Clifford Chance

The government chose to extend the scope of the protection of whistleblowers compared to the scope of the EU Whistleblower Directive (EU) 2019/1937 (the "Directive").

The Directive inter alia requires the public legal entities and the private ones counting at least 50 workers to establish an internal reporting channel and procedures in order to facilitate early reporting and provides for an EU-wide standard for the protection of whistleblowers against retaliation.

Luxembourg had until 17 December 2021 to transpose the Directive and is late on the task (as many other EU countries), since the Luxembourg Government waited until 10 January 2022 to publish a draft bill No 7945 (the "Bill").

Providing for a comprehensive general framework

To date, Luxembourg's legal landscape around whistleblowing, which is mainly composed of scattered provisions of the Labour Code, case-law and sectoral rules, is quite difficult to navigate. This is notably the case for the financial and insurance sectors and both the Commission de Surveillance du Secteur Financier (CSSF) and the Commissariat aux Assurances (CAA) have developed procedures for direct reporting of regulatory breaches.

The Bill contemplates to provide for a comprehensive general framework for whistleblower protection in Luxembourg, which shall be superimposed on such existing sector-specific lex specialis. The clarification brough by the various definitions (including that of "whistleblowing" and of a "whistleblower") are welcomed.

For more information about the Directive and Luxembourg's current legal framework on whistleblowing (including sector-specific laws), please refer to our previous publications:

• Are the EU Member States ready for the new whistleblower protections?
• Is Luxembourg ready for the EU Whistleblower Protection Directive?

Key takeaways and contributions

On a number of items, the Bill follows the word of the Directive and proceeds to a faithful transposition. This is notably the case of the broad personal scope, the conditions and measures for protection of reporting persons, the obligation to establish internal reporting channels, the procedures for internal reporting and follow-up, the duty of confidentiality when dealing with report, and the record keeping of the reports.

1. A broader scope of application

The government however chose to extend the material scope of the protection. The protection proposed by the Directive is limited to a number of provisions of EU law in specific sectors (such as public procurement, consumer protection, and public health) – to include any report and/or disclosure made by a whistleblower in relation with any acts or omissions which are illicit or contrary to the purpose of the provisions of Luxembourg or EU law, irrespective of the sector and subject matter. The objective is to guarantee a coherent and complete framework for the protection of whistleblowers.
To be noted that private undertakings with fewer than 50 workers are free to setup internal reporting channels, in which case the provisions of the law will apply.

2. Equivalence between internal and external reporting channels

While the Directive hierarchizes the reporting channels and requires that whistleblowers make first use of internal mechanisms before being able to rely on external ones, the Bill is less prescriptive, even though the use of internal reporting channels is to be preferred. To benefit from the protection offered to whistleblowers, internal and/or external channels need to be exhausted before publicly disclosing a violation.

3. Data protection

As regards data protection, the Bill remains faithful to the Directive, although further guidance would have been welcomed, such as for instance regarding applicable data retention periods. Opinion 1/2006 of the Article 29 Data Protection Working Party remains the reference in this respect.

Granting such protection to whistleblowers is likely to generate more data protection litigation, namely pertaining to the exercise of data subjects' rights or where the report concerns breaches of data protection laws.

4. Outsourcing and resource sharing

Legal entities in the private sector with 50 to 249 workers may share resources as regards the receipt of reports and any investigation to be carried out (whilst complying with their confidentiality obligations).

Reporting channels may be operated internally or provided externally by a third party.

The Bill does not however precise whether the outsourcing can be made to a foreign group entity.

5. Language requirements

Internal and external channels shall at least allow the written or oral reporting in Luxembourg's three administrative languages (i.e., French, German and Luxembourgish), whilst allowing reporting in other languages, such as English, should the entity or authority accept it.

6. Safeguard against malicious and frivolous or abusive reports

To enjoy protection under the Bill, reporting persons should have reasonable grounds to believe, in light of the circumstances and the information available to them at the time of the reporting, that the matters reported by them were true. That requirement is an essential safeguard against malicious and frivolous or abusive reports.

Those who, at the time of the reporting, deliberately and knowingly reported wrong or misleading information do not enjoy protection and are liable to a penalty of up to 3 months imprisonment and a fine ranging between EUR 1,500 and 50,000.

7. Creation of a reporting office

A reporting office (office des signalements) with information, advice and awareness missions is created and placed under the supervision of the Ministry of Justice.

8. Sanctions

In addition to the penalties designed to dissuade wrongful or abusive reports (mentioned under section 6), the 22 competent authorities listed by the Bill that will receive external reports (e.g. the CSSF, CAA, CNPD, ITM, etc.) shall be able to impose an administrative fine ranging between EUR 1,500 and 250,000 against private entities that hinder or attempt to hinder reporting, retaliate or bring vexatious proceedings against reporting persons, or breach the duty of maintaining the confidentiality of the identity of reporting persons.

What's next?

The Bill is still required to be commented by various stakeholders, is subject to possible adaptations, and no intended date for adoption by the Parliament has been announced by the Luxembourg Government. In accordance with the Directive, companies between 50 to 249 workers benefit from a grace period until 17 December 2023.

As highlighted by a 2019 report from the Congress of Local and Regional Authorities "protection for whistleblowers is a first step in the broader mosaic of factors that influence whether reporting will take place, whether appropriate authorities will follow-up on those reports, and what consequences could arise for the whistleblower".