Clifford Chance

Directive (EU) 2019/1937 was published in the Official Journal of the European Union on 26 November 2019, and sets forth the minimum legislative provisions that Member States must adopt to safeguard the protection of persons who report breaches of some EU law ("whistleblowers").The Italian legislature is therefore called on to amend the current framework, first and foremost by making it mandatory for all undertakings with more than 50 workers, regardless of whether they have adopted systems and controls (i.e., the model) pursuant to Legislative Decree 231/2001.Member States must implement the provisions of the Directive by 17 December 2021, or by 17 December 2023 in relation to the obligation to create internal reporting channels for legal entities with more than fifty and less than 250 workers.

Current whistleblowing legislation

Italy currently governs whistleblowing by way of sector legislation and a recently piece of legislation, issued with the aim of establishing general laws applicable alongside the sector legislation, but limited to legal entities that that have adopted of systems and controls under Legislative Decree 231/2001 in connection with preventing the commission of criminal offences.

Law on whistleblowing

In extreme summary1, Law 179/2017 governs whistleblowing for the private sector, by creating an obligation for legal entities that have adopted of systems and controls under Legislative Decree 231/2001 to put in place suitable reporting channels that guarantee confidentiality of the whistleblower's identity and prohibit retaliation against the whistleblower for reasons directly or indirectly connected to the reporting and disclosure.

Sector legislation

Sector legislation works alongside Law 179/2017 to require legal entities that operate in a specific sector implement suitable procedures to ensure confidentiality and protection against retaliation as well as a specific, independent and autonomous channel to report violations of applicable legislation to an internal body of the same entity or to external entities such as the Bank of Italy, CONSOB, IVASS, ANAC, or a Court, depending on the reference sector.

Sector legislation in codified2 in:

• the Italian Consolidated Banking Act (TUB);
• the Italian Consolidated Finance Act (TUF);
• anti-money laundering provisions (Legislative Decree 231/2007);
• the Insurance Code; and
• the Consolidated Public Employment Act.

The whistleblowing directive

The minimum provisions set out in the new Directive are broad in scope, and cover both the private and the public sector. In certain matters, Italy's current legislation is aligned with the provisions of the Directive. Other provisions of the Directive, however, will require significant amendment of the Italian legislative framework, as well as a different approach.

The personal and material scope of application

The Directive has an extremely broad personal scope, and applies to persons who report breaches of the law in a work-related context including without limitation the following (as set out in Article 4 of the Directive):

• subordinate employees;
• workers having self-employed status;
• shareholders;
• members of the administrative, management or supervisory bodies of an undertaking, including non-executive members;
• volunteers and trainees, including those who do not receive a salary;
• any persons working under the supervision and direction of contractors, subcontractors or suppliers;
• reporting persons whose work-based relationship has since ended or is yet to begin, in cases where the information on breaches has been acquired during the recruitment process or pre- contractual negotiations; and
• facilitators, third persons who are connected with the reporting person (such as colleagues or relatives), and the legal entities owned by, or otherwise connected to, the reporting person in a work-related context.

The material scope of the Directive too is quite broad: it concerns a very high number of breaches of European Union law, listed in Article 2 of the Directive and in the related annex.

Anyway, whistleblowers can benefit from protection under EU law only if they have reasonable grounds to believe that the information reported falls within the scope of the Directive and was true when reported.

The characteristics of the reporting

The Directive provides for three types of reporting:

• internal reporting: legal entities in the private sector (with at least fifty workers) must establish channels and procedures for the internal reporting of breaches that guarantee confidentiality of the identity of the reporting person and protection for any third parties who may be reported.
  
  Undertakings with less than fifty workers are exempt from this obligation unless a Member State decides otherwise, following an appropriate risk assessment and taking into account the nature of the activities of the undertakings.
  
  The reporting person must be provided with an acknowledgment of receipt of the report within seven days of that receipt, and must be provided with feedback within three months;
  
  
• external reporting: by the deadline for implementation of the Directive, Member States must designate the authorities that will receive the reports through independent and autonomous external channels.
  
  The designated authorities must acknowledge receipt and provide feedback within the timeframes applicable to internal reporting, and must communicate to the reporting person the final outcome of the investigation in accordance with the provisions of national law; and
  
  
• public disclosure (which is the making of information on breaches available in the public domain, as defined in Article 5 of the Directive): public disclosure is protected under the Directive provided that the whistleblower (i) first reported the breach internally or externally, but no appropriate action was taken in response to the report, or (ii) has reasonable grounds to believe that the breach may constitute an imminent or manifest danger to the public interest or, in the case of external reporting, there is a risk of retaliation or low prospect of the breach being addressed effectively.

Duty of confidentiality

The Directive requires that the identity of the reporting person – absent the person's own express consent – not be disclosed to anyone beyond the authorised persons responsible for receiving and following up on the reports, except where there is a necessary and appropriate obligation to so disclose imposed by EU or national law in the context of investigations by national authorities or judicial proceedings. In such case, the reporting person must be informed before the disclosure and must receive a written explanation of the reasons for the disclosure of the confidential data.

Moreover, the competent authorities must ensure that the identity of the whistleblower is protected also while any investigation commenced after the report or public disclosure are pending.

Protection measures

Member States are required to take measures to prohibit any form of retaliation against whistleblowers. The Directive offers a non-exhaustive list of prohibited retaliatory acts, which includes not only dismissal and detrimental changes at work, but also acts in the form of harm to the whistleblower's reputation, particularly in social media; blacklisting; or psychiatric or medical referrals.

Moreover, any harm to a whistleblower within the meaning of the Directive will be deemed to be retaliation as a result of the report, until the person who implemented the harmful measure proves otherwise.

Provided that reporting persons had reasonable grounds for filing a report or making public disclosure under the Directive, they will not incur any liability for defamation, breach of copyright, breach of secrecy, breach of data protection, disclosure of trade secrets or any other restrictions to disclosure of information in connection with the report or disclosure.

Reporting persons will also not incur any liability in respect to the acquisition of or access to the information that is reported or disclosed, provided that such acquisition or access does not constitute a self-standing criminal offence.

The Directive also requires Member States to make available to whistleblowers support measures such as information and advice on the procedures and remedies available to protect against retaliation, effective assistance from the competent authorities and, possibly, access to legal aid, in accordance with applicable national and EU law.

Finally, Member States may, at their discretion, also provide for additional financial assistance and psychological support to reporting persons.

Penalties

The Directive requires Member States to provide for effective, proportionate and dissuasive penalties applicable to persons who hinder or attempt to hinder reporting, retaliate or bring vexatious proceedings against reporting persons or breach the duty of maintaining the confidentiality of their identity.

Effective, proportionate and dissuasive penalties – in addition to measures for compensating damages – must be put in place also against reporting persons who knowingly reported or publicly disclosed false information.

Conclusions

Member States must implement the provisions of the Directive on or before 17 December 2021, or on or before 17 December 2023 in relation to the obligation to create internal reporting channels for legal entities with more than fifty and less than 250 workers.

Currently applicable law is substantially aligned with the provision of the Directives and no material amendments appear necessary3.

Nevertheless, EU legislation offers diverse approaches that the legislature should consider with a view of updating and amending the applicable legislation.

First, whistleblower protection can no longer be required only from those undertakings that have adopted systems and controls under Legislative Decree 231/2001, and only in relation to reporting of breaches relevant under that decree or the systems and controls.

All legal persons in the private sector with more than fifty workers must establish appropriate systems to allow reporting and to ensure the necessary protection to the wide range of persons as provided for in the Directive.

One aspect that may give rise to interesting developments is the identification of the persons responsible for receiving internal reports and of the authorities designated to receive external reporting in connection with undertakings in unregulated sectors.

Secondly, Italian legislation will necessarily have to be amended to comply with the obligations to provide reporting persons with an acknowledgement of receipt and follow-up on the report within the appropriate timeframe, as well as to guarantee suitable support measures.

Finally, an extension beyond the scope of Legislative Decree 231/2001 is necessary to ensure that a whistleblower will not incur any liability for the disclosure of trade and professional secrets and confidential information.