Insights | September 15, 2020
EU’s new Whistleblower Protection Directive expected to have a number of implications for Finnish companies
With little more than a year to go until the national implementation of the new EU directive on the protection of persons who report breaches of EU law, this article summarizes what Finnish companies should consider in light of what we know about the new whistleblower protection to date.
Several matters relating to whistleblower protection still subject to national implementation
The new EU directive on the protection of persons who report breaches of EU law (WP Directive) entered into force in December 2019. EU Member States are required to implement the directive into their national laws and to comply with it by 17 December 2021. The WP Directive only sets out the common minimum standards for whistleblower protection. Therefore, the exact scope is subject to the national laws implementing the WP Directive.
In Finland, the Ministry of Justice has set up a national working group on the transposition of the WP Directive. The working group will assess, among other things, whether it is necessary to pass a new law relating to whistleblower protection and whether the national scope should be broader than the minimum standards set out in the WP Directive.
However, what we already know is that:
- Companies located in the EU with 50 or more employees will be required to implement an internal channel for reporting a wide range of compliance issues. Such companies must also ensure that reports received are diligently followed up, including the designation of an impartial person or department responsible for the follow-up, acknowledgement of the receipt of the report within seven days, and provision of feedback to the whistleblower within three months from the acknowledgement of the receipt.
- The material scope of the WP Directive is limited to specific areas of EU law and covers breaches relating to e.g. the following areas: public procurement; financial services; money laundering and terrorist financing; product and transport safety; consumer protection; protection of the environment; protection of privacy and personal data; security of network and information systems; competition and state aid rules; and corporate tax. EU employment law is not covered.
- In order to comply with the requirements set out in the WP Directive for the implementation of an internal reporting channel, the channel has to be designed, established and operated in a secure manner that ensures the completeness, integrity and confidentiality of the reported information. The channel must also enable appropriate record keeping of the reports received.
- Whistleblowers are free to select whether to report a concern internally or directly externally to the competent supervisory authority. If no appropriate action has been taken in response to the report within the time limit of three months, or if the whistleblower has reason to believe that the reported concern is in the public interest, they can also make a public disclosure (e.g. by informing the media).
- All companies, irrespective of the number of employees, are required to ensure that whistleblowers are protected against any form of retaliation, including termination of employment, suspension, negative impact on promotions, reduction in salary, transfer of duties, change in working hours, negative performance assessment, harassment, discrimination or unfair treatment.
- To qualify for protection, whistleblowers must have reasonable grounds to believe that the matters reported by them are true.
- Protection is granted not only to employees who report work-related concerns but also to former employees, job applicants, “facilitators” or individuals who assist the whistleblower in the reporting process and third parties connected with the whistleblower who could suffer retaliation in a work-related context (such as colleagues of the whistleblower).
- According to the WP Directive, there must be “effective, proportionate, and dissuasive penalties” for non-compliance. However, the severity of such sanctions may vary as this is a matter to be governed by the Member States at national level.
It is also worth noting that, in the event of e.g. any court proceedings between a company and a whistleblower relating to detriment suffered by the whistleblower, there is a presumption that the detriment occurred in retaliation for the report. In other words, the natural or legal person taking a detrimental measure has the burden of proof to show that the measure (such as termination of employment or withholding promotion) is based on justified grounds.
Deadline for compliance depends on the size of the company
In summary, Finnish companies with 50 or more employees must be prepared to implement an internal reporting channel and, if such channel already exists, to ensure that it meets the confidentiality and other requirements set out in the WP Directive. Companies also need to ensure that they are capable of following up reports received appropriately and in a timely manner. Details and sanctions are still subject to laws implementing the WP Directive at national level. Companies with 250 or more employees are expected to comply by 17 December 2021. However, companies with between 50 and 249 employees have a further two years as the new rules will apply to them only from 17 December 2023 onwards.
All things considered, the expectation is that the WP Directive will have a positive impact in generally encouraging a speak-up culture. However, it is also likely to have a number of implications for e.g. employment and data protection matters. We will continue to closely monitor developments at national level.
We are happy to assist should you have any questions relating to the WP directive and/or your company’s readiness.