On April 23, 2018,[1] the European Commission published a proposal for a Directive (the proposal or the Directive) on whistleblower protections in response to a request from the European Parliament, thereby promoting a significant mechanism for both fighting corruption and protecting individuals, employees or others against abuses (e.g., retaliation or sexual harassment). Whistleblower protections have already made a notable entry into Union law, most recently in the trade secrets Directive,[2] which precludes whistleblowers from liability for reporting misconduct or illegal activity, even if it involves the disclosure of trade secrets. However, the latest Directive is significantly more ambitious. Beyond merely reaffirming the legal protections granted to whistleblowers,[3] it will create a genuine whistleblowing system within the Union, because a Directive implies that the EU Member States will adapt their legislation within a specified time to meet its aims and requirements.

1. A particularly broad scope of application

As suggested by its name, the purpose of this Directive is to protect those reporting violations of Union law, which undoubtedly falls within the Union's powers. The whistleblowing systems to be implemented under the Directive broadly cover illegal activities or abuses of rights — real or potential — which contravene public procurement rules, competition rules, legislation on financial services, money laundering and terrorist financing, safety of products placed on the Union internal market, food safety, transport safety, nuclear and radiation safety, protection of the environment, animal health and welfare, public health and consumer protection, protection of privacy and personal data, and security of networks and information systems.

The proposal would also protect whistleblowing involving breaches of corporate tax rules and arrangements that aim at obtaining a tax advantage and evading legal obligations, insofar as they are likely to harm the proper functioning of the Union internal market through “unfair tax competition” and “extensive tax evasion.”[4]

As for whistleblowers, their status is based on the freedom of speech enshrined in Article 11 of the Charter of Fundamental Rights of the European Union (the Charter) and Article 10 of the European Convention on Human Rights (ECHR). Whistleblowers are those who, in one capacity or another (employees, trainees, volunteers, persons working under the supervision and direction of contractors, subcontractors, suppliers, etc.), report or disclose information on breaches they have learned about in the course of their professional activities, whether in the public or private sector.

Further, there are very limited exceptions to implementing a whistleblowing system.

In the private sector, only entities employing fewer than 50 persons and those having an annual turnover or a balance sheet of less than EUR 10 million are exempted (unless their activities give rise to specific risks). Since there are around 25 million SMEs[5] (defined as employing fewer than 250 employees) in the Union, this Directive intends to apply to tens of millions of economic players. Moreover, no exemption is provided for the financial services sector, or for companies “vulnerable to money laundering or terrorist financing.” Setting up an internal whistleblowing system therefore seems to have become a European norm. 

In the public sector, all state, regional and departmental administrations; municipalities with more than 10,000 inhabitants; and “other entities governed by public law” (which may include local authorities, public state establishments and territorial cooperation establishments, as to be specified by the French law implementing the Directive) are affected by the implementation of such a mechanism.

2. A confidential formalized procedure

The proposal distinguishes between internal and external alert systems, but the conditions governing them are similar.

Both systems provide for the reporting of whistleblower alerts in diverse forms: written alerts in electronic or paper form; oral alerts by telephone, recorded or not; or meetings with the person or the service designated to receive the alerts.

Further, they guarantee the following protections:

  • Safeguarding the confidentiality of the identity of the whistleblowers
  • Restricting access to the information sent to only those persons authorized to access it
  • Giving feedback to the whistleblowers within a maximum period of three months (which may be extended to six months when the alert is received externally)

In response to the reports received internally, the entity should provide “clear and easily accessible information regarding the procedures and information on how and under what conditions reports can be made externally to competent authorities,” whether administrative or judicial. When they receive a report and have duly processed it, these authorities “communicate to the reporting person the final outcome of the investigations.” Moreover, any authority that receives a report but is not competent to address the reported breach should transmit the report to a competent authority and inform the reporting person thereof.

In addition, competent authorities will have to dedicate a separate, easily identifiable and accessible section on their website, notably informing the public on communication channels, the confidentiality regime applicable to reports, the conditions that must be fulfilled by whistleblowers in order to be protected, and the remedies and procedures available against retaliation. Further, “a statement clearly explaining that persons making information available to the competent authority in accordance with this Directive are not considered to be infringing any restriction on disclosure of information imposed by contract or by any legislative, regulatory or administrative provision, and are not to be involved in liability of any kind related to such disclosure” must be made. Competent authorities should also update their alert systems at least once every two years, keep a record of all alerts received, and allow the whistleblowers to check, rectify and agree to the transcription or reporting of their alerts.

It is noteworthy that, in any case, whistleblowers, as well as concerned persons, should be protected as regards their personal data by the European General Data Protection Regulation, in addition to any other applicable national laws, as in France, where the French Data Protection Statute has been amended in order to comply therewith.[6]

Further, the proposal does not provide for anonymity of reports, thus leaving Member States to decide on that point.

3. What protection is to be granted to the whistleblowers and persons affected by the reports?

In order to benefit from the protection offered by the Directive, whistleblowers must fulfill two critical conditions:

  • Good faith: At the time of the alert, they should have reasonable grounds to believe in the veracity of the information and not act maliciously.
  • Following a graduated procedure under the rules laid down by the European Court of Human Rights (ECtHR)[7]: They should first make an internal report. If the report is met with no response, they can report externally, but should be able to (a) justify that there is an imminent or manifest danger for the public interest, (b) demonstrate the particular circumstances of the case, and (c) demonstrate that there is a risk of irreversible damage. 

Upon fulfilling these conditions, whistleblowers shall be afforded a legal protection against any form of direct or indirect retaliation, including suspension, dismissal (or equivalent), layoff, demotion or denial of promotion, disciplinary measures, harassment and intimidation, reputational damage, blacklisting, discrimination, disadvantage, unfair treatment, etc. In accordance with national laws, whistleblowers may also obtain compensation where such measures have been taken against them.

Moreover, advice on existing procedures and remedies; public, free, comprehensive, independent information; and assistance from the competent authorities should be provided to the whistleblowers. The Directive also states that “in addition to providing legal aid to reporting persons in criminal and in cross-border civil proceedings in accordance with Directive (EU) 2016/1919 and Directive 2008/52/EC of the European Parliament and of the Council, and in accordance with national law, Member States may provide for further measures of legal and financial assistance and support for reporting persons in the framework of legal proceedings.”

Whistleblowers should also be able to disclose the content of an alert in the context of legal proceedings for defamation, violation of copyright, violation of secrecy, or compensation requests based on private, public or collective labor law.

The proposal also imposes “effective, proportionate and dissuasive” penalties, notably in cases of retaliation or breach of confidentiality of the alert.

Regarding the protection of the persons affected by the alert, the proposal provides them with the right to an effective remedy and to a fair trial, presumption of innocence and the rights of defense, including the right to be heard and to have access to the file on the proceedings brought under the Charter. In addition, competent authorities should ensure that affected persons’ identities are protected throughout the ongoing investigation.

Finally, effective, proportionate and dissuasive penalties to sanction malicious or abusive alerts, as well as measures aiming to compensate the losses of the persons affected by such alerts, should also be provided for.

4. What room for maneuvering do Member States have?

Once the Directive is adopted, Member States will have until May 15, 2021, at the latest, to implement the Directive, which gives them time to consider any related modalities. However, as often occurs, the principles set forth in this Directive will undoubtedly be taken into account by national courts in the event of litigation, or even by the Union judge when it comes, for example, to assessing the protection granted to whistleblowers and the persons concerned by the alerts revealing trade secrets (with regard to the provisions of the “trade secrets” Directive transposed into French law).

It should also be noted that the Directive will only partially harmonize the related regimes applicable in the Union, given that Member States may introduce or keep more favorable provisions.

This Directive is not “the end of a story” for whistleblowers and is evolutionary in nature. Significantly, the Directive requires the European Commission to submit, six years after its transposition, a report assessing the impact of national laws in order to consider making further changes.


[1] Proposal for a Directive on the protection of persons reporting on breaches of Union law, 23 April 2018.

[2] Directive on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure, 8 June 2016.

[3] Nevertheless, this protection remains at the very heart of reporting by a whistleblower, as shown by the Antoine Deltour case. Deltour had reported in 2014 the large-scale optimization practices of several multinationals in Luxembourg. The case for stealing documents is currently being retried (following the judgment of the Supreme Court of the Grand Duchy of Luxembourg, 11 January 2018, No. 3912) by a Luxembourgish court of appeal.

[4] It is clearly stated that the Directive “should be without prejudice to the protection of national security.”

[5] There were over 23.8 million SMEs in 2017: http://ec.europa.eu/eurostat/statistics-explained/index.php/Structural_business_statistics_overview/fr#Couverture.2C_unit.C3.A9s_et_nomenclatures.

[6] Noëlle Lenoir, Hélène Bérion and Alizée Dill, « Alerte professionnelle et protection des données personnelles », JCP G, n° 19-20, 7 May 2018.

[7] ECtHR, 21 June 2016, Soares v. Portugal, n° 79972/12; ECtHR, 21 July 2011, Heinisch v. Germany, n° 28274/08; ECtHR, 12 February 2008, Guja v. Moldova, n° 14277/04.