At the end of 2019, the European Parliament and the Council of the European Union (“EU”) agreed to the text of the EU Directive for the Protection of Whistleblowers. The Annex to the Directive specifies the extensive list of Union legal acts violations of which whistleblowers are encouraged to report, and for which the reporting of they are protected. EU directives require member states to achieve a certain result, establishing a goal that all states are required to achieve.  To achieve that goal, however, each state must enact its own, individual legislation, using its own internal legislative procedures.

The deadline is normally two years, and as the EU Whistleblower Directive was adopted on December 16, 2019, member states had until December 2021 to complete the transposition. As of that date a few months ago, only two states, Denmark and Sweden, had completed the transposition process by adopting national legislation that complied with the Directive. Of the remaining twenty-five, most were in the process of drafting the legislation, though Ireland, Germany, Austria and the Netherlands were not even in the drafting process. Both Ireland and the Netherlands already had national policies in place that needed only slight modification to be in compliance.

Though the process has been delayed, there is no reason to expect that all member states will not soon come into compliance with the Directive.  Moreover, national courts are often influenced by the policies in EU directives when interpreting their own pre-existing national law.

The EU Whistleblower Directive requires that companies with fifty or more employees, or that have annual sales exceeding ten million euros must provide secure internal reporting channels for those wishing to expose wrongdoing.  Moreover, public institutions and any local governmental authorities with jurisdiction over ten thousand or more inhabitants also must provide such secure channels.

The identities of those making these reports must be kept confidential. Any employee, full- or part-time, freelancer, supplier, service provider or business partner should be able to use this channel to report violations of European law.  Those making the report, however, are only protected if they “have reasonable grounds to believe, in light of the circumstances and the information available to them at the time of reporting, that the matters reported by them are true.”

Though the company or other organization maintaining this secure reporting channel is allowed the first opportunity to address the problems reported, if that organization does not respond to the complaint in a reasonable time and manner, the whistleblower who made the report has the right to contact the relevant authorities directly. The Directive specifies that whistleblowers should be able to expect such responses within three months.

If the organization fails to provide a secure channel, the whistleblower is, again, entitled to contact the relevant authorities directly.  The Directive makes clear, therefore, that the appropriate authorities establish external reporting channels to which whistleblowers can make reports. The Directive also requires national laws establish procedures that will ensure that authorities will diligently follow up on the reports received diligently and give feedback to the reporting person in a reasonably prompt fashion.

The Directive also mandates that persons making these reports be protected from retaliation.  This protection against retaliation should extend not only to the reporting persons themselves but also against what the Directive calls “indirect” retaliation.  That means not only the whistleblower should be protected, but also her colleagues, relatives who might also have some work-related connection to the employer, and those who assisted or facilitated in making the report in some way.