EU whistleblower anonymity laws & anonymous whistleblowing protection in 2023

The EU Whistleblowing Directive recommends but does not mandate full whistleblower anonymity when it comes to reporting wrongdoings. Generally, anonymous whistleblowers are not protected in most EU Member States. Employees who disclose misconduct must do so under the condition that they will be identified during the whistleblower investigation. Croatia, Cyprus, France, and Portugal have adopted laws that support anonymous disclosures of misconduct. The Netherlands and Spain have also drafted rules that allow whistleblower anonymity. Yet, for many other Member States, implementing a requirement for anonymous reports has posed a challenge. For example, legal experts and rights advocates have criticized Poland, Germany, and Lithuania for not introducing measures that are comprehensive enough.  

Whistleblower Anonymity in the EU

Most EU businesses are already familiar with dealing with breaches of confidentiality. They may have contract clauses or policies related that restrict disclosure of trade secrets and keep sensitive financial or personal information confidential. The EU Directive adds another layer of complexity to the issue of confidentiality. Member States are now required to mandate organisations and businesses to maintain confidentiality during the whistleblowing process. This requirement can pose a challenge to small groups of employees.

Confidentiality is different than whistleblower anonymity. Anonymous reporting is a process by which employees can disclose wrongdoing without revealing their identity. Under the current EU Whistleblowing Directive, each Member State may decide if anonymous whistleblowers are protected when dealing with such disclosures. This means several countries continue to have varying approaches to whistleblowing. Some choose not to allow anonymous reporting by employees. Others make it a requirement for all disclosures. A few of them leave it to companies to provide anonymity without publicizing the option, while others choose not to investigate anonymous reports at all.

EU Member States’ Approach to Whistleblower Anonymity

The different approaches to dealing with anonymous reporting mean that several Member States have developed their own rules regarding whistleblower anonymity. In Lithuania, organizations are required to set up an internal whistleblowing channel that guarantees confidentiality and provides accessible information to all employees. While this is in line with the EU Whistleblower Directive rules, there is no national requirement mandating anonymous reports in order to protect the whistleblower’s identity. However, if there is reason to believe that a breach of confidentiality has taken place or attempts have been made to hide the wrongdoing, then disclosure to external authorities is encouraged for public interest.

The EU Directive states the following: “Member States may decide whether private and public entities and competent authorities accept and follow up on anonymous reports of breaches falling within the scope of this Directive.” In Poland, whistleblower protection rules have been criticized for not being comprehensive enough. In June 2022, law makers shared a draft of the Polish Whistleblower Act that did not include anonymous reporting. According to Polish law, anonymous reports by whistleblowers are not considered legitimate disclosures. This means people who choose to disclose wrongdoings may be exposed to retaliation for whistleblowing or have their identity revealed. The choice is left up to the business or organisation to use an anonymous whistleblowing system or not. There is no assurance that a whistleblower’s identity will be protected if they report violations internally or to external authorities.

In Latvia, Whistleblowing rules were introduced in 2018. Whistleblowers have since been allowed to file their complaint anonymously. However, once the investigated is completed, the report and identity of the employee are made public. In January 2022, Latvia amended its rules to better align with the Directive and Cabinet Ministers have stated that whistleblower anonymity is now protected under the law. It is the only Member State to include climate crimes as legitimate wrongdoings.

In Germany, law makers have proposed letting each company decide how to deal with anonymity. Ireland and Denmark have not included a provision for anonymous reports. Anonymous reports are accepted because they help maintain confidentiality. The nation encourages anonymous reporting and views breaches in confidentiality as violating human rights and existing data protection laws. However, disclosing trade secrets can lead to penalties.

EU Directive and Anonymity: Transposition Challenges

The varying approaches complicate the ability of Member States to protect whistleblowers against retaliation. While there are anti-retaliation protections in place, it is up to each individual country to decide what type of penalties to levy against companies or individuals who retaliate, breach confidentiality, or try to stop whistlebowers from reporting wrongdoings to authorities. That said, the EU Directive has placed the burden of proof on companies and organisations to prove that any suspension, lay-off, dismissal, demotion is not based on the report employees submit.

For example, Hungarian whistleblower protection only applies when a complaint is filed with external regulators. There are few if any internal reporting mechanisms in the private sector, although companies are encouraged to use whistleblowing hotlines and tools. Companies are not required to receive anonymous complaints and authorities will not take reports from anonymous whistleblowers if the report is made in bad faith. The definition of ‘good faith’ is not clear, which can increase the risk of confidentiality breaches because the decision is left to the individual or entity.

Throughout her career, Maltese journalist Daphne Cruana Galizia reported on her government’s corrupt practices and ties to organized crime. As a result, she was subjected to threats, intimidation, lawsuits, and arrests. In 2017, she was killed when a car bomb exploded in her vehicle. This raises important concerns about Malta’s approach to whistleblower protection. The law clearly states that whistleblower reports made anonymously are not protected. As it is, Maltese whistleblower rules provide some protection against retaliation such as dismissal or harassment, but employees must reveal their identity in order to qualify. This has created the perception that Malta’s law is unreliable and inefficient.

Solutions for Whistleblowing Anonymity

Because EU Member States have adopted different approaches to dealing with whistleblowing anonymity, companies are left with making the decision on their own. If you’ve decided to implement an internal anonymous reporting channel, there are a few things to consider as you develop and implement your strategy.  

Specialized training on how to handle cases and ensuring confidentiality should be provided to those who work in internal compliance or ethics. Topics may include:

  • Understanding the different approaches Member States are taking when it comes to anonymity
  • Developing an anti-retaliation strategy
  • Explaining the EU Directive requirements for confidentiality (and non-requirements for anonymity)
  • Knowing how internal mechanisms for reporting help maintain confidentiality and/or anonymity.  
  • Implementing a strong whistleblower software tool that will take the guess work out of the process.

When employees don’t have a secure, anonymous way of reporting wrongdoings, they are less likely to use internal procedures and more likely to reach out to public channels such as the media. To learn more about why employees choose not to disclose misconduct, read our article about speak-up culture. Transparency is key to implementing a culture that will support the new EU whistleblower rules. Whistleblowers should be able to review, approve, and edit the report and any interview notes recorded during the case assessment process.