Posted by Legal Futures’ Associate Gary Yantin, Director of Best Practice, VinciWorks 
In a recent webinar, I had the pleasure of interviewing Maria Mollica, the EU Commission’s Policy Officer, to discuss the upcoming EU Directive on Whistleblowing. Maria has been heavily involved in writing the new EU Whistleblowing Directive. The directive is expected to be in force by the end of 2021.
During the interview, Maria shared why the Commission felt it was important to introduce a EU-wide legislation, which organisations and individuals the Directive affects, guidance on how to prepare and more. Here are some of the highlights from the conversation.
Note: this article contains only the highlights from the conversation and the text has been edited for readability. You can view the full webinar and related resources here .
Gary Yantin: Can you give us a brief introduction on what the Directive is designed to do?
Maria Mollica: The directive is designed to protect whistleblowers when they come forward with information about breaches of Union law, and it is meant to meet two main purposes. Firstly, it is meant to strengthen the enforcement of Union law, and secondly, it is meant to protect the freedom of expression of the whistleblower, including media freedom, because whistleblowers are essential sources of information for investigative journalism. Let me explain a bit further the link between whistleblower protection and strengthened enforcement of unions. In the recent past, a number of wide scale scandals were brought to light by whistleblowers. Think of the LuxLeaks, the Panama Papers and the Cambridge Analytica scandals to mention a few. These major wrongdoings caused serious harm to the public interest across the Union and would have gone unnoticed without whistleblowers’ revelation because certain types of violations can only be detected by insiders.
We’re talking about the new EU Directive that’s coming in. Lots of countries in the EU have got protection for whistleblowers, such as the Public Interest Disclosure Act 1998 (PIDA) in the UK. Why the need for a new Union-wide directive?
While some 10 member states have comprehensive legislation in place that covers whistleblowers substantially we analysed the situation in the whole European Union and noticed that most Member States offer only protection within certain sectors. For example, only in the fight against corruption or only in the public sector. Further, at EU level, we already have some element of protection for whistleblowers but only in limited sectors like the financial sector, because in the aftermath of the financial crisis, there was an urgent need to ensure that EU law was correctly implemented. However, against this background, our assessment was that the fragmented and uneven way whistleblower protection, which is currently available across the EU, impairs the effective enforcement of EU law in areas where violations may seriously harm the public interest. Where weaknesses of enforcement have been identified in such areas, and where whistleblowers are in a privileged position to disclose breaches of EU law, it is necessary to enhance enforcement by ensuring effective protection of whistleblowers and to do that, only action at EU level is fit for purpose.
I understand the Directive is relevant in different stages depending on the size of the organisation. What’s the process? What do people need to know? And when do they have to be compliant by?
On 7 October this year, the council endorsed the text and on 23 October, both parliament and council officially signed the Directive. The next step now is the publication of the Directive in the official journal, which is expected to take place on the 26 November. Then, 20 days after this publication, the Directive will finally enter into force. Starting from that day, Member States will have two years to transpose the Directive into national law. As you mentioned, there is one specific provision for which a delay of two additional years has been granted, which is the obligation to set up internal reporting channels for medium-sized companies. The Commission envisages to set up an expert group of national representatives to accompany and monitor Member States’ transposition of the Directive into their legal orders.
What about organisations with under 50 staff?
Micro and small companies are not obligated to set up internal reporting channels. Member States can decide after a risk assessment is conducted on the ground whether or not to make this obligatory.
What should an organisation include within its internal reporting channel?
Well, before even talking about the internal reporting channel, an organisation, both in the private and public sector, has to put in place a system of clear and accessible information regarding the procedures for reporting within the organisation and procedures for reporting externally to competent authorities. Companies with 50 or more employees are bound by the obligation of setting up reporting channels and small and micro-companies are exempt. This excludes small and micro companies in the financial sector because, in accordance with existing Union law, these companies need to have internal reporting channels due to the high risks which arise from the activities.
What if the report implicates that team or a person in that department? Do you have to run two systems at the same time, or a backup plan? How does that work?
Your question is very interesting because it leads me to the issue of hierarchical or non-hierarchical uses of reporting channels. In the case you just described, by definition the whistleblower will not be confident reporting internally because he or she suspects that the person to whom he or she should make the report is involved in the breach. So, this is a typical scenario where the whistleblower would be a hundred percent justified in reporting directly to the relevant competent authority.
What about if the whistleblower determines that the breach should be made public straight away? How would a whistleblower know whether or not to disclose information, say, directly to a media organisation?
To make a public disclosure, there are strict rules, as opposed to whether to choose to report internally or externally. There are two situations where the whistleblower can disclose information to the media or to the general public. Firstly, in a case where the whistleblower has reasonable grounds to believe that the breach may constitute an imminent or manifest danger to the public interest such as an emergency situation or the risk of irreversible damage. Secondly, in a case where the whistleblower has reasonable grounds to believe that reporting to the authorities would either entail a risk of retaliation or there is a low chance of the breach being effectively addressed due to the particular circumstances of the case. An example would be a case where the authorities are in collusion with the perpetrator of the breach and there is therefore no point in going to the authorities because they are involved in the breach.
If a company or organisation doesn’t have a whistleblowing policy in place at the moment, should they just wait until the whistleblower Directive comes into force or should organisations be getting ready and putting a voluntary system in place ahead of the introduction of the Directive?
It is in the very interest of the organisation to have in place a system that encourages whistleblowers to come forward and that facilitates this process as much as possible for two main reasons. Firstly, to avoid possibly unjustified reputational damage, and secondly, to very quickly and effectively address the breach if there is one straight away because nobody is better placed than the company to take action. As I mentioned, if whistleblowers consider that within the organisation where they work whistleblowing is badly perceived, they should consider themselves justified and should report directly to the competent authorities and report there, or even disclose publicly. The announcement of the new Directive is an opportunity for the organisation concerned to solve the problem quickly, without any reputational damage. Organisations therefore only stand to benefit by implementing solid whistleblowing systems and procedures sooner rather than later.
VinciWorks’ whistleblowing solution addresses the challenge of improving awareness of employees’ rights and responsibilities surrounding whistleblowing. Their solution includes a reporting tool for staff to anonymously report inappropriate or suspicious behaviour and interactive whistleblowing training  that is fully customisable.