In April 2018, the European Union launched a proposal to create a Directive standardizing whistleblower protection rules and clarifying the proper protection to be given to those reporting a company's misconduct.
Since then, the European Parliament, followed by the Council of the European Union, adopted Directive 1937/2019, which came into force on Dec 16, 2019. Member States have been granted until December 2021 to incorporate these rules into their national laws.
According to this Directive, companies with more than fifty (50) employees or more than €10 million in annual sales must create internal communication channels to receive allegations from employees or third parties. Companies with two hundred and fifty (250) or more employees must comply with this obligation within two years of their country adopting the Directive. In contrast, companies with fifty (50) to two hundred and fifty (250) employees have an additional two-year implementation period. There is no obligation to have channels for misconduct reports for companies with less than fifty (50) employees.
The whistleblower must be allowed to report any misconduct in writing via an online system, by e-mail, correspondence, orally, by a dedicated telephone line or voicemail. At the whistleblower's discretion, companies are even obliged to offer a personal meeting if requested. On the other hand, companies must guarantee the confidentiality of the whistleblower's identity. In some legislation, the French anti-corruption law Sapin II, for example, a penalty is levied if the whistleblower's identity is compromised.
This regulation applies to company employees, job seekers, former employees, the whistleblower's supporters, and even journalists. All these people enjoy legal protection from dismissal, defamation, and any other form of discrimination or retaliation. However, this protection only applies to reports of misconduct or violation of European Union law, such as fraud in bidding processes, tax fraud, money laundering, personal data protection, consumer protection, public procurement violations, road security, product safety, environmental protection, and public health. Despite this limitation introduced by the Directive, the European Union advocates that protection be extended to any allegation related to any Member State's domestic law violation.
Although the whistleblower is encouraged to initially lodge the complaint internally to their company or even to the competent authority, they may publicly denounce the situation and enjoy the Directive's protection incorporated into the local legislation if no action is forthcoming. On the other hand, the Directive leaves the company free to choose which functionary will be responsible for receiving and investigating the complaint. Responsibility may fall to a compliance officer, an HR manager, a legal manager, the CFO, a board member, or even someone external hired for that purpose.
Once a whistleblower lodges a misconduct allegation, the company must confirm its receipt to the whistleblower, if identified, within seven (7) days. It is also the whistleblower's right to receive, within three (3) months, the internal investigation's status and its results, regardless of whether they are an employee of the company or not. Simultaneously, the company must also inform the authority through the channels established for this purpose.
Every investigation must employ adequate security measures and access control to defend all the personal data involved and ensure the preservation of any evidence that may be used later, if necessary.
Any misconduct investigation must follow the rules introduced by the law protecting personal data in the European Union (GDPR). All personal data – whether of the whistleblower, the accused or any other participants – must be handled accordingly.
Finally, the Directive establishes the imposition of penalties on those who (i) hinder or attempt to hinder the whistleblower, (ii) retaliate against the whistleblower, (iii) perpetrate vexing actions against the whistleblower, and (iv) violate the duty to maintain the confidentiality of the whistleblower's identity.