By 17 December 2021, EU Member States were required to transpose the EU Whistleblower Protection Directive into their national law. But what does this mean for multinational industries and organizations?
The Directive’s purpose is to provide more robust protection for people living and working within EU countries who report misconduct, unethical behavior, or breaches of the law. Wherever an organization is located, employees of that organization based within the EU must now be provided with clear reporting channels and be protected from retaliation if they make a report.
This summary covers the updates presented in our monthly round-up webinar. It focuses on the Finnish transposition of the EU Directive and the pressing questions directed at our experts.
Speakers included Jan Stappers, EU Whistleblowing Specialist at NAVEX, and Laila Sivonen, Principal Associate, Roschier, Attorneys Ltd.
Since the previous round-up session, there have been no additional transpositions within the EU. However, Italy, Spain and Bulgaria are taking steps to present the law’s final draft to their highest institutions. We expect to see developments very soon within these three member states.
The Finnish transposition – status and updates
The draft government bill for the transposition of the EU Directive was initially presented in 2021. The Finnish Compliance Act community had a significant amount of feedback and practical considerations to raise from the initial draft, which delayed the issue of the government bill while the draft content was reviewed.
As of September 2022, the government bill has been issued, although it is subject to change while additional committees review it. Even so, the act’s implementation is not far from coming into force.
There are a few differences in how the Finnish transposition adheres to the EU Whistleblower Protection Directive’s material scope.
In Finland, the material scope of the transposition will cover the minimum standards laid out by the Directive and the corresponding areas of national law. For example, a whistleblower will not be required to determine whether the misconduct occurring is based on national or EU law, as legislators wished to cover both.
Another difference in the Finnish transposition involves the permission of group-level reporting across a common reporting channel. In Finland, channels for shared reporting across different company groups/subsidiaries will be permitted, but this will be limited only to companies with 50-249 employees. This is the same approach Sweden and Denmark adopted in their transpositions of the Directives at the time of writing.
How does this differ from the EU Whistleblower Protection Directive?
As stated by the European Commission, every “legal entity” within the EU – whether part of a group or not – falling within the employee number threshold must have its own reporting channel. That said, a channel does not have to be an internal resource. A growing number of subsidiaries operating as individual legal entities leverage third-party experts to manage their whistleblowing channels in-house.
Ultimately, there are many options for organizations to address these requirements effectively as long the way the whistleblowing channels are managed considers the requirements of the EU Directive, national law and GDPR. It depends on the characteristics of each entity and what options suit their structure best.
How specific should the information on different stages of the whistleblowing procedure be?
This question focuses on what happens when an organization has already received a whistleblowing report. From the moment a report is submitted, the organization is now under a legal obligation to update the whistleblower on the progress of the investigation. In line with the EU Whistleblower Protection Directive’s requirements, the time limit for this is three months.
To quote the Directive itself, the information provided to the whistleblower should be specific, detailing actions “as far as legally possible and in the most comprehensive way possible.” Feedback should cover the internal investigation and findings if any are discovered; actions contemplated or taken, with reasoning; any referrals to a competent authority; and closure of the procedure. Communication should be viewed as a means to support whistleblowers in their actions, involving them in the resolution process and ensuring they feel heard. This requires that they are fully informed of what steps have been taken in response to their concerns.
There can sometimes be difficulties around what information can be provided to the whistleblower. This is especially relevant if a report is submitted about another person. Though it is essential to make sure the whistleblower knows what is happening in the process of the investigation, it is also necessary to consider the rights of the person(s) reported of misconduct and the whistleblower about GDPR and their data being handled – particularly if a whistleblower wishes to remain anonymous.
What challenges have Finnish legislators faced during the process of transposition?
There are some complications around what issues can be reported via standard whistleblowing channels in Finland. Employment law issues – for example, workplace harassment – sit outside the scope of the Directive and Finland’s national law.
The problems that arise in this respect, especially from an employment law perspective, are that the employer’s obligations to investigate employment law-related cases are broader than the ones relating to misconduct within the Directive. This raises the question of whether employers should allow reporting of misconduct relating to employment law through the same channels as issues within the Directive’s or the national law’s scope.
For example, suppose a harassment case is reported anonymously. In that case, it can be difficult for the employer to work out how to proceed with an investigation if they are unable to get further information from the whistleblower. Under Finnish law, employers should seek additional information or details to proceed with the investigation. On the other hand, within the EU Directive, if an employer cannot get further information from an anonymous whistleblower to advance with the case, it can be considered grounds to close the investigation.
Should each entity offering a whistleblowing channel perform a Data Protection Impact Assessment (DPIA)? If so, how often?
The Finnish Government Bill specifically mentions DPIA to prevent data protection risks. Furthermore, the Data Protection Ombudsman in Finland has issued a list of types of data being processed where a DPIA will be required. Whistleblowing is one of the items on this list, so when establishing a channel in a Finnish company, a DPIA should be performed.
However, this is not a final action when commencing internal investigations based on reports received through a reporting channel. Reports should be analyzed on a case-by-case basis to decide if a new DPIA should be performed about that specific inquiry. This is because these types of investigations generally involve more intrusive actions or tools than the processes related to receiving a whistleblowing channel report. Furthermore, best practices and rules may vary if it is a cross-border matter, so it is crucial to consider DPIA requirements if a report falls into this category.
For more information about the EU Whistleblower Protection Directive and precisely what requirements EU members must meet to comply, download our seven top tips guide: