Legal provisions of COM(2024)269 - - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
| dossier | COM(2024)269 - . |
|---|---|
| document | COM(2024)269 |
| date | July 3, 2024 |
1. INTRODUCTION
1. Background
Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law1 (the ‘Directive’) is a crucial instrument of Union law. It sets minimum standards at EU level, aiming to guarantee a high level of balanced and effective protection for persons who report information on breaches of EU law in key policy areas2 where such breaches may cause harm to the public interest3. Persons who acquired such information in the context of their work-related activities and report about it (‘whistleblowers’) feed national and EU enforcement systems. This helps to prevent and address breaches of EU law. Providing whistleblowers with strong protection against retaliation is essential to encourage reporting and strengthen the effectiveness of EU law. Giving whistleblowers this protection is also key for safeguarding their freedom of expression, enshrined in Article 11 of the Charter of Fundamental Rights of the European Union.
The Directive requires Member States to ensure that: (i) whistleblowers have at their disposal effective channels to report breaches of EU rules confidentially, both internally (within an organisation) and externally (to a competent authority), (ii) whistleblowers’ reports are properly investigated and acted upon by the organisations and competent authorities; and that (iii) whistleblowers are protected from retaliation.
2. Objective and scope of the report
Under Article 26(1) of the Directive, Member States had to transpose the Directive into their national legal order by 17 December 2021. Article 27(1) of the Directive requires the Commission to submit to the European Parliament and the Council a report on its implementation and application.
Overall, there was a significant delay in the transposition of the Directive in the Member States (see below). Given the short time of application of the Directive and the absence of meaningful relevant information at the time of publication of this report, the report does not cover the application of the Directive.
This report is based on the national measures transposing the Directive, notified by the Member States to the Commission, and on external research commissioned by the Directorate General for Justice and Consumers. It assesses the measures notified by the Member States that had declared complete transposition by 17 December 2023.
The report assesses the compliance of the national measures with the Directive, i.e. whether the Directive’s provisions have been transposed completely and correctly, and highlights the main shortcomings identified. It focuses on the core provisions of the Directive, grouped in the following sections: material and personal scope; conditions for protection; reporting channels and procedures; and protection and support measures.
2. STATUS OF TRANSPOSITION
By the transposition deadline of the Directive (17 December 2021), only 3 Member States had adopted and notified complete transposition measures4. 8 Member States notified complete transposition in 20225 and 13 Member States in 20236.
To enforce the transposition of the Directive, in January 2022 the Commission opened infringement proceedings against 24 Member States for failing to transpose and notify complete transposition measures7. In March 2023, the Commission referred 6 Member States8 to the Court of Justice of the European Union (the ‘Court’) for failure to transpose the Directive and failure to notify transposition measures, asking the Court to impose financial sanctions.9 The Court has already delivered its judgment in one of these cases10. As of the date of publication of this report, further to the 5 cases still pending before the Court, infringement proceedings are ongoing for 6 Member States11.
Specifically for the obligation on private legal entities with 50-249 workers to set up internal reporting channels, the Directive provides a second transposition deadline, which expired on 17 December 2023. In January 2024, the Commission sent letters of formal notice to the 2 Member States12 that did not transpose this obligation by that deadline.
3. ASSESSMENT OF TRANSPOSITION MEASURES
1. Material and personal scope
1. Material scope
Articles 5(1) and 5(2) lay down the types of ‘breaches’ that can be reported. Article 2 lays down the material scope of the Directive. Article 3 lays down the Directive’s relationship with (i) specific rules on the reporting of breaches provided for in other EU acts and (ii) EU or national provisions on the protection of specific types of information and on criminal procedure. These provisions set out the subject matter of the reports and public disclosures covered by the Directive. Their correct transposition is key to ensuring the Directive is effective in achieving its aim of strengthening the enforcement of EU law in key policy areas.
Several Members States have restrictively transposed the definition of breaches under Article 5(1), in particular by omitting the breaches that defeat the object or the purpose of the rules falling within the material scope (i.e. the cases of abuse of law). This excludes the reporting of such cases in particular in the area of corporate tax law. Furthermore, several Member States have failed to transpose key elements of the definition of ‘information on breaches’ under Article 5(2), such as ‘reasonable suspicions’, breaches that are ‘very likely to occur’ or ‘attempts to conceal’ breaches, thus narrowing the scope of information that can be reported.
There is variation across Member States in the legal technique used to transpose the policy areas laid down in: (i) Article 2 and (ii) the EU acts listed in the Annex of the Directive. Most Member States have mirrored the areas of Article 2 into the transposition laws, including the acts referred to in the Annex, either by explicitly reproducing the acts or by cross-referring to the Annex. However, several Member States have failed to include in the material scope the legal acts added to the Annex, including the legal acts adopted after the entry into force of the Directive13.
Some Member States have incorrectly transposed the material scope since their laws do not list the areas of law laid down in Article 2, but merely cross-refer to the Directive as a whole, which does not provide sufficient legal certainty. In one Member State, the material scope covers reports on breaches in the areas of the Directive, provided they are made to protect the public interest.
Roughly half of the Member States have incorrectly transposed Article 2 in relation to the definition of breaches affecting the financial interests of the Union as referred to in Article 325 of the Treaty on the Functioning of the European Union (‘TFEU’) or of breaches relating to the internal market as referred to in Article 26(2) TFEU, because they did not include a clear reference to the EU rules applying in these areas.
A large majority of Member States extended the scope of their transposition laws to areas or acts not covered by the Directive14. A few Member States included in the material scope all breaches of EU law. Several extended the scope to breaches of national rules which do not implement EU law but pertain to the areas listed in the Directive. Roughly half of the Member States extended the scope to further specific areas of national law, such as corruption offences or (serious) criminal and/or administrative offences. A few Member States extended the scope of their transposition laws to specific areas such as labour law or occupational health and safety. Several Member States have included all (serious) breaches of national law that may harm the public interest.
According to Article 3(2), the Directive must not affect the responsibility of Member States to ensure national security or their power to protect their essential security interests. The Commission stresses that Member States should find an appropriate balance between: (i) the objective of the Directive, i.e. the effective enforcement of the rules falling within its scope (including rules governing mixed public procurement contracts involving defence or security aspects) and (ii) the protection of national security. The Commission also stresses that Article 3(3)(a) requires Member States to find an appropriate balance between: (i) the objective of the Directive and (ii) the protection of classified information from unauthorised access.
Non-conformity issues have been identified in about half of the Member States. Some fully exclude from the scope of the transposition laws information related to national security and/or classified information even when such information relates to the policy areas covered by the Directive. In a few cases¸ it is not clear whether reports on breaches of procurement rules concerning defence or security aspects covered by relevant EU legislation fall within the scope of the transposition laws. A few Member States have relied on Article 3(2) to exclude from the scope of the transposition laws whole categories of persons, such as defence, military or intelligence personnel.
The exemption of protection for reports covered by legal and medical professional privilege and by the secrecy of judicial deliberations (Articles 3(3)(b) and 3(3)(c)) has been incorrectly transposed in most Member States. In some of these Member States, the exemption for legal professional privilege has been unduly extended beyond the protection of confidentiality of communications between lawyers and their clients. Other transposition laws: (i) exempt reports covered in general by an obligation of professional secrecy or (ii) extend the exemption for the secrecy of judicial deliberations to cover all activities of judges or legal proceedings more generally.
2. Personal scope
The objective of Article 4 is to ensure that protection is granted to the broadest range of persons who have privileged access to information on breaches, by virtue of their work-related activities, and who may suffer retaliation if they report such information.
Article 4(1) contains an indicative list of categories of persons that fall under the Directive. A few Member States provided for an exhaustive list, while several Member States have failed to transpose some categories listed in Article 4(1), such as ‘paid and non-paid trainees’, ‘volunteers’, ‘contractors’ or ‘suppliers’. Most Member States have transposed the concepts of ‘workers’ and ‘self-employed persons’ without the references to Articles 45(1) and 49 TFEU, respectively, thus limiting these concepts to their definition under national law and undermining the uniform application of these autonomous concepts of EU law across the Member States.
Article 4(4) also provides protection from retaliation to other persons beyond the reporting persons, as relevant, such as facilitators and third persons connected with the reporting persons who could also suffer retaliation in a work-related context, including relatives and colleagues. This provision is restrictively transposed in some Member States which do not properly cover facilitators or third persons.
2. Conditions for protection
Articles 6, 7, 10 and 15 set out the conditions for the protection against retaliation of persons who make a report or a public disclosure.
Article 6(1) lays down the conditions under which reporting persons qualify for protection, including that they have reasonable grounds to believe that the information was true at the time of the reporting. This means that the reporting persons do not lose protection if they reported inaccurate information by honest mistake and that their motives are irrelevant. Article 6(1) has been incorrectly transposed by a few Member States whose laws appear to take into account the persons’ motives for the purposes of protection.
Articles 7(1) and 7(2) lay down the principle that reporting persons are free to choose whether to first report internally or directly report externally. Article 6(4) provides that persons reporting to relevant institutions and bodies of the EU qualify for protection under the same conditions as persons who report externally. Several Member States incorrectly impose an obligation to report internally first or allow for direct external reporting only under specific circumstances. Some Member States have not explicitly provided for the protection of persons reporting to EU institutions.
Article 15 of the Directive sets out the conditions for the protection of public disclosures.
Specifically, Article 15(1)(b) lays down the conditions for making direct public disclosures, i.e. without first having reported internally and externally or at least externally. It requires that the persons have reasonable grounds to believe that: (i) the breach may constitute an imminent or manifest danger to the public interest or (ii) in the case of external reporting, there is a risk of retaliation or there is a low prospect of the breach being effectively addressed. It also lists specific circumstances constituting cases falling under (i) or (ii), such as circumstances where there is a risk of irreversible damage or where evidence may be concealed or destroyed.
Several Member States have not transposed the constitutive circumstances set out in Article 15(1)(b). A few have incorrectly defined the situation of danger to the public interest or the risk of retaliation.
3. Reporting channels and procedures
1. Internal reporting channels and procedures
Article 8 of the Directive defines the legal entities in the private and public sector required to set up channels and procedures for internal reporting. It also sets out the conditions under which such channels may be shared or operated externally by a third party.
Article 8(3) requires all legal entities in the private sector with 50 or more workers to set up internal channels. Article 8(6) allows private legal entities with 50-249 workers to share resources for receiving reports and conducting investigations, aiming to alleviate burdens for these entities. A few Member States incorrectly extended the flexibility provided by Article 8(6) also to larger entities. More specifically, they allowed corporate groups to set up reporting channels solely at group level, thus exempting all entities belonging to the same group from the obligation to set up their own internal channel. This runs counter to the objective of the Directive to ensure accessibility and proximity of the channels for potential whistleblowers.
Article 9 sets out the requirements applying to internal reporting procedures. Different elements of this provision, such as the obligation to follow up diligently on reports, or the timeframes for the acknowledgement of receipt or for the physical meetings, have not been correctly transposed in most Member States.
2. External channels and procedures
Article 11 sets out the obligations to set up external reporting channels and to follow up on reports.
Some of these obligations have been incorrectly transposed. One Member State excludes the follow-up of reports on breaches committed more than 2 years before, a temporal limitation that undermines the effectiveness of the Directive in terms of strengthening the enforcement of EU law. A few Member States do not provide the necessary legal certainty as to which are the designated competent authorities.
Article 11(6) sets out specific obligations for the authorities receiving reports and not having the competence to address them. About half of the Member States have incorrectly transposed it. This is for instance the case where they impose these obligations only on certain authorities; where they omit the obligation to transmit the reports to the competent authorities in a reasonable time, in a secure manner; or they omit the obligation to promptly inform the reporting person.
3. Handling of anonymous reports
According to Article 6(2), the Directive does not affect Member States' power to decide whether to oblige legal entities in the private or public sector and competent authorities to accept and follow up on anonymous reports. The Commission stresses that, if the Member States do impose such an obligation to accept anonymous reports, these reports must be handled like all other reports, in terms of the procedural rights of the reporting persons and in terms of the obligations of the entities and authorities to follow-up on these reports.
Around half of the transposition laws regulate anonymous reports, with most imposing an obligation to accept and follow up on anonymous reports on competent authorities or more broadly on all legal entities operating reporting channels. A few amongst them provide however for derogations from the requirements of the Directive, for example for acknowledgement of receipt and feedback, or for follow up. One Member State provides for a completely different procedure for handling and following up on anonymous reports.
4. Duty of confidentiality
Article 16 lays down the confidentiality requirements applicable to both external and internal reporting to protect the identity of the reporting persons. In the same vein, Article 5(8) requires that any assistance provided by facilitators be confidential.
Article 16(1) requires Member States to ensure that the identity of the reporting person is not disclosed to anyone beyond the authorised staff members competent to receive and follow up on the reports, without the explicit consent of that person. Article 16(2) lays down the conditions for derogations from the duty of confidentiality. Several Member States have incorrectly transposed this derogation, for example by omitting the reference to the context of investigations or judicial proceedings. Several Member States have not correctly transposed the safeguards to which the use of this derogation is subject under Article 16(3), e.g. that the reporting person is informed before their identity is disclosed or that the competent authority sends them a statement explaining the reasons for the disclosure.
On Article 5(8), several Member States have transposed the notion of ‘facilitators’ omitting the confidentiality requirement. This affects the confidentiality of the identity of both the reporting persons and the persons concerned. It also affects the role of the facilitators in the reporting process, as they could be assimilated to recipients of public disclosures.
3. Protection and support measures
Articles 19 to 23 set out the protection and support measures for the persons referred to in Article 4, and for persons concerned by reports or public disclosures.
1. Prohibition of retaliation
Article 19 requires Member States to prohibit any form of retaliation, including threats and attempts of retaliation, and provides a non-exhaustive ̶̶ but constitutive – list of prohibited retaliatory measures.
Several Member States have omitted the prohibition of threats and attempts of retaliation. A few Member States transposed Article 19 by means of a generic prohibition of retaliation, without replicating the list set out in this Article. Roughly half of the Member States that did include an indicative list of prohibited types of conduct omitted or incorrectly transposed certain forms of retaliation listed in this Article.
2. Support measures
Article 20 requires Member States to ensure access to support measures, in particular: (i) comprehensive, independent information and advice, free of charge; (ii) effective assistance from competent authorities, and (iii) legal aid.
Some Member States do not ensure access to individual advice, but only require information to be made available on a website. Several transposition laws do not ensure the provision of effective assistance by competent authorities. Several Member States do not include cross-references to applicable legislation on legal aid, thereby creating legal uncertainty.
Article 20(2) grants Member States the option to provide for financial assistance and other support measures as part of legal proceedings. A few Member States have provided for financial support under certain conditions, e.g. in case of serious deterioration of the reporting person’s financial situation, whilst psychosocial support is also envisaged in some Member States.
3. Protection against retaliation and remedial measures
Article 21 sets out the measures for protection against retaliation, including exemptions from liability and the reversal of the burden of proof, as well as remedial measures, including interim relief and compensation. Article 23(2) provides for measures to compensate damage suffered by persons concerned.
Article 21(2) exempts under certain conditions the reporting persons from liability for breaches of restrictions on disclosure of information, such as loyalty clauses or non-disclosure agreements. This provision has been incorrectly transposed in several Member States which provide for additional conditions, for example by requiring that the reporting person has acted in good faith, or do not apply the exemption from liability to reports in some areas of law or to public disclosures.
Article 21(7) first subparagraph sets out an exemption from any liability in legal proceedings for, among other, defamation, breach of data protection rules, the disclosure of trade secrets or compensation claims. Most Member States restricted the scope of this exemption, e.g., by excluding (i) facilitators or third persons connected with the reporting person, (ii) certain types of legal proceedings or (iii) public disclosures. The second subparagraph of Article 21(7) specifies the conditions for exemption from liability if the information on breaches reported or publicly disclosed includes trade secrets. Several Member States incorrectly transposed the requirement that the disclosure of trade secrets must be considered lawful under the applicable EU law where the person who reported or publicly disclosed this information meets the conditions of the Directive.
Article 21(3) provides for an exemption from liability for acts committed for the acquisition of – or access to – the information reported or publicly disclosed, unless they constitute self-standing criminal offences, i.e. are unrelated to the reporting or public disclosure or are not necessary for revealing a breach. Roughly half of the Member States have incorrectly transposed this provision, in most cases by omitting the requirement relating to the notion of ‘self-standing’, thus depriving the exemption of its effectiveness.
Article 21(5) sets out a reversal of the burden of proof in proceedings related to retaliation against the reporting person, i.e. it places on the person who took the detrimental measure the burden to prove that the measure was not linked in any way to the reporting. Several Member States have incorrectly transposed this provision, e.g. by requiring the reporting person to prove the legality of the reporting or to establish prima facie that a certain measure was taken in retaliation for the report. In one Member State, the reversal of the burden of proof applies only for a period of 2 years.
According to Articles 21(6) and 21(8), persons who have suffered retaliation must have access to remedial measures, including interim relief, and to measures for compensating damage. Several national laws have not adequately transposed the provisions on interim relief and on compensation. In particular these laws do not provide for interim relief or they create legal uncertainty by not including cross-references to applicable general provisions. Moreover, in a few cases, compensation is limited to monetary damages while some laws do not ensure that the remedial measures are available to all persons entitled to protection.
Article 23(2) requires Member States to provide measures to compensate damage suffered by persons concerned where the reporting persons knowingly reported or publicly disclosed false information. Roughly half of the Member States have failed to properly transpose this provision, e.g. by not including appropriate cross-references to applicable laws.
4. Penalties
Articles 23(1) and 23(2) require Member States to provide for effective, proportionate and dissuasive penalties for persons that hinder or attempt to hinder reporting; retaliate or bring vexatious proceedings against persons entitled to protection; breach the duty of maintaining the confidentiality of the identity of reporting persons, and for persons who knowingly report or publicly disclose false information.
Several Member States: (i) defined the sanctioned conduct in vague terms, e.g. by penalising breaches or abuses of the national transposition law in general; or (ii) introduced penalties that appear too low to be considered dissuasive. A few Member States have not correctly transposed the penalties for ‘attempts’ to hinder reporting or have defined the notion of ‘hindering’ by means of an exhaustive list, thereby narrowing the notion. Penalties for retaliation have been overall correctly transposed, with a few compliance issues caused by: (i) lack of legal certainty as to what constitutes sanctionable conduct, (ii) ineffectively low fines or (iii) the penalisation of retaliation only against reporting persons and not against other categories referred to in Article 4 (such as facilitators). Several Member States failed to correctly transpose the penalties for vexatious proceedings by not laying down a specific penalty or by not including a cross-reference to other relevant legislation. The penalties for breaches of confidentiality have been incorrectly transposed in some cases, e.g. due to a lack of appropriate cross-references to applicable legislation.
3. CONCLUSION
The adoption of the Directive aimed at improving the enforcement of EU law by facilitating the reporting of breaches and by providing robust protection to the reporting persons. The Directive provides added value by setting clear common standards that address the previous situation of fragmented and uneven protection across the EU and across policy areas.
Providing legal certainty is key to this purpose. People must be able to fully understand the extent of their rights and the conditions for protection. They must be able to take informed decisions about whether and how to report or make a public disclosure, without running the risk of ’falling between the cracks’ because of the vagueness or ambiguity of the applicable rules.
All Member States have transposed the Directive’s main provisions e.g. on the conditions for protection, on the requirements for the set up and the operation of the internal and external reporting channels, on the prohibition of retaliation and the measures of protection and support to reporting persons. A large majority of Member States have extended the Directive’s protection regime to other areas of national law. Several Member States have provided for additional measures of support, such as financial and psychological assistance to reporting persons.
While the Commission recognises the efforts made by Member States so far, it regrets the overall very late transposition of the Directive. As recognised by the Court, the lack of adoption of the provisions necessary to ensure the complete and precise transposition of this Directive is particularly serious, given its importance for safeguarding the public interest15. The Commission stresses that the lack of confidential reporting channels and appropriate protection has a chilling effect on potential whistleblowers, with negative impacts far beyond the Directive itself. It undermines both the effective enforcement of all EU legal acts falling within its material scope and freedom of expression.
Moreover, this report shows that the transposition of the Directive needs to be improved on certain key areas, such as the material scope, the conditions for protection and the measures of protection against retaliation, in particular the exemptions from liability and the penalties.
The Commission will continue to assess Member States’ compliance with the Directive and will take appropriate measures to ensure its full and correct transposition throughout the EU, including by launching infringement proceedings where necessary.
After a sufficient period of implementation, and no later than 2026, the Commission will submit to the European Parliament and the Council the report referred to in Article 27(3), assessing the functioning of the Directive and considering the need for additional measures, including amendments with a view to extending its scope to further EU acts or areas.
1 OJ L 305, 26.11.2019, p. 17.
2 For example, these include breaches of rules on public procurement, financial services, anti-money laundering, transport safety and protection of the environment, breaches of rules on public health, consumer protection, data protection, and breaches affecting the financial interests of the Union or relating to the internal market.
3 See judgment of 25 April 2024, in case C-147/23, Commission v Poland, ECLI:EU:C:2024:346, paragraph 73.
4 Malta, Portugal, Sweden.
5 Cyprus, Denmark, France, Croatia, Ireland, Lithuania, Latvia, Romania.
6 Austria, Bulgaria, Czechia, Germany, Greece, Spain, Italy, Finland, Hungary, Luxembourg, the Netherlands, Slovenia, Slovakia.
7 All Member States except for Malta, Portugal and Sweden.
8 Czechia, Germany, Estonia, Luxembourg, Hungary and Poland.
9 In line with Articles 258 and 260(3) TFEU.
10 Judgment in case C-147/23, cited above.
11 Austria, Belgium, Greece, Lithuania, the Netherlands and Slovakia.
12 Estonia and Poland.
13 Since the entry into force of the Directive, four acts have been added in its Annex: Regulation (EU) 2020/1503 on European crowdfunding service providers; Regulation (EU) 2022/1925 on the Digital Markets Act, and Regulation (EU) 2023/1114 on markets in crypto assets; Regulation (EU) 2024/573 on fluorinated greenhouse gases amending Directive (EU) 2019/1937 and repealing Regulation (EU) No 517/2014.
14 The Commission has been consistently encouraging Member States, when transposing the Directive, to consider extending its scope of application to other areas, and more generally to ensure a comprehensive and coherent framework at national level. See Commission Communication ‘Strengthening whistleblower protection at EU level’ of 23.4.2018, COM(2018) 214 final.
15 See judgment in case C-147/23, cited above, paras. 73 and 97.
EN EN