The deadline for EU states to implement Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law lapses this December. In the case of entities from the private sector employing from 50 up to 249 employees, the deadline for the implementation has been extended until December 2023. There is still some time to prepare your company (e.g. to implement some procedures, appoint dedicated persons/team) for obligations coming from the Directive, but please note that above are final deadlines. Each EU state may perform the implementation earlier, so it’s worth to check now what is happening in your country re: this Directive.
We may assume that some EU states (including Poland) may extend the scope of implementation by breaches of its own national law (the Directive concerns breaches of the EU law). In Poland, we already have regulations on whistleblowers in the scope concerning e.g. the AML regulation. Notwithstanding this fact, a team for implementing the above-mentioned Directive has been appointed.
The Directive concerns disclosing by (future, former or present) members of an organisation of an illegal or unethical practice being under their employers’ supervision to natural persons or entities which are able to take up effective measures. The above means that the scope of entities which may submit a report is "broad".
In fact, there will be 3 channels to submit a report on a breach, i.e.:
- internal (within the organisation) – in principle, it should be the first choice for whistleblower,
- external (to a competent authority), or
- within public disclosure (if two other channels fail).
With certain exceptions, the Directive orders that i.a. entities of the private sector employing at least 50 employees should establish internal channels and procedures for the needs of submitting reports. Each EU state may introduce stricter rules and lower the limit to e.g. employers employing at least 25 employees or less.
The channels of submitting reports may be ensured externally by a “trusted&independent” third person (e.g. an advocate your organization cooperetes with) or handled internally by a person / team appointed to that purpose. Keeping high level confidentiality has significant value here! Moreover, entities in the private and public sectors as well as competent authorities will also be obliged to maintain the register of reports and store them no longer than necessary and proportional.
The Directive rightly attaches a great importance to the issue of supportive measures for whistleblowers and their protection, including ones against retaliatory actions and disclosure of their identity (obligation of confidentiality and issue of penalties). The protection will cover the whistleblower who has “reasonable grounds” to think that the information contained in their report on a breach is true at submitting the report. The protection should exclude persons submitting a report in bad faith, frivolous complaints or those constituting abuse.
The issue of accepting “anonymous reports” within both internal and external channels will be left to the discretion of the EU states. As a side note, the anonymity of reports (in certain states it is allowed, in others it is not) is one of the most controversial problems. In certain cases, “unnamed whistleblowers” may feel unpunished in spreading fake news about others, but, on the other hand, the anonymity may ensure sense of safety and protection. The problem of contacting an anonymous whistleblower may be a separate problem e.g. in the case of reporting by hardcopy mail or using an unlisted phone number.