Part 2: The status of implementation
The objective of this three-part article series is to analyse how the Nordic countries are implementing the new Whistleblowing Directive (2019/1937). In the first part we described the requirements of the Whistleblowing Directive. In Part 2 of this series, we will look at the current implementation status in Finland, Sweden, Denmark, and Norway. Whereas in some of these countries the law has already been passed, in others it is only at the preparatory stage. We will also discuss some specific points of concern in the proposed or accepted laws and their suggested solutions, as well as look at how the objective to provide channels to report corporate misbehaviour can be reconciled with the protection of personal data. In the third part, we will analyse the laws passed in the countries that are currently lagging behind in the implementation process.
1. Finland
Until now, Finland has not had any general legislation on whistleblowing, as such legislation was only implemented in some specific sectors like banking. A working group tasked with preparing the implementation of the directive proposed a new general Whistleblowing Act ("ilmoittajansuojelulaki") to be enacted in 2021. A government proposal to that effect was published on 19 September 2022. Finland is therefore late with implementing the Whistleblowing Directive, as the deadline expired some time ago, on 17 December 2021 to be precise.
In the proposal, the responsibility to establish a whistleblowing reporting channel is given to all establishments that have 50 or more permanent employees. More specific requirements may follow from national legislation. Under the current proposal, notifiers may report defined issues under national and European Union law through a whistleblowing reporting channel. The defined issues are listed in an appendix attached to the new Act and include, for example, environmental protection and data privacy legislation. Notifications not falling under these sectors are not afforded protection. The task of distinguishing between sectors afforded protection and sectors afforded no protection can be challenging for notifiers in practice. The proposal allows group companies to share notification channels, which is a welcome proposition.
Interestingly, the draft proposal does not lay out any direct sanctions for organizations missing a proper notification channel. However, if the notification channels are missing, the notifier can make a notification to specifically named public authorities, such as the Finnish Data Protection Ombudsman.
The proposal states that the companies operating the notification channels usually act as controllers in respect of the processing. Under data protection law, all processing needs a legal basis (Article 6 or 9 GDPR for the data protection pros among you). For the processing covered by the proposal, the processing would count as a "legal obligation". Thus, the legal basis for the collection and other processing of personal data in the notification channels would be covered and no employee consent is needed. The draft proposal does not specify the legal basis for processing notifications that do not fall under the scope of application of the legislation. Taking the Finnish Act on Privacy in Working Life into account, consent would be a possible option here. However, consent in employment is always a tricky legal basis, as it can always be withdrawn. The Act on Privacy in Working Life is currently being amended and we might see an answer to this problem in the coming year.
According to Finnish legislation, the purpose and introduction of whistleblowing notification channels is governed by the cooperation procedure referred to, for example, in the Act on Cooperation within Undertakings. The cooperation can also help the employer to demonstrate accountability in accordance with the General Data Protection Regulation (“GDPR”). Additionally, the Finnish DPA has stated that a Data Protection Impact Assessment (“DPIA”), regulated in Article 35 of the GDPR, should be carried out on the notification channels by the controller.
According to the draft proposal, a notifier may bring a claim against his or her employer, claiming that countermeasures were taken against him/her. To be able to prove that such alleged countermeasures were not taken against a notifier because of a notification, the organization must retain all notifications as well as the information on who inside of the organization had knowledge of them. The proposal states that the retention time for this information should be five years from the submission of the notification unless a longer retention time is foreseen by law or because retaining the data is necessary for the establishment, exercise or defence of legal claims. Personal data that is clearly not necessary for the handling of the notification should be deleted without further delay. Sensitive information or information relating to criminal convictions can be processed only if necessary.
2. Sweden
The Swedish Government’s proposal on new legislation, implementing the Whistleblowing Directive, was published in May 2021. The proposal, approved on 29 September 2021 by the Swedish Parliament, implemented the Whistleblowing Directive by replacing existing legislation with the new Act on Protection of Persons who Report Wrongdoings (2021:890) (the “Act”). The new Act and the amendments to the Public Access to Information and Secrecy Act entered into force on 17 December 2021.
To start with, the group of individuals protected by the whistleblowing regime will be extended to include not only employees, but also further individuals in a work-related context, e.g., candidates, former employees, voluntary workers, and interns. The provisions apply to both the public and the private sector, and all municipalities fall under the scope of the bill. From a company group perspective, a shared and user-friendly whistleblowing channel is allowed for companies with 50-249 employees.
Regarding processing of personal data in the context of operating whistleblowing channels, Chapter 7 of the new Act sets out supplementary requirements to the GDPR. According to Chapter 7 Section 3, data processing is only lawful if it is necessary to follow up on the reports. Hence, one appropriate legal basis for processing in the context of operating whistleblowing channels will likely be legal obligation. Consent from the data subject may also be used as legal basis. However, if consent is used it must be ensured that the consent is freely given which can be difficult if there is inequality or a dependent relationship between the data subject and data controller.
Personal data processed to follow up on the reports may also be processed to fulfil a disclosure of information where (1) the disclosure is necessary for actions to be taken based on what has emerged in a case; (2) the disclosure is necessary because reports need to be used as evidence in legal proceedings; or (3) the processing takes place in accordance with law or regulation. Processing may be conducted for additional purposes provided that the data is not processed in a manner that is incompatible with the purpose for which the data was collected.
In addition to the above, the Act sets out limitation requirements regarding the persons who should have access to the personal data in order to follow up on the reports. According to the Act, personal data in a follow-up of a report may not be processed for more than two years after the case was closed. Given the sensitive nature of data processing related to whistleblowing, the Swedish Privacy Protection Authority has stated that any implementation of systems for whistleblowing reporting channels will most likely trigger the requirement to conduct a DPIA.
3. Denmark
On 25 February 2021, the Danish Ministry of Justice introduced a bill on the protection of whistleblowers, implementing the EU-Whistleblowing Directive. On 24 June 2021 the bill was enacted resulting in the birth of the Danish Act on the Protection of Whistleblowers (the “Act”). The Act entered into force on 17 December 2021.
According to the Act, an internal whistleblower scheme must be made available only to employees. It is optional whether the internal whistleblower scheme is also to be made available to external partners, e.g., suppliers, volunteers, trainees etc. The Act applies to reporting on breaches of certain areas within EU legislation as well as “serious offences and other serious matters”. The latter part of the scope does not follow from the EU Whistleblowing Directive, and as such the Danish Ministry of Justice has extended the scope of the Act beyond what is required under the Directive. According to the preparatory work, serious offences and other serious matters include cases of sexual harassment and other serious personal conflicts in the workplace, including serious cases of harassment. The Act allows group companies to share reporting channels and investigative capabilities. However, the Danish Minister of Justice has the authority to disallow group-wide shared schemes for larger private companies with 250 or more employees.
The Act appears to only permit processing of personal data in connection with whistleblower schemes established in accordance with the Act. Such schemes may process ordinary personal data, special categories of personal data as well as data about (potential) criminal offences, provided it is necessary to handle the report, and the underlying principles of the GDPR must be adhered to at all times. However, this means that whistleblower schemes which fall outside the scope of the Act may not rely on the legal basis for processing of personal data found in the Act. Consequently, the legal basis for processing of such personal data must be located directly in the GDPR and the Danish supplementary data protection legislation.
It follows from the Act that the employer, acting as data controller, must keep records of every report received in compliance with the confidentiality obligation under the Act, and reports must be stored for no longer than is necessary and proportionate to comply with the requirements of the Act. Thus, no time limit is included in the Act and, therefore, the designated whistleblower unit must conduct individual and continued assessments on whether a report falls within the scope of the Act, whether it is necessary to store a report and, in that case, for how long.
Further, the employer is also required to adhere to the transparency requirements found in GDPR Articles 13-14 when processing personal data under a whistleblower scheme. When establishing a whistleblower scheme, the need for a DPIA must also be considered. The Danish DPA has not publicly taken a stance on the need for a DPIA; this should therefore be assessed on a case-by-case basis.
4. Norway*
Norway is not a member state of the EU but is associated with the Union through membership in the European Economic Area (EEA). When the EU adopts directives regulating the internal market, these must also be included in the EEA agreement and, as a result, implemented in Norwegian legislation. The Whistleblowing Directive is still under scrutiny by the EEA/EFTA states, which are considering its relevance for the EEA and whether it will be included in the EEA agreement.
The Norwegian government ordered a report from the law firm Lund & Co ("the Implementation Report") regarding the obligations following from the Directive, mainly whether implementation in the EEA will require changes in Norwegian regulation of whistleblowing and, if so, which changes will be needed. The government received the report in February 2022 and published it for public hearing in June 2022, with a deadline for responses in September 2022. The Implementation Report and the further processing of the Directive are still under consideration by the government.
Norwegian employment legislation already offers protection for employees reporting on their working conditions. However, Norway does not have a designated Whistleblowing Act offering protection to a wider scope of persons than employees or hired employees.
The Implementation Report recommends implementing the Whistleblowing Directive by adopting a new EEA Whistleblower Act (EØS-varslerloven), accompanied by supplementary regulations for some of the Directive's provisions. If this Act is adopted, Norway will have one scheme for employees reporting on censurable conditions, as defined in the Norwegian Working Environment Act (WEA), with their employer, and one scheme for a wider scope of persons reporting on breaches of EEA law. Reporting on breaches of other national law will not be offered protection, which differs from the whistleblowing acts in Finland, Sweden, and Denmark.
The proposed Act does not contain any specific data protection provisions. The Implementation Report states that specific regulation is not needed as the Norwegian Personal Data Act (Nw. personopplysningsloven), implementing the GDPR, will cover the processing of personal data when handling whistleblowing reports regulated by the Act. Further, persons handling whistleblowing reports are bound by a confidentiality obligation.
The Implementation Report notes that the legal basis for processing of personal data is legal obligation. However, the Report does not suggest any legal basis for processing when the legal entity receiving a whistleblowing report is not obliged to handle the report and, thus, another legal basis is necessary in these cases. The proposed Act also states that information from whistleblowing reports governed by the Act can only be stored for as long as necessary to comply with the obligations of the Act or provisions of other laws. A fixed maximum time limit is not proposed. Finally, the Implementation Report does not consider whether there is an obligation to carry out DPIAs on whistleblowing report systems.
It is not yet known when the Norwegian government will submit a draft bill to the Parliament. This might take several months and could also be affected by the efficiency of the adoption process in the EEA.
*We have co-operated with Advokatfirmaet Selmer AS, Norway and their Partner Nils Kristian Einstabland for insight from Norway.