Protections Afforded to Whistleblowers in the EU: An Update

Until recently, whistleblowing raised many concerns in France and other European countries. Reporting on colleagues’ behavior, even if unlawful, was seen as risky business that could lead to dismissals and criminal sanctions for the whistleblower.

Times have changed. Few openly criticize a practice that society now recognizes as serving the public interest. Investigative journalism has played a role by uncovering corrupt practices that resulted in damaging consequences for corporations ranging from reputational harm to criminal prosecutions — consequences that could have been prevented had such practices been detected at an earlier stage. In this vein, whistleblowers are increasingly considered in Europe as key players in corporate risk management. 

However, to date, only ten European Union (EU) member states have whistleblower legislation in place.^[1] For this reason, in 2016, the European Commission, recognizing that compliance with EU law remains a major challenge, underlined the need “for a stronger focus on enforcement in order to serve the general interest.”^[2] On this basis, the commission proposed European legislation to harmonize the protection of whistleblowers within the EU, and the Directive on the protection of persons reporting breaches of EU law (Directive)^[3] was adopted on April 16, 2019. While the Directive only concerns infringements of EU law, its provisions will likely be used as a point of reference for national legislators to pass new, or amend existing, legislation concerning whistleblowers. Indeed, it is difficult to see how a national legislator could put in place different alert procedures depending on whether the offense at issue infringes local or EU law. Both the whistleblower and those responsible for following up on the alert would have difficulties coping with this complicated system.

The Directive is inspired by a 2014 Council of Europe recommendation and by the extensive case law of the European Court of Human Rights (ECHR),^[4] while at the same time deviating in some respects from this case law. The French system for the protection of whistleblowers, established by Law No. 2016-1691 of Dec. 9, 2016 (Sapin II Law), is in line with the case law of the ECHR. In this respect, it is worth reflecting on the possibility of France adapting the Sapin II Law to the new European framework.

A scope determined by the principle of subsidiarity

The objective scope of the Directive, by virtue of the principle of subsidiarity, is limited to infringements of EU law. These infringements are listed in Article 2 of the Directive and concern the following sectors: public procurement; financial services, products and markets, and prevention of money laundering and terrorist financing; product safety; transport safety; protection of the environment; radiation protection and nuclear safety; food and feed safety; animal health and welfare; public health; consumer protection; protection of privacy and personal data; and security of network and information systems.

The Directive also applies to breaches affecting the financial interests of the EU, to breaches relating to the internal market (including breaches of the competition and state aid rules), and to violations of European regulations applicable to corporate taxation (intra-Community VAT).

A legal activity which could appear to be contrary to the general interest (e.g., tax optimization, unless it is considered to be illegal state aid) would therefore not be directly covered by the Directive. In this respect, the Directive is less restrictive than the French regime, which provides that any disclosure of a threat or serious prejudice to the general interest falls within the scope of the mechanism providing protection to whistleblowers.^[5]

Member states will naturally be able to extend the EU protection to all offenses punished by their respective systems.^[6] The possibility of extending the scope of protection is also included in the procedure for revising the Directive.^[7]

The subjective scope of the Directive, as set forth in Article 4, includes not only persons working in the private or public sectors but also shareholders and persons belonging to the administrative, management or supervisory body of an undertaking, including nonexecutive members, as well as volunteers and paid or unpaid trainees and any persons working under the supervision and direction of contractors, subcontractors and suppliers. Persons who report or disclose information acquired in a work-based relationship which has ended or not yet started, facilitators, and third parties connected with the reporting persons, such as colleagues or relatives, are also protected as whistleblowers. The Directive also extends its protections to legal entities that the reporting persons own, work for or are otherwise connected with in a work-related context. The subjective scope of this Directive is therefore broader than what is provided for by French law, which protects only natural persons and not legal entities.^[8]

Broad interpretation of the notion of whistleblower

In order to benefit from the Directive’s protections, the whistleblower must, according to Article 5, fulfill three conditions:

• Have reasonable grounds to believe that the information reported was true at the time of reporting
• Have reasonable grounds to believe that the information fell within the scope of the Directive
• Comply with the requirements of the Directive on alert channels and the procedures in place

The Directive does not limit protection to facts which the whistleblower had personal knowledge of, as is the case under French law. The Directive appears to allow for the whistleblower to declare facts observed by third parties, provided that this information has been obtained in a professional context.

In addition, and in further contrast with French law, the Directive does not explicitly condition the status of whistleblower to the need to act in a “selfless manner.” It thus leaves it to the member states to reward whistleblowers. In France, the Sapin II Law has ruled out this possibility with regard to anti-corruption. However, whistleblower rewards are possible based on the Anti-Fraud Act of October 23, 2018,^[9] which was designed to strengthen the measures to fight against taxpayers’ failure to comply with their tax and social duties. Under this law, the tax administration may reward any person outside the public administration who provides information on any material breach of tax legislation. Initially planned in 2017 on an experimental basis,^[10] this system was extended by the 2018 act to remain permanent.

In comparison, the United States has for more than a century offered rewards to whistleblowers. Several mechanisms, such as the False Claims Act,^[11] the IRS Whistleblower Reward Program^[12] and the Securities and Exchange Commission (SEC) Whistleblower Reward Program,^[13] are intended to encourage whistleblowers to provide information on illegal acts. The amounts paid can be significant. For example, the SEC has paid out $326 million to 59 whistleblowers since 2010.^[14] However, in light of the recent high payouts, the SEC is considering reviewing its rules by capping the amount of each reward to $30 million.^[15] In March 2018, the SEC granted $50 million and $33 million, respectively, to two whistleblowers.^[16] In September 2018, it awarded $39 million to a whistleblower.^[17] On March 26, 2019, it paid $50 million to two whistleblowers.^[18] More than half of all awards granted through this program, which has been in place for seven years, were paid in 2018. The EU is probably far from implementing the same practices, which can ultimately raise ethical issues.

Finally, Article 5 of the Directive allows member states to decide whether or not to allow the alert to be anonymous. The same provision states that whistleblowers who were initially anonymous and were later identified should be protected in the event of retaliation. While the Sapin II Law does not expressly address the issue of anonymous alerts (Article 9 merely guarantees “the strict confidentiality of the whistleblower”), the AU-004 framework on alert systems set forth by CNIL, the French data protection authority, was amended in 2017 to provide for the anonymity of certain alerts, in particular if the seriousness of the facts is established and the factual elements are sufficiently detailed.^[19] As a result, it seems unlikely that the Sapin II Law will be amended in the short term to remove the option of anonymizing alerts.

Non-hierarchical reporting channels

The Directive requires member states to ensure that companies with more than 50 employees or local municipalities that have more than 10,000 inhabitants establish internal channels and procedures for the alerts.^[20] It should be noted that the same thresholds are provided for in the Sapin II Law.^[21]

The Directive provides for three types of reporting: internal, external and public.

Originally, the European Commission’s proposal, based on the case law of the ECHR incorporated in the Sapin II Law, required whistleblowers to use the entity’s internal channels to launch the alert before bringing it to the attention of the administrative or judicial authorities. This procedure constituted an important point of discrepancy between the European Parliament and the Council, the latter of which, at the initiative of France, wished to prioritize the internal alert. Indeed, in France, the alert must first be made internally (to the employee’s direct or indirect superior or to a named representative).^[22] It is only in the absence of an “action by the person to whom the alert is addressed” within a reasonable period of time that the alert “to the judicial authority, the administrative authority or the professional bodies” is possible. The Directive changes this approach by allowing first-line external or internal reporting, while encouraging internal alerting. According to Article 10 of the Directive, the whistleblower can therefore choose between two channels — internal and external — to issue an alert. Hence, there is no longer a procedural hierarchy between internal and external alerts.

With respect to the possibility of revealing information publicly, whether via social networks or to the press, the Directive provides that the public alert will only be protected if:

• There is no reaction from the addressees of the internal and/or external alerts for a period of three or six months or
• The whistleblower has reasonable grounds to fear an imminent or manifest danger for the public interest (e.g., an emergency situation or a risk of irreversible damage) or
• The whistleblower has reasonable grounds to fear a risk of retaliation or there is a low prospect that the breach would be effectively addressed due to the particular circumstances of the case.^[23]

Similarly, French law also allows alerts to be made public in the absence of a response from the administrative or judicial authorities within three months.^[24] It also provides for an emergency procedure “in the event of serious and imminent danger or in the presence of a risk of irreversible damage.”^[25]

Enhanced protection for whistleblowers

The Directive prohibits any form of retaliation against the employee. The prohibited retaliatory measures are very broad, exceeding the protections offered under employment contracts or under statutes for civil servants. In this respect, Article 19 of the Directive provides that sanctions are to be imposed for, among other actions, any suspension, dismissal, refusal of promotion, disciplinary measures, discrimination, unfair treatment, intimidation or damage to the person’s reputation, or blacklisting.

According to Article 21 of the Directive, the person who has complied with the legal reporting procedures may not be prosecuted for breach of professional secrecy, with the exception of reporting that concerns national security, legal and medical professional secrecy, and the secrecy of judicial deliberations. A similar provision is provided for by French law.^[26] In 2017, the Toulouse First Instance Court for the first time acquitted an employee sued for slander after publicly denouncing various problems within an institute offering care services for severely disabled children.^[27] In addition, applying the Sapin II Law, in October 2018, the Court of Cassation overturned the conviction of a labor inspector prosecuted for breach of professional secrecy after disclosing Tefal’s confidential documents to several departmental and regional trade unions, suggesting that the company’s management was putting pressure on her through her superior.^[28]

Under Article 20 of the Directive, member states must ensure that whistleblowers have access to independent legal aid and independent counseling. States are also invited to provide whistleblowers with financial and psychological support. Such actions were laid out in the Sapin II Law, which designated the Human Rights Defender as the person responsible for providing whistleblowers with aid or financial assistance. However, the Constitutional Court declared that this role did not fall within the scope of the Human Rights Defender’s powers, as laid down in the Constitution of France.^[29] 

In the event of proceedings before a court or authority relating to retaliatory measures suffered by the reporting person, the Directive provides for a shifting of the burden of proof. In this respect, Article 21.5 of the Directive provides that subject to the whistleblower “establishing that he or she made a report or public disclosure and suffered a detriment, it shall be presumed that the measure was taken as retaliation for the report or disclosure.” It will therefore be up to the employer to prove that the measures adopted (e.g., disciplinary measures) were motivated by factors unrelated to the alert. In this sense, French law is in line with the Directive, since it also provides for the shifting of the burden of proof in the event of measures taken against the whistleblower following an alert.^[30]

Finally, the Directive requires member states to establish “effective, proportionate and dissuasive” penalties in the event of hindering or attempting to hinder whistleblower reporting, bringing retaliatory or vexatious proceedings against whistleblowers, or breaching the duty to maintain the confidentiality of the whistleblowers’ identity.^[31] The Sapin II Law has already introduced criminal sanctions for this type of behavior, which may result in sanctions such as up to two years’ imprisonment and a €30,000 fine.^[32]

In summary, the Directive is intended to provide the foundation on which member states will adopt increasingly uniform alert systems throughout Europe. Some elements of the alert systems, including those concerning whistleblower rewards and anonymization, will still be left to the discretion of the member states, while other elements will be harmonized. This is a positive step: not only does the Directive make it easier for companies operating in different member states to comply with relevant legislation, but above all the Directive recognizes the idea that each member of a professional community is responsible for ensuring that deviant conduct cannot prosper and thus endanger the company or administration in which it occurs.^[33] Everyone becomes responsible for everyone else’s safety, particularly in terms of ethics. The “speak up” culture is thus encouraged in forms that are similar to those promoted across the Atlantic.

In this respect, Article 25 of the Directive reserves the right for member states to go beyond its recommendations. It also states that member states must under no circumstances reduce the level of protection already granted to whistleblowers when transposing this Directive.

The Directive must be transposed within the two years following its adoption. France will therefore have to amend its legislation on the whistleblower system in order to comply with the Directive, in particular by facilitating access to the external reporting procedure.

^[1] States such as France, Ireland and the United Kingdom have a general legislation; 17 member states have only sectoral legislation (public, private or financial sector); there is no protection for the private sector in 13 member states; and Cyprus and Latvia have no legislation at all.

^[2] Communication from the Commission, EU law: Better results through better application, C/2016:8600.

^[3] http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+TA+P8-TA-2019-0366+0+DOC+PDF+V0//EN.

^[4] Council of Europe, Recommendation CM/Rec (2014)7 protecting whistleblowers.

^[5] Article 6 of the Sapin II Law.

^[6] Article 2.2 of the Directive.

^[7] Article 27.3 of the Directive.

^[8] Article 6 of the Sapin II Law.

^[9] Article 21 of the Law No. 2018-898 of October 23, 2018.

^[10] Article 109 of the Finance Law No. 2016-1917 of December 29, 2016.

^[11] 31 U.S.C. § 3729 et seq.

^[12] 26 U.S.C. § 7623.

^[13] 15 U.S.C. § 78u-6.

^[14] SEC, Whistleblower Program Annual Report 2018.

^[15] https://www.sec.gov/rules/proposed/2018/34-83557.pdf.

^[16] https://www.sec.gov/news/press-release/2018-44.

^[17] https://www.sec.gov/news/press-release/2018-179.

^[18] https://www.sec.gov/news/press-release/2019-42.

^[19] CNIL, Projet du référentiel relatif aux traitements de donnée à caractère personnel destines à la mise en œuvre d’un dispositif d’alerte.

^[20] Article 8 de la Directive.

^[21] Article 8.III de la loi Sapin II.

^[22] Article 8 of the Sapin II Law.

^[23] Article 15 of the Directive.

^[24] Article 8.I of the Sapin II Law.

^[25] Article 8.II of the Sapin II Law.

^[26] Article 7 of the Sapin II Law.

^[27] TGI Toulouse, Nov. 21, 2017, n° 4363/17.

^[28] French Supreme Court, Oct. 17, 2018, n° 17-80485.

^[29] Decision n° 2016-741 DC of Dec. 8, 2016.

^[30] Article 16 of the Sapin II Law.

^[31] Article 23 of the Directive.

^[32] Articles 9.II and 13 of the Sapin II Law.

^[33] Article 25 of the Directive.