Directive ups protection for whistleblowers
Ireland’s Protected Disclosures Act 2014 (PDA) will undergo some major changes two years from now to comply with a new EU directive on the protection of persons reporting on breaches of European Union law, also referred to as the Whistleblower Directive.
While the preamble encourages EU member states to extend the application of this new law to other areas, the directive lays down minimum standards for the protection of persons reporting breaches of union law in:
- Public procurement,
- Financial services, products and markets, and prevention of money-laundering and terrorist financing,
- Product safety and compliance,
- Transport safety,
- Protection of the environment,
- Radiation protection and nuclear safety,
- Food and feed safety, animal health and welfare,
- Public health,
- Consumer protection,
- Protection of privacy and personal data, and security of network and information systems,
- Breaches affecting the financial interests of the union, and
- Breaches affecting the single market.
The amendment to the current legislation comes at a time when a British all-party parliamentary group on whistleblowing gathered evidence from more than 300 whistleblowers on Britain’s Public Interest Disclosure Act 1998 and concluded that, due to cover-ups and penalisation of whistleblowers, Britain “needs a comprehensive, transparent and accessible framework and an organisation that will support whistleblowers and whistleblowing”. (The report can be found at www.appgwhistleblowing.co.uk.)
Private sector extension
The most notable change will be the extension of protected disclosures law to the private sector. Currently, section 21 of the Irish PDA 2014 makes the establishment and maintenance of procedures for making protected disclosures mandatory for public bodies only.
Under the directive, it will be mandatory for companies with over 50 employees to establish internal channels and procedures for reporting breaches of EU law and for following up on those reports.
However, entities of any size falling under EU law relating to financial services, products, markets, prevention of money-laundering and terrorist financing, transport safety, and protection of the environment will have to comply.
Member states may undertake risk assessments on companies with fewer than 50 employees and, if necessary, require these companies to comply, particularly those operating in the areas of environment and health.
The directive allows companies with between 50 and 249 employees to share resources for the receipt and investigation of reports of wrongdoing.
Tighter timeframes
The directive will impose a much tighter timeframe on recipients for processing protected disclosures. The recipient will have to acknowledge receipt within seven days and to “diligently follow-up on disclosures”.
Feedback, which may not necessarily be the outcome of an investigation, will be required within three months (with a possible extension to six months).
Internal disclosures
The new directive seeks to encourage disclosers to report a disclosure internally in the first instance: “Member states shall encourage the use of internal channels before external reporting, where the breach can be effectively addressed internally and where the reporting person considers that there is no risk of retaliation.” The PDA also adopts this approach.
This may pose challenges for a worker who chooses to report externally in the first instance. If the worker is subsequently penalised in the workplace, it may be harder to establish the causal link between the disclosure and the penalisation, as the employer may argue that they did not know of the disclosure.
Workers’ actions
Further, under the current legislation, if a worker reports externally, the reasonableness of the worker’s actions in so doing is taken into consideration and, if good internal processes have not been used, this may go against the worker.
The directive will also create new legal safeguards for volunteers, shareholders, or non-executive members, who will be able to make a report under the protections of the legislation.
Similarly, those not yet recruited can make a report where the information on a breach has been acquired during the recruitment process or other pre-contractual negotiation.
The PDA currently stipulates that the information disclosed must have come to the worker’s attention “in connection with the worker’s employment”, while the directive talks about ‘information acquired’ and, as such, appears to offer a wider scope on the source of the information being disclosed.
Prescribed persons
To date, there has been relatively little guidance for prescribed persons in Ireland on their responsibilities and their powers to investigate. The new directive includes a range of specific provisions for ‘competent authorities’.
In the Irish context, competent authorities will likely include prescribed persons and any other relevant bodies to whom disclosures can be made. A further disclosure to the regulator is not uncommon in the process of a protected disclosure.
The new requirements include:
- Maintaining secure systems for the receipt and recording of reports that ensure the confidentiality of the discloser. Reports should be stored for no longer than is proportionate and necessary.
- Establishing a variety of reporting channels that allow for oral and written reports and/or meetings with the discloser, where requested.
- Providing dedicated staff to handle reports and maintaining contact with the reporting person. These staff members must have received specific training.
- Acknowledging receipt of a report within seven days, unless the discloser has explicitly requested otherwise or the competent authority believes that acknowledging the report would jeopardise the discloser’s confidentiality.
- Following up diligently on reports and providing feedback on the response to the report within three months (or six months in duly justified cases).
- Informing the discloser of a decision not to pursue a report in instances where the matter is judged by the competent authority to be minor and not requiring any follow-up on their part, or where there are repetitive reports that do not include any new or meaningful information.
- Transferring the report/case to another competent authority where it is deemed that the receiving body does not have the competence to deal with a report within a reasonable timeframe or in a secure manner, and informing the discloser without delay.
- Communicating the final outcome of an investigation to the discloser in accordance with national law, as well as to other relevant authorities and institutions.
Competent authorities must also publish the following information on their website in an easily accessible section and review and update it every three years:
- The conditions under which reporting persons qualify for protection,
- Information regarding the types of reports that can be made and measures for protecting the discloser from retaliation,
- A clear statement explaining when the discloser will not be liable for a breach of confidentiality relating to the acquisition of or access to the relevant information,
- Details of how to make a report to the authority,
- Details on how the report will be processed, including the timeframes and format for feedback,
- The confidentiality regime for reports and how personal data will be processed,
- The nature of the follow-up that will be given to reports,
- Remedies and procedures available against retaliation and details of where persons contemplating making a report can access confidential advice, and
- Contact information for any other relevant bodies providing independent information and advice to the discloser.
This more prescriptive approach chimes with demands from the British all-party parliamentary group, which called for “an urgent review of the prescribed persons list, a more comprehensive guide to their role, and measures put in place to ensure that they fulfil their responsibilities”.
Definition of penalisation
Under section 12 of the PDA, if an employee is penalised by their employer, or where their employer causes or permits another person to penalise them, they have a right to pursue damages in the Workplace Relations Commission (WRC).
The current definition of penalisation is “any act or omission that affects a worker to the worker’s detriment and, in particular, includes:
- Suspension, lay-off or dismissal,
- Demotion or loss of opportunity for promotion,
- Transfer of duties, change of location of place of work, reduction in wages or change in working hours,
- The imposition or administering of any discipline, reprimand or other penalty (including a financial penalty),
- Unfair treatment,
- Coercion, intimidation or harassment,
- Discrimination, disadvantage or unfair treatment,
- Injury, damage or loss, and
- Threat of reprisal.”
Under section 13 of the PDA, workers are also afforded a remedy in the civil courts for ‘detriment’. The current definition of detriment includes “(a) coercion, intimidation or harassment, (b) discrimination, disadvantage or adverse treatment in relation to employment (or prospective employment), (c) injury, damage or loss, and (d) threat of reprisal”.
Definitions of penalisation
The definitions of penalisation/retaliation are being extended in the new directive to include:
- Withholding of training,
- Negative performance assessment or employment references,
- Ostracism,
- Failure to convert a temporary employment contract into a permanent one, where the worker had legitimate expectations that he or she would be offered permanent employment,
- Failure to renew or early termination of the temporary employment contract,
- Damage to a person’s reputation, particularly in social media, or financial loss, including loss of business and loss of income,
- Blacklisting,
- Early termination or cancellation of a contract for goods and services,
- Cancellation of a licence or permit,
- Psychiatric or medical referral.
While some of these categories may have previously fallen within the ‘injury, damage or loss’ or ‘unfair treatment’ category, this clearer delineation will assist those whistleblowers contemplating legal action. The burden of proof will rest with the employer to prove that any alleged detrimental measure was based on ‘duly justified grounds’.
More support
Under article 14 of the new directive, member states will have to ensure that whistleblowers have access to free comprehensive and independent information on their rights, as well as advice on procedures and remedies available on protection against retaliation.
Significantly, the directive also says that member states shall ensure that whistleblowers have access to legal aid, legal counselling, or other legal assistance in accordance with national law. This potentially has implications for the legal aid regime in Ireland in respect of WRC and Labour Court claims, for which there is currently no legal aid for representation.
The British all-party parliamentary group found that expensive legal disputes were one of the devastating impacts on whistleblowers. It called for “an urgent review of the barriers to justice, including access to legal aid and an introduction of measures to tackle inequality of arms, including protection against costs”.
Defamation proceedings
Under the PDA, disclosers were only offered a ‘qualified privilege’ exemption in defamation proceedings, despite full immunity in other proceedings.
The new directive, under article 21, will oblige member states to offer full immunity: “In judicial proceedings, including for defamation, breach of copyright, breach of secrecy, data protection rules, disclosure of trade secrets, or for compensation requests based on private, public, or on collective labour law, reporting persons shall not incur liability of any kind for having made a report or public disclosure in accordance with this directive and shall have the right to rely on that reporting or disclosure to seek dismissal of the case, provided they had reasonable grounds to believe that the reporting or disclosure was necessary for revealing a breach pursuant to this directive.”
However, if the acquisition of, or access to, the relevant information constitutes a self-standing criminal offence, criminal liability will remain.
Trade secrets
The PDA was amended on 9 June 2018 to incorporate provisions of the EU Protection of Trade Secrets Directive (2016/943). The effect of the amendment was to require whistleblowers to show they were motivated by the ‘general public interest’ when disclosing ‘commercially sensitive information’, even if they reported a crime to the relevant authorities and their allegations were true.
The directive states under article 21(7) that no liability on the discloser shall be incurred if a trade secret is reported and the discloser can show that they had ‘reasonable grounds’ to believe that the reporting or public disclosure was necessary for revealing a breach in accordance with the directive.
‘Reasonable grounds’ should represent a narrower burden of proof for whistleblowers than ‘general public interest’.
Judy O’Loan
Judy O’Loan is managing solicitor of the Transparency Legal Advice Centre.