An Overview of the Implementation of the Whistleblowing Directive in the Nordics

Written By

michaelgorm madsen Module
Michael Gorm Madsen

Partner
Denmark

I'm a partner and head of our skilled and dedicated Privacy and Data Protection group in Denmark, advising on a wide range of data protection and e-privacy matters.

tobias brautigam module
Tobias Bräutigam

Partner
Finland

I am a partner and the head of our Privacy and Data Protection group in Helsinki, where I advise our local and international clients on complex privacy and data issues.

Part 1: The status quo

The objective of this three-part series is to analyse how the Nordic countries are going to implement the Whistleblowing Directive. We are going to start the series with an overview of the Directive itself as well as with a summary of the current situation in Denmark, Finland, Norway and Sweden. In later parts of the series, we will analyse what laws have been passed to implement the Directive and in particular how the objective to provide channels to report corporate misbehaviour can be reconciled with the protection of personal data. 

1. Whistleblowing Directive in a nutshell

The Whistleblowing Directive, i.e. Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law entered into force in December 2019. Member States have to implement the Directive by 17th December, 2021. The EU Commission reported the need for effective protection of whistleblowers already in 2014 against the background of several scandals ("Panama Papers"; "Cambridge Analytica") that were revealed to the public by whistleblowers. 

The Whistleblowing Directive aims for a more uniform protection of persons who report breaches of Union law (Art. 1). Qualified reporters of wrongdoing are the employees and officers who have encountered misconduct or illegal activities in connection with their work. Article 2 lists the material scope, i.e. a list of areas of law where reporters of potential misconduct must be protected, such as public health, public procurement, product safety and compliance, transport safety, consumer protection, and protection of privacy and security of network and IT systems. Typically, those are areas where breaches could cause serious harm to the public interest and where it is hard to enforce Union law without help of whistleblower witnesses. While Article 2 on the material scope of the Directive is extensive, it is not exhaustive, i.e. Member States may go beyond what is covered in the Directive.

Currently, whistleblower protection varies between countries. The Directive's objective is to enable confidential reporting and protect whistleblowers against termination of employment, refusal of promotions or salary, transfers or change of work place and discrimination. 

Member States must ensure that the whistleblowing channels are established

The Whistleblowing Directive is directed to Member States, which must ensure that their national legislation mandates internal and external whistleblowing channels according to the following minimum standard:

  1. Companies with over 50 employees have to establish an internal whistleblowing channel. The same applies to municipalities of more than 10,000 inhabitants. Member States may also outsource those channels to third parties. In that case, the third parties need to guarantee confidentiality, data protection, secrecy and independence.
  2. Member States are required to establish external reporting channels, by designating an authority competent to receiving reports, giving feedback and doing follow-up.

Both channels must ensure confidentiality of the processes and that the whistleblowers shall not face any kind retaliation.

A whistleblower shall be granted protection under Art. 6(1) of the Directive:

  • if they had reasonable grounds to believe that the information reported about the potential breach was true at the time of reporting and such information is in the scope of the Directive (and the implementing act); and
  • if the whistleblower used the designated reporting channels.

Member States are required to provide at least the minimum requirements to protect whistleblowers, such as providing them with comprehensive information and advice on legal protection, assistance of an authority and granting certain rights in regard to legal procedures.

2. Finland

Finland does not have general legislation on whistleblowing. Some sector specific laws exist for, e.g. credit institutions, the securities market, fund management companies and insurance companies. Media and non-governmental organisations also have some ethical obligations and means to protect the identities of the reporters. 

In Finland, the Ministry of Justice has set up a working group to assess the implementation of the Whistleblowing Directive with a mandate extending from February 2020 to March 2021. The group will assess the need for a new implementing legislation. Further, the group will review the need to regulate whistleblowing also for the breaches of national legislation and designate the competent authority to supervise external reports.

Under the GDPR, a legal basis, such as consent, legitimate interest or legal obligation, is required for processing personal data (Art. 6–9 of the GDPR). Currently employers mainly rely on legitimate interest as a legal basis for data processing in the context of operating whistleblowing channels. The Finnish Act on the Protection of Privacy in Working Life (759/2004) includes restrictions for processing employee personal data, which makes the use of legitimate interest in the employment context challenging. As a general rule set forth in the Act, employee's consent is required to process data collected from other sources than from the employee herself. However, as pointed out by the European Data Protection Board, securing "GDPR grade" consent in employment context is challenging due to inherent imbalance in every employee-employer relationship and thus other legal bases are recommended. 

In the course of the implementation of the Whistleblowing Directive, it remains to be seen if Finland chooses to enact a law on whistleblowing. This would clarify the current uncertainty regarding the legal basis as legal obligation, Art. 6(1)(c) GDPR, would apply. If the legislator so chooses, such an act could also bring breaches of national law, for instance on sexual harassment or discrimination, under the scope of the Directive.

3. Sweden

In Sweden, there are several provisions in various areas of law concerning the protection of whistleblowers. For example, whistleblowers in the public sector, including companies that are wholly or partly financed with public funds, are protected by the Swedish Constitution and cannot be reprimanded by the employer for using their right to communicate information (Sw: repressalieförbud). Moreover, whistleblowers, in both public and private sectors, are assured certain protection in accordance with the Act on Special Protection Against Reprisals for Whistleblowing Concerning Serious Irregularities (The Whistleblowing Act). As the name reveals, the Whistleblowing Act only applies to the reporting of serious irregularities, meaning offences that can lead to imprisonment, such as fraud and bribery.

Up until the Whistleblowing Directive, the protection offered by Swedish law is strongly focused on monetary compensation to whistleblowers that have been subject to reprisals by the employer. With the new Directive, Swedish authorities and companies will instead be forced to build and implement strong compliance frameworks to facilitate safe and effective reporting channels. Thus, the proactive approach of the Directive will require extensive efforts to adapt to the new legal framework.
              
To initiate the implementation work, the Government has appointed a commission of inquiry with the task to assess the various options for implementing the Directive in Swedish law. The Government has specified that the commission is to examine e.g. to which areas should the rules apply, how the rules relate to other regulation regarding the protection of whistleblowers, measures to protect whistleblowers and other individuals concerned, the establishment and design of internal and external channels and follow-up reporting as well as the issuing of sanctions. The commission of inquiry presented its proposal on June 29th, which will form the basis for the Government's proposal for the new legislation.

4. Denmark

Historically there has not been much regulation on whistleblowing schemes in Denmark. Before the Whistleblowing Directive the existing two pieces of legislation related to mandatory whistleblowing schemes for certain financial institutions (implementing Art. 71 of the CRD IV Directive 2013/36/EU) and the Act on Detecting and Preventing Money Laundering and Terrorist Financing. In June 2020 the Business Authority introduced a new whistleblower hotline targeting fraud in relation to the government compensation packages, which were introduced to support businesses affected by the Covid-19 crisis.

According to the Ministry of Justice, a draft bill on the implementation of the Whistleblowing Directive is expected to be presented to the Parliament in the beginning of 2021. The Ministry is considering whether to expand the scope of the legislation under the Directive to also include reporting on breaches of national legislation in addition to EU legislation, but whether this will happen is uncertain.

In the absence of statutory regulation, the use of whistleblowing schemes has been widespread in Denmark on a voluntary basis. Before the application of the GDPR all whistleblowing schemes had to be notified to and approved by the Danish Data Protection Agency as such schemes potentially require processing of information on criminal behaviour. In their guidelines from this period we know that the Data Protection Agency set up certain conditions for approval, most important of which was that only serious offences could fall within the scope of the whistleblowing scheme. Other offences should be reported through other channels. Further, the Data Protection Agency was of the opinion that no other sensitive data and purely private information than information on criminal behaviour should be processed in the whistleblowing scheme. The legal basis used in Denmark for processing personal data in the context of whistleblowing schemes, both before and after the GDPR, is legitimate interest. In Denmark, information on criminal behaviour may be processed by private data controllers if it is necessary for the purpose of safeguarding a legitimate interest and this interest clearly overrides the interests of the data subject (The Data Protection Act, Section 8).

5. Norway

In Norway, whistleblowing is regulated in the Norwegian Working Environment Act ("WEA") Chapter 2A. Under the Norwegian provisions employees are entitled to report censurable conditions in the undertaking. In addition to employees, a number of other personnel groups are regarded as employees in terms of whistleblowing, such as students, military personnel, inmates, patients, persons who for training purposes or in connection with work-oriented measures are placed in undertakings without being employees and persons participating in labour market schemes. Censurable conditions include, among others, breaches of law or other ethical standards, such as danger to life and health, climate or environmental hazard, corruption or other financial crime, dangerous working environment, harassment and breach of personal data security. Whistleblowing exclusively related to an employee’s own employment is not be covered by the definition censurable conditions.

Under Norwegian law employees are also required to report harassment and discrimination as well as risks to life or health. 
Any form of retaliation against a whistleblower is prohibited, and any breach in this regard is subject to liability for economic and non-economic damages. The employer has to investigate whistleblower complaints within a reasonable time and employers with five or more employees are obligated to establish a written whistleblowing procedure. 

The relevant legal bases for processing personal data in relation to whistleblowing under the GDPR are Art. 6.1 c) compliance with a legal obligation and f) legitimate interest. Special categories of personal data can be processed if this is necessary to comply with the employer's obligations and rights pursuant to the Norwegian Personal Data Act, Section 6. 

The main difference between the Whistleblowing Directive and the current Norwegian legislation is that the Whistleblowing Directive covers a wider sphere of personnel, but includes a more limited selection of topics the whistleblower complaints may address. New rules are also introduced, for instance, concerning whistleblowing channels. 

The Whistleblowing Directive is marked as EEA relevant by the EU and is under scrutiny by the EEA/EFTA for incorporation into the EEA agreement. There is no conclusion on the EEA relevance for the time being. In Norway the Whistleblowing Directive is under assessment by the Ministry of Labour and Social Affairs together with the Ministry of Justice and Public Security and the Ministry of Foreign Affairs.  

6. Conclusion

The current state of Whistleblowing regulation in the Nordics varies significantly between the countries – some already regulate more extensively than others, but in general, in all countries the existing regulation is concentrated on limited areas and rather serious offences. The upcoming Whistleblowing Directive will require efforts from all Nordic countries to implement the required channels in both private and public sector and to extend them to fields not previously regulated. Most importantly, all the countries must reinforce their measures for protecting whistleblowers.

In the next part of this series, we will take a look on the working groups' processes in more detail and discuss some specific points of concerns and their suggested solutions.

We have co-operated with Advokatfirmaet Selmer AS, Norway and their Senior Lawyer Anja Lange for insight from Norway.

View part 2 here 

 

Latest insights

More Insights
Curiosity line teal background

China Cybersecurity and Data Protection: Monthly Update - December 2024 Issue

17 minutes Dec 23 2024

Read More
featured image

EDPB weighs in on key questions on personal data in AI models

1 minute Dec 20 2024

Read More
featured image

Update on recent UK data protection guidance in the financial services space

3 minutes Dec 19 2024

Read More