The E.U. directive is best considered as a set of minimum requirements, with the member states being able to extend its scope. Some have already decided to extend the scope from reporting on E.U. law breaches to the reporting on national law breaches of public interest. Whistleblowers who want to report on these matters will need to be protected against any form of retaliation.

Experts Expect Regulations Will Have Indirect, Extraterritorial Effects

Many non-E.U. multinationals with European subsidiaries work with a centralized whistleblowing program/hotline operated on a group level. This will need to be revised because the E.U. subsidiaries with more than 50 employees will be required to set up parallel whistleblowing functions and procedures for internal reporting. E.U. organizations with more than 250 employees will need to establish their compliance within a delay of two to six months depending on the E.U. member state. E.U. organizations with fewer than 250 employees will receive two more years.

The local whistleblowing function will need to be implemented in accordance with the case governance principles of competence, diligence and impartiality.

• Impartiality: This is the most difficult to organize because it presumes there is no interference from the business. The only function that can justify its full independence from the business and at the same time is not conflicted is the compliance officer. Management reporting is best organized through an ethics committee.
• Diligence: This governance principle requires consistent and timely follow-up on cases. A risk-scoring methodology will be needed to ensure a consistent approach and support a defensible position. In order to ensure a timely follow-up, organizations will need to organize themselves around the feedback deadlines (notification within seven days, status reporting within three months, etc.).
• Competence: This presumes that the case recipient has experience with handling such reported matters and the handling of whistleblowers in general. Regulators have already indicated that if organizations are missing an internal compliance function that is experienced with whistleblowing, they should consider outsourcing case handling.

A local confidential reporting setup will be required. Whistleblowers should know to whom they report, and individuals outside the initial recipient can only obtain access to the content and the identity with the approval of the whistleblower. This excludes the use of general email addresses or personal mailboxes that are accessible to IT administrators. Although the reporting channels (web, voice, mail, post) are free of choice, the new regulations require a secure setup. All communication around whistleblowing is therefore best encrypted. Web-based reporting systems are the easiest way to justify a secure setup.

E.U. Firms Should Prioritize Secure Local Reporting

Will the transfer of whistleblowing data outside Europe still be possible? Yes, on condition that there is a valid legal basis for the processing in accordance with the GDPR and you work with binding corporate rules that are based on the standard data protection clauses issued by the European Commission. Even though it will be theoretically possible to justify the transfer of whistleblowing data outside Europe, I would recommend keeping all data in Europe because it will support the creation of the ideal circumstances for internal whistleblowing.

According to the new regulations, all reporting stakeholders, which includes employees, temporary personnel, directors, shareholders, applicants, former employees, contractors and suppliers, will have the free choice between internal reporting and direct external reporting to competent authorities. The more secure whistleblowers feel, the more likely they are going to stay inside with their reports. Setups that require the transfer of whistleblowing data outside Europe are likely to be perceived as less secure than local reporting setups and therefore will increase the risk for direct reporting into competent authorities. The same accounts for anonymous reporting, even though it is not legally required, are recommendable from a corporate governance and risk management perspective because they will increase the perception of safety and help to improve the circumstances for internal reporting.

Employees of non-E.U. multinationals could also be eligible for whistleblower protection if they report on E.U. law infringements within a work-related context. This protection is independent from the nationality of the whistleblower. If the receiving party is one of your E.U. subsidiaries, they will only be able to communicate with you about the reported matters if they receive the consent of your employee. In case the receiver would be a third party, such as an E.U. customer, it would complicate things even more because they will be responsible for taking measures that protect your employee against retaliation. I expect that open communication in these circumstances will only be possible if the non-European multinational voluntarily accepts the E.U. whistleblower protection clauses.

Some consider the risk of enforcement in some E.U. member states to be low. Even if this could be true for some member states, the main non-compliance risk is not fines but reputation damage. Not facilitating secure confidential reporting or non-diligent follow up on feedback deadlines can result in public disclosure immunity. As a result, whistleblowers could be given the opportunity to go public and reveal their griefs in the press or in social media, while remaining eligible for protection against any form of retaliation.