Whistleblower Protection Compliance Tool
Previously saved progress has been found. Do you want to:
This tool has been developed by Blueprint for Free Speech to evaluate the local transposition of Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law (the EU Whistleblowing Directive). The accompanying report Getting Whistleblower Protection Right: A Practical Guide to Transposing the EU Directive can be downloaded from the menu.
The tool consists of a survey with six groups of questions, which should be completed with reference to an existing law or legislative proposal. Once completed, a score will be calculated, assessing the law on three separate criteria, namely compliance with the Directive, conformity with international standards, and whether the law or proposal forms an adequate response to the issues raised by the COVID-19 pandemic.
For a detailed explanation of how our scoring works, you can look at our worked example.
The tool will automatically save your progress by storing your answers in your web browser's Local Storage. If you reload the page and a previously stored survey is available you will be given the option to reload and resume.
Note that if you are viewing this page in a Private Browsing or Incognito window your progress will not be saved automatically. This is because Local Storage will be cleared by the browser when you close the window.
In this case, you can save your progress to an external file by selecting the Save to File option in the dropdown menu. A previously saved survey can be reloaded using the Load from File option.
If you wish to clear any stored survey data from your browser select Clear Data from the menu.
At the end of the survey you will be given an opportunity to share your responses with Blueprint for Free Speech. This is to help our research into implementation of the EU Directive. You are not obliged to share any data with us and no survey data will uploaded without your express consent.
This online tools will help you determine if a draft or actual law complies with the EU Directive protecting whistlelblowers. It may also be helpful to evaluate other laws outside Europe as well against the new European standards brought in by the Directive.
In the scoring, there are three core parts of the Directive that must be present in order to get a passing score. Without them, regardless of whether the other sections provide enough points to pass, the proposed law fails to meet the standard. These are:
Below is the contents of the save file. You can copy and paste this into to a file, or you can click the Save button to save the named file to a location of your choosing.
Click Open File to select the saved file you wish to load or copy and paste the contents below and click Load Contents:
Warning: This will overwrite any survey data currently in progress. If you wish to keep such data please Save to File first.
This will clear survey data from your browser. If you wish to keep the data please Save to File first.
Blueprint for Free Speech does not collect any personal information during the usage of this survey. If you are viewing this survey online some web server logs may be created.
You can complete this survey offline by downloading the Offline Tool from the website. If working Offline the survey does not make any requests to other servers, unless you choose to submit your results at the end, which is entirely optional
If you choose to submit your results at the end we will ask for some additional details to provide context to the results, namely the country they refer to. You will be issued with a random identifier that will be included in your survey results so you can request future deletion if you so choose.
If you choose to submit your results the data will be encrypted prior to submission, when it will be sent through a web form to Blueprint for Free Speech.
By sharing your with Blueprint you make it easier for us to track how governments across Europe are progressing in passing national laws to protect whistleblowers. Below you will see an encrypted copy of your survey results which will be uploaded to Blueprint for Free Speech. We ask you to select which country the survey was completed in regard to and you can include some further information about yourself if you wish. The survey will be submitted via a web form. If you would prefer not to submit via a web form please copy and paste the contents below into an email and send to compliancescore@blueprintforfreespeech.net.
The creators of this online tool thank Professor David Lewis of Middlesex University, Tom Devine and Samantha Feinstein of the Government Accountability Project (GAP), as well as legal firm Latham & Watkins for their valuable insights and reviews.
Blueprint for Free Speech gratefully acknowledges the support of the Open Society Initiative for Europe within the Open Society Foundations. The Expanding Anonymous Tipping (E.A.T.) Project also gratefully acknowledges the Internal Security Fund of the European Union.
The EU Directive adopts a broad, horizontal approach that ties whistleblower protection to the working of the Single Market and matters affecting the financial interests of the Union. This means that the Directive comes close to covering everything the EU could legislate on.
See Directive 2(1)
Issues outside of EU competence are not covered by the Directive, and the decision to extend reportable wrongdoing on other matters is reserved to EU Member States. The Directive includes an explicit carve out for national security matters. Nevertheless, the Directive is clear that it should be regarded as a minimum standard and that Member States can provide stronger and more expansive protections if they wish.
Best practice is to ensure that all whistleblowers, including in the national security, police and intelligence sectors, do have some form of recourse, whether that be to a specialised internal mechanism or to an oversight institution.
See Directive 2(2), 3(2), 3(3)
To look at the limits of the Directive from another angle, strictly speaking it covers only EU regulations and those Directives which have been applied in national law.
See Directive 2(1)
The Directive encourages Member States to go over and above what is required. In order to ensure that the scope of whistleblower protections are intelligible to non-specialists, they should be extended to cover matters covered in national legislation only.
Member States may also wish to consider whether whistleblower reports about breaches of ethics codes and similar standards that do not have legal status should be protected.
The Directive defines a breach as an act or omission that is either unlawful or defeats the object or purpose of the law. Omissions in this sense should include purposeful omissions (not enforcing regulations) as well as non-purposeful ones (negligence). Protection extents to information on potential breaches or efforts to cover them up.
See Directive 5(1), 5(2)
Waste and inefficiencies do not necessarily result from negligence and are an example of issues that may well form the subject matter of valuable reports but are not explicitly covered by the Directive. This may be an area where Member States or individual organisations wish to expand on the Directive standards.
In any case, the Directive provides that a whistleblower is entitled to protection if they had reasonable grounds to believe that their report was within the scope of the Directive.
See Directive 6(1)(a)
While there is no explicit language in the Directive about reports with cross border implications, it is clear from implication that these should be covered, at least where the other country is also an EU Member State.
See Directive 6(4), 20(1)(c), 27(3)
The personal scope of the Directive is very broad and covers anyone who acquires information on breaches in a work-related context – that includes shareholders, former employees, volunteers and those going through a recruitment process. “Work-related context” should be interpreted broadly: it does not matter what the nature of those activities are.
See Directive 4(1), 4(2), 5(9)
The requirement for information to have been acquired in the context of work activities does, nevertheless, means that the Directive falls short of protecting all citizens. A hospital patient would not be covered, nor someone who witnesses a wrongful arrest. Some proposals recommend extending coverage in this area. Whistleblowing schemes that are open to the public already exist in some EU Member States, such as France and Spain.
France: Loi Sapin II https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000033558528&categorieLien=id
Spain: Ley, de la Generalitat, de la Agencia de Prevención y Lucha contra el Fraude y la Corrupción de la Comunitat Valenciana / General Law on the Antifraud Agency of the Community of Valencia https://www.antifrau.cat/sites/default/files/noticies/20161118-agencia-prevencio-contra-frau-valencia.pdf
The Directive requires that someone making a report should have acquired that information in the course of their work-related activities and that the information concerns an organisation they are or have been in contact with.
There is no requirement for a whistleblower to be in a direct working relationship with the subject of their report, or to have been in one in the past.
See Directive 5(2), 5(9)
Good faith requirements are onerous for whistleblowers and their absence from the Directive is deliberate. Neither are whistleblowers required to establish their allegations to a legal standard of proof.
A whistleblower is required only to have reasonable grounds to believe that the information in their report is true. If an investigation later determines that a report is not well-founded, the person who made that report does not lose their entitlement to protection.
Knowingly false reports or public disclosures are not protected by the Directive and may be subject to penalties.
See Directive 6(1), 23(2)
See Directive Recital 32
Whistleblowers who are entitled to protection under the Directive rules can seek dismissal of legal proceedings on a range of grounds, including defamation, breach of copyright, data protection and disclosure of trade secrets.
The situation is slightly more complicated when it comes to criminal liability. The Directive provides that there is an exemption to general immunity from prosecution if the acquisition or access of information does not constitute a “self-standing criminal offence.”
This clause provides a potential of legal uncertainty. It is not uncommon for the acquisition of internal information a whistleblower relies on in their report to be characterised as theft. Preventing these kinds of legal vexatious proceedings was, in fact, one of the inspirations behind the Directive.
The Directive recitals clarify the situation somewhat, specifying physical trespass and computer misuse as examples where national criminal law should apply. Nevertheless, care should be taken here too.
Computer misuse laws are typically expansive and lack a public interest test. It is likely that many disclosures related to data protection or network security – both areas that are explicitly covered by the Directive – could also constitute technical breaches of computer crimes statutes.
If immunity is not to be extended to these areas, then national courts should carefully consider the necessity and proportionality of such actions in relation to the report or public disclosure at issues.
See Directive 21(3), 21(4), 21(7)
See Directive Recital 92
The Directive recognises that not only do whistleblowers often seek the assistance of third parties, those individuals and organisations can themselves become the subject of retaliation. Relatives and colleagues of the whistleblower and legal entities directly connected to the whistleblower are entitled to all the protections the Directive provides.
There is also a provision for the protection of “facilitators”, who are defined as natural persons who “assist a reporting person in the reporting process” in a confidential manner.
See Directive 4(4), 5(8)
The facilitators provision excludes legal entities, but it is open to Member States to improve on the baseline protections in the Directive. Consideration could be given to whether legal entities – such as media organisations, NGOs and professional organisations should also be granted protection.
The ability of whistleblowers to make a choice about where to make a report – whether to their employer, to an external regulator or, in more limited circumstances, to the media – is a key feature of the Directive.
Mandatory internal reporting – an obligation for a whistleblower to make a report to their employer before having recourse anywhere else – was a contentious issue while the Directive was being concluded. It was ultimately rejected.
While the overwhelming majority of whistleblowers - over 90% - will typically make an internal report first, the ability to have initial recourse to a regulator is critical in the minority of cases where an employer is likely to disregard a report or, worse, penalise the whistleblower and destroy evidence when alerted to wrongdoing.
The Directive allows Member States to encourage internal reporting, but not at the expense of providing full information about when a whistleblower might choose to go elsewhere.
Meeting the required standard in this area of the Directive is an essential part of an effective transposition.
The US experience showed that the absence of mandatory internal channels overloads competent authorities with false or irrelevant reports.
See Directive 7, 10, 15
The Directive also regulates the creation and functioning of external channels, typically defined as Competent authorities.
Some reporting routes are not explicitly mentioned in the Directive, for instance national governmental or representative bodies. Given that recourse to EU institutions or agencies is defined as external reporting in the Directive, there may be merit in defining a similar situation for domestic institutions in national law.
Existing rights to go to law enforcement or trades unions should not be affected by the Directive.
See Directive 3(4), 6(4)
A large number of whistleblowing cases involve individuals being penalised for communicating information as part of their normal work duties. This is particularly the case for those in compliance, audit and health and safety roles. Creating a specific protected channel for whistleblower disclosures should not leave work-related speech that happens elsewhere vulnerable to retaliation. While the Directive’s recitals state that duty speech is protected, member states may want to ensure this is explicit in transposition.
See Recital 62
One of the most significant provisions of the Directive is the obligation it places on employers to set up secure and confidential internal channels to handle whistleblowing reports.
Private and public sector organisations employing 50 or more people are obliged to set up these channels. This does not override existing obligations for companies in some sectors (such as financial services) where these are more onerous.
Member States have the option of exempting municipalities with less than 10,000 inhabitants from these requirements.
Organisations in the private sector employing fewer than 250 people are allowed to share resources for the receipt and investigation of reports, as long as all the requirements for internal channels are met.
See Directive 8(1, 3-6, 9)
Member States have the option of extending these requirements to private sector entities employing fewer than 50 people. The Directive suggests this may be appropriate for the management of risks to public health and the environment in particular organisations.
Where Member States wish to extend internal channel obligations in this way, they are obliged to notify the Commission with their reasons and criteria relied on in their risk assessment.
Non-profits are not specifically mentioned in the Directive but might be best considered as a subset of legal entities in the private sector.
See Directive 8(7-8)
Private sector organisations are allowed to contract third parties to operate internal reporting channels on their behalf. Identical standards apply to those third parties as they do to organisations operating their own channels.
See Directive 8(5)
Where whistleblowing channels are contracted out to third parties, there is the potential for conflict of interest and detriment caused to whistleblowers as a result. Consideration should be given to whether minimum standards should be set down in law, as they are in the Netherlands.
Netherlands: Wet Huis voor klokkenluiders https://wetten.overheid.nl/BWBR0037852/2018-06-13
The Directive sets out some specific requirements for how internal channels should operate. They are supposed to be designed with confidentiality in mind and made the specific responsibility of an individual or department.
There must be scope for reports to be made in writing, orally and in person, if that is requested.
Those charged with operating the channel are expected to keep communication with the whistleblower open. A reporting person is entitled to have their report acknowledged within seven days and receive feedback within three months.
See Directive 9
Internal channels must be open to employees, but organisations have the option of opening their whistleblowing to others who do have been in contact with it in the course of their working activities. This includes volunteers, contractors and shareholders.
Facilitating anonymous reporting is suggested as an option in the Directive. The use of online dropboxes allows for anonymous reporting that maintains a means of communication between the whistleblower and the person receiving the report.
Training for those operating internal channels is not required under the Directive but, given that it is mandatory for those operating external channels, it should be regarded as best practice.
Similarly, while there is a requirement for those operating internal channels to keep records for the purpose of investigating reports, there is no obligation to maintain or publish statistics on the number of reports received and outcome of investigations. Employers may wish to consider doing so as a means of showing that their measures are working as intended.
See Directive 8(2)
Requirements for external channels under the Directive are similar to those for internal channels, but more onerous in some respects. This reflects not only that external channels are likely to handle the most serious initial reports and those escalated from internal channels.
Those operating external channels are expected to provide training to those dealing with whistleblower complaints and have set procedures for transmitting reports to those best placed to investigate them. Those procedures need to be set up in specified manners regarding the granting of confidentiality of personal data, reporting and accessibility.
Member States are granted significant freedom in the institutional design of external whistleblowing schemes and may explicitly consider the introduction of dedicated independent oversight.
EU regulators have included “relevant institutions, bodies, offices or agencies of the Union” as eligible recipients for external reports, which suggests national agencies should be treated in the same way.
See Directive 11,12
What constitutes a public disclosure for the purposes of the Directive is not defined. While much discussion of public reporting focuses on the relationship between whistleblowers and journalists, there is nothing that says that journalists necessarily have to be involved in such disclosures.
Direct publication, for instance the publication of an op-ed, a blog or a post on social media, should also be understood as types of public reporting.
See Directive 15
While whistleblowers are able to make their report public in the first instance, the Directive sets a high bar for this. A report must either “constitute an imminent or manifest danger to the public interest” with the risk of emergency or serious damage, or the whistleblower has reason to believe that using other channels will be fruitless or risky.
Public reporting is also protected in situations where other reporting channels have been tried and no appropriate action has been taken in the given timeframe. The Directive recitals clarify that this covers situations where investigations have been conducted but appropriate remedial action has not been taken. If a report has been wrongly assessed as being of minor importance, the recitals suggest this may be a reason to go public.
Where national laws already offer greater protections – for instance in Sweden, where source protection is guaranteed at a constitutional level – these are not affected by the Directive.
See Directive 15
See Directive Recital 79
Courts are likely to interpret “imminent or manifest danger” narrowly. Member states may therefore wish to consider whether the Directive’s treatment of public reporting offers effective protection to whistleblowers who have information on issues of considerable public importance. To strengthen legal certainty, clear definitions of what constitutes imminent or manifest dangers to the public interest should be included.
Notwithstanding the prominence of anonymous disclosures in public debates around whistleblowing, the provision of anonymous reporting channels was a contentious issue during Directive negotiations.
The Directive contains one firm commitment on anonymity, to ensure that whistleblowers who make anonymous reports are not deprived of protections. Where the identity of someone who has made an anonymous report becomes known, they are entitled to the same duty of confidentiality and protections against retaliation as whistleblowers who have used other channels.
See Directive 6(2-3)
See Directive Recital 14
Beyond this commitment, the Directive suggests that Member States consider whether to require internal or external channels to facilitate and investigate anonymous reports.
The duty of confidentiality is a key part of the Directive. A key characteristic of ineffective or compromised reporting channels is that they communicate the identity of a whistleblower to those who are the subject of their report.
The Directive therefore lays down detailed rules about the treatment of personal data and the need for this to be restricted to authorised persons. Those operating reporting channels have a responsibility to comply with data protection rules, with the purpose of information collection in this context to be to ensure that an investigation can be properly carried out.
Confidentiality applies not only to personal data, but also to other information from which the identity of the reporting person could be deduced.
There should be penalties for those who breach this duty of confidentiality.
See Directive 8(6), 9 (1), 12 (1), 13, 16, 23(1)(d)
An additional means of protecting against breaches of confidentiality is to allow whistleblowers to make their report anonymously. Member States should consider mandating the provision of options for anonymous reporting and ensuring that such reports are investigated.
Encrypted online drop-box systems allow for follow up of anomymous reports, which greatly assists investigation.
There are limited exemptions from the general duty of confidentiality, for the purpose of investigating a report or for judicial proceedings.
A whistleblower’s identity may be disclosed if they give explicit consent or if it is assessed to be “necessary and proportionate” for investigation purposes, in the context of national law. Where this is the case, a whistleblower should be sent notification and an explanation in writing.
“Disclosure” in this context means disclosure to indivduals who are not authorised staff members, rather than disclosure to the public.
See Directive 16
The operation of these provisions depends to a great extent on national legal frameworks. Member states should refer to relevant legal obligations when putting these provisions into national law.
All forms of retaliation, and attempts at retaliation, are prohibited under the Directive. The Directive text includes a non-exhaustive list of many types of retaliation and Member States should ensure that informal and social varieties of reprisal are encompassed in their definition.
See Directive 19
Notwithstanding that the Directive’s list of examples is non-exhaustive, it is possible that some retaliatory measures are not recognised as such. Due to its cross-jurisdictional nature, extradition is not always understood as a variety of retaliation, despite increases in its use against both whistleblowers and journalists.
Should a case involving a whistleblower end up in legal proceedings, it is for the employer to show that any action taken against a whistleblower was not as a consequence of their report.
This reversed burden of proof is an important clause in the Directive, which makes a significant difference for the ability of whistleblowers to receive the protections they are entitled to in law.
See Directive 21(5)
The Directive requires Member States to introduce penalties for retaliating against or obstructing a whistleblower (or attempts to do so), breaching the confidentiality due to a whistleblower or for a whistleblower to make a knowingly false report or public disclosure.
The nature of these penalties is left up to the discretion of the Member States. It is important that a proportionate approach is taken, lest the overall objective of the legislation – to encourage whistleblowers to come forward – is compromised.
See Directive 23
The issue of penalties for making a knowingly false report are a case in point. Laws against defamation are likely to already be present in most EU jurisdictions.
Where a new course of action or criminal offence is proposed, this may impact freedom of expression rights as well as whistleblower protection. Such proposals require very careful examination.
Rights and remedies provided for in the Directive cannot be waived or abrogated in any kind of agreement, including settlements and non-disclosure agreements.
See Directive 24
Many kinds of support for whistleblowers are envisioned in the Directive, but most are optional and left up to the discretion of Member States to put into law.
Obligatory elements include the provision of free and independent advice. Internal channels must make information on how to make a report and methods of recourse available to employees. Operators of external channels must publish information online.
Member States are also obliged to provide legal aid to whistleblowers in criminal and cross-border civil proceedings.
See Directive 20(1)
Member States may wish to consider whether the compulsory legal aid requirement in the Directive is comprehensive enough to cover all the types of legal action a whistleblower might be subjected to. In particular, consideration should be given to the costs a whistleblower might encounter during employment and other civil proceedings.
Other types of support Member States may choose to provide include health and psychological support, interim relief and financial assistance. They may wish to introduce a certification scheme whereby a whistleblower can demonstrate their status pending investigation.
Member States may also establish a dedicated agency responsible for providing whistleblowers with information or support.
See Directive 20(2-3)
The Directive includes an assertion of basic rule of law principles for those who are the subject of reports (“persons concerned”), including the presumption of innocence and a fair trial. There is a duty of confidentiality towards persons concerned as there is for whistleblowers.
See Directive 22
One area for remedy that requires careful consideration are penalties for those who use whistleblowing channels to make knowingly false reports, or disclose such information publicly.
Care should be taken to ensure that the approach taken here is proportionate and does not act as a disincentive to those who are considering making a report, as that would defeat the point of the Directive.
Laws against defamation are likely to already be present in most EU jurisdictions. Where a new course of action or criminal offence is proposed, this may impact freedom of expression rights as well as whistleblower protection. Such proposals require careful examination.
See Directive 23
The Directive establishes record-keeping duties for operators of internal and external channels in order to ensure that investigations can be conducted properly.
Operators of external channels are expected to keep records of the individual report, which can be inspected by the whistleblower on request, together with aggregated data on the total number of reports received, the outcome of investigations and the funds recovered as a result.
The standards for internal channels are less onerous and require only that proper records of reports be taken for the purposes of an investigation.
See Directive 18
Operators of internal channels may wish to consider keeping aggregated statistics on the number of records received and outcomes. There may be a reputational value in doing so, in addition to building confidence in the system.
We suggest that in addition to keeping records of investigation outcomes, operators of external channels record the reasons for not launching investigations. Large numbers of reports are being closed as trivial or repetitive may warrant further investigation.
The Directive mandates the collection of certain statistics on the national level. These include the total number of reports received by external channels and the number of investigations launched on the basis of those reports together with an estimate of the financial loss caused by the matters under discussion and any funds recovered.
See Directive 27
It may also be valuable to aggregate data on the outcome of reports and any legal proceedings initiated in relation to reports. This should include any proceedings for retaliation or for making a knowingly false report.
The European Commission intends to conduct a review of how the legislation is operating after four years.
The Directive does not stipulate what review processes should take place at the national level, other than that certain statistics should be recorded and that a review of external channels needs to take place at least every three years.
In practice civil society plays an important role in reviewing how national systems are working and we can expect that to continue.