The new EU Whistleblower Directive: envisaged protection, data processing and the Belgian law perspective
Recognizing the key role of persons acting as “whistleblowers” in exposing breaches of Union law and safeguarding the welfare of society, the EU adopted the Whistleblower Directive (Directive) in December 2019 to guarantee an EU-wide minimum standard for the protection of those persons. As the deadline for Member States to implement the Directive is approaching (17 December 2021), it is useful to recall the key elements of the Directive and the interaction between whistleblowing and data protection. We will also analyze the Belgian prospects for the transposition of the Directive.
1. General overview of the Directive
The Directive aims at establishing effective, confidential and secure reporting channels and ensuring that persons reporting breaches of Union law (“whistleblowers”) are effectively protected. Therefore, it lays down common minimum standards that should provide a high level of protection of whistleblowers in the areas of (i) financial services, product safety, transport safety, protection of the environment, food safety, etc.; (ii) breaches affecting the financial interests of the Union and (iii) breaches relating to the internal market, such as competition and state aid rules.
Who are whistleblowers under the Directive? These are persons who work in the private or public sector and who acquired information on a breach of the law in the context of a work-related activity, i.e. all workers in a professional context (employees, self-employed workers, volunteers, unpaid trainees, shareholders and members of supervisory bodies; persons working under the supervision and direction of contractors, subcontractors and suppliers; ex-workers and future workers who acquired relevant information during the recruitment process or pre-contractual negotiations).
The Directive establishes three systems for reporting a breach of law:
- Internal reporting channels – the establishment of an internal reporting system is required for all private legal entities employing at least 50 workers and all public legal entities, whereas Member States may exempt public legal entities with fewer than 50 employees or municipalities with fewer than 10.000 inhabitants from this obligation. In each case, the procedures for internal reporting and for follow-up need to be of such a nature that the channels for receiving reports operate in a secure manner and protect the confidentiality of the identity of the whistleblower and any third party mentioned in the report. Receipt of the report must be acknowledged and feedback provided within a reasonable timeframe.
- External reporting channels – Member States should designate the authorities competent to receive reports through independent and autonomous external reporting channels, acknowledge the receipt and provide feedback within a reasonable timeframe.
- Public disclosure – a whistleblower can publicly disclose relevant information and be protected under the Directive only when the breach was reported internally or externally and no appropriate action was taken in a specified timeframe, or when the whistleblower has reasonable grounds to believe that the breach constitutes an imminent or manifest danger to the public interest or, in case of external reporting, if there is a risk of retaliation or a low prospect of the breach being addressed effectively.
What protection is envisaged for whistleblowers? According to Article 6 of the Directive, a whistleblower qualifies for the protection if he/she (i) has reasonable grounds to believe that the information regarding a breach was true at the time of reporting and that such information is covered by the Directive and (ii) he/she has reported a breach either internally or externally or has made a public disclosure.
If the whistleblower qualifies for the protection, the confidentiality of his/her identity (but also that of reported persons) will be guaranteed. Member States will also have to take the necessary measures to prohibit any form of retaliation against the whistleblower, including suspension, lay-off, dismissal, withholding of promotion, withholding of training, discrimination, etc. Since it may be very difficult for the whistleblower to prove that a change in his/her working status or conditions was the direct result of reporting a breach of law, the Directive shifts the burden of proof onto the entity that has taken a measure (Employer). Therefore, the Employer has to provide proof that the whistleblower’s change in status is not connected to the whistleblower’s report. In addition, Member States should ensure that the whistleblower has access to judicial means, training and counseling regarding protection against retaliation.
It is noteworthy that the approach taken in the Directive differs from the concept developed by the European Court of Human Rights (ECtHR)[1]. Namely, the ECtHR has already sought to strike a balance between the whistleblower’s right to freedom of expression on the one hand, and the right to reputation of the reported person on the other. In its judgments, the Court has not always been in favor of whistleblowers, i.e. it stressed that the person who is the subject of the whistleblowing is exposed to a prejudice resulting in damage to his/her reputation, which may sometimes outweigh the legitimate interest of the whistleblower[2]. It will be interesting to see if the ECtHR will align its case law with the Directive in order to ensure the same level of protection in Europe.
2. Interaction between “whistleblowing” and data protection
2.1. Protection of personal data of the whistleblower
As mentioned, the confidentiality of the whistleblower is guaranteed, unless explicit consent is given, and only staff authorized to manage the reporting channel may know the identity of the whistleblower. It is interesting to note that the Directive does not specify whether private or public entities and competent authorities need to accept and follow up on anonymous reports of breaches – it is up to Member States to make a decision.
All personal data of the whistleblower and reported persons have to be handled in accordance with the GDPR. This means, among other things, that the reporting channels must function in such a way that they process only necessary data, and that the whistleblower and reported persons are informed of how the reporting channel works, what the possible consequences are, and their rights under the GDPR. Furthermore, pursuant to Article 17, data which are clearly not necessary for any alert may not be collected or must be deleted without delay.
Given the importance of data protection in the whistleblowing procedure and the potentially serious consequences that improper handling of data can cause, the European Data Protection Supervisor (EDPS) issued Guidelines on processing personal information within a whistleblowing procedure. Even though these Guidelines are addressed to the EU institutions, bodies and agencies to help them comply with Regulation 2018/1725 (on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data), they can be useful to all entities that need to establish a whistleblowing mechanism. The EDPS’s Guidelines contain a list of recommendations that includes implementing defined reporting channels and clearly specifying the purpose; ensuring confidentiality of the received information and protecting the identity; applying the principle of data minimization; defining proportionate conservation periods for the personal information processed within the scope of the whistleblowing procedure, etc.
2.2. (Violation of) data protection as a matter forming the object of a “whistleblowing” notification
Another aspect of the interplay between whistleblowing and data protection is reflected in the possibility for the whistleblower to report a breach in the area of privacy and personal data, provided for in Article 2(1)(a)(x) of the Directive.
There is little doubt that the Directive will therefore increase the detection and prevention of data protection breaches and have a significant positive impact in this area.
3. Overview of the Belgian legislation and prospects for transposition of the Directive
While many Member States[3] have already granted legal protection to whistleblowers, Belgium is on the verge of a legal upheaval since no general rules have been established in Belgian law. There are currently two Belgian texts, and therefore two specific sectors, that protect whistleblowers in Belgium, namely:
- The public sector, which is subject to the Law of 15 September 2013 on the whistleblowing of a suspected breach of integrity within a federal administrative authority by a member of its staff; and
- The financial sector, which is subject to the Law of 31 July 2017 establishing an obligation for the Financial Services and Markets Authority (“FSMA”) to provide for whistleblowing procedures and a whistleblower protection system.
The deadline for the transposition of the Directive is approaching and will imply that the regime of facilitation and protection of whistleblower’s reporting will be enlarged to all regions and communities, and to all sectors, public or private. Belgium will furthermore have to designate a Belgian authority competent for receiving alerts. Since the Directive provides for minimum standards, the Belgian legislator will be free to provide for more extensive protection, provided that it complies with the regime set up at European level. As mentioned, the Belgian legislator may choose to exclude certain companies and municipalities from the obligation to establish an internal mechanism for whistleblowing, as well as to provide private legal entities employing 50-249 persons with more time to establish this mechanism (by 17 December 2023 at the latest).
A Bill[4] to provide legal status and protection for whistleblowers was tabled on 24 June 2020 and is under discussion in the Belgian Parliament. However, many of the minimum requirements of the Directive are still missing from the current version of the Belgian Bill, such as the obligation to establish effective, proportionate and dissuasive penalties for those who hinder reporting or retaliate against reporters, or the duty of confidentiality incumbent on the national authorities competent to receive the report.
In September 2020, a call for tenders was published by the FPS Economy. The objective of the procurement is to assist the federal government in the transposition of the Directive in Belgium, by means of a preliminary study and the preparation of a Bill. The study was entitled “Study on the obligations of the federal government under the EU Directive 2019/1937 and transposition into Belgian law”. Under this procurement contract, the final report was due on 30 April 2021. It can therefore be reasonably assumed that a new Bill will soon be submitted.
4. Conclusion
The Directive is of great importance for almost all entities in the European Union, since it covers both private and public entities and imposes significant obligations on them. Some questions in that regard have already been raised in practice, e.g. what compliance challenges will franchise companies in the EU face? These companies should put in place user-friendly reporting channels, also called whistleblower hotlines (e.g. mobile apps), that secure the privacy of the report, protect whistleblowers from potential retaliation and keep management aware of potential concerns.
As mentioned at the beginning of this note, the Directive provides only the minimum standards for protection of whistleblowers and calls on Member States to secure stronger protection by, for instance, widening the scope of application beyond the areas covered by the Directive, setting up effective and proportionate penalties, etc. Some countries decided to use this possibility, such as Germany, whose draft Whistleblower Protection Act (Hinweisgeberschutzgesetz) provides for a whistleblower protection regime that applies to both breaches of EU law and infringements of German law in many areas.
As for Belgium, it will have to make considerable additional efforts by the end of this year to provide whistleblowers with a protective and effective regime that accurately reflects the Directive or even enhances this protection.
[1] For more information please see: https://strasbourgobservers.com/2018/10/22/comparing-the-proposed-eu-directive-on-protection-of-whistleblowers-with-the-principles-of-the-european-court-of-human-rights/
[2] ECHR, Catalan c. Roumanie, 9 January 2018, § 57, accessible here https://globalfreedomofexpression.columbia.edu/wp-content/uploads/2018/01/AFFAIRE-CATALAN-c.-ROUMANIE.pdf.
[3] For instance, France, Hungary, Ireland, the Netherlands, Malta, Lithuania, Sweden, Italy, Slovakia.
[4] Accessible here: https://www.dekamer.be/FLWB/PDF/55/1380/55K1380001.pdf.