Background
The EU Whistleblower Protection Directive[1] (the ”Directive”) was adopted in October 2019. The Directive shall be implemented in the Member States at the latest on 17 December 2021. As regards regulations in the Directive requiring organisations with between 50 and 249 workers to introduce internal reporting channels, this may be brought into force by 17 December 2023.
Already in 2014, the European Commission reported the need for more effective protection of whistleblowers due to several scandals such as the Cambridge Analytica and Panama Papers, which were revealed by whistleblowers.
According to the Directive, the Member States shall ensure that persons who report irregularities shall be protected against reprisals such as e.g. termination of employment, refusal of promotions or salary, transfers or change of work place and discrimination.
The Directive stipulates that all private legal entities with 50 or more employees will need to establish secure reporting channels. Companies which are operating in specific fields, such as financial services, products and markets and companies that are vulnerable to money laundering or terrorist financing will also need to comply. Furthermore, all public legal entities will also need to comply, with some exceptions for smaller municipalities and public entities.
Swedish legislation on whistleblowing
The protection offered by current Swedish law is focused on monetary compensation to whistleblowers which have been subject to reprisals by the employer. With the new Swedish Act on Whistleblowing, which will replace the current Swedish act on protection against reprisals for whistleblowers, Swedish authorities and companies will be forced to establish strong compliance schemes to enable secure and effective whistleblowing reporting channels. The proactive approach of the Directive and the Swedish legislation implementing the Directive requires extensive efforts to adapt to this new legal framework.
Companies with over 50 employees will have to establish an internal whistleblowing channel. The same applies to municipalities of more than 10,000 inhabitants. Information on whistleblowers identity shall be treated with confidentiality.
What kind of internal channel needs to be implemented?
It shall be possible to sound the alarm in writing, orally, or at a physical meeting. The reporting channel shall offer the possibility to receive reports about irregularities and have contact with the whistleblowers, follow up the report, and provide feedback on the follow up to those who have reported.
The whistleblowing function may be internal or external, i.e. either employees within the organisation are appointed or an external third party which will handle the reporting channels and the procedures on behalf of the employer. Such third parties need to guarantee confidentiality, data protection, secrecy and independence.
Companies with between 50 and 249 employees will be allowed to share whistleblowing reporting channel with others companies. Larger companies must have their own reporting channels. Municipalities and regions are permitted to share reporting channels with municipal companies, foundations and associations.
What can whistleblowers report on?
Whistleblowers will be able to sound the alarm on a range of issues and remain protected from recrimination when they do so. Issues include inter alia public procurement, anti-money laundering, protection of the environment, data protection, protection of financial interests, food and product safety and nuclear safety. The relevant Unions laws are set out in the Annex to the Directive.
Who can report?
Everybody who works in the private or public sector can report. Not only employees are covered but also job applicants, self-employed persons, volunteers, trainees, persons within an organisation’s administrative body and management and shareholders that are active in the business. Protection is afforded also before someone has begun to work for an organisation and after that a person has quit the organisation provided that the person received the information during the employment/period during which the person was active in the business.
Breach of secrecy
A whistleblower is protected although a breach of confidentiality is at hand. This requires that the whistleblower had a reasonable ground to assume that the reporting of the information was necessary in order to reveal the irregularitites which were reported. It is not permitted to breach so called qualified secrecty which, according to the Swedish Act on Public Access to Information and Secrecy restricts the right to make information public. It is also not allowed to breach secrecy duty according to the Swedish Act on Defence Inventions or to hand out documents which contain confidential information.
What happens if a whistleblower reports something that was not an irregularity?
A whistleblower may be protected even if information has been provided that was not erroneous if it was a mistake. To be protected the whistleblower must at the time of the reporting, have had reasonable reason to believe that the information reported was true. Persons who intentionally report wrongful or misleading information are not protected.
What happens if you fail to comply?
The law stipulates penalties against those who hinder or attempt to hinder reporting, or who retaliate against whistleblowers. An employer may be liable to pay damages.
Processing of personal data
The act is supplementing the GDPR. Personal data may only be processed if it is necessary in order to follow up reporting in the whistleblowing system. Only such persons that have been appointed as authorised or persons that work in units that have been authorised to receive, follow up and provide feed back on reports may have access to the personal data.
[1] Directive (EU) 2019/1937 of the European Parliament and of the council of 23 October 2019 on the protection of persons who reports breaches of Union law.