administration (Article 41) will also be positively impacted in as far as the proposal will increase the detection and prevention of breaches.
More generally, the proposal will increase reporting and deterrence of all fundamental rights violations within the implementation of Union law in the areas falling within its scope.
The proposal pursues a balanced approach to ensure the full respect of further rights that may be affected, such as the right to private life and to the protection of personal data (Articles 7 and 8 of the Charter) of whistleblowers but also of the people concerned by the reports, as well as the presumption of innocence and the rights of defence of the latter (Articles 47 and 48 of the Charter). In the same vein, the impacts on the freedom to conduct a business (Article 16 of the Charter) are in line with Article 52(1) of the Charter.
4.BUDGETARY IMPLICATIONS
This initiative does not have implications for the EU budget.
5.OTHER ELEMENTS
•Implementation plans and monitoring, evaluation and reporting arrangements
The Commission will submit a report to the European Parliament and the Council on the implementation and application of the proposed Directive, respectively 2 and 6 years after the expiry of the deadline for transposition. This will ensure that there is a sufficient period of time to evaluate the way in which the proposed Directive has operated and to assess the need for additional measures, including the possible extension of whistleblower protection in further areas.
The Commission will also submit a report to the European Parliament and Council assessing the impact of national law transposing the proposed Directive 6 years after the expiry of deadline for transposition. To this end benchmarks have been established to reflect progress both in the transposition and in the implementation of the future Directive (see section 8 of the impact assessment. To feed the future implementation report and to assess the targeted benchmarks, the proposal includes an obligation to Member States to collect data on the number of whistleblowers reports received, on the numbers of procedures triggered as a result of reporting by whistleblowers, on the areas of law concerned, as well as on the outcome of the procedures and their economic impact in terms of recovery of funds and on reported cases of retaliation. This set of data will in turn feed the current reports of the European Anti-Fraud Office (OLAF) and could be complemented by the annual reports of the European Public Prosecutor's Office (EPPO) and the EU Ombudsman.
Secondly, the above data collection will be complemented by other relevant sources of data, such as the Commission’s Eurobarometer on Corruption and the implementation reports of the existing EU sectorial legislation providing whistleblower protection.
•Detailed explanation of the specific provisions of the proposal
The proposal draws upon the case law of the European Court of Human Rights on the right to freedom of expression enshrined in Article 10 of the European Convention on Human Rights 10 ECHR, and the principles developed on this basis by the Council of Europe in its 2014 Recommendation on Protection of Whistleblowers, as well as further international standards and good practices, cited above, and EU fundamental rights and rules.
Chapter I (Articles 1-3) circumscribes the scope of the Directive and outlines the definitions.
Article 1 lists the areas where, according to available evidence, whistleblower protection is necessary to strengthen enforcement of Union rules whose breaches can cause serious harm to the public interest.
Article 2 sets forth the personal scope of the Directive. Based on the Council of Europe Recommendation on Protection of Whistleblowers, it encompasses the broadest possible range of categories of persons, who, by virtue of work-related activities (irrespective of the nature of these activities and whether they are paid or not), have privileged access to information about breaches that can cause serious harm to the public interest and who may suffer retaliation if they report, as well as to other categories of persons who can be assimilated to them for the purposes of the Directive, such as shareholders, volunteers, unpaid trainees and job applicants.
The definitions set out in Article 3 are based on the principles of the Council of Europe Recommendation on Protection of Whistleblowers. In particular, the notions of reporting persons and retaliation are defined in the broadest possible manner, in order to ensure effective protection of whistleblowers as a means of enhancing the enforcement of Union law.
Chapter II (Articles 4-5) sets out the obligation for Member States to ensure that legal entities in the private and public sectors establish appropriate internal reporting channels and procedures for receiving and following-up on reports. This obligation is meant to ensure that information on actual or potential breaches of Union law reaches swiftly those closest to the source of the problem, most able to investigate and with powers to remedy it, where possible.
Article 4 translates the principle that the obligation to put in place internal reporting channels should be commensurate with the size of the entities, and in the case of private entities, take into account the level of risk their activities pose to the public interest. With the exception of businesses operating in the area of financial services as provided under Union legislation, micro and small companies are exempted from the obligation to establish internal channels.
Article 5 sets out the minimum standards that internal reporting channels and procedures for following up on reports should meet. In particular, it requires that reporting channels guarantee the confidentiality of the identity of the reporting person, which is a cornerstone of whistleblower protection. It also requires that the person or department competent to receive the report diligently follows it up and informs the reporting person within a reasonable timeframe about such follow up. Moreover, the entities having in place internal reporting procedures are required to provide easily understandable and widely accessible information on these procedures as well as on procedures to report externally to relevant competent authorities.
Chapter III (Articles 6-12) obliges Member States to ensure that competent authorities have in place external reporting channels and procedures for receiving and following-up on reports and sets out the minimum standards applicable to such channels and procedures.
According to Article 6, the authorities to be designated as competent by Member States should, in particular establish independent and autonomous external reporting channels, which are both secure and ensure confidentiality, follow up on the reports and provide feedback to the reporting person within a reasonable timeframe. Article 7 sets out the minimum requirements for the design of the external reporting channels. Article 8 requires that competent authorities have staff members dedicated to and specifically trained for handling reports and outlines the functions to be exercised by such staff members.
Article 9 provides the requirements to be met by procedures applicable to external reporting, e.g. as regards further communications with the reporting person, the timeframe for giving feedback to the reporting person and the applicable confidentiality regime. In particular, these procedures should ensure the protection of the personal data of both reporting and concerned persons. Article 10 provides that competent authorities should publicly disclose and make easily accessible user-friendly information about the available reporting channels and the applicable procedures for the receipt of reports and their follow up. Article 11 provides for adequate record-keeping of all reports. Article 12 provides for a regular review by national competent authorities of their procedures for receiving and following up on reports.
Chapter IV (Articles 13-18) sets out minimum standards on the protection of reporting persons and of persons concerned by the reports.
Article 13 outlines the conditions under which a reporting person shall qualify for protection under the Directive.
More specifically, it requires that the reporting persons had reasonable grounds to believe that the information reported was true at the time of reporting. This is an essential safeguard against malicious or abusive reports, ensuring that those who knowingly report wrong information do not enjoy protection. At the same time, it ensures that protection is not lost where the reporting person made an inaccurate report in honest error. In the same vein, reporting persons should be entitled to protection under the Directive if they had reasonable grounds to believe that the information reported falls within its scope.
Moreover, reporting persons are generally required to use internal channels first; if these channels do not work or could not reasonably be expected to work, they may report to the competent authorities, and, as a last resort, to the public/ the media. This requirement is necessary to ensure that the information gets to the persons who can contribute to the early and effective resolution of risks to the public interest as well as to prevent unjustified reputational damages from public disclosures. At the same time, by providing for exceptions from this rule in cases where internal and/or external channels do not function or could not reasonably be expected to function properly, Article 13 provides the necessary flexibility for the reporting person to choose the most appropriate channel depending on the individual circumstances of the case. Moreover, it allows for the protection of public disclosures taking into account democratic principles such as transparency and accountability, and fundamental rights such as freedom of expression and media freedom.
Article 14 provides a non-exhaustive list of the many different forms that retaliation can take.
Article 15 requires that retaliation in any form be prohibited and sets out further measures that Member States should take to ensure the protection of reporting persons, including:
·Making easily accessible to the public and free of charge independent information and advice on procedures and remedies available on protection against retaliation;
·Exempting reporting persons from liability for breach of restrictions on disclosure of information imposed by contract or by law;
·Providing for the reversal of the burden of proof in legal proceedings so that, in prima facie cases of retaliation, it is up to the person taking action against a whistleblower to prove that it is not retaliating against the act of whistleblowing;
·Putting at the disposal of reporting persons remedial measures against retaliation as appropriate, including interim relief pending the resolution of legal proceedings, in accordance with the national framework;
·Ensuring that, in legal actions taken against them outside the work-related context, such as proceedings for defamation, breach of copyright or breach of secrecy, whistleblowers can rely on having made a report or disclosure in accordance with the Directive as a defence.
Article 16 makes clear that those concerned by the reports shall fully enjoy their rights under the EU Charter of Fundamental Rights, including the presumption of innocence, the right to an effective remedy and to a fair trial, and their rights of defence.
Article 17 provides for effective, proportionate and dissuasive penalties which are necessary:
·on the one hand, to ensure the effectiveness of the rules on the protection of reporting persons, so as to punish and proactively discourage actions aimed at hindering reporting, retaliatory actions, vexatious proceedings against reporting persons and breaches of the duty of maintaining the confidentiality of their identity, and,
·on the other hand, to discourage malicious and abusive whistleblowing which affects the effectiveness and credibility of the whole system of whistleblower protection, and to prevent unjustified reputational damage for the concerned persons.
Article 18 refers to the application of the EU rules on protection of personal data to any processing of personal data carried out pursuant to the Directive. In this regard, any processing of personal, including the exchange or transmission of such data, shall comply with the rules established by Regulation (EU) 2016/679, Directive (EU) 2016/680 and Regulation (EC) 45/2001.
Chapter V (Articles 19-22) sets out the final provisions.
Article 19 specifies that Member States retain the possibility of introducing or maintaining more favourable provisions to the reporting person, provided that such provisions do not interfere with the measures for the protection of concerned persons. Article 20 relates to the transposition of the Directive.
Article 21 requires Member States to provide the Commission with information regarding the implementation and application of this Directive, on the basis of which the Commission shall submit a report to the Parliament and the Council by 2 years after transposition. This provision further requires Member States to submit annually to the Commission, if they are available at a central level in the Member State concerned, statistics inter alia on the number of reports received by the competent authorities; the number of proceedings initiated based on the reports and the outcome of such proceedings. Article 21 also provides that the Commission shall, by 6 years after transposition, submit a report to the Parliament and to the Council assessing the impact of national law transposing this Directive and consider the need for additional measures, including, where appropriate, amendments with a view to extending whistleblower protection to further areas or Union acts.
2018/0106 (COD)
Proposal for a
DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
on the protection of persons reporting on breaches of Union law
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Articles 16, 33, 43, 50, 53(1), 62, 91, 100, 103, 109, 114, 168, 169, 192, 207 and 325(4) thereof and to the Treaty establishing the European Atomic Energy Community, and in particular Article 31 thereof,
Having regard to the proposal from the European Commission,
After transmission of the draft legislative act to the national parliaments,
Having regard to the opinion of the European Economic and Social Committee,
Having regard to the opinion of the Committee of the Regions
Having regard to the opinion of the Court of Auditors,
Acting in accordance with the ordinary legislative procedure,
Whereas:
(1)Persons who work for an organisation or are in contact with it in the context of their work-related activities are often the first to know about threats or harm to the public interest which arise in this context. By ‘blowing the whistle’ they play a key role in exposing and preventing breaches of the law and in safeguarding the welfare of society. However, potential whistleblowers are often discouraged from reporting their concerns or suspicions for fear of retaliation.
(2)At Union level, reports by whistleblowers are one upstream component of enforcement of Union law: they feed national and Union enforcement systems with information leading to effective detection, investigation and prosecution of breaches of Union law.
(3)In certain policy areas, breaches of Union law may cause serious harm to the public interest, in the sense of creating significant risks for the welfare of society. Where weaknesses of enforcement have been identified in those areas, and whistleblowers are in a privileged position to disclose breaches, it is necessary to enhance enforcement by ensuring effective protection of whistleblowers from retaliation and introducing effective reporting channels.
(4)Whistleblower protection currently provided in the European Union is fragmented across Member States and uneven across policy areas. The consequences of breaches of Union law with cross-border dimension uncovered by whistleblowers illustrate how insufficient protection in one Member State not only negatively impacts on the functioning of EU policies in that Member State but can also spill over into other Member States and the Union as a whole.
(5)Accordingly, common minimum standards ensuring effective whistleblower protection should apply in those acts and policy areas where i) there is a need to strengthen enforcement; ii) under-reporting by whistleblowers is a key factor affecting enforcement, and iii) breaches of Union law cause serious harm to the public interest.
(6)Whistleblower protection is necessary to enhance the enforcement of Union law on public procurement. In addition to the need of preventing and detecting fraud and corruption in the context of the implementation of the EU budget, including procurement, it is necessary to tackle insufficient enforcement of rules on public procurement by national public authorities and certain public utility operators when purchasing goods, works and services. Breaches of such rules create distortions of competition, increase costs for doing business, violate the interests of investors and shareholders and, overall, lower attractiveness for investment and create an uneven level playing field for all businesses across Europe, thus affecting the proper functioning of the internal market.
(7)In the area of financial services, the added value of whistleblower protection was already acknowledged by the Union legislator. In the aftermath of the financial crisis, which exposed serious shortcomings in the enforcement of the relevant rules, measures for the protection of whistleblowers were introduced in a significant number of legislative instruments in this area. In particular, in the context of the prudential framework applicable to credit institutions and investment firms, Directive 2013/36/EU provides for protection of whistleblowers, which extends also to Regulation (EU) No 575/2013 on prudential requirements for credit institutions and investment firms.
(8)As regards the safety of products placed into the internal market, the primary source of evidence-gathering are businesses involved in the manufacturing and distribution chain, so that reporting by whistleblowers has a high added value, since they are much closer to the source of possible unfair and illicit manufacturing, import or distribution practices of unsafe products. This warrants the introduction of whistleblower protection in relation to the safety requirements applicable both to ‘harmonised products’ and to ‘non-harmonised products’. Whistleblower protection is also instrumental in avoiding diversion of firearms, their parts and components and ammunition, as well as defence-related products, by encouraging the reporting of breaches, such as document fraud, altered marking or false declarations of import or export and fraudulent intra-communitarian acquisition of firearms where violations often imply a diversion from the legal to the illegal market. Whistleblower protection will also help prevent the illicit manufacture of homemade explosives by contributing to the correct application of restrictions and controls regarding explosives precursors.
(9)The importance of whistleblower protection in terms of preventing and deterring breaches of Union rules on transport safety which can endanger human lives has been already acknowledged in sectorial Union instruments on aviation safety and maritime transport safety, which provide for tailored measures of protection to whistleblowers as well as specific reporting channels. These instruments also include the protection from retaliation of the workers reporting on their own honest mistakes (so called ‘just culture’). It is necessary to complement the existing elements of whistleblower protection in these two sectors as well as to provide such protection to enhance the enforcement of safety standards for other transport modes, namely road and railway transport.
(10)Evidence-gathering, detecting and addressing environmental crimes and unlawful conduct against the protection of the environment remain a challenge and need to be reinforced as acknowledged in the Commission Communication "EU actions to improve environmental compliance and governance" of 18 January 2018. Whilst whistleblower protection rules exist at present only in one sectorial instrument on environmental protection, the introduction of such protection appears necessary to ensure effective enforcement of the Union environmental acquis, whose breaches can cause serious harm to the public interest with possible spill-over impacts across national borders. This is also relevant in cases where unsafe products can cause environmental harm.
(11)Similar considerations warrant the introduction of whistleblower protection to build upon existing provisions and prevent breaches of EU rules in the area of food chain and in particular on food and feed safety as well as on animal health and welfare. The different Union rules developed in these areas are closely interlinked. Regulation (EC) No 178/2002 sets out the general principles and requirements which underpin all Union and national measures relating to food and feed, with a particular focus on food safety, in order to ensure a high level of protection of human health and consumers’ interests in relation to food as well as the effective functioning of the internal market. This Regulation provides, amongst others, that food and feed business operators are prevented from discouraging their employees and others from cooperating with competent authorities where this may prevent, reduce or eliminate a risk arising from food. The Union legislator has taken a similar approach in the area of ‘Animal Health Law’ through Regulation (EU) 2016/429 establishing the rules for the prevention and control of animal diseases which are transmissible to animals or to humans
(12)Enhancing the protection of whistleblowers would also favour preventing and deterring breaches of Euratom rules on nuclear safety, radiation protection and responsible and safe management of spent fuel and radioactive and would be reinforce the enforcement of existing provisions of the revised Nuclear Safety Directiveon the effective nuclear safety culture and, in particular, Article 8 b (2) (a), which requires, inter alia, that the competent regulatory authority establishes management systems which give due priority to nuclear safety and promote, at all levels of staff and management, the ability to question the effective delivery of relevant safety principles and practices and to report in a timely manner on safety issues.
(13)In the same vein, whistleblowers’ reports can be key to detecting and preventing, reducing or eliminating risks to public health and to consumer protection resulting from breaches of Union rules which might otherwise remain hidden. In particular, consumer protection is also strongly linked to cases where unsafe products can cause considerable harm to consumers. Whistleblower protection should therefore be introduced in relation to relevant Union rules adopted pursuant to Articles 114, 168 and 169 TFEU.
(14)The protection of privacy and personal data is another area where whistleblowers are in a privileged position to disclose breaches of Union law which can seriously harm the public interest. Similar considerations apply for breaches of the Directive on the security of network and information systems which introduces notification of incidents (including those that do not compromise personal data) and security requirements for entities providing essential services across many sectors (e.g. energy, health, transport, banking, etc.) and providers of key digital services (e.g. cloud computing services). Whistleblowers' reporting in this area is particularly valuable to prevent security incidents that would affect key economic and social activities and widely used digital services. It helps ensuring the continuity of services which are essential for the functioning of the internal market and the wellbeing of society.
(15)Reporting by whistleblowers is necessary to enhance the detection and prevention of infringements of Union competition law. This would serve to protect the efficient functioning of markets in the Union, allow a level playing field for business and deliver benefits to consumers. The protection of whistleblowers would enhance Union competition law enforcement, including State aid. As regards competition rules applying to undertakings, the importance of insider reporting in detecting competition law infringements has already been recognised in the EU leniency policy as well as with the recent introduction of an anonymous whistleblower tool by the European Commission. The introduction of whistleblower protection at Member State level would increase the ability of the European Commission as well as the competent authorities in the Member States to detect and bring to an end infringements of Union competition law. With respect to State aid, whistleblowers can play a significant role in reporting unlawfully granted aid and informing when aid is misused, both at national, regional and local levels.
(16)The protection of the financial interests of the Union, which relates to the fight against fraud, corruption and any other illegal activity affecting the use of Union expenditures, the collection of Union revenues and funds or Union assets, is a core area in which enforcement of Union law needs to be strengthened. The strengthening of the protection of the financial interests of the Union also encompasses implementation of the Union budget related to expenditures made on the basis of the Treaty establishing the European Atomic Energy Community. Lack of effective enforcement in the area of the financial interests of the Union, including fraud and corruption at national level, causes a decrease of the Union revenues and a misuse of EU funds, which can distort public investments and growth and undermine citizens’ trust in EU action. Whistleblower protection is necessary to facilitate the detection, prevention and deterrence of relevant fraud and illegal activities.
(17)Acts which breach the rules of corporate tax and arrangements whose purpose is to obtain a tax advantage and to evade legal obligations, defeating the object or purpose of the applicable corporate tax law, negatively affect the proper functioning of the internal market. They can give rise to unfair tax competition and extensive tax evasion, distorting the level-playing field for companies and resulting in loss of tax revenues for Member States and for the Union budget as a whole. Whistleblower protection adds to recent Commission initiatives aimed at improving transparency and the exchange of information in the field of taxation and creating a fairer corporate tax environment within the Union, with a view to increasing Member States’ effectiveness in identifying evasive and/or abusive arrangements that could otherwise go undetected and will help deter such arrangements.
(18)Certain Union acts, in particular in the area of financial services, such as Regulation (EU) No 596/2014 on market abuse, and Commission Implementing Directive 2015/2392, adopted on the basis of that Regulation, already contain detailed rules on whistleblower protection. Such existing Union legislation, including the list of Part II of the Annex, should be complemented by the present Directive, so that these instruments are fully aligned with its minimum standards whilst maintaining any specificities they provide for, tailored to the relevant sectors. This is of particular importance to ascertain which legal entities in the area of financial services, the prevention of money laundering and terrorist financing are currently obliged to establish internal reporting channels.
(19)Each time a new Union act for which whistleblower protection is relevant and can contribute to more effective enforcement is adopted, consideration should be given to whether to amend the Annex to the present Directive in order to place it under its scope.
(20)This Directive should be without prejudice to the protection afforded to employees when reporting on breaches of Union employment law. In particular, in the area of occupational safety and health, Article 11 of Framework Directive 89/391/EEC already requires Member States to ensure that workers or workers' representatives shall not be placed at a disadvantage because of their requests or proposals to employers to take appropriate measures to mitigate hazards for workers and/or to remove sources of danger. Workers and their representatives are entitled to raise issues with the competent national authorities if they consider that the measures taken and the means employed by the employer are inadequate for the purposes of ensuring safety and health.
(21)This Directive should be without prejudice to the protection of national security and other classified information which Union law or the laws, regulations or administrative provisions in force in the Member State concerned require, for security reasons, to be protected from unauthorised access. In particular, Moreover, the provision of this Directive should not affect the obligations arising from Commission Decision (EU, Euratom) 2015/444 of 13 March 2015 on the security rules for protecting EU classified information or Council Decision of 23 September 2013 on the security rules for protecting EU classified information.
(22)Persons who report information about threats or harm to the public interest obtained in the context of their work-related activities make use of their right to freedom of expression. The right to freedom of expression, enshrined in Article 11 of the Charter of Fundamental Rights of the European Union (‘the Charter’) and in Article 10 of the European Convention on Human Rights (ECHR), encompasses media freedom and pluralism.
(23)Accordingly, this Directive draws upon the case law of the European Court of Human Rights on the right to freedom of expression, and the principles developed on this basis by the Council of Europe in its 2014 Recommendation on Protection of Whistleblowers.
(24)Persons need specific legal protection where they acquire the information they report through their work-related activities and therefore run the risk of work-related retaliation (for instance, for breaching the duty of confidentiality or loyalty). The underlying reason for providing them with protection is their position of economic vulnerability vis-à-vis the person on whom they de facto depend for work. When there is no such work-related power imbalance (for instance in the case of ordinary complainants or citizen bystanders) there is no need for protection against retaliation.
(25)Effective enforcement of Union law requires that protection is granted to the broadest possible range of categories of persons, who, irrespective of whether they are EU citizens or third-country nationals, by virtue of work-related activities (irrespective of the nature of these activities,whether they are paid or not), have privileged access to information about breaches that would be in the public’s interest to report and who may suffer retaliation if they report them. Member States should ensure that the need for protection is determined by reference to all the relevant circumstances and not merely by reference to the nature of the relationship, so as to cover the whole range of persons connected in a broad sense to the organisation where the breach has occurred.
(26)Protection should, firstly, apply to persons having the status of 'workers', within the meaning of Article 45 TFEU, as interpreted by the Court of Justice of the European Union, i.e. persons who, for a certain period of time, perform services for and under the direction of another person, in return of which they receive remuneration. Protection should thus also be granted to workers in non-standard employment relationships, including part-time workers and fixed-term contract workers, as well as persons with a contract of employment or employment relationship with a temporary agency, which are types of relationships where standard protections against unfair treatment are often difficult to apply.
(27)Protection should also extend to further categories of natural or legal persons, who, whilst not being 'workers' within the meaning of Article 45 TFEU, can play a key role in exposing breaches of the law and may find themselves in a position of economic vulnerability in the context of their work-related activities. For instance, in areas such as product safety, suppliers are much closer to the source of possible unfair and illicit manufacturing, import or distribution practices of unsafe products; in the implementation of Union funds, consultants providing their services are in a privileged position to draw attention to breaches they witness. Such categories of persons, including self-employed persons providing services, freelance, contractors, sub-contractors and suppliers, are typically subject to retaliation in the form of early termination or cancellation of contract of services, licence or permit, loss of business, loss of income, coercion, intimidation or harassment, blacklisting/business boycotting or damage to their reputation. Shareholders and persons in managerial bodies, may also suffer retaliation, for instance in financial terms or in the form of intimidation or harassment, blacklisting or damage to their reputation. Protection should also be granted to candidates for employment or for providing services to an organisation who acquired the information on breaches of law during the recruitment process or other pre-contractual negotiation stage, and may suffer retaliation for instance in the form of negative employment references or blacklisting/business boycotting.
(28)Effective whistleblower protection implies protecting also further categories of persons who, whilst not relying on their work-related activities economically, may nevertheless suffer retaliation for exposing breaches. Retaliation against volunteers and unpaid trainees may take the form of no longer making use of their services, or of giving a negative reference for future employment or otherwise damaging their reputation.
(29)Effective detection and prevention of serious harm to the public interest requires that the information reported which qualifies for protection covers not only unlawful activities but also abuse of law, namely acts or omissions which do not appear to be unlawful in formal terms but defeat the object or the purpose of the law.
(30)Effective prevention of breaches of Union law requires that protection is also granted to persons who provide information about potential breaches, which have not yet materialised, but are likely to be committed. For the same reasons, protection is warranted also for persons who do not provide positive evidence but raise reasonable concerns or suspicions. At the same time, protection should not apply to the reporting of information which is already in the public domain or of unsubstantiated rumours and hearsay.
(31)Retaliation expresses the close (cause and effect) relationship that must exist between the report and the adverse treatment suffered, directly or indirectly, by the reporting person, so that this person can enjoy legal protection. Effective protection of reporting persons as a means of enhancing the enforcement of Union law requires a broad definition of retaliation, encompassing any act or omission occurring in the work-related context which causes them detriment.
(32)Protection from retaliation as a means of safeguarding freedom of expression and media freedom should be provided both to persons who report information about acts or omissions within an organisation (internal reporting) or to an outside authority (external reporting) and to persons who disclose such information to the public domain (for instance, directly to the public via web platforms or social media, or to the media, elected officials, civil society organisations, trade unions or professional/business organisations).
(33)Whistleblowers are, in particular, important sources for investigative journalists. Providing effective protection to whistleblowers from retaliation increases the legal certainty of (potential) whistleblowers and thereby encourages and facilitates whistleblowing also to the media. In this respect, protection of whistleblowers as journalistic sources is crucial for safeguarding the ‘watchdog’ role of investigative journalism in democratic societies.
(34)It is for the Member States to identify the authorities competent to receive and give appropriate follow up to the reports on breaches falling within the scope of this Directive. These may be regulatory or supervisory bodies in the areas concerned, law enforcement agencies, anti-corruption bodies and ombudsmen. The authorities designated as competent shall have the necessary capacities and powers to assess the accuracy of the allegations made in the report and to address the breaches reported, including by launching an investigation, prosecution or action for recovery of funds, or other appropriate remedial action, in accordance with their mandate.
(35)Union law in specific areas, such as market abuse, civil aviation or safety of offshore oil and gas operations already provides for the establishment of internal and external reporting channels. The obligations to establish such channels laid down in this Directive should build as far as possible on the existing channels provided by specific Union acts.
(36)Some bodies, offices and agencies of the Union, such as the European Anti-Fraud Office (OLAF), the European Maritime Safety Agency (EMSA), the European Aviation Safety Agency (EASA) and the European Medicines Agency (EMA), have in place external channels and procedures for receiving reports on breaches falling within the scope of this Directive, which mainly provide for confidentiality of the identity of the reporting persons. This Directive does not affect such external reporting channels and procedures, where they exist, but will ensure that persons reporting to those bodies, offices or agencies of the Union benefit from common minimum standards of protection throughout the Union.
(37)For the effective detection and prevention of breaches of Union law it is vital that the relevant information reaches swiftly those closest to the source of the problem, most able to investigate and with powers to remedy it, where possible. This requires that legal entities in the private and the public sector establish appropriate internal procedures for receiving and following-up on reports.
(38)For legal entities in the private sector, the obligation to establish internal channels is commensurate with their size and the level of risk their activities pose to the public interest. It should apply to all medium-sized and large entities irrespective of the nature of their activities, based on their obligation to collect VAT. As a general rule small and micro undertakings, as defined in Article 2 of the Annex of the Commission Recommendation of 6 May 2003, as amended, should be exempted from the obligation to establish internal channels. However, following an appropriate risk assessment, Member States may require small undertakings to establish internal reporting channels in specific cases (e.g. due to the significant risks that may result from their activities).
(39)The exemption of small and micro undertakings from the obligation to establish internal reporting channels should not apply to private undertakings active in the area of financial services. Such undertakings should remain obliged to establish internal reporting channels, in line with the current obligations set forth in the Union acquis on financial services.
(40)It should be clear that, in the case of private legal entities which do not provide for internal reporting channels, reporting persons should be able to report directly externally to the competent authorities and such persons should enjoy the protection against retaliation provided by this Directive.
(41)To ensure in particular, the respect of the public procurement rules in the public sector, the obligation to put in place internal reporting channels should apply to all public legal entities, at local, regional and national level, whilst being commensurate with their size. In cases where internal channels are not provided in small public entities, Member States may provide for internal reporting within a higher level in the administration (that is to say at regional or central level).
(42)Provided the confidentiality of the identity of the reporting person is ensured, it is up to each individual private and public legal entity to define the kind of reporting channels to set up, such as in person, by post, by physical complaint box(es), by telephone hotline or through an online platform (intranet or internet). However, reporting channels should not be limited to those amongst the tools, such as in-person reporting and complaint box(es), which do not guarantee confidentiality of the identity of the reporting person.
(43)Third parties may also be authorised to receive reports on behalf of private and public entities, provided they offer appropriate guarantees of respect for independence, confidentiality, data protection and secrecy. These can be external reporting platform providers, external counsel or auditors or trade union representatives.
(44)Internal reporting procedures should enable private legal entities to receive and investigate in full confidentiality reports by the employees of the entity and of its subsidiaries or affiliates (the group), but also, to any extent possible, by any of the group’s agents and suppliers and by any person who acquires information through his/her work-related activities with the entity and the group.
(45)The most appropriate persons or departments within a private legal entity to be designated as competent to receive and follow up on reports depend on the structure of the entity, but, in any case, their function should ensure absence of conflict of interest and independence. In smaller entities, this function could be a dual function held by a company officer well placed to report directly to the organisational head, such as a chief compliance or human resources officer, a legal or privacy officer, a chief financial officer, a chief audit executive or a member of the board.
(46)In the context of internal reporting, the quality and transparency of information provided on the follow up procedure to the report is crucial to build trust in the effectiveness of the overall system of whistleblower protection and reduces the likelihood of further unnecessary reports or public disclosures. The reporting person should be informed within a reasonable timeframe about the action envisaged or taken as follow up to the report (for instance, closure based on lack of sufficient evidence or other grounds, launch of an internal enquiry and possibly its findings and/or measures taken to address the issue raised, referral to a competent authority for further investigation) as far as such information would not prejudice the enquiry or investigation or affect the rights of the concerned person. Such reasonable timeframe should not exceed in total three months. Where the appropriate follow up is still being determined, the reporting person should be informed about this and about any further feedback he/she should expect.
(47)Persons who are considering reporting breaches of Union law should be able to make an informed decision on whether, how and when to report. Private and public entities having in place internal reporting procedures shall provide information on these procedures as well as on procedures to report externally to relevant competent authorities. Such information must be easily understandable and easily accessible, including, to any extent possible, also to other persons, beyond employees, who come in contact with the entity through their work-related activities, such as service-providers, distributors, suppliers and business partners. For instance, such information may be posted at a visible location accessible to all these persons and to the web of the entity and may also be included in courses and trainings on ethics and integrity.
(48)Effective detection and prevention of breaches of Union law requires ensuring that potential whistleblowers can easily and in full confidentiality bring the information they possess to the attention of the relevant competent authorities which are able to investigate and to remedy the problem, where possible.
(49)Lack of confidence in the usefulness of reporting is one of the main factors discouraging potential whistleblowers. This warrants imposing a clear obligation on competent authorities to diligently follow-up on the reports received, and, within a reasonable timeframe, give feedback to the reporting persons about the action envisaged or taken as follow-up (for instance, closure based on lack of sufficient evidence or other grounds, launch of an investigation and possibly its findings and/or measures taken to address the issue raised; referral to another authority competent to give follow-up) to the extent that such information would not prejudice the investigation or the rights of the concerned persons.
(50)Follow up and feedback should take place within a reasonable timeframe; this is warranted by the need to promptly address the problem that may be the subject of the report, as well as to avoid unnecessary public disclosures. Such timeframe should not exceed three months, but could be extended to six months, where necessary due to the specific circumstances of the case, in particular the nature and complexity of the subject of the report, which may require a lengthy investigation.
(51)Where provided for under national or Union law, the competent authorities should refer cases or relevant information to relevant bodies, offices or agencies of the Union, including, for the purposes of this Directive, the European Anti-Fraud Office (OLAF) and the European Public Prosecutor Office (EPPO), without prejudice to the possibility for the reporting person to refer directly to such bodies, offices or agencies of the Union.
(52)In order to allow for effective communication with their dedicated staff, it is necessary that the competent authorities have in place and use specific channels, separate from their normal public complaints systems, that should be user-friendly and allow for written and oral, as well as electronic and non-electronic reporting.
(53)Dedicated staff members of the competent authorities, who are professionally trained, including on applicable data protection rules, would be necessary in order to handle reports and to ensure communication with the reporting person, as well as following up on the report in a suitable manner.
(54)Persons intending to report should be able to make an informed decision on whether, how and when to report. Competent authorities should therefore publicly disclose and make easily accessible information about the available reporting channels with competent authorities, about the applicable procedures and about the dedicated staff members within these authorities. All information regarding reports should be transparent, easily understandable and reliable in order to promote and not deter reporting.
(55)Member States should ensure that competent authorities have in place adequate protection procedures for the processing of reports of infringements and for the protection of the personal data of the persons referred to in the report. Such procedures should ensure that the identity of every reporting person, concerned person, and third persons referred to in the report (e.g. witnesses or colleagues) is protected at all stages of the procedure. This obligation should be without prejudice to the necessity and proportionality of the obligation to disclose information when this is required by Union or national law and subject to appropriate safeguards under such laws, including in the context of investigations or judicial proceedings or to safeguard the freedoms of others, including the rights of defence of the concerned person.
(56)It is necessary that dedicated staff of the competent authority and staff members of the competent authority who receive access to the information provided by a reporting person to the competent authority comply with the duty of professional secrecy and the confidentiality when transmitting the data both inside and outside of the competent authority, including where a competent authority opens an investigation or an inquiry or subsequent enforcement activities in connection with the report of infringements.
(57)Member States should ensure the adequate record-keeping of all reports of infringement and that every report is retrievable within the competent authority and that information received through reports could be used as evidence in enforcement actions where appropriate.
(58)Protection of personal data of the reporting and concerned person is crucial in order to avoid unfair treatment or reputational damages due to disclosure of personal data, in particular data revealing the identity of a person concerned. Hence, in line with the requirements of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, hereinafter also referred to as 'GDPR'), competent authorities should establish adequate data protection procedures specifically geared to the protection of the reporting person, the concerned person and any third person referred to in the report that should include a secure system within the competent authority with restricted access rights for authorised staff only.
(59)The regular review of the procedures of competent authorities and the exchange of good practices between them should guarantee that those procedures are adequate and thus serving their purpose.
(60)To enjoy protection, the reporting persons should reasonably believe, in light of the circumstances and the information available to them at the time of the reporting, that the matters reported by them are true. This reasonable belief should be presumed unless and until proven otherwise. This is an essential safeguard against malicious and frivolous or abusive reports, ensuring that those who deliberately and knowingly report wrong or misleading information do not enjoy protection. At the same time, it ensures that protection is not lost where the reporting person made an inaccurate report in honest error. In a similar vein, reporting persons should be entitled to protection under this Directive if they have reasonable grounds to believe that the information reported falls within its scope.
(61)The requirement of a tiered use of reporting channels, as a general rule, is necessary to ensure that the information gets to the persons who can contribute to the early and effective resolution of risks to the public interest as well as to prevent unjustified reputational damage from public disclosure. At the same time, some exceptions to its application are necessary, allowing the reporting person to choose the most appropriate channel depending on the individual circumstances of the case. Moreover, it is necessary to protect public disclosures taking into account democratic principles such as transparency and accountability, and fundamental rights such as freedom of expression and media freedom, whilst balancing the interest of employers to manage their organisations and to protect their interests with the interest of the public to be protected from harm, in line with the criteria developed in the case-law of the European Court of Human Rights.
(62)As a rule, reporting persons should first use the internal channels at their disposal and report to their employer. However, it may be the case that internal channels do not exist (in case of entities which are not under an obligation to establish such channels by virtue of this Directive or applicable national law) or that their use is not mandatory (which may be the case for persons who are not in an employment relationship), or that they were used but did not function properly (for instance the report was not dealt with diligently or within a reasonable timeframe, or no action was taken to address the breach of law despite the positive results of the enquiry).
(63)In other cases, internal channels could not reasonably be expected to function properly, for instance, where the reporting persons have valid reasons to believe that they would suffer retaliation in connection with the reporting; that their confidentiality would not be protected; that the ultimate responsibility holder within the work-related context is involved in the breach; that the breach might be concealed; that evidence may be concealed or destroyed; that the effectiveness of investigative actions by competent authorities might be jeopardised or that urgent action is required (for instance because of an imminent risk of a substantial and specific danger to the life, health and safety of persons, or to the environment. In all such cases, persons reporting externally to the competent authorities and, where relevant, to bodies, offices or agencies of the Union shall be protected. Moreover, protection is also to be granted in cases where Union legislation allows for the reporting person to report directly to the competent national authorities or bodies, offices or agencies of the Union, for example in the context of fraud against the Union budget, prevention and detection of money laundering and terrorist financing or in the area of financial services.
(64)Persons making a public disclosure directly should also qualify for protection in cases where a breach remains unaddressed (for example, it was not properly assessed or investigated or no remedial action was taken) despite having been reported internally and/or externally following a tiered use of available channels; or in cases where reporting persons have valid reasons to believe that there is collusion between the perpetrator of the breach and the competent authority is reasonably suspected , that evidence may be concealed or destroyed, or that the effectiveness of investigative actions by competent authorities might be jeopardised; or in cases of imminent and manifest danger for the public interest, or where there is a risk of irreversible damage, including, inter alia, harm to physical integrity.
(65)Reporting persons should be protected against any form of retaliation, whether direct or indirect, taken by their employer or customer/recipient of services and by persons working for or acting on behalf of the latter, including co-workers and managers in the same organisation or in other organisations with which the reporting person is in contact in the context of his/her work-related activities, where retaliation is recommended or tolerated by the concerned person. Protection should be provided against retaliatory measures taken vis-à-vis the reporting person him/herself but also those that may be taken vis-à-vis the legal entity he/she represents, such as denial of provision of services, blacklisting or business boycotting. Indirect retaliation also includes actions taken against relatives of the reporting person who are also in a work-related connection with the latter’s employer or customer/recipient of services and workers’ representatives who have provided support to the reporting person.
(66)Where retaliation occurs undeterred and unpunished, it has a chilling effect on potential whistleblowers. A clear prohibition of retaliation in law has an important dissuasive effect, further strengthened by provisions for personal liability and penalties for the perpetrators of retaliation.
(67)Potential whistleblowers who are not sure about how to report or whether they will be protected in the end may be discouraged from reporting. Member States should ensure that relevant information is provided in a user-friendly way and is easily accessible to the general public. Individual, impartial and confidential advice, free of charge, should be available on, for example, whether the information in question is covered by the applicable rules on whistleblower protection, which reporting channel may best be used and which alternative procedures are available in case the information is not covered by the applicable rules (‘signposting’). Access to such advice can help ensure that reports are made through the appropriate channels, in a responsible manner and that breaches and wrongdoings are detected in a timely manner or even prevented.
(68)Under certain national frameworks and in certain cases, reporting persons suffering retaliation may benefit from forms of certification of the fact that they meet the conditions of the applicable rules. Notwithstanding such possibilities, they should have effective access to judicial review, whereby it falls upon the courts to decide, based on all the individual circumstances of the case, whether they meet the conditions of the applicable rules.
(69)It should not be possible to waive the rights and obligations established by this Directive by contractual means. Individuals’ legal or contractual obligations, such as loyalty clauses in contracts or confidentiality/non-disclosure agreements, cannot be relied on to preclude workers from reporting, to deny protection or to penalise them for having done so. At the same time, this Directive should not affect the protection of legal and other professional privilege as provided for under national law.
(70)Retaliatory measures are likely to be presented as being justified on grounds other than the reporting and it can be very difficult for reporting persons to prove the link between the two, whilst the perpetrators of retaliation may have greater power and resources to document the action taken and the reasoning. Therefore, once the reporting person demonstrates prima facie that he/she made a report or disclosure in line with this Directive and suffered a detriment, the burden of proof should shift to the person who took the detrimental action, who should then demonstrate that their the action taken was not linked in any way to the reporting or the disclosure.
(71)Beyond an explicit prohibition of retaliation provided in law, it is crucial that reporting persons who do suffer retaliation have access to legal remedies. The appropriate remedy in each case will be determined by the kind of retaliation suffered. It may take the form of actions for reinstatement (for instance, in case of dismissal, transfer or demotion, or of withholding of training or promotion) or for restauration of a cancelled permit, licence or contract; compensation for actual and future financial losses (for lost past wages, but also for future loss of income, costs linked to a change of occupation); compensation for other economic damage such as legal expenses and costs of medical treatment, and for intangible damage (pain and suffering).
(72)The types of legal action may vary between legal systems but they should ensure as full and effective a remedy as possible. Remedies should not discourage potential future whistleblowers. For instance, allowing for compensation as an alternative to reinstatement in case of dismissal might give rise to a systematic practice in particular by larger organisations, thus having a dissuasive effect on future whistleblowers
(73)Of particular importance for reporting persons are interim remedies pending the resolution of legal proceedings that can be protracted. Interim relief can be in particular necessary in order to stop threats, attempts or continuing acts of retaliation, such as harassment at the workplace, or to prevent forms of retaliation such as dismissal, which might be difficult to reverse after the lapse of lengthy periods and which can ruin financially the individual — a perspective which can seriously discourage potential whistleblowers.
(74)Action taken against reporting persons outside the work-related context, through proceedings, for instance, related to defamation, breach of copyright, trade secrets, confidentiality and personal data protection, can also pose a serious deterrent to whistleblowing. Directive (EU) 2016/943 of the European Parliament and of the Council exempts reporting persons from the civil redress measures, procedures and remedies it provides for, in case the alleged acquisition, use or disclosure of the trade secret was carried out for revealing misconduct, wrongdoing or illegal activity, provided that the respondent acted for the purpose of protecting the general public interest. Also in other proceedings, reporting persons should be able to rely on having made a report or disclosure in accordance with this Directive as a defence. In such cases, the person initiating the proceedings should carry the burden to prove any intent on the part of the reporting person to violate the law.
(75)A significant cost for reporting persons contesting retaliation measures taken against them in legal proceedings can be the relevant legal fees. Although they could recover these fees at the end of the proceedings, they might not be able to cover them up front, especially if they are unemployed and blacklisted. Assistance for criminal legal proceedings, particularly in accordance with the provisions of Directive (EU) 2016/1919 of the European Parliament and of the Council and more generally support to those who are in serious financial need might be key, in certain cases, for the effective enforcement of their rights to protection.
(76)The rights of the concerned person should be protected in order to avoid reputational damages or other negative consequences. Furthermore, the rights of defence and access to remedies of the concerned person should be fully respected at every stage of the procedure following the report, in accordance with Articles 47 and 48 of the Charter of Fundamental Rights of the European Union. Member States should ensure the right of defence of the concerned person, including the right to access to the file, the right to be heard and the right to seek effective remedy against a decision concerning the concerned person under the applicable procedures set out in national law in the context of investigations or subsequent judicial proceedings.
(77)Any person who suffers prejudice, whether directly or indirectly, as a consequence of the reporting or disclosure of inaccurate or misleading information should retain the protection and the remedies available to him or her under the rules of general law. Where such inaccurate or misleading report or disclosure was made deliberately and knowingly, the concerned persons should be entitled to compensation in accordance with national law.
(78)Penalties are necessary to ensure the effectiveness of the rules on whistleblower protection. Penalties against those who take retaliatory or other adverse actions against reporting persons can discourage further such actions. Penalties against persons who make a report or disclosure demonstrated to be knowingly false are necessary to deter further malicious reporting and preserve the credibility of the system. The proportionality of such penalties should ensure that they do not have a dissuasive effect on potential whistleblowers.
(79)Any processing of personal data carried out pursuant to this Directive, including the exchange or transmission of personal data by the competent authorities, should be undertaken in accordance with Regulation (EU) 2016/679, and with Directive (EU) 2016/680 of the European Parliament and of the Council, and any exchange or transmission of information by Union level competent authorities should be undertaken in accordance with Regulation (EC) No 45/2001 of the European Parliament and of the Council. Particular regard should be had to the principles relating to processing of personal data set out in Article 5 of the GDPR, Article 4 of Directive (EU) 2016/680 and Article 4 of Regulation (EC) No 45/2001, and to the principle of data protection by design and by default laid down in Article 25 of the GDPR, Article 20 of Directive (EU) 2016/680 and Article XX of Regulation (EU) No 2018/XX repealing Regulation No 45/2001 and Decision No 1247/2002/EC.
(80)This Directive introduces minimum standards and Member States should have the power to introduce or maintain more favourable provisions to the reporting person, provided that such provisions do not interfere with the measures for the protection of concerned persons.
(81)In accordance with Article 26(2) TFEU, the internal market needs to comprise an area without internal frontiers in which the free and safe movement of goods and services is ensured. The internal market should provide Union citizens with added value in the form of better quality and safety of goods and services, ensuring high standards of public health and environmental protection as well as free movement of personal data. Thus, Article 114 TFEU is the appropriate legal basis to adopt the measures necessary for the establishment and functioning of the internal market. In addition to Article 114 TFEU, this Directive should have additional specific legal bases in order to cover the fields that rely on Articles 16, 33, 43, 50, 53(1), 62, 91, 100, 103, 109, 168, 169 and 207 TFEU and Article 31 of the Euratom Treaty for the adoption of Union measures. Since this Directive also aims at better protecting the financial interests of the Union, Article 325(4) TFEU should be included as a legal basis.
(82)The material scope of this Directive is based on the identification of areas where the introduction of whistleblower protection appears justified and necessary on the basis of currently available evidence. Such material scope may be extended to further areas or Union acts, if this proves necessary as a means of strengthening their enforcement in the light of evidence that may come to the fore in the future or on the basis of the evaluation of the way in which this Directive has operated.
(83)Whenever subsequent legislation relevant for this Directive is adopted, it should specify where appropriate that this Directive will apply. Where necessary, Article 1 and the Annex should be amended.
(84)The objective of this Directive, namely to strengthen enforcement in certain policy areas and acts where breaches of Union law can cause serious harm to the public interest through effective whistleblower protection, cannot be sufficiently achieved by the Member States acting alone or in an uncoordinated manner, but can rather be better achieved by Union action providing minimum standards of harmonisation on whistleblower protection. Moreover, only Union action can provide coherence and align the existing Union rules on whistleblower protection. Therefore, the Union may adopt measures in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality, as set out in that Article, this Directive does not go beyond what is necessary in order to achieve this objective.
(85)This Directive respects fundamental rights and observes the principles recognised in particular by the Charter of Fundamental Rights of the European Union. Accordingly, this Directive must be implemented in accordance with those rights and principles. In particular, this Directive seeks to ensure full respect for freedom of expression and information, the right to protection of personal data, the freedom to conduct a business, the right to a high level of consumer protection, the right to an effective remedy and the rights of defence.
(86)The European Data Protection Supervisor was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 and delivered an opinion on […]
HAVE ADOPTED THIS DIRECTIVE:
CHAPTER I
SCOPE AND DEFINITIONS
Article 1
Material scope
1.With a view to enhancing the enforcement of Union law and policies in specific areas, this Directive lays down common minimum standards for the protection of persons reporting on the following unlawful activities or abuse of law:
a) breaches falling within the scope of the Union acts set out in the Annex (Part I and Part II) as regards the following areas:
(i)public procurement;
(ii)financial services, prevention of money laundering and terrorist financing;
(iii)
product safety;
(iv)transport safety;
(v)protection of the environment;
(vi)nuclear safety;
(vii)food and feed safety, animal health and welfare;
(viii)public health;
(ix)consumer protection;
(x)protection of privacy and personal data, and security of network and information systems.
b) breaches of Articles 101, 102, 106, 107 and 108 TFEU and breaches falling within the scope of Council Regulation (EC) No 1/2003 and Council Regulation (EU) No 2015/1589;
c)breaches affecting the financial interests of the Union as defined by Article 325 TFEU and as further specified, in particular, in Directive (EU) 2017/1371 and Regulation (EU, Euratom) No 883/2013;
d)breaches relating to the internal market, as referred to in Article 26(2) TFEU, as regards acts which breach the rules of corporate tax or arrangements whose purpose is to obtain a tax advantage that defeats the object or purpose of the applicable corporate tax law.
2.Where specific rules on the reporting of breaches are provided for in sector-specific Union acts listed in Part 2 of the Annex, those rules shall apply. The provisions of this Directive shall be applicable for all matters relating to the protection of reporting persons not regulated in those sector-specific Union acts.
Article 2
Personal scope
1.This Directive shall apply to reporting persons working in the private or public sector who acquired information on breaches in a work-related context including, at least, the following:
a)persons having the status of worker, with the meaning of Article 45 TFEU;
b)persons having the status of self-employed, with the meaning of Article 49 TFEU;
c)shareholders and persons belonging to the management body of an undertaking, including non-executive members, as well as volunteers and unpaid trainees;
d) any persons working under the supervision and direction of contractors, subcontractors and suppliers.
2.This Directive shall also apply to reporting persons whose work-based relationship is yet to begin in cases where information concerning a breach has been acquired during the recruitment process or other pre-contractual negotiation.
Article 3
Definitions
For the purposes of this Directive, the following definitions shall apply:
(1)‘breaches’ means actual or potential unlawful activities or abuse of law relating to the Union acts and areas falling within the scope referred to in Article 1 and in the Annex;
(2)‘unlawful activities’ means acts or omissions contrary to Union law;
(3)‘abuse of law’ means acts or omissions falling within the scope of Union law which do not appear to be unlawful in formal terms but defeat the object or the purpose pursued by the applicable rules;
(4)‘information on breaches’ means evidence about actual breaches as well as reasonable suspicions about potential breaches which have not yet materialised;
(5)‘report’ means the provision of information relating to a breach which has occurred or is likely to occur in the organisation at which the reporting person works or has worked or in another organisation with which he or she is or was in contact through his or her work;
(6)‘internal reporting’ means provision of information on breaches within a public or private legal entity;
(7)‘external reporting’ means provision of information on breaches to the competent authorities;
(8)‘disclosure’ means making information on breaches acquired within the work-related context available to the public domain;
(9)‘reporting person’ means a natural or legal person who reports or discloses information on breaches acquired in the context of his or her work-related activities;
(10)‘work-related context’ means current or past work activities in the public or private sector through which, irrespective of their nature, persons may acquire information on breaches and within which these persons may suffer retaliation if they report them.
(11)‘concerned person’ means a natural or legal person who is referred to in the report or disclosure as a person to whom the breach is attributed or with which he or she is associated;
(12)‘retaliation’ means any threatened or actual act or omission prompted by the internal or external reporting which occurs in a work-related context and causes or may cause unjustified detriment to the reporting person;
(13)‘follow-up’ means any action taken by the recipient of the report, made internally or externally, to assess the accuracy of the allegations made in the report and, where relevant, to address the breach reported, including actions such as internal enquiry, investigation, prosecution, action for recovery of funds and closure;
(14)‘competent authority’ means any national authority entitled to receive reports in accordance with Chapter III and designated to carry out the duties provided for in this Directive, in particular as regards the follow up of reports.
CHAPTER II
INTERNAL REPORTING AND FOLLOW UP OF REPORTS
Article 4
Obligation to establish internal channels and procedures for reporting and follow-up of reports
1.Member States shall ensure that legal entities in the private and in the public sector establish internal channels and procedures for reporting and following up on reports, following consultations with social partners, if appropriate.
2.Such channels and procedures shall allow for reporting by employees of the entity. They may allow for reporting by other persons who are in contact with the entity in the context of their work-related activities, referred to in Article 2(1)(b),(c) and (d), but the use of internal channels for reporting shall not be mandatory for these categories of persons.
3.The legal entities in the private sector referred to in paragraph 1 are the following:
a)private legal entities with 50 or more employees;
b)private legal entities with an annual business turnover or annual balance sheet
total of EUR 10 million or more;
c)private legal entities of any size operating in the area of financial services or vulnerable to money laundering or terrorist financing, as regulated under the Union acts referred to in the Annex.
4.Following an appropriate risk assessment taking into account the nature of activities of the entities and the ensuing level of risk, Member States may require small private legal entities, as defined in Commission Recommendation of 6 May 2003, other than those referred to in paragraph 3(c) to establish internal reporting channels and procedures.
5.Any decision taken by a Member State pursuant to paragraph 4 shall be notified to the Commission, together with a justification and the criteria used in the risk assessment. The Commission shall communicate that decision to the other Member States.
6.The legal entities in the public sector referred to in paragraph 1 shall be the following:
a)state administration;
b)regional administration and departments;
c)municipalities with more than 10 000 inhabitants;
d)other entities governed by public law.
Article 5
Procedures for internal reporting and follow-up of reports
1.The procedures for reporting and following-up of reports referred to in Article 4 shall include the following:
a)channels for receiving the reports which are designed, set up and operated in a manner that ensures the confidentiality of the identity of the reporting person and prevents access to non-authorised staff members;
b)the designation of a person or department competent for following up on the reports;
c) diligent follow up to the report by the designated person or department;
d) a reasonable timeframe, not exceeding three months following the report, to provide feedback to the reporting person about the follow-up to the report;
e)clear and easily accessible information regarding the procedures and information on how and under what conditions reports can be made externally to competent authorities pursuant to Article 13(2) and, where relevant, to bodies, offices or agencies of the Union.
2.The channels provided for in point (a) of paragraph 1 shall allow for reporting in all of the following ways:
(a) written reports in electronic or paper format and/or oral report through telephone lines, whether recorded or unrecorded;
(b) physical meetings with the person or department designated to receive reports.
Reporting channels may be operated internally by a person or department designated for that purpose or provided externally by a third party, provided that the safeguards and requirements referred to in point (a) of paragraph 1 are respected.
3.The person or department referred to in point (b) of paragraph 1 may be the same person who is competent for receiving the reports. Additional persons may be designated as “trusted persons” from whom reporting persons and those considering reporting may seek confidential advice.
CHAPTER III
EXTERNAL REPORTING AND FOLLOW UP OF REPORTS
Article 6
Obligation to establish external reporting channels and to follow up on reports
1.Member States shall designate the authorities competent to receive and handle reports.
2.Member States shall ensure that the competent authorities:
a)establish independent and autonomous external reporting channels, which are both secure and ensure confidentiality, for receiving and handling information provided by the reporting person;
b)give feedback to the reporting person about the follow-up of the report within a reasonable timeframe not exceeding three months or six months in duly justified cases;
c)transmit the information contained in the report to competent bodies, offices or agencies of the Union, as appropriate, for further investigation, where provided for under national or Union law.
3.Member States shall ensure that competent authorities follow up on the reports by taking the necessary measures and investigate, to the extent appropriate, the subject-matter of the reports. The competent authorities shall communicate to the reporting person the final outcome of the investigations.
4.Member States shall ensure that any authority which has received a report but does not have the competence to address the breach reported transmits it to the competent authority and that the reporting person is informed.
Article 7
Design of external reporting channels
1.Dedicated external reporting channels shall be considered independent and autonomous, if they meet all of the following criteria:
a)they are separated from general communication channels of the competent authority, including those through which the competent authority communicates internally and with third parties in its ordinary course of business;
b)they are designed, set up and operated in a manner that ensures the completeness, integrity and confidentiality of the information and prevents access to non-authorised staff members of the competent authority;
c)they enable the storage of durable information in accordance with Article 11 to allow for further investigations.
2.The dedicated reporting channels shall allow for reporting in at least all of the following ways:
a)written report in electronic or paper format;
b)oral report through telephone lines, whether recorded or unrecorded;
c)physical meeting with dedicated staff members of the competent authority.
3.Competent authorities shall ensure that a report received by means other than dedicated reporting channels referred to in paragraphs 1 and 2 is promptly forwarded without modification to the dedicated staff members of the competent authority by using dedicated communication channels.
4.Member States shall establish procedures to ensure that, where a report being initially addressed to a person who has not been designated as responsible handler for reports that person is refrained from disclosing any information that might identify the reporting or the concerned person.
Article 8
Dedicated staff members
1.Member States shall ensure that competent authorities have staff members dedicated to handling reports. Dedicated staff members shall receive specific training for the purposes of handling reports.
2.Dedicated staff members shall exercise the following functions:
a)providing any interested person with information on the procedures for reporting;
b)receiving and following-up reports;
c)maintaining contact with the reporting person for the purpose of informing the reporting person of the progress and the outcome of the investigation.
Article 9
Procedures applicable to external reporting
1.The procedures applicable to external reporting shall provide for the following:
a)the manner in which the competent authority may require the reporting person to clarify the information reported or to provide additional information that is available to the reporting person;
b)a reasonable timeframe, not exceeding three months or six months in duly justified cases, for giving feed-back to the reporting person about the follow-up of the report and the type and content of this feed-back;
c)the confidentiality regime applicable to reports, including a detailed description of the circumstances under which the confidential data of a reporting person may be disclosed.
2.The detailed description referred to in point (c) of paragraph 1 shall include the exceptional cases in which confidentiality of personal data may not be ensured, including where the disclosure of data is a necessary and proportionate obligation required under Union or national law in the context of investigations or subsequent judicial proceedings or to safeguard the freedoms of others including the right of defence of the concerned person, and in each case subject to appropriate safeguards under such laws.
3.The detailed description referred to in point (c) of paragraph 1 must be written in clear and easy to understand language and be easily accessible to the reporting persons.
Article 10
Information regarding the receipt of reports and their follow-up
Member States shall ensure that competent authorities publish on their websites in a separate, easily identifiable and accessible section at least the following information:
a)the conditions under which reporting persons qualify for protection under this Directive;
b)the communication channels for receiving and following-up the reporting:
i)the phone numbers, indicating whether conversations are recorded or unrecorded when using those phone lines;
ii)dedicated electronic and postal addresses, which are secure and ensure confidentiality, to contact the dedicated staff members;
c)the procedures applicable to the reporting of breaches referred to in Article 9;
d)the confidentiality regime applicable to reports, and in particular the information in relation to the processing of personal data in accordance with Article 13 of Regulation (EU) 2016/679, Article 13 of Directive (EU) 2016/680 and Article 11 of Regulation (EC) 45/2001, as applicable.
e)the nature of the follow-up to be given to reports;
f)the remedies and procedures available against retaliation and possibilities to receive confidential advice for persons contemplating making a report;
g)a statement clearly explaining that persons making information available to the competent authority in accordance with this Directive are not considered to be infringing any restriction on disclosure of information imposed by contract or by any legislative, regulatory or administrative provision, and are not to be involved in liability of any kind related to such disclosure.
Article 11
Record-keeping of reports received
1.Member States shall ensure that competent authorities keep records of every report received.
2.Competent authorities shall promptly acknowledge the receipt of written reports to the postal or electronic address indicated by the reporting person, unless the reporting person explicitly requested otherwise or the competent authority reasonably believes that acknowledging receipt of a written report would jeopardise the protection of the reporting person’s identity.
3.Where a recorded telephone line is used for reporting, subject to the consent of the reporting person, the competent authority shall have the right to document the oral reporting in one of the following ways:
a)a recording of the conversation in a durable and retrievable form;
b)a complete and accurate transcript of the conversation prepared by the dedicated staff members of the competent authority.
The competent authority shall offer the possibility to the reporting person to check, rectify and agree the transcript of the call by signing it.
4.Where an unrecorded telephone line is used for reporting, the competent authority shall have the right to document the oral reporting in the form of accurate minutes of the conversation prepared by the dedicated staff members. The competent authority shall offer the possibility to the reporting person to check, rectify and agree with the minutes of the call by signing them.
5.Where a person requests a meeting with the dedicated staff members of the competent authority for reporting according to Article 7(2)(c), competent authorities shall ensure, subject to the consent of the reporting person, that complete and accurate records of the meeting are kept in a durable and retrievable form. A competent authority shall have the right to document the records of the meeting in one of the following ways:
a)a recording of the conversation in a durable and retrievable form;
b)accurate minutes of the meeting prepared by the dedicated staff members of the competent authority.
The competent authority shall offer the possibility to the reporting person to check, rectify and agree with the minutes of the meeting by signing them.
Article 12
Review of the procedures by competent authorities
Member States shall ensure that competent authorities review their procedures for receiving reports and their follow-up regularly, and at least once every two years. In reviewing such procedures competent authorities shall take account of their experience and that of other competent authorities and adapt their procedures accordingly.
CHAPTER IV
PROTECTION OF REPORTING AND CONCERNED PERSONS
Article 13
Conditions for the protection of reporting persons
1.A reporting person shall qualify for protection under this Directive provided he or she has reasonable grounds to believe that the information reported was true at the time of reporting and that this information falls within the scope of this Directive.
2.A person reporting externally shall qualify for protection under this Directive where one of the following conditions is fulfilled :
a)he or she first reported internally but no appropriate action was taken in response to the report within the reasonable timeframe referred in Article 5;
b)internal reporting channels were not available for the reporting person or the reporting person could not reasonably be expected to be aware of the availability of such channels;
c)the use of internal reporting channels was not mandatory for the reporting person, in accordance with Article 4(2);
d)he or she could not reasonably be expected to use internal reporting channels in light of the subject-matter of the report;
e)he or she had reasonable grounds to believe that the use of internal reporting channels could jeopardise the effectiveness of investigative actions by competent authorities;
f) he or she was entitled to report directly through the external reporting channels to a competent authority by virtue of Union law.
3.A person reporting to relevant bodies, offices or agencies of the Union on breaches falling within the scope of this Directive shall qualify for protection as laid down in this Directive under the same conditions as a person who reported externally in accordance with the conditions set out in paragraph 2.
4.A person publicly disclosing information on breaches falling within the scope of this Directive shall qualify for protection under this Directive where:
a)he or she first reported internally and/or externally in accordance with Chapters II and III and paragraph 2 of this Article, but no appropriate action was taken in response to the report within the timeframe referred to in Articles 6(2)(b) and 9(1)(b); or
b) he or she could not reasonably be expected to use internal and/or external reporting channels due to imminent or manifest danger for the public interest, or to the particular circumstances of the case, or where there is a risk of irreversible damage.
Article 14
Prohibition of retaliation against reporting persons
Member States shall take the necessary measures to prohibit any form of retaliation, whether direct or indirect, against reporting persons meeting the conditions set out in Article 13, including in particular in the form of:
a)suspension, lay-off, dismissal or equivalent measures;
b)demotion or withholding of promotion;
c)transfer of duties, change of location of place of work, reduction in wages, change in working hours;
d)withholding of training;
e)negative performance assessment or employment reference;
f)imposition or administering of any discipline, reprimand or other penalty, including a financial penalty;
g)coercion, intimidation, harassment or ostracism at the workplace;
h)discrimination, disadvantage or unfair treatment;
i)failure to convert a temporary employment contract into a permanent one;
j)failure to renew or early termination of the temporary employment contract;
k)damage, including to the person’s reputation, or financial loss, including loss of business and loss of income;
l)blacklisting on the basis of a sector or industry-wide informal or formal agreement, which entails that the person will not, in the future, find employment in the sector or industry;
m)early termination or cancellation of contract for goods or services;
n)cancellation of a licence or permit.
Article 15
Measures for the protection of reporting persons against retaliation
1.Member States shall take the necessary measures to ensure the protection of reporting persons meeting the conditions set out in Article 13 against retaliation. Such measures shall include, in particular, those set out in paragraphs 2 to 8.
2. Comprehensive and independent information and advice shall be easily accessible to the public, free of charge, on procedures and remedies available on protection against retaliation.
3.Reporting persons shall have access to effective assistance from competent authorities before any relevant authority involved in their protection against retaliation, including, where provided for under national law, certification of the fact that they qualify for protection under this Directive.
4.Persons reporting externally to competent authorities or making a public disclosure in accordance with this Directive shall not be considered to have breached any restriction on disclosure of information imposed by contract or by any legislative, regulatory or administrative provision, and incur liability of any kind in respect of such disclosure.
5.In judicial proceedings relating to a detriment suffered by the reporting person, and subject to him or her providing reasonable grounds to believe that the detriment was in retaliation for having made the report or disclosure, it shall be for the person who has taken the retaliatory measure to prove that the detriment was not a consequence of the report but was exclusively based on duly justified grounds.
6.Reporting persons shall have access to remedial measures against retaliation as appropriate, including interim relief pending the resolution of legal proceedings, in accordance with the national framework.
7. In addition to the exemption from measures, procedures and remedies provided for in Directive (EU) 2016/943, in judicial proceedings, including for defamation, breach of copyright, breach of secrecy or for compensation requests based on private, public, or on collective labour law, reporting persons shall have the right to rely on having made a report or disclosure in accordance with this Directive to seek dismissal.
8.
In addition to providing legal aid to reporting persons in criminal and in cross-border civil proceedings in accordance with Directive (EU) 2016/1919 and Directive 2008/52/EC of the European Parliament and of the Council, and in accordance with national law, Member States may provide for further measures of legal and financial assistance and support for reporting persons in the framework of legal proceedings.
Article 16
Measures for the protection of concerned persons
1.Member States shall ensure that the concerned persons fully enjoy the right to an effective remedy and to a fair trial as well as the presumption of innocence and the rights of defence, including the right to be heard and the right to access their file, in accordance with the Charter of Fundamental Rights of the European Union.
2.Where the identity of the concerned persons is not known to the public, competent authorities shall ensure that their identity is protected for as long as the investigation is ongoing.
3.The procedures set out in Articles 9 and 11 shall also apply for the protection of the identity of the concerned persons.
Article 17
Penalties
1.Member States shall provide for effective, proportionate and dissuasive penalties applicable to natural or legal persons that:
a)hinder or attempt to hinder reporting;
b)take retaliatory measures against reporting persons;
c)bring vexatious proceedings against reporting persons;
d)breach the duty of maintaining the confidentiality of the identity of reporting persons.
2.Member States shall provide for effective, proportionate and dissuasive penalties applicable to persons making malicious or abusive reports or disclosures, including measures for compensating persons who have suffered damage from malicious or abusive reports or disclosures.
Article 18
Processing of personal data
Any processing of personal data carried out pursuant to this Directive, including the exchange or transmission of personal data by the competent authorities, shall be made in accordance with Regulation (EU) 2016/679 and Directive (EU) 2016/680. Any exchange or transmission of information by competent authorities at Union level should be undertaken in accordance with Regulation (EC) No 45/2001. Personal data which are not relevant for the handling of a specific case shall be immediately deleted.
CHAPTER V
FINAL PROVISIONS
Article 19
More favourable treatment
Member States may introduce or retain provisions more favourable to the rights of the reporting persons than those set out in this Directive, without prejudice to Article 16 and Article 17(2).
Article 20
Transposition
1.Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with this Directive by 15 May 2021, at the latest. They shall forthwith communicate to the Commission the text of those provisions.
2.When Member States adopt those provisions, they shall contain a reference to this Directive or be accompanied by such a reference on the occasion of their official publication. Member States shall determine how such reference is to be made.
Article 21
Reporting, evaluation and review
1.Member States shall provide the Commission with all relevant information regarding the implementation and application of this Directive. On the basis of the information provided, the Commission shall, by 15 May 2023, submit a report to the European Parliament and the Council on the implementation and application of this Directive.
2.Without prejudice to reporting obligations laid down in other Union legal acts, Member States shall, on an annual basis, submit the following statistics on the reports referred to in Chapter III to the Commission, if they are available at a central level in the Member State concerned:
a)the number of reports received by the competent authorities;
b)the number of investigations and proceedings initiated as a result of such reports and their final outcome;
c) the estimated financial damage, if ascertained and the amounts recovered following investigations and proceedings related to the breaches reported.
3.The Commission shall, by 15 May 2027, taking into account its report submitted pursuant to paragraph 1 and the Member States’ statistics submitted pursuant to paragraph 2, submit a report to the European Parliament and to the Council assessing the impact of national law transposing this Directive. The report shall evaluate the way in which this Directive has operated and consider the need for additional measures, including, where appropriate, amendments with a view to extending the scope of this Directive to further areas or Union acts.
Article 22
Entry into force
This Directive shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
Article 23
Addressees
This Directive is addressed to the Member States.
Done at Brussels,
For the European Parliament
For the Council
The President
The President