Broad jurisdiction and remit. First off, if you’re reading this and thinking “well, it won’t apply to me, because…” please think again. The Directive’s language about jurisdiction is written extremely broadly and covers any behavior that impacts residents of the Union. That means that employees outside the EU who raise concerns about behavior at their multinational that has EU operations are arguably in-scope. If you have any questions about whether the Directive applies to your organization and which employees might be covered, strongly consider taking a “just do this for everyone” approach.
Broad – very broad – definition of retaliation. Naturally, a whistleblower directive is going to be focused on retaliation, but the Directive defines retaliation broadly. For example, it covers harm to reputation, noting “effective protection of reporting persons as a means of enhancing the enforcement of Union law requires a broad definition of retaliation, encompassing any act or omission occurring in a work-related context and which causes them detriment.” It contemplates both direct and indirect retaliation as well, “vis-à-vis facilitators, colleagues or relatives of the reporting person who are also in a work-related connection with the reporting person’s employer or customer or recipient of services.”
Broad definition of matters a whistleblower might report. The Directive covers both breaches of Union law that have already taken place as well as breaches that have not yet materialized but are likely to take place. Don’t have evidence of a breach, but you have reasonable concerns or suspicions that one might occur soon? You’re covered as a whistleblower. Companies must therefore prepare to protect even those who raise concerns and prevent a breach of law the same way that they would protect an individual who reports an already-committed crime from retaliation.
This will mean making sure that any retaliation training or monitoring does not depend on substantiation of the underlying facts. Now is a good time to review the way in which you train and support investigators to make sure every person who raises a concern gets the same expectation-setting conversation at the front of an investigation, regardless of how they may raise the issue or which function is handling the investigation.
Member States shall take the necessary measures to prohibit any form of retaliation against persons referred to in Article 4, including threats of retaliation and attempts of retaliation including in particular in the form of: (a) suspension, lay-off, dismissal or equivalent measures; (b) demotion or withholding of promotion; (c) transfer of duties, change of location of place of work, reduction in wages, change in working hours; (d) withholding of training; (e) a negative performance assessment or employment reference; (f) imposition or administering of any disciplinary measure, reprimand or other penalty, including a financial penalty; (g) coercion, intimidation, harassment or ostracism; (h) discrimination, disadvantageous or unfair treatment; (i) failure to convert a temporary employment contract into a permanent one, where the worker had legitimate expectations that he or she would be offered permanent employment; (j) failure to renew, or early termination of, a temporary employment contract; (k) harm, including to the person’s reputation, particularly in social media, or financial loss, including loss of business and loss of income; (l) blacklisting on the basis of a sector or industry-wide informal or formal agreement, which may entail that the person will not, in the future, find employment in the sector or industry; (m) early termination or cancellation of a contract for goods or services; (n) cancellation of a licence or permit; (o) psychiatric or medical referrals
Broad responsibilities to follow up with reporters. The Directive codifies good investigatory practices for internal reports, including following up with reporters within a reasonable time frame—specifically defined as not more than three months later—about the action(s) taken in response to their report. It affirms an obligation to inform the reporter of “the investigation’s progress and outcome,” and sets an expectation that a response will be provided to an initial report inside of seven days.
This should trigger a review of your current processes to both launch and close an investigation. How personalized is your response to an employee? Does it name the person who will be following up? If you rely on the reply from your third-party hotline provider, what’s your follow up protocol to that? When it comes time to close an investigation, how do you notify the known reporter? Do you have a process whereby the closure of an investigation requires going back to the person who started the inquiry to say thank you, we’re finished, and find out how their experience went? If not, consider implementing such a process.
Broad burden-shifting in the event of allegations of retaliation. This may be the biggest piece of the Directive in terms of impact. Due to the difficulty of demonstrating retaliation, once a reporter demonstrates prima facie that she reported breaches and suffered a detriment, “the burden of proof should shift to the person who took the detrimental action, who should then be required to demonstrate that the action taken was not linked in any way to the reporting or the public disclosure.” In other words, if I raise a concern, and after something happens to me that falls within the Directive’s very broad definition of retaliation, that is all I must show to claim retaliation. The burden then shifts to my company to show that what happened to me wasn’t retaliation.
This shift should trigger a long conversation about how managers need to be prepared to watch for indications that employees who raise a concern are experiencing negative effects from that act of courage (remember: the definition of retaliation is very broad, and your managers are best suited to prevent all of it). If you are not already training managers specifically on how to prevent retaliation in their parts of your business – beyond merely noting in harassment training that retaliation is prohibited – this should be a high priority.
Bottom line, if you operate in the EU, now is the time to look at your investigations process and make sure you have established protocols to follow up with reporters both at the beginning and the end of an investigation. You should also review your average days to close and make sure you are under 90 days in most cases, so that your follow up is reasonable. You also need to review how you are talking to your managers about retaliation prevention, since managers are in the best position to prevent the kinds of actions the Directive contemplates, especially ostracism. Finally, carefully review how you are monitoring for indicia of retaliation like negative performance evaluations; does your system automatically flag known reporters when their performance evaluations change?
About the Expert:
Erica Salmon Byrne is Executive Vice President for Ethisphere , where she has responsibility for the organization’s data and services business and works with Ethisphere’s community of clients to assess ethics and compliance programs and promote best practices across industries. Ms. Salmon Byrne also serves as the Chair of the Business Ethics Leadership Alliance; she works with the BELA community to advance the dialogue around ethics and governance, and deliver practical guidance to ethics and compliance practitioners around the globe.
