The EU has adopted a Directive and not a Regulation to regulate the whistleblowing policies on the European territories. As opposed to a Regulation which is automatically enforceable toward all the European Members states, a Directive is just a general legal framework that requires, to be enforceable, that each European members states transpose it in their own local legislations. This has for consequence that the legislations may differ a little bit from one European country to another one depending on the interpretation of the Directive by each Member State.
- The transposition of the European Directive on the whistleblowing in France
In a nutshell, the new French regulations regarding whistleblowing, in accordance with the European directive, are as follow:
– Evolution of the whistleblower definition: the main evolution lies on the fact that while a whistleblower was previously required to act in a « disinterested » manner, it is now sufficient for the whistleblower to act without receiving » direct financial compensation;
– In addition, it is no longer necessary that the whistleblower denounces a “serious” and “clear” violation. This change may have a stronger impact in France where the material scope of the alert is broader than the one used in the European directive, which lists the violations covered;
– It is no longer necessary for the whistleblower to have personal knowledge of the facts that are the subject of the alert if the information was obtained in the context of his professional activity;
– The subject of the whistleblowing is no longer necessarily only a violation, but can also be an attempt to conceal a violation, which broadens the scope of whistleblower protection;
– The protection has also been extended to additional persons (either physical person or legal entities), namely:
- Facilitators (any natural or legal person under private non-profit law) who assist a whistleblower in making a report or disclosure. This may notably include employees’ representatives and union members;
- Individuals in contact with a whistleblower who are at risk of retaliation in the context of their professional activities by their employer, their client or the recipient of their services (colleagues or relatives);
- The legal entities controlled by the whistleblower, for which he works or to which he is linked in a professional context;
– Companies with more than 50 employees still have the obligation to implement an internal process for collecting reports. An additional decree should provide for more precision regarding the conditions of such process;
– Companies with less than 250 employees can share their procedures for handling alerts:
– New regulations have also reinforced the protections granted to a whistleblower (civil and criminal immunity; protection against retaliations; increased sanctions).
For example, French law confirms that facts or documents covered by (i) national defense secrecy, (ii) medical secrecy, and (iii) attorney-client privilege are excluded from the whistleblower regime. To this list is also added the secrecy of judicial deliberations and of the judicial inquiry or investigation.
Groups of company can also share their whistleblowing process – the conditions under which information relating to an alert within one of the companies of the group may be transmitted to another of its companies with a view to ensuring or completing its processing are yet to be specified by the French government.
Regarding the internal/external alerts
Reporting channels have also been amended: the previous regulations required the whistleblower to firstly bring an alert to his (direct or indirect) manager or a representative designated for this purpose, before being able to reach to the judicial or administrative authorities (or professional orders), while ultimately being able to disclose publicly the alert in case the previous interlocutors did not intervene in due time. As of September 1st, 2022, the whistleblower can now choose between an internal or external (i.e. authorities) alert without being required to bring it first to his employer. But from the point of view of a firm that works with employers, it would be highly recommended that they set up an incentive for employees to use an internal alert rather than an external one in order to foster social relations within the company.
In addition, the possibility to bring an internal alert has been extended to employees whose contract has been terminated, candidates, shareholders, associates and holders of voting rights in the general assembly of the entity, external and occasional collaborators, co-contractors of the entity concerned, their subcontractors, or, in the case of legal entities, members of the administrative, management or supervisory body of these co-contractors and subcontractors, as well as members of their staff.
Regarding the personal data
The elements likely to identify the whistleblower can only be disclosed with his or her consent, except to the judicial authority when the persons in charge of collecting and processing the whistleblower’s reports are obliged to denounce the facts to the judge. In this case, the whistleblower would be informed of such disclosure to the judicial authority, unless such information would jeopardize the judicial proceedings.
The law adds conditions concerning the retention of data relating to whistleblowing. They may only be kept for the time strictly necessary and proportionate to their processing and to the protection of their authors, the persons concerned and the third parties mentioned in these alerts, taking into account possible further investigations.
Regarding the investigations
It is a formal investigation of potential wrongdoing involving the company and/or its employees, designed to identify relevant facts to assist the company in taking appropriate decisions and corrective action. This investigation must be carried out by one or more qualified persons, appointed by the company’s management, and must result in the formal drafting of an investigation report that establishes or removes the suspicion, as well as the method followed. The internal investigation report concludes on the action to be taken on the report.
- The transposition of the European Directive on the whistleblowing in Germany
In Germany, the Whistleblower Directive will not be implemented on time. Probably due to the change of government in late 2021, the project has fallen behind slightly. Currently, the draft bill of the Federal Ministry of Justice dated April 13, 2022 is available. A formal legislative bill for the Whistleblower Protection Act has not yet been introduced in the Bundestag. Thus, only forecasts based on the draft bill are currently possible. It cannot be ruled out that the current draft bill, although already well advanced, will still undergo changes in the legislative process.
The planned new German regulations regarding whistleblowing, in accordance with the European directive, are as follows:
– Evolution of the whistleblower definition and summary of the regulations already existing in various individual laws: The personal scope defined in the Whistleblower Protection Act now includes all persons who have obtained information about violations in their professional environment and report/disclose them. Furthermore, trainees and civil servants are also included. The material scope of application includes the reporting of criminal violations or violations subject to fines, as well as other violations of federal, state or European law, which serves, among other things, consumer or environmental protection, the protection of energy, transportation and food safety or data protection. This provision is consistent with the areas of law provided for in the Directive.
– Whistleblowers are free to choose whether to report to an internal or external reporting office. The reporting offices must document the reports and (with exceptions) treat them confidentially. Detailed regulations are provided for the establishment of the reporting offices and the procedure; among other things, internal reporting offices must only be established by companies with more than 250 (from 17.12.2023: 50) employees. However, we would also recommend that smaller entities voluntarily set up internal hotlines.
– Whistleblowers are largely afforded protection from reprisal, provided they have complied with reporting channels/disclosure requirements. There is a reversal of the burden of proof in the case of occupational discrimination; if such discrimination occurs in connection with a report, it is presumed that such discrimination constitutes reprisal.
– In the case of unlawful reprisals, the person who caused the reprisal is liable for damages ; in the case of an intentional/grossly negligent false report, the person who provided the information is liable for damages.
– Fines are planned, for example, for failure to establish an internal reporting channel despite an obligation to do so or for breaches of confidentiality.
Regarding the internal/external alerts
Except for specific sectors (banks, insurance companies, etc.), whistleblowing was unregulated in Germany. Especially after the entry into force of the GDPR, this has led to major conflicts with the information and disclosure obligations regulated therein, which are now to be resolved with the Whistleblower Protection Act. The planned Whistleblower Protection Act will now introduce specific regulations. Reporting channels will be created. The Act adopted and in force once, the whistleblower can now choose between an internal or external (i.e. authorities) alert without being required to bring it first to the employer. But from the point of view of a firm that works with employers, it would be highly recommended to create internal reporting channels which are easy to use in order to avoid external alerts to a maximum.
Regarding the personal data
Internal and external reporting offices must protect the identity of the reporting person. It is envisaged that this mechanism will also override corresponding information obligations from the GDPR. The elements likely to identify the whistleblower can only be disclosed with his or her consent, except to the authority when the persons in charge of collecting and processing the whistleblower’s reports are obliged to denounce the facts in order to allow the authorities to proceed.
The law adds conditions concerning the documentation and retention of data relating to whistleblowing. Such documentation may only be kept for 2 years.
In view of the fact that European states are bound by both EU and local whistleblower legislation, it seems more reasonable to comply with these provisions and avoid any conflict of law with US legislation.
Indeed, as you can see, EU and local laws provide for very specific obligations and definitions, which may differ across jurisdictions, and which may also differ from US regulations.
This is the reason why it appears that trying to extend an US policy through EU might, at best, lead to inconsistencies and, at worst, insufficiently cover us in light of the applicable regulations.