Skip to content

EU Whistleblowing Directive – the most comprehensive protection?

Table of contents:


The computer on the screen of which the graphWhat is the Directive of the EU on whistleblowers protection and how it changes the way of doing business — not so many people have heard about it. However, most of us know something about at least one of the latest top cases of fraud: LuxLeaks, Operation Car Wash, Panama Papers, and the loudest scandal with Cambridge Analytica.

They come from different parts of the world, but still share one factor: whistleblowers started it all.

The purpose of the EU Directive is defined clearly: to ensure the freedom of speech and protect the EU's financial interests. A lot of positive amendments to existing laws were made in pursuit of the latter, yet there are some tricky moments that need to be discussed. Spoiler alert: for big businesses in the EU, it is a serious reason to step it up.


Step 1: Start from the definition


Indeed, the definition of whistleblower existed long before 2019 — but less than in half of the EU member countries. Now the whistleblower can be determined as such in legal proceedings and gets an individual approach depending on the case he reported. A whistleblower is any person who reports or discloses information obtained in a work-related context. The information should serve public or individual interest (protection of human rights) and prevent possible damage.

What is NEW: the broadest definition of whistleblower which currently exists. Not only full-time employees but volunteers, self-employed persons, candidates for employment, contractors, and many more can enjoy the protection of this Directive. 


Step 2: Grounds for reporting


The whistleblower should consider the information he reports or discloses true at the moment of submitting the report and is required to use internal channels first (established by the company). Two important clarifications here:

  • The information reported can be not true. The whistleblower has a right to make an honest mistake and still enjoy protection. The reputation of the accused person, in this case, can be significantly damaged and compensation is not provided.
  • The whistleblower can report directly to mass media (in case of an urgent threat to the public interest) or external channels, in case there are reasons to believe that internal channels do not work. Again, the employer loses a chance to avoid publicity and will not be compensated.

What is NEW: a so-called reversal of the burden of proof. Before this, the whistleblower had to prove that he suffered retaliation and provide evidence. Now this burden shifts to the accused person in case the whistleblower are right at first sight.


Step 3: channels and obligations


Two types of channels were introduced for implementation: internal and external. External channels should be created by State members, while internal channels are the responsibility of public and private entities. The current requirements for reporting channels are:

  • different types of channels available (hotline, online form, personal meeting)
  • strict confidentiality
  • obligatory follow-ups on cases with a final term (not longer than three months)
  • information about whistleblower hotlines should be easily accessible

What is NEW: both public and private entities should implement internal channels for whistleblower reports (with particular attention to the financial sector). Only non-financial small companies (up to 50 people) are exempt from this liability.


Step 4: Data protection and the right to protection/defence

The lock with blue circles around it

Every time you collect data, you should follow the principles of the General Data Protection Regulation (GDPR). All the people involved should be guaranteed protection from data leaks: the reporting person, the concerned person, and the third person mentioned in the report. Only authorized persons can have access to gathered information.

 A reporting person gets the right to protection, while the concerned can defend himself as soon as the investigation starts. The employer can collect all the evidence in his favour and should have full access to the files.

What is NEW: member states should ensure the opportunity to get legal advice and assistance for the whistleblower in financial need. Before this, whistleblowers had to cover all legal expenses themselves.


Step 5: Penalties and Compensation


All offences of concerned persons and false reports made by informants will be penalized in an obligatory way. However, we don't know the numbers yet: penalties will be defined by state members individually. It's already done in France and the UK, even though sanctions are mostly referred to confidentiality breaches.

 What we can know for sure: the European Parliament rejected the strategy of the US in giving rewards to whistleblowers. Whistleblowers should act with good reasons and have no financial interest — a contentious moment considering all the risks that the whistleblower takes.

What is NEW: in particular cases, the employer will be legally obliged to offer a whistleblower remedy chosen by the court. This means that now the employer can't offer compensation instead of reinstatement on a regular basis (because it may discourage other whistleblowers).


Step 6: Ouch


A man in a mask and a black hoodie stretched out his handWe finally came to the most tricky part of the EU Directive: trade secret and reputation protection. Only bad news for business owners here, since in the majority of cases the whistleblower will enjoy protection under the new Directive and win in the conflict of interests.

Talking about the trade secret: it is allowed to disclose the information containing the trade secret in a work-related context. If the information about the breach of the law couldn't be disclosed without trade secret revelation, whistleblowers are not responsible for the consequences.

As a result, poorly organized internal channels can result in significant, material losses for the company.

Another controversial point of the new Directive is the way the whistleblower can obtain the information. The whistleblower can reveal not only the information to which he has direct access but also emails of his coworkers, and pictures of facilities he usually doesn't have access to (criminal offence such as hacking or physical damage is still punished). Despite the illicit actions of the whistleblower, the court should consider the case individually and take into account all the circumstances.



As a final result, damage to reputation may be not reimbursed.

We've introduced only the main points of the Directive on the protection of persons reporting on breaches of Union law — it has many more details that you should be aware of as a whistleblower or business owner. The Directive is way stricter than all previous legislations in the field of whistleblowing.

Currently, it is the most comprehensive law on the protection of informants. The Directive can significantly influence the rate of corruption in the EU countries and prevent violation of human rights — the whole picture can be seen only after 2021 (when the Directive is fully implemented).