On 16 April 2019, the European Parliament adopted a new Directive to protect Whistleblowers.

Brief chronology of the legislation

On 23 April 2018, the European Commission proposed the Directive on the Protection of Persons Reporting on Breaches of European Law (“the Directive”). In the FAQ document produced alongside the proposal, the Commission explicitly referred to scandals such as that of Cambridge Analytica and the LuxLeaks which had been uncovered by whistleblowers as highlighting the reason for a need for better protection.

On  16 April 2019, following unsuccessful attempts to water down the legislation, the proposal was adopted by the European Parliament and runs to some 112 recitals and 28 articles.

Essential components of the Directive

Who is protected: The Directive protects not only employees, but also protects trainees, volunteers, and self-employed workers.

What is protected: The Directive specifically protects disclosures relating to ten key areas including fraud / money laundering, tax evasion and data breaches provided that: (1) The disclosure was made in good faith; and (2) The whistleblower had reasonable grounds to believe the information was true at the time of the disclosure.

How are they protected: The Directive forbids retaliation in the form of suspension, demotion or dismissal and any other form of intimidation. The Directive further mandates that member states must provide whistleblowers access to comprehensive independent information on both whistleblowing procedure and remedy. If legal proceedings occur against someone who has blown the whistle in one of the ten protected areas, then member states are also obliged to provide legal aid as well as financial and psychological support to the whistleblower.

Reporting Process: There is a three-tier reporting system put in place.

Tier One: The Directive mandates that companies (both private and public) with 50 employees or more set up an internal reporting system. Whistleblowers are encouraged in the Directive to use this method and it is, of course, intended to be confidential and dealt with within 3 months.

Tier Two: National Authorities are also required to establish independent external reporting channels. Reports to this channel are to be dealt with within 3 months (or 6 in “duly justified” cases)

Tier Three: Whistleblowers are also permitted to report publicly, but only in cases of imminent danger to public interest, because of a risk of retaliation or where no appropriate action was taken in response to the initial report at either tier one or two.

Comparison between Directive and Public Interest Disclosure Act 1998 (PIDA 1998)

As was noted by the Commission in 2018, the UK already had one of the most advanced whistleblowing protection systems in the EU through PIDA 1998 (which inserted extensive whistleblowing protections into the Employment Rights Act 1996 (“ERA 1996”).

The two fundamental additions provided by the Directive are that:

1. PIDA 1998 does not require employers to have an internal whistleblowing policy. As can be seen above, the Directive will impose such an obligation on companies with more than 50 employees.

2. The Directive directly covers breaches of EU law (although arguably such was covered under “any legal obligation” s. 43B ERA 1996)

12KBW have produced a quick comparison sheet (see below) to show what is protected under each piece of legislation. In essence, the Directive will serve to reinforce an already comprehensive package of protections already in existence in the UK.

Reactions to the Directive

Much was made during the passage of the Directive as to whether it should be mandatory for employees to have to report a matter internally before going to the press in order to benefit from protection under the Directive. For example, in the LuxLeaks scandal of 2014, two whistleblowers directly reported to the media on the revelations. They were subsequently prosecuted, convicted, and received suspended prison sentences and fines. Had the Directive been in force at the time of their disclosures to the press, these individuals would still not have enjoyed the protection of the Directive.

In the event, the European Parliament has adopted a halfway house whereby whistleblowers have the option of reporting internally (which is encouraged) or to an external agency as a first course of action, and if nothing is done within a longstop 3/6 months, they will be able to report breaches to the media, unless it falls within one of the third tier exceptions as listed above.

Pragmatically, the Directive adds very little to the scheme currently in operation in the UK, as these protections are already fully enshrined in the ERA 1996. In fact, on close inspection, the disclosures that would amount to qualifying disclosures under the Directive are more limited than under the ERA 1996. However, it is to be hoped that the UK will take this opportunity to expand the protections afforded to whistleblowers to be all encompassing of our EU obligations as will doubtless form part of any trade deal formed with the continent following Brexit.

Henry King


12KBW Quick Comparison Sheet

Protected under PIDA 1998 Protected under the Directive
Qualifying disclosures under s.43B ERA 1996 tends to show one or more of the following:

(a) that a criminal offence has been committed, is being committed or is likely to be committed,

(b) that a person has failed, is failing or is likely to fail to comply with any legal obligation to which he is subject,

(c) that a miscarriage of justice has occurred, is occurring or is likely to occur,

(d) that the health or safety of any individual has been, is being or is likely to be endangered,

(e) that the environment has been, is being or is likely to be damaged, or

(f) that information tending to show any matter falling within any one of the preceding paragraphs has been, is being or is likely to be deliberately concealed.

Article 2(a):

(i) public procurement;

(ii) financial services, products and markets and prevention of money laundering and terrorist financing;

(iii) product safety;

(iv) transport safety;

(v) protection of the environment;

(vi) radiation protection and nuclear safety;

(vii) food and feed safety, animal health and welfare;

(viii) public health;

(ix) consumer protection;

(x) protection of privacy and personal data, and security of network and information systems.

Article 2.2: This Directive is without prejudice to the possibility for Member States to extend protection under national law as regards areas or acts not covered by paragraph 1.