Directive on the protection of persons reporting on breaches and companies' need to assess their notification routines
The EU has adopted a Directive on the protection of whistleblowers to ensure a high level of protection for this group. The Directive, which is considered to be EEA-relevant, requires Member States to transpose the Directive into national law by 17 December 2021. Homble Olsby | Littler has extensive experience in assisting clients in handling notification cases. We recommend that our clients review their notification routines to ensure that these routines meet all requirements for the protection of whistleblowers, including requirements for the proper handling of personal data.
The Directive on the protection of persons reporting on breaches, which applies to both private and public enterprises, differs in several ways from the current rules on notification in the Working Environment Act.
Compared with the rules in the Working Environment Act, the Directive allows for a larger circle of people to have the status of whistleblowers. In addition to employees, the Directive also applies to other groups associated with the company. Amongst others, self-employed persons, suppliers and shareholders are included.
According to the Directive on the protection of persons reporting on breaches, a person can be given the status of a whistle-blower before the employment relationship has begun. This may be relevant in cases where the person has received information about matters worthy of criticism in the company during the recruitment process or in contract negotiations.
The Directive also covers persons who have previously worked in the company. In addition, the Directive applies to persons who have a relationship with the whistle-blower, and who therefore risk retaliation in the workplace. For example, colleagues and relatives may be people who have such a relationship with the whistle-blower.
The Directive also sets stricter requirements for the employer's case processing when handling notifications compared with the requirements contained in the Working Environment Act today. Under the Directive, private companies with 50 or more employees have a duty to establish internal notification systems. The same applies to all public enterprises, regardless of the number of employees.
Our experience is that good notification systems make companies better able to handle alleged breaches in a responsible manner. That is why we offer Littler Whistle Protect to our clients. Littler Whistle Protect, which is designed to meet strict requirements for whistle-blower protection and requirements for proper processing of personal data, is a safe and user-friendly digital whistleblowing system. For more information on this digital notification system, see here.
The Directive on the protection of person reporting on breaches also requires companies to follow up on notifications within certain deadlines. Compared with the requirements of the Working Environment Act today, the Directive sets stricter requirements on this point. In addition, the Directive contains provisions on professional secrecy. According to the Directive, the identity of the whistle-blower shall not be made known to anyone other than the persons dealing with the whistleblowing case.
The same applies to information that can be directly or indirectly linked to the whistle-blower. The Directive also protects the identity of the person or persons referred to in the notification. Littler Whistle Protect meets these requirements in a responsible manner.
As of today, the Directive on the protection of persons reporting on breaches has not been implemented in Norwegian law. It is being considered by the Ministries that assess whether the directive is EEA-relevant and how it should be implemented in Norway. Several factors suggest that the Directive is EEA-relevant. First, the Directive is marked as EEA-relevant by the EU. Secondly, a key purpose of the Directive is to improve compliance with EU rules in areas such as public procurement, consumer protection and personal data. These areas are relevant to the EEA Agreement.
We expect that the Directive on the protection of persons reporting on breaches will be implemented in Norway and that several changes will be made to the current regulations. Companies that want to take notification seriously and be at the forefront of changes in the Working Environment Act should therefore already now review their established routines and adapt these to all requirements that apply to the protection of whistleblowers, including requirements for proper processing of personal data.