On 15 February 2023, the new whistleblower scheme has come into force. It aims to provide better protection for whistleblowers in private companies, including for professionals bound by professional secrecy. The aim is to better protect whistleblowers from retaliation. They will also be able to call on support and will be able to report wrongdoing more easily.
Do the names Edward Snowden, Chelsea Manning, Antoine Deltour or Frances Haugen ring a bell? They are some of the most famous whistleblowers who publicly exposed violations by organisations or agencies they worked for. But even in Belgium, certain scandals would never have come to light without whistleblowers. Just think of the environmental scandal at 3M in Zwijndrecht, the health crisis with fipronil eggs in 2017, the financial malpractices at the German Wirecard or the Nethys affair* (dixit Minister of Economy Pierre-Yves Dermagne).
However, there are considerable personal, legal and political consequences for individuals who accuse their employers of egregious violations of the law. Often, fear of retaliation deters potential whistleblowers from reporting their concerns or suspicions. Therefore, Europe found it necessary to enforce their protection through a specific directive in 2019 (Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law). Its transposition into Belgian law has implications for public services and the private sector as well.
What exactly is the whistleblower directive about?
The directive contains rules and procedures to protect "whistleblowers," individuals who report information acquired in a work-related context about breaches of EU law in key areas. Breaches include both acts or omissions.
The names quoted in our introduction could give the impression your name has to be known in the press to be a whistleblower, which is not the case. Anyone who discloses information about a violation orally or in writing (internally or externally) will also be considered a whistleblower, even if they do not suffer any retaliation or their identity will never be made public.
What breaches are we talking about?
The reported facts must consist of the violation (unlawful acts or omissions) of a Union act in one of the areas listed in the Directive, such as environment, public health, cyber security, public procurement, financial services, product safety and compliance, consumer protection, competition and state aid rules, protection of privacy and personal data (GDPR) ...
On the other hand, reports related to national security and legal and medical professional secrecy are excluded from the scope of the directive.
The directive applies not only to established breaches, but also to reasonable suspicions, about actual or potential breaches, which have occurred or are very likely to occur, and to attempts to conceal such breaches.
The directive complements the existing specific EU legislation containing rules on whistleblowing (notably on financial services, money laundering, terrorist financing, transport safety and protection of the environment).
Currently in Belgium, the only existing framework is for reporting breaches in the financial sector and for French-speaking community officials. A broader project for the introduction of a similar system in the federal public services is currently under consideration. It seems that in Flanders the text is still at the draft stage.
Who does this directive protect?
The directive applies to a wide variety of individuals working in the private and public sectors:
- former or current employees, self-employed persons, shareholders, persons belonging to the administrative, management or supervisory body of a company, volunteers, paid or unpaid trainees and job applicants;
- people who help whistleblowers confidentially, people related to a whistleblower who may face retaliation at work, and legal entities with ties to the whistleblower.
Individuals are protected when they raise their concerns publicly, provided that they:
- either they have first reported breaches (internally and) externally, but no action was subsequently taken;
- or have reasonable cause to believe there is an imminent or clear danger to the public interest (emergency situation or risk of irreversible harm) and that in case of external reporting, there is a risk of retaliation or the breach is unlikely to be effectively remedied due to particular circumstances (e.g. destruction of evidence or where an authority may be in collusion with the violator or involved in reported breach).
- or a low likelihood that their concerns will be adequately addressed.
The motives of the reporting persons in reporting should be irrelevant in deciding whether they should receive protection. Anyone who deliberately and knowingly reports or discloses wrong or misleading information will have no protection and will be subject to sanctions determined by the individual Member States. If the reporting person can nevertheless indicate that they passed on inaccurate information by honest mistake at the time of the report, the protection remains in place.
Indeed, what matters is that the whistleblower had reasonable grounds to believe that the reported information on a breach was true at the time of reporting
How far does whistleblower protection extend?
The directive requires from the Member States that whistleblowers:
-
be protected from all forms of retaliation (an act or omission which causes or may cause undue hardship to the author of the alert), such as dismissal, demotion or withholding of promotion, intimidation and blacklisting, suspension, transfer of duties, change of location of place of work, reduction in wages, change in working hours, withholding of training, a negative performance assessment or employment reference, imposition or administering of any disciplinary measure, such as a financial penalty, coercion, intimidation, harassment or ostracism, discrimination, failure to renew, or early termination of, a temporary employment contract, early termination or cancellation of a contract for goods or services, cancellation of a licence or permit ...
-
have access to appropriate support measures, in particular information, complete and independent advice, as well as legal aid in accordance with EU rules on legal aid in criminal proceedings and cross-border civil proceedings;
In Belgium, information, guidance and support will be provided through the intervention of two bodies:- The Federal Ombudsman acts as the federal coordinator of external reports. The Ombudsman receives the external reports, reviews them for admissibility, and transfers the information to the competent authority. In exceptional cases, the Ombudsman also conducts the substantive investigation and handles the protection files.
-
The Federal Institute for the protection and promotion of Human Rights (FIRM/IFDH) will provide whistleblowers with professional legal and psychological support. This can be done through the institute itself or through third parties such as law firms or psychologists specialising in this area.
-
have access to legal remedies and compensation. The appropriate remedy could take the form of actions for reinstatement, for instance, in the event of dismissal, transfer or demotion, or of withholding of training or promotion, or for restoration of a cancelled permit, licence or contract; compensation for actual and future financial losses, for example for lost past wages, but also for future loss of income; and compensation for other economic damage, such as legal expenses and costs of medical treatment, and for intangible damage such as pain and suffering.
How to report?
The draft law creates 3 channels to make it easier for whistleblowers to report matters:
-
an internal channel within the company
Companies with over 50 employees will need to appoint a reporting manager and ensure the security and confidentiality of the reporting channel. This internal channel will allow companies to better identify and fix problems within their organisation.Reports can be made in writing, by phone or in person. The reporting manager must acknowledge receipt of the report within 7 days and respond within the maximum 3-month period. He shall also keep a record of reports received. The identity of the reporting person shall not be disclosed without their express consent to anyone other than the authorised staff members responsible for receiving or following up on reports.
The labour inspectorate will be able to carry out checks and will ensure that the internal channel set up by the company provides all the necessary guarantees in terms of security and confidentiality of the reports.
-
an external channel with the government
Employees may also use an external channel set up by the government if they believe their complaint has not resulted in a satisfactory outcome. If an employee has no confidence in the company, the external channel can be used as well. If preferred, the employee may complain directly to the Federal Ombudsman, who will ensure the follow-up of the report by the government. - a disclosure through the press
Finally, a report can also be made through the press if, for example, there is an immediate threat to the public interest or risk of destruction of evidence.
What does Belgium provide?
Initially, the European directive was supposed to be transposed into national legislation by 17 December 2021, but Belgium and several other European Member States experienced delays.
Typically, a European directive imposes minimum standards, which Member States must expand upon at the national level. The Belgian law goes beyond the European Whistleblower Directive.
- Contrary to the provisions of the European directive, tax and social fraud will also fall within the scope of the Belgian approach. This is an important step in the fight against major tax and social fraud.
- Anonymous reports are also possible through the external channel and through the internal reporting channel for companies with more than 50 employees.
- The directive's optional condition, which states that the motives of the reporting person must be positive, disinterested and in good faith to enjoy protection, was not retained to provide the best protection. The whistleblower will be presumed to be acting in good faith.
- Finally, the request from numerical professions (tax consultants, accountants, etc) for professional secrecy was rejected. Professional secrecy remains reserved for lawyers who must defend their client in court and for doctors. This means numerical professionals will be able to become whistleblowers.
What are the implications for companies?
All entities (NV, BV, vzw ...) with 50 or more employees, government agencies, authorities and municipalities with 10,000 or more inhabitants are required to provide internal hotlines, provide information on the reporting procedures to interested parties and establish appropriate internal reporting channels.
Sector |
What does the directive say? |
Which facilitations are possible? |
Private sector |
All entities (NV, BV, vzw ...) with 50 or more employees are required to establish an internal hotline |
Belgium may grant an additional two-year grace period (until 17 December 2023) to companies with 50 to 250 employees. |
Public sector |
All entities are required to establish an internal hotline, regardless of the number of employees |
Belgium may provide an exemption for small municipalities or other public bodies with fewer than 50 employees. |
Source securex
With a few exceptions (mainly SMEs active in finance), companies with less than 50 employees are in principle not required to set up internal reporting channels. This means small companies do not need to take any initiatives in this regard (although it is not a bad idea for them to do so anyway, see below).
Given that it is up to the Member States to determine a number of matters relating to compliance, a company with branches in multiple countries should take into account the fact that compliance may differ in European jurisdictions. Thus, compliance in one Member State does not necessarily lead to compliance in all other Member States.
The first Whistleblower Report 2021 does show that many companies have already proactively set up hotlines and received reports that have enabled them to better manage risks within their organisations. As a matter of fact, establishing internal whistleblower schemes is increasingly becoming a part of corporate governance in large companies.
Of course, whistleblowing is distinct from ordinary complaints. Similarly, with respect to trade secrecy, there is already a directive providing exceptions, to take into account the exercise of freedom of speech and warnings to protect the public interest.
What can you do as a company right now?
Even if, as a company, you do not have 50 employees or are not (yet) currently required to set up an internal hotline, it is a good idea to provide one anyway. Surely every company wants to protect its reputation and avoid a report to a government agency or in the press. By providing an internal channel, you increase the likelihood that employees and other professional contacts will effectively make their reports through that internal channel. You must, of course, respect the principles of the directive for any report (independence, confidentiality, data protection and secrecy).
Don't have an internal hotline yet? Then it's time to start the preparations:
-
Which person or position within the organisation will assume responsibility for receiving and following up on reports? You can entrust that responsibility internally, for example to the head of HR, the company lawyer, the compliance officer or the GDPR officer, or entrust it to an external specialised third party. They will set up the hotline and will receive and investigate complaints on your behalf.
-
Determine what your whistleblowing process will look like. How will the hotline be set up technically? How do you ensure the confidentiality of the whistleblower's identity?
Consulting with the social partners regarding the procedure is usually appropriate. You might consider giving unions a more formal supporting role for employees who want to speak up (because that remains a difficult thing to do in any case!). - Determine how you will handle a report. Pay particular attention to every action you take in relation to the reporting person. After all, some actions could be seen as retaliatory, putting you at risk of a compensation claim. To reinforce this, the directive provides a reversal of the burden of proof. Once the reporting person makes it plausible they have suffered harm following a report, as an employer you must demonstrate that your action is in no way related to the report.
-
Remember you are required to provide information about the whistleblower scheme and the various options for reporting, at least to your employees but also to third parties such as external service providers.
-
Tip: Check if your social secretariat has a model policy or checklists related to whistleblowing schemes!
-
Would you like to carefully read the directive yourself? You can find it here.
Sources: Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law; press release Minister Dermagne; Securex