Clifford Chance

The tech industry, much like other industries, has certain characteristics that make it particularly vulnerable to whistleblowing. Its rapid and ever-increasing growth, overarching presence in our daily lives and the surge of government contracts over recent years combine to create the perfect storm for whistleblowing.

It is essential that tech companies have the appropriate measures in place to handle whistleblower complaints and investigations thoroughly and effectively, while maintaining compliance with all relevant regulations. This is especially true considering the newly imposed EU Whistleblower Protection Directive ("EU Directive"), which may require companies to change the way they conduct whistleblower investigations in the EU altogether.

What's Changing: EU Whistleblower Developments

Compared to the US, the EU has historically been far less accepting of whistleblowers, and protections against retaliation for whistleblowing were few and far between. However, that is changing with the EU Directive, which is aimed at making whistleblowing channels more accessible and preventing retaliation against those who do come forward in the EU. All entities incorporated in the EU with more than 50 employees, no matter the industry, will be subject to requirements mandated by EU Directive, as well as any additional requirements that the Member States decide to impose. While only seven participating Member States have adopted the requisite legislation so far, nearly all remaining Member States have draft laws or proposals in place.

Companies with formal whistleblower procedures and policies have traditionally conducted whistleblower investigations centrally, often with centralized policies, investigation procedures, and reporting led by head office. This centralized approach assures not only efficient use of resources and expertise, but can be a critical part of adequate enterprise-wide risk management. Such centralization may no longer be available to certain companies. Under the EU Directive, each EU-incorporated entity with 250 or more workers is required to establish a separate local whistleblower channel and conduct the investigation of reports covered by the EU Directive within the subsidiary. The subsidiary receiving the complaint is prohibited from sharing the report with head office or outside the subsidiary without the whistleblower's consent, which will of course be complicated by anonymous whistleblower reports. Entities with 50 – 249 workers must also establish separate whistleblower mechanisms, but can share resources for the investigation with other entities, although the extent of this is not clear under the EU Directive and will depend on the local implementing legislation and interpretation. Given some of the apparent ambiguities in the EU Directive, and the ability of each member state to expand the coverage under the implementing legislation, the actual requirements may differ across the EU. Further, the information-sharing restrictions are on top of the restrictions mandated by GDPR.

In practice, these requirements may limit a company's ability to properly identify, investigate and address serious concerns that arise throughout the group, and likely require companies to make risk-based decisions on how to address reports that may impact the company group beyond the subsidiary receiving the report. Given the impending implementation of the new or proposed rules, companies with EU-based subsidiaries are well advised to consider how to manage these requirements within the respective risk tolerance profiles, and to implement new procedures accordingly.

Why You Need to Pay Attention Now: Factors Increasing the Whistleblowing Environment

The tech sector, particularly with respect to online software and the development and use of data-derived products built with information from online interactions, continues to grow rapidly. Fintech and the development of new uses for blockchain technologies to facilitate more efficient transactions, both financial and non-financial, are another area of explosive growth. The COVID-19 pandemic has fueled the growth of tech companies and accelerated the notion of working tech jobs from anywhere.

Some of the whistleblowing catalysts in this environment are similar to those in other industries where fast growth can create change-fatigue and unhappiness with continuously changing procedures. Rapid growth poses challenges to workforce management and general internal governance. Lack of clear procedures, rapid hiring decisions and other aspects that sometimes come with quick growth are catalysts which may lead employees to raise concerns outside their chain of command or outside their organization. The tech sector is also being fueled by waves of wishful investment from investors and company employees hoping for big payouts through rapid growth, buy outs or public offerings. When wishes don't come true, disgruntled employees may be spurred to look for lapses in corporate practice that could be punishable under law. Another issue in the tech space that might foster an increase in whistleblowing is the propensity for job jumping between companies. While the ability to move easily between companies might lessen the likelihood of some employees to formally raise issues of concern, it might embolden others. This is particularly true given the potential isolation or detachment some workers may feel in the remote work environments now broadly adopted by those tech companies that produce software, applications and services that do not require the use of collective space.

Additionally, governments across the globe are investing in and/or consuming web-based services and data for a variety of purposes, creating competition over lucrative public sector contracts. As these relationships come under greater scrutiny, oversight agencies will seek information from whistleblowers. Finally, with respect to big data companies in particular and increasing focus on how such companies have significant impact on how we live our daily lives, company insiders are raising what they believe are conflicts between profitability and civic responsibility. Recent high-profile whistleblowing and unauthorized disclosure situations both in government and the private sector may serve as examples for these concerned individuals to follow.

But Wait, There's More: Legal Bases for Rewards or Compensation in the United States

The US has numerous laws in place to protect whistleblowers. However, many of these laws do more than just protect – some offer monetary rewards to persons who provide the government with information it can use to prosecute misconduct. For example, under the False Claims Act ("FCA"), whistleblowers may be entitled to a reward for disclosing acts of fraud resulting in a financial loss to the federal government. The SEC also encourages external whistleblowing under Dodd-Frank which rewards whistleblowers for coming forward with legitimate information about violations of federal laws, including the Foreign Corrupt Practices Act ("FCPA"). More recently, the Anti-Money Laundering Act of 2020 ("AMLA") has beefed up provisions that provide for rewards for information leading to the recovery of stolen foreign government assets or penalties against those violating Bank Secrecy Act ("BSA") regulations. The rewards offered by these laws are not restricted to persons within the United States – companies with global operations should be keenly aware that persons outside the United States may begin to seek rewards in the United States in this ripening environment.

In addition to offering financial rewards to government tipsters, Dodd-Frank and the AMLA also provide mechanisms for relief to employees who have suffered retaliation for whistleblowing. Specifically, a whistleblower who makes a successful retaliation claim under these laws may be reinstated to their previous position, awarded up to two times backpay with interest and compensated for litigation and attorneys' fees. This scheme is common amongst many other statutes with whistleblower protections, including Sarbanes-Oxley ("SOX"), the Consumer Financial Protection Act ("CFPA") and the Criminal Antitrust Anti-Retaliation Act ("CAARA"). Unlike Dodd-Frank and the AMLA, however, these statutes do not reward external whistleblowers for sharing evidence of misconduct with authorities.

The US approach in this respect contrasts with the approach in Europe where the granting of financial incentives for whistleblowers is generally renounced. For example, relevant German legislation directs that reports must not be based on profit motives. Other European countries may have isolated instances for rewarding whistleblowers, as may be the case in some jurisdictions with respect to reporting the existence of anti-competitive cartels. Whether Europe develops a posture more favorable to rewarding whistleblowers remains to be seen.

How We Can Help

Clifford Chance can discuss with you how your company should prepare for the implementing legislation in the various EU countries relevant to your operations, including changes that need to be made to ensure compliance with the new regime while still allowing the company to properly and effectively manage the enterprise risks raised by whistleblowers through the local whistleblower mechanism. The nature of the tech industry makes it primed to see a growing number of whistleblower complaints in the future, and now that the EU Directive is in effect, it is especially critical that tech companies be prepared for the changes to come.