Whistleblowing

Employers in the EU with 50 or more workers must have in place whistleblowing policies and procedures, and it’s common for companies to apply their policies on a global basis. Companies that don’t comply are at risk of fines in various countries. Attempts to block whistleblower reports also attract penalties.

Key themes

  • Many EU member states implemented the EU Whistleblowing Directive in 2023, later than the December 2021 deadline.
  • Penalties for breaching whistleblowing rules vary widely from country to country.
  • The U.S. Securities and Exchange Commission (SEC) is clamping down on clauses that purport to prevent employees reporting breaches of securities law. 
Quote

The U.S. Securities and Exchange Commission (SEC) is clamping down on clauses that purport to prevent employees reporting breaches of securities law.

Quote

The U.S. SEC has increased its enforcement actions targeting employers that try to stop or deter a whistleblower from reporting possible breaches of securities law to the SEC.

The biggest regulatory change last year in the EU was belated action by member states to implement the EU Whistleblowing Directive. Several countries did not amend their laws by the December 2021 deadline, but most have now done so.

Public sector organisations and private sector employers with 50 or more workers must have whistleblowing procedures. These should allow employees and others – including the self-employed, non-executive directors and volunteers – to report alleged breaches of EU law. Processes must meet minimum requirements. Employers should provide feedback within three months of a complaint, ensure confidentiality for complainants and signpost how to report concerns externally. An employer cannot stop an employee (or anyone else covered by the directive) from reporting externally in some situations.

The changes have been significant in certain countries, depending on what whistleblowing protection was already in place. Italy had a whistleblowing law, so needed to bring this in line with EU requirements. France had existing protection for whistleblowers but amended it in 2022 to allow external reporting without having to report internally first and to protect a wider group of whistleblowers. The Dutch government made similar changes in 2023. Most large organisations in Germany, which implemented the directive in July 2023, already had whistleblowing procedures so the legislation hasn’t had a major impact.

In both Italy and Germany employers that fail to comply with whistleblowing requirements face administrative fines of up to €50,000. Higher fines of up to €60,000 apply in France. In contrast, the Spanish law that came into force in 2023 treats failures to have internal whistleblowing procedures as very serious infringements attracting fines of up to €1 million.

For cultural and historic reasons, whistleblowing legislation has been more contentious in some parts of Europe, mostly in former Eastern Bloc countries. This has created challenges for U.S. corporations in particular, if U.S. law requires them to have whistleblowing policies and procedures.

Hungary introduced whistleblowing legislation around 10 years ago, which eased the conflict with U.S. requirements. Employers hoped the government would repeal more prescriptive requirements of Hungarian law when it implemented the directive. One example is normally having to complete an investigation into a whistleblowing allegation within 30 days. In practice, the new law retains existing requirements while protecting a wider group of whistleblowers.

Sanctions for failing to comply with the new law are minimal. Obstructing a whistleblowing report is a minor offence punishable by a fine of roughly €800. The only sanction for other breaches, including not having a whistleblowing procedure, is a direction from the employment authority to the employer to correct the defect.

Although the Polish government proposed draft legislation to implement the directive it didn’t pass so the legislative process will start afresh this year. The European Commission referred Poland and seven other member states to the Court of Justice in February 2023 because they failed to transpose the directive by the deadline. Most of the countries, including Germany, Spain, Italy and Hungary, have now met their obligations.

No major changes are expected to the whistleblowing framework in the United States or the United Kingdom. The UK government’s 2023 whistleblowing review explored whether the law facilitates disclosures and protects workers. Its purpose was to inform future policy decisions but there probably won’t be any developments before the general election.

The U.S. SEC has increased its enforcement actions targeting employers that try to stop or deter a whistleblower from reporting possible breaches of securities law to the SEC. Employers are known to include terms in employee or separation agreements that could have that effect. Terms may limit the right to recover whistleblower awards, restrict lodging complaints with the agency and ban disclosing information outside the company without prior authorisation.

According to the SEC, these restrictions breach Commission Rule 21F-17. It says individuals cannot be prevented from communicating directly with the SEC about potential violations. This includes by enforcing or threatening to enforce confidentiality agreements. Penalties for breaching the rule include fines of up to US$1 million. Employers should avoid breaches by carving out disclosures to the SEC from non-disclosure or non-disparagement clauses.

Few countries in Asia-Pacific have whistleblowing legislation, although there are sector-specific rules. For example, Singapore’s Prevention of Corruption Act guarantees anonymity to employees who report wrongdoing covered by the Act unless allegations are false. In Hong Kong, the Corporate Governance Code requires listed companies to establish whistleblowing policies and reporting systems. In practice, multinationals tend to apply their whistleblowing policies globally and include requirements in local handbooks. 

Related content

All change? UK government reviews whistleblowing laws

Read more

Whistleblowing Directive: Navigating challenges for multinational companies in EU implementation

Read more

This website is operated by Hogan Lovells International LLP, whose registered office is at Atlantic House, Holborn Viaduct, London, EC1A 2FG.  For further details of Hogan Lovells International LLP and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2024 Hogan Lovells.

Attorney advertising. Prior results do not guarantee a similar outcome.