The EU Whistleblower Directive - a View from 15,000 Feet

In 2019, the European Union Council of Ministers adopted what would become known as the EU Whistleblower Directive, or commonly called the WB Directive.  The Directive was put in place specifically to protect whistleblowers from retaliation and encourage the reporting of violations of Union law by driving common standards.  The law is now fully in effect, and we are in frequent discussions with our clients regarding their use of our systems and their compliance with the WB Directive.  So not to bore you with legalese and the nuances (I’ll leave that to your more than capable GC’s!), I’d like to touch on a couple areas that you need to make sure are buttoned down, and why.

First, are you impacted?

There are a couple basic tests, such as if you have more than 250 employees in 2021 and if you will have more than 50 employees in 2023.  If you are under 250 now, but over 50, you have a little more time to become compliant.  If you’re already over 250 and are not sure if you are compliant or know you need to be, ETHIX360 can quickly do a no-cost assessment to help you put the systems and controls in place to become compliant.  

But even these counts are not especially well-defined, and therein lies some confusion.  Each member state will now likely codify the WB Directive into law to have cross-border consistency.  Some, in fact, already have even more stringent legislation in place.  Another issue to understand is the definition of “employee,” which the law defines simply as a work-based relationship.  This means it can be interpreted to include not just full and part time employees, but also temps, self employed gig workers, contractors, sub-contractors, trainees,  and even paid or unpaid interns and volunteers.

If you’re impacted, what should you do?

Overall, what the WB Directive instructs the covered entity to do is to create a “Whistleblower Scheme.” The Directive lays out the guidelines that are to be in the WB Scheme.  There’s an internal part and an external part to the requirements.  

Let’s touch on the internal first.  Internally, do you have policies in place that comply with the intent of the WB Directive and GDPR (General Data Privacy Requirements)?  A quick policy audit is in order if you are not sure.  That policy audit will confirm the policies that are appropriate and identify any gaps.  Typically, a part of that process is to author draft policies that you can then tailor and adopt quickly.  

The second part of the WB Scheme includes the components (generally enabling technologies) that allow the organization to be compliant.  Interestingly, Directive Premise 33 instructs that appropriate reporting systems must be in place.  These can include a traditional 3rd party hotline, but even the Directive itself notes that use of traditional call center hotlines are in rapid decline. Instead, companies should anticipate greater use of web portals as well as texting and 3rd party apps, all of which require enabling technology.  This puts companies in the position to make a “build or buy” decision. The cost and security capabilities related to cloud-based solutions make them a more affordable, sustainable, and reliable path to meet this Directive.

What if you’re a U.S. corporation with employees in the EU?

This is probably the most asked question we get.  U.S. companies operating in any EU Member States should begin to take steps now to comply with this EU Whistleblower Directive, taking into consideration several open questions that will be resolved as EU Member States incorporate the Directive into their own national legislation. These companies must also prepare for the possibility that some states may offer greater protections to whistleblowers (for example, the Netherlands law already calls for compliance with companies with only 50 employees, far below the 2021 threshold in the WB Directive). U.S. companies with operations in the EU should therefore closely monitor state implementations in order to evaluate their existing channels, procedures, and policies for compliance.

Only a few short years ago, almost no EU member states had legislation protecting whistleblowers.  This Directive attempts to create a healthy, safe, and consistent environment to allow and even encourage whistleblowers to come forward without fear of retaliation - basically the core premise of all hotline and whistleblower solutions.  Checking the box is one thing but implementing a program or scheme that is effective is quite another.  If you want to avoid the many pitfalls in implementing this type of technology, we’d suggest a quick read of “The Seven Deadly Sins of a Corporate Hotline Program.”

The ETHIX360 blog brings you weekly updates on all things human resources and compliance.

MEET THE AUTHOR

J Rollins is the co-founder and CEO of ETHIX360. J is a well known leader and innovator who has served on senior leadership teams ranging in responsibility from Chief Revenue Officer, Chief Marketing Officer, SVP of Product Strategy and Chief Operating Officer.

ABOUT ETHIX360

RELATED BLOGS