EU Whistleblower Directive to be Transposed into Maltese Law by 17th December 2021: Key Considerations for Companies

Author: Ann Bugeja

EU Directive 2019/1937 on the protection of persons who report breaches of Union law (“the Directive”), sets out a framework for procedures in terms of which persons who acquired information on breaches in the context of their work-related activities may report or publicly disclose information on such breaches, and serves to set minimum standards for the protection of persons reporting said breaches.

The Directive, which was introduced in October 2019, must be transposed into Maltese legislation by 17^th December 2021, whilst those provisions relating to the establishing of internal reporting channels for legal entities operating in the private sector with 50 to 249 workers must be transposed two years after that, by 17^th December 2023.

Main Differences Between the Current Act and Directive

Currently, in Malta, whistleblower protection is regulated by the Protection of the Whistleblower Act, Chapter 527 of the Laws of Malta (“the Act”), which was introduced in September 2013. The Directive aims to create common minimum standards of protection across the EU to whistleblowers who raise breaches of EU law with their employers. The new rules will require the creation of safe channels for reporting both within an organisation (through internal reporting channels) and also to public authorities (through external reporting channels). It will also provide protection to whistleblowers against retaliation and require national authorities to adequately inform citizens and train public officials on how to deal with whistleblowing.

One of the main novelties of the Directive is the introduction of the protection of persons who make public disclosures, that is, where persons make information on breaches available in the public domain. Additionally, whilst protection under the Act relates to “employees”, the Directive extends such protection to “reporting persons”, also covering shareholders and persons belonging to the administrative, management or supervisory body of the entity, including non-executive members, as well as volunteers and paid or unpaid trainees.

The definition of “detrimental action” under the Act has also been extended in the Directive which shall cover any form of “retaliation” including suspension, lay-off, dismissal or equivalent measures; demotion or withholding of promotion; transfer of duties, change of location of place of work, reduction in wages, change in working hours; withholding of training; a negative performance assessment or employment reference; and discrimination, disadvantageous or unfair treatment, among others.

Who Does the Directive Apply to?

The Directive covers all natural persons working in the private or public sector who acquired information on breaches in a work-related context, including:

1. any worker (i.e. a person who, for a certain period of time, performs services for and under the direction of another person, in return for which they receive remuneration, and including civil servants);
2. any person who is self-employed;
3. any shareholders and persons belonging to the administrative, management or supervisory body of the entity, including non-executive members, as well as volunteers and paid or unpaid trainees; and
4. any person working under the supervision and direction of contractors, subcontractors and suppliers.

The Directive also applies to reporting persons who no longer work for the entity in question (where they report information on breaches acquired in their work-related activities through their relationship with the entity which has since ended), as well as reporting persons whose work-based relationship is yet to begin (in cases where information on breaches has been acquired during the recruitment process or other pre-contractual negotiations).

What kinds of Breaches may be Projected under the Directive?

In order for a disclosure to fall within the scope of the Directive, it must relate to a “breach”, that is, an act or omission that:

1) Is unlawful and relates to acts of the European Union that concern the following areas:

1. Public procurement;
2. Financial services, products and markets, and prevention of money laundering and terrorist financing;
3. Product safety and compliance;
4. Transport safety;
5. Protection of the environment;
6. Radiation protection and nuclear safety
7. Food and feed safety, animal health and welfare;
8. Public health;
9. Consumer protection;
10. Protection of privacy and personal data, and security of network and information systems;

as well as breaches affecting the financial interests of the Union (i.e. in relation to the fight against fraud, corruption and any other illegal activity affecting Union expenditure, the collection of Union revenues and funds or Union assets) and breaches relating to the internal market, including breaches of Union competition and State aid rules, and breaches relating to the internal market in relation to acts which breach the rules of corporate tax or to arrangements the purpose of which is to obtain a tax advantage that defeats the object or purpose of the applicable corporate tax law; or

2) Defeats the object or the purpose of the rules in the Union acts and areas falling within the areas specified under (i) above.

The Directive shall not apply to reports of breaches related to procurement involving defence or security aspects unless they are covered by the relevant acts of the Union.

Internal and Ecterna Reporting Channels

By virtue of the Directive, all legal entities operating in the public sector and legal entities with 50 or more workers operating in the private sector will be required to establish channels and procedures for internal reporting and for follow-up, which shall enable the entity’s workers to report information on breaches.

These internal reporting channels will need to be designed and operated in a secure manner, ensuring that the confidentiality of the identity of the reporting person and any third party mentioned in the report is protected. The internal reporting channel is to acknowledge the receipt of a report within 7 days of that receipt, and shall provide feedback to the reporting person within a reasonable time frame, that is, not exceeding 3 months from the acknowledgement of receipt.

The Directive also establishes that Member States shall empower the authorities competent to receive, give feedback, and follow up on reports, through external reporting channels. A reporting person may opt to file a disclosure through the external reporting channels after having first reported through internal reporting channels, or by directly reporting through external reporting channels in situations where, for example, such reporting person has valid reasons to believe that:

1. He/she would suffer retaliation in connection with the reporting, including as a result of a breach of confidentiality; or
2. The external reporting channel would be better placed to take effective action to address the breach where, for example, the ultimate responsibility holder within the work-related context is involved in the breach, or there is a risk that the breach or related evidence could be concealed or destroyed.

Public Desclosures

Persons who make information on breaches available in the public domain shall qualify for protection if any of the following conditions is fulfilled:

1. The person first reported internally and subsequently externally, or directly externally as per the procedures indicated above, but no appropriate action was taken in response to the report within the relevant timeframes; or
2. The person has reasonable grounds to believe that:
   • the breach may constitute an imminent or manifest danger to public interest, such as where there is an emergency situation or a risk of irreversible damage; or
   • in the case of external reporting, there is a risk of retaliation or there is a low prospect of the breach being effectively addressed due to the particular circumstances of the case, such as those where evidence may be concealed or destroyed, or where an authority may be in collusion with the perpetrator of the breach or involved in the breach.

Next Steps

While the Directive has not been transposed into Maltese law as of yet, Bill 249 of 2021, the Protection of the Whistleblower (Amendment) Bill was published on the 15^th November 2021, seeking to amend the Act in line with the Directive. It is still unclear whether the Directive will be transposed into Maltese law by the deadline as set out in the Directive, that is the 17^th December 2021.

With the deadline for transposition just a couple of weeks away, we recommend that companies would begin putting into place new Whistleblowing Policies or revising current Policies, so as to begin preparations to comply with the Directive.PRINT THIS PAGE