Whistleblowing is being redefined . The Legislative Decree implementing the EU Directive 2019/1937 “on the protection of persons who report Union law violations” (the “Directive“) is almost ready. It will bring significant changes compared to the rules that came into force in 2012 (Law 6 November 2012, no. 190) in the public sector and at the end of 2017 (Law 30 November 2017, no. 179) in the private sector.
On 23 October 2019, the European Parliament and the Council adopted the Directive laying down “common minimum standards” to ensure adequate protection of whistleblowers in the Member States’ legal systems. The aim is to give consistency to heterogeneous or fragmented national regulations and enhance the value of this tool.
On 23 April 2021, Law no. 53/2021 (the European Delegation Law) was published in the Official Gazette. This Law consists of 29 articles containing delegated provisions for transposing European directives and adapting national legislation to certain EU regulations.
With this Law, the Parliament delegated the Government to adopt a legislative decree to implement the Directive. In art. 23 of the delegated law, it is stated that the Government, in the exercise of the delegation, must observe the following principles and directive criteria:
- under the Directive, amend the existing legislation on the protection of those reporting violations of which they have become aware within a public or private working framework and those listed in Article 4, paragraph 4 of the same Directive;
- ensure coordination with existing provisions, and a high level of protection and safeguard of those referred to in letter a), by carrying out the necessary repeals and adopting the appropriate transitional provisions;
- exercise the option provided for in Art. 25 paragraph 1 of the Directive, which introduces or maintains provisions more favourable to the rights of those reporting and those listed in the Directive, to ensure the maximum level of protection and safeguard.
This rule will affect national regulations. The impact of the new European regulation seems to concern its extension more than its content. In the matters covered by the Directive, the protection of whistleblowers does not differentiate between the public and private sectors, as in Law no. 179/2017.
Having said this, let us go into detail on the main innovations introduced by the Directive.
Personal scope of application
The Directive better defines the reporting person, i.e. the individual who reports or discloses information on violations acquired in their working framework.
This includes (i) self-employed persons working for a public or private sector entity, (ii) shareholders and members of the administrative, management or supervisory body of a company, including non-executive members, volunteers and paid and unpaid trainees, and (iii) any person working under the supervision and direction of contractors, subcontractors and suppliers.
The protective measures may be applied to colleagues or relatives of whistleblowers where there is a risk of retaliation at work due to the report.
The personal scope of application is broader than under Italian Law and, therefore, the list of protected whistleblowers should be reviewed in the light of the new European rules.
Conditions for the protection of whistleblowers
Unlike the current Law 179/2017, for the application of the protections provided in favour of the reporting person, it will not be necessary for the reports to be based on unlawful conduct, relevant under Legislative Decree no. 231/2001 and based on precise and concordant facts.
It will be sufficient that the reporting person had, at the time of reporting, reasonable grounds to believe that the information reported was accurate and that the report or public disclosure was necessary to bring to light a violation of public interest falling within the scope of the Decree. The reasons underlying the whistleblower’s report are considered irrelevant to their protection.
The Directive requires the establishment of internal reporting channels before reporting through external channels (i.e., reporting to the authorities designated by the Member States and relevant authorities at a European level), “where the breach can be effectively dealt with internally and the reporting person considers that there is no risk of retaliation.”
Companies with more than 50 employees, regardless of the nature of their activities, and legal entities in the public sector, including those owned or controlled by them, must have internal reporting channels. The exemption of small and medium-sized enterprises from this requirement does not apply to companies falling within the AML/CFT framework scope.
In addition, following an appropriate risk assessment, Member States may require companies with a smaller number of employees to establish internal reporting channels in some cases.
For public disclosures of wrongdoing, the Directive provides that the protection of the reporting person is triggered only if one of the following conditions is met:
- they have previously reported the offence internally or externally without adequate follow-up within the prescribed time limits; or
- at the time of the report, they have reasonable grounds to believe that:
- the breach may constitute an imminent or clear danger to the protected public interest or there is a risk of irreversible damage, including to the physical safety of one or more persons; or
- in the case of an internal or external report, there would have been a risk of retaliation, or the report would not have provided sufficient guarantees of effectiveness according to the case circumstances.
The above-mentioned public disclosure (under certain conditions) is not reflected in Italian Law.
Protection of whistleblowers
According to the Directive, Member States must ensure that the reporting person’s identity is not disclosed, without their explicit consent, to anyone other than the authorised personnel responsible for receiving or following up reports. This is without prejudice to specific exceptions. The same applies to any other information from which the reporting person’s identity can be deduced directly or indirectly.
Under the Directive, Member States must take the necessary measures to prohibit any form of retaliation against a whistleblower, including dismissal, change of job, reduction of salary or modification of working hours and imposition of disciplinary sanctions.
Personal data processing
Data collection and processing shall be carried out under Regulation (EU) 2016/679 on the protection of personal data.
Personal data that is manifestly not useful for the processing of a specific report, according to the Directive, must not be collected or, if accidentally collected, must be deleted without delay.
According to the Directive, high sanctions should be applied to those who obstruct reporting persons. Sanctions should be imposed on those who publicly report or disclose information about violations that is knowingly false.
All that remains is to wait for the publication in the Official Gazette of the Legislative Decree transposing the Directive.
Other related insights: