Current status of legislation
In October 2019, the EU adopted Directive 2019/1937 comprising rules to improve the protection of persons reporting breaches of European Union law, also known as ‘whistleblowers’. Member States must implement this directive in their national legislation before the 17th of December 2021.
Dutch legislation already includes rules regarding whistleblowing since 2016. These rules are laid down in the House for Whistleblowers Act and in several provisions of the Dutch Civil Code. To comply with EU Directive 2019/1937 and to bundle all rules in one act, the Dutch legislator published a draft bill in July 2020, proposing amendments to the House for Whistleblowers Act. Since then, an internet-consultation took place, during which anyone, persons, and companies, could submit their feedback on this draft. The government responded to this feedback in February 2021. In March 2021, the advisory body of the government, the Council of State, published an advice on the draft bill. The Ministers of the Dutch government discussed the Council’s advice internally and in May they’ve agreed on a – perhaps adjusted – version of the bill that can be submitted to the House of Representatives. Once that happens, the final bill will be publicly available. The House and the Senate still have to discuss and adopt the bill before it can enter into force.
In this document we provide an overview of the current Dutch whistleblower legislation, what the EU Directive requires of Member States and how the Dutch legislator is planning to implement this Directive.
The House for Whistleblowers Act
The Dutch House for Whistleblowers Act was adopted in 2016 with a dual purpose: legally protecting whistleblowers and contributing to solving societal issues. The act obliged companies for whom at least 50 people worked (i.e., not only employees) to implement a procedure through which people working for the company (again: i.e., not only employees) could report suspicions of malpractices. The act refers to malpractices as violations of legislation that cause the societal interest to be at stake.
Companies are prohibited to place (former) employees or civil servants at a disadvantage because of a report, provided the report meets the material and procedural requirements. These requirements imply that the suspicion of the reporter must be based on reasonable grounds and the suspicion must be reported internally first.
Furthermore, as the title of the act suggests, the act introduced the House for Whistleblowers. This is an independent organization entrusted with advising employees who suspect malpractices on the reporting process and with researching reports directly submitted to the House. The House thus functions as external reporting authority but won’t deal with reports that were not reported internally first.
The European legislator considers that reporters play a key role in protecting the social wellbeing and that their reports are an important part of enforcement of law. Currently, the protection of reporters varies throughout the member states. A lack of protection can restrain persons from reporting their suspicions. Once these suspicions concern cases with cross-border dimensions, the insufficient protection in a member state not only affects that one-member state but can have consequences for other member states and the functioning of EU-policy in general as well. This directive regulates how entities in member states should respond to reports of breaches of EU-law and introduces common minimum standards for the protection of reporters in member states. In this way, the fear for reporting should be reduced and enforcement of EU law improved.
The directive is specifically focussed on breaches of EU law. With breaches the legislator means actions or omits which are unlawful or which undermine the purpose or application of Union law and in that way either harm the financial interests of the Union, are related to the internal market, or specifically concern Union law in the following areas:
- Public procurement;
- Financial services, products and markets, prevention of money laundering and terrorist financing;
- Product safety and compliance;
- Transport safety;
- Environment protection;
- Radiation protection and nuclear safety;
- Food and feed safety, animal health and welfare;
- Public health;
- Consumer protection;
- Protection of privacy and personal data, security of network and information systems.
Several personal scopes should be distinguished while interpreting this directive.
At first, the directive introduces the obligation for companies to install internal reporting offices through which employees can report breaches of EU law internally. This obligation applies to all companies, private or public, with at least 50 employees. This threshold does not apply to companies in financial services, transport, or the environment-sector. They must implement this procedure at all times. Private companies with 50 to 249 employees will be given more time to install the office – until December 17, 2023 – and they may share their resources for receiving reports and performing research.
Secondly, the protective measures of the directive apply to all persons who during their work find breaches of EU law in the areas mentioned and subsequently report these breaches. Third parties, natural of legal, who are related to the reporter and also risk work-related reprisals are protected as well.
Thirdly, the directive allows a narrower personal scope for the internal reporting office. The internal reporting office must enable employees to report breaches of EU-law internally. Companies may also enable other persons who are in contact with the company in work-related context to report through this office. Companies do not seem obligated to open up this procedure for a broader audience than just their employees.
What are (most likely) the relevant changes in Dutch legislation?
- The Dutch whistleblower-rules will for the most part be bundled in one act and the name of the act will change from the ‘House for Whistleblowers Act’ into the ‘Protection of Whistleblowers Act’.
- The material scope of the act will be broadened. Although current Dutch law not specifically excludes reports regarding EU law, after implementation it will explicitly mention and regulate reports of breaches of EU-law on the specific areas as well. The term ‘reporter’ will be used in the act, which term includes reporters of malpractices under national law as well as reporters of breaches of EU-law.
- Besides the House for Whistleblowers, several other authorities will be appointed as authorized (external) authorities to receive and research reports regarding EU-breaches. The Dutch Central Bank and the Financial Markets Authority are amongst these authorities. These organizations will have to implement specific procedures too.
For those finding malpractices/breaches
- The obligation to first report internally to be protected will disappear. Companies may only ‘encourage’ using the internal reporting office first. The report must still be based on reasonable grounds.
- Not only employees and civil servants are protected, but all persons who find information in a work-related context, in the private of public sector, regarding malpractices under national law or breaches of EU-law and who may be disadvantaged after reporting this. This means that besides employees and civil servants, also volunteers, interns, contractors, board-members, shareholders, applicants etc. will fall within the scope of the following protective measures (provided the report is based on reasonable grounds):
- The reporter may not be disadvantaged by the concerning entity because of the report. This applies to third parties who assist the reporter or are connected to the reporter in a work-related context as well.
- Reporters will be safeguarded against any court procedures. This applies to their related third parties as well.
- A reversed burden of proof will be introduced. Reporters will no longer have to prove the relation between a report and being disadvantaged, but the concerning entity must prove the contrary. The same goes for being safeguarded from procedures: the concerning entity must proof the report was not in line with the statutory requirements to have the safeguard dropped.
- Reporters gain the right to request authorities to provide them with the documents they need to prove they’ve reported and have a right to protection.
- Publishing information regarding malpractices under national law or breaches of EU law will be regulated as well. However, to be protected against disadvantages and safeguarded against court procedures, the publication must be preceded by a report, whether internally or externally.
- Companies must make their internal reporting offices fit to deal with reports regarding breaches of EU law as well as malpractices under national law. The rules that apply to reports of national malpractices differ from the rules applicable to dealing with reports regarding breaches of EU-law. In both procedures companies will become obligated to get back to the reporter within a reasonable period of time. However, the rules for dealing with reports regarding EU law are stricter when it comes to the specific timing of feedback to the reporter. Companies may choose whether they’d like to install two different internal reporting offices, each with its own set of rules, or one in which they apply the two sets of rules depending on the kind of report.
- All companies active in financial services, transport or the environment-sector, including those with less than 50 employees, must install internal reporting offices for breaches of EU law.
- Internal reporting offices must remain open for all people related to the company in a work-related context, although the directive does not require such a broad personal scope. This already applied to reporting procedures for national malpractices and will apply to reporting breaches of EU-law as well.
- The legislator states that the provisions of the (draft) bill might be implemented in phases. It is likely that the provisions regarding internal reporting offices of companies with 50-249 employees will be implemented in a later phase since the directive grants these companies more time.
- Companies must register the reports they receive regarding breaches of EU law, but not for longer than is necessary and proportional.
- Finally, Dutch companies that want to implement an internal whistleblowing procedure need prior approval from their Works Council.