Better protection for whistleblowers on its way
Employees often play a key role in exposing and preventing breaches of important legislation by the company or organization they work for. These breaches can often be very harmful to the public interest. However, potential whistleblowers are often discouraged from reporting such breaches for fear of retaliation.
Therefore, on 23 October 2019, the European Parliament and the European Council adopted Directive No. (EU) 2019/1937 on the protection of persons who report breaches of Union law. The Directive applies to both the private and public sectors and applies to anyone acting in a work-related context. (Ex-)Employees, civil servants, consultants, (un)remunerated trainees, directors, shareholders: they are all protected when they report a breach.
The material scope of the Directive is wide. It concerns breaches in the areas of financial services and markets, money laundering, public procurement, transport safety, protection of the environment, consumer protection and public health, as well as breaches relating to the internal market. National legislation can extend this scope with a view to ensuring that there is a comprehensive and coherent whistleblower protection framework.
The Directive imposes the following minimal obligations:
- Internal procedures - Every company in the private sector with 50 or more employees must provide for a sufficiently confidential and secure channel or procedure for internal reporting by whistleblowers. In the public sector, in principle, all entities are targeted, but the Member State can provide for certain exemptions (e.g. for entities with fewer than 50 employees);
- External procedures – Member States must provide for an independent and adequate external reporting channel. There is no obligation to use the internal channel first, but Member States should encourage its prior use;
- Prohibition of retaliatory measures – There is a prohibition of retaliatory measures (dismissal, but also e.g. a negative evaluation, a modification of the working conditions, disciplinary sanctions) against whistleblowers. Legal or contractual obligations, such as loyalty clauses or confidentiality obligations, cannot prevent the application of the protection;
- Effective sanctions – Member States should provide for effective sanctions, for example against those who obstruct reports or take retaliatory measures;
- Data protection – Since whistleblowing involves the processing of personal data, the general obligations of the GDPR apply and must be fulfilled.
Belgium must implement the Directive in national legislation by 17 December 2021. This means that, by this date, new rules will have to be in place for the entire private sector, as there is currently no legislative framework for whistleblowers, other than in the banking and insurance sectors. This legislation and the existing rules in the public sector will have to be assessed against the minimum standards of the Directive.
Companies or organizations that do not yet have a procedure for whistleblowers will have to check whether these regulations apply and, if necessary, provide for specific procedures. In principle, this should also be done by 17 December 2021, but Member States may decide that the obligation should only apply to companies in the private sector with 50 to 249 employees as from 17 December 2023.
Companies or organizations that already have procedures for whistleblowers (e.g. because they are already covered by existing regulations or belong to an international group that requires such procedures globally) will have to review their existing procedures in the light of the new legislation.