Webinar: EU Whistleblower Directive, Part 2

August 26, 2022

For the previous part of this webinar go to EU Whistleblower Directive, Part 1

Transcript for EU Whistleblower Directive, Part 2

Giovanni Gallo: Hello, everybody, and welcome to the “Ethics Verse.” I’m your host, Giovanni Gallo. And I’m super excited to get into this topic. Today we’re gonna be talking about the EU Whistleblower Directive. And I’m really glad that we have Dr. Vigjilenca Abazi to join us. So we’re just gonna wait another minute or two to let some people join in on the webinar as they’re loading up.

If you’re attending, jump into the chat and tell us where you’re coming in from. Dr. Vigjilenca where are you from today?

Dr. Vigjilenca Abazi: I’m joining you guys from Amsterdam.

Giovanni: All right, Amsterdam. Beautiful. I love it there. I’m here in Charlotte, North Carolina. And jump in, we see Ohio, Texas, some more Charlotte coming in. Hey, Boston. So, yeah, jumping on that chat. And part of the reason we do that is because we want you to know where that chat is. Because this is the EthicsVerse guys. This is not a lecture, we want you to be part of this.

So you’re gonna have an opportunity while we’re going through this topic today to ask some questions, comments, we get a lot of people chatting with each other and answering each other’s comments and questions there. So please engage in that chat. We’ll be monitoring that as we go through the webinar today, to see what you guys care about, what do you have questions about, and see if we can react to some of those.

So let me give you a quick introduction, in case you don’t know Dr. Abazi. Dr. Abazi is an assistant professor of European law at Maastricht University. She has a recent book called Secrecy and Oversight in the European Union. But she has a lot of really great exposure, understanding, and really influence over this topic we’re talking about today for the EU Whistleblower Directive.

She’s worked with Brussels, she’s worked on certain projects, she’s been a practitioner, and she will be going forward be an external consultant to, this is really cool, set benchmarks for the European Union to evaluate whether the member states have transposed the regulation properly.

So she’s got a great background in practice and working with companies across a range of compliance issues. You know, she’s an academic and a professor. She’s well-published and super knowledgeable about this. And she’s actually had an influence going back more than five or six years had an influence on this whistleblower directive in the EU.

So Dr. Abazi, thank you so much for joining us today. I’m really excited to have this discussion.

Dr. Abazi: Thank you, too. It’s so great to join you guys. And I’m seeing over 100 participants. So this is wonderful that there’s a lot of interest in the topic.

Giovanni: Yeah, there’s definitely a lot of interest. I know over the past year, this is kind of gone from, “Hey, it’s coming,” to, “It’s here.” And obviously big enough companies need to have something done about it. But as these things go, everything isn’t figured out about this, right? Like, you know, they kind of pass it and then see if it’s going well and give some more clarity. So I think a lot of people are really hungry to figure out what they should be doing. And obviously, as ethics experts, we should all be trying to get ahead of that curve, not just be reactive to enforcement, but get our companies and our teams ready to respond to this.

So we’re gonna jump right in. And, you know, like you said, a bunch of people are really interested to be part of this discussion. So glad that you’re joining us today.

So to start off, let’s talk about, you know, let’s just set the stage quickly about kind of why this came about and what this directive is trying to achieve. I know this is kind of basic ABCs and we’re gonna get into some deep stuff. But from your standpoint, Vigjilenca. Like, why did this happen?

Dr. Abazi: Yeah, that’s a great question actually it brings me back all the way in 2016, when I sort of wrote what was initially a legal memo, and then it became a model law. We wanted to, quite frankly, and I think what a lot of people I’m seeing are U.S. based, so I think a lot of people kind of don’t maybe also understand the very complicated legislative process in the EU, and you don’t have to, obviously.

But initially, what triggered all of this is the fact that we had a trade secrets law. And all of a sudden, we were protecting secrets, and Brussels got the blame of one more time, you know, being about sort of protecting business or secrets and not enough about protecting individual people.

And this was also the time where there were so much of cases around whistleblowing, including one in the EU itself with Antoine Deltour, who revealed tax evasion practices or tax schemes rather, in Luxembourg, which was particularly embarrassing at the time for the President of the European Commission.

But I do want to highlight that there were two in particular two moments that really gave the political push for this directive to be more than just something that some of us were advocating for. And that unfortunately was with the tragic assassination of two journalists in European Union. Excuse me. One was definitely Galizia and Malta whose car was set to explode in the middle of broad daylight just metres, like, not too far from her own house. That essentially brought down at some point the Maltese government.

And the similar thing in Slovakia, where reporters working with whistleblowers trying to reveal the corruption that were taking place. That was an assassination and middle of the night, which also brought at the time the Slovakian government down. And we had a first-time an anti-corruption lawyer, a female taking the presidency of the country.

So just to give you a bit of a political context, as well, and not only focus on the law in terms of some of the tensions that we were seeing, and what made the political push for the law. But as far as the law was concerned, we had already written this down in 2016, there was a big discussion on can the EU do it? Or does the EU have the legal powers to act, etc.? Because I mean, similar, I guess, to an analogy in the U.S., if we look at the separation between what can the federal government do and what can states do.

In the European Union, obviously, Brussels is supposed to have more limited competences and only legislate on matters that are delegated to them. So in part of the initial campaign, and initial big push, and where my job, frankly, as a new law expert was handy, was to convince the legislature that, yeah, we do have the powers that Brussels should do this.

Giovanni: Got it.

Dr. Abazi: And then very fast, we moved to having sort of very fast by Brussels terms, we moved to having this law. And quite frankly, the commission surprised us all because when the proposal came out, we were surprised to see the ambitious proposal and the level of depth as we’re going to discuss today of what the directive covers.

Giovanni: Yeah, that’s great context. Yeah, I think a lot of us understand the power and importance of whistleblowers. I think for a lot of people in compliance and ethics, it’s a foregone conclusion that they are allies, not just to the compliance department, but to the things that really matter for the company and fight against special interest and overreach of power and all of those things. So I think we all get that it’s important. But it’s been this really, to your point, interesting story with some tragedy in it about how this got to the level where Brussels is implementing this for the entire EU.

Dr. Abazi: Yeah.

Giovanni: So thanks for walking us through that. Talk to us a little bit briefly about your involvement, and how you’ve helped drafting and passing this. I don’t want to spend too much time on it, because I think we want to get into it. But, you know, I think it’s really helpful for people to hear the things that you’re saying you really have an inside track, you haven’t just read the regulation, you’ve been deeply involved in this.

Dr. Abazi: Yeah, I know, I essentially was sort of, together with other colleagues kind of initially wrote the very first law that how this is gonna look like. So it’s been…

Giovanni: Give her a hand guys. Here’s who you have to thank for it.

Dr. Abazi: A very fascinating… I mean, it’s not often that we, academics, get to sort of be part of the real world. So it was very much outside the ivory tower very much in action. Yeah, no, as I said, it started with a legal memo way back in winter of 2015. And then it’s been sort of a massive journey since and in getting the law done, doing the advocacy, getting a lot of people being very much involved constantly as a legal adviser to all these different stakeholders.

In particular, really we have to mention a lot of what was really great. And the reason why we have this directive is the sort of interesting collaboration that we saw, between what I’ve called in my own work and sort of my academic papers, the whistleblowing lobby, in Brussels, which is different organizations, including those based in the U.S. to really try to bring different stages of expertise are here transparency or international, Whistleblowing International Network, Government Accountability Project, Blueprint for Speech.

Many, many other small organizations also across the EU were very much involved. Eurocadres, which is sort of a trade union organization, organizing millions of workers across EU was very instrumental in making sure there’s always a platform for people to come together and debate.

And this is the one kind of piece of legislation where everybody sort of left their turf and didn’t sort of… it wasn’t about one specific organization, everyone really galvanized around the common goal of making sure we have a law and making sure that we get the best version of it we possibly can, and really do this for the best protections possible for the whistleblower and I think the commission did come through it is very much the provisions and I will explain them.

And also now the commentary that we see from the commission coming, everything is really done from a perspective of trying to maximize the protections and trying to maximize them. And in my own specific role, so I kind of was behind writing it, then I worked with a commission and trade unions and national implementation specifically did a lot of work with 10 countries.

And now we’ll be working also with setting benchmarks to evaluate member states, essentially, the commission does this to sort of see whether they’re really implementing the directive as it’s supposed to be, and where member states are deviating and then, obviously, having to fix that.

Giovanni: Awesome. Well, I just want to give a heartfelt thank you, to you. And, you know, you listed a bunch of organizations and teams and colleagues that have been part of it. This is so important for not just our profession, but for the world to have people who speak up against bad things happening to themselves and other people, for them to be protected. I think it’s so cool that you are a part of it. And like you said, you know, there’s not always this opportunity for someone from academia to have this influence.

But I just so much appreciate you and the other people who were involved in this, because this is an important protection that, you know, unfortunately, doesn’t just happen naturally in the world that we live in. So I just really appreciate all the work that you and everyone has put into this, you know, excited to see it come to fruition and protect more people from retaliation and, you know, bad outcomes.

Dr. Abazi: Thanks. Yeah, if I may just quickly throw one more comment here. In terms of context, I just want to emphasize since as I said, I see that we have a lot of people from the U.S., so I just sort of want to kind of really point out, and I’m happy to share, there’s an open access paper where I’m gonna go through the directive in all these provisions that we can share, we can post the link later on maybe in the chat.

But because I discussed this there, too, which is most countries in the EU, there’s 27 member states, some of them don’t even have a word in their national language that is whistleblowing, right? They just really want to set the context that this is coming from… and that’s one problem. The other context there is there are many member states, especially those that had an Eastern Bloc before, including here Germany, that were very allergic to the idea of protecting people, because to them, it came from a background and a history of informants.

And so building that culture where whistleblowers are not informants, that this is not about, you know, telling on your neighbor, this is very much a positive culture of accountability and how much this is important. And so even helping to understand and navigate that has been quite a challenge. So it is a really a giant leap in that sense to have a law.

Because I think in the U.S., obviously, the discussion has been there since the ’70s. Whistleblowers, there’s different financial programs. There’s a very different culture around understanding whistleblowers, and accepting whistleblowing is a very positive phenomena in our societies. In Europe, it’s a culture in the making.

Giovanni: Yeah. Yeah, it’s so great that you bring that up. And it’s such an interesting and challenging, you know, issue to deal with, because it is such a diverse culture across the EU, right, like, people, you know, from the base core of how they communicate in their language, to how they view these things. And whether they have stories they heard about growing up about whistleblowers accomplishing something positive for society. There’s so many different ways that people can see that.

And I think a lot of people in the audience may manage offices or locations across a bunch of different countries. And just that context, that this idea of whistleblowing could be looked at so differently across those different cultural contexts, is something that I think we as ethics experts need to deal with and need to meet that challenge. But it’s a completely different and maybe broader challenge for a legislator or regulator to handle that across such a diverse cultural landscape.

So let’s talk a little bit about the effect and the impact of this. Can you talk to us a little bit about whether and how the law protects whistleblowers from retaliation, or what the actual kind of impact is that might prevent that from happening?

Dr. Abazi: Great. So if I may slightly modify your question.

Giovanni: It’s your show, so you go for it.

Dr. Abazi: In a way, it’s not modifying it, it’s just sort of expanding it. Because basically, we need to understand first of all, who can be a whistleblower because I think you’ve talked about that with Mary, who’s fantastic, does very wonderful work. And she’s absolutely someone who knows U.S. law and she walks me through the U.S. side of things. So that’s wonderful that you had her previously on the webinar.

So we need first to see who can be a whistleblower because it is very specific. And it’s impressive how broad that scope is. Then secondly, to sort of look at when we talk about what can be reported, so the who and the what, right? And then it kind of brings me to impact because the moment that I can have a few minutes to sort of elaborate on these two points, I think the impact would even be sort of self-evident for our listeners.

So basically, in terms of who can be protected what’s very fascinating, and by the directive is that it talks about anyone within a work context. So even if you went into a job interview, let’s say this is a… and you, kind of through that interview process, came to sort of suspect that there’s some mismanagement of funds about procurement or whatever, even in that situation, you are protected.

Now that is so, so broad because, A, you’re not even working, maybe you didn’t even manage you were not hired, maybe in the end, that doesn’t matter. Second, you don’t have to show that there was really a breach, even if you suspected that there was one. And that’s one of the really wonderful things about directive that it tries to utilize that potential of whistleblowers to prevent and not only to cure mistakes, and so it really tries to be preventive in nature and open the scope of saying, well, even if you just have a suspicion that is reasonable within sort of what you’re witnessing, etc., that you would be able to report on this.

And that would be legitimate, that if you were to have any retaliation, and let’s say you suspect that you didn’t end up getting the job, because you report it, etc., the burden would be then on that prospective employer to elaborate on that and to provide all kinds of different protections.

Giovanni: Which is a huge change, right? That burden of proof, not that you have to be sure that it’s right, or you’re gonna get in trouble but loosening it up and saying, you know because I mean, how often are you gonna be in an interview and be able to absolutely prove everything and know it all? It’s really like a shift in that focus. I think that’s a lot of the power of this legislation.

Dr. Abazi: So exactly, as I said, this goes back to my comment that I said, the bill is drafted with the whistleblower as a centerpiece with the whistleblower in mind, and how do we maximize the protections for the whistleblower. What we’ve seen with 30 years of practice, show us that you simply you don’t have any equality of arms, when it comes to you as one individual trying to sort of show and have access to the kind of resources that one would need to really sort of have the burden of proving that you were retaliated, and this is because you blew the whistle.

I wouldn’t say call it necessarily that the criteria is loosened, it’s more that it’s shifted towards the employer, right?

Giovanni: Yeah.

Dr. Abazi: So to kind of make sure that the standards are still strict in the sense that we need to see there has been a level of retaliation. But just to go back to my answer in terms of who’s covered. Any intern, any volunteer, any stakeholder, whether public or private sector, whether it’s basically everything relating to work context. I was actually just trying to go through the law itself.

So the wording that the bill uses the law uses is “work-related activities.” And it guides member states and saying when you’re going to implement this law, don’t only look at the nature of the relationship, but look at all the factors around it. So it’s really trying to open up and not even go back to sort of saying, “Oh, but this wouldn’t be really a work relationship.” Well, we don’t care about that, that would be just one of the factors, we’re gonna have a much more holistic sort of understanding of it.

And this goes even beyond some of the national laws like Ireland, for example, which by the way, had a very good law, as well, in many ways, quite an advanced protection, which still we’re talking about in connection with employment. It was still narrower or sort of not to as a lawyer, obviously, every word matters. So these are the kinds of examples where the directive in practice really goes a mile further in advancing protections.

Then in terms of what can be reported, what is a breach, and I’ll need to explain EU…little bit because I do want to debunk this myth a little bit that in the one hand, the fact that the directive focuses on EU law only so it cannot expand to national laws can be seen as a limitation. But what’s important to be said here is that what happens in a situation that I think I blew the whistle on something that was EU law-related. And I in good faith had that idea. But it turns out that this was simply a national situation that is not covered by EU law, you would still get protected. Because the directive works on the presumption that, and quite frankly, I think that’s only fair.

So I’m a professor of European law, I have a PhD in European law. And if you were to ask me, well, “Okay, Vigjilenca, where do you draw the line between where EU law starts and national law finishes?” You can’t really do that. They’re so intermingled. So we cannot expect the burden on a random employee or a random intern somewhere to really know that this is only EU law and not national.

So in that sense, the directive tries to create this bridge, as much as it can within the powers the EU has that if you, in good faith, thought that what you’re reporting on is still related to EU law, that it would still be captured by protections so that we wouldn’t have a situation where we say, “Oh, well, we don’t care about you,” there can be retaliation against you because this is not EU law. So we’re trying to avoid situations of that nature by interpreting the law in this manner.

And secondly, as I said, it interprets the word “breaches” very broadly as well. So even if you have a suspicion, and even if something doesn’t meet the purpose, so it’s not strictly legal, has the breach already occurred, or is this a breach that has taken place, more so than even a suspicion can or something that defeats the purpose. So in that sense, behaviors that defeat the rules purposes, would also possibly be considered breaches, it doesn’t have to be a black and white kind of rule.

So the who, very vast, very generous, the what, as generous as it can be in terms of what’s covered within the, you know, possibilities of working around EU law.

And that brings me to your question, which is what is the impact and the impact is vast because if you have, even if you’re a smaller company, although you have more time, you still need to have reporting channels, and you still need to have a very clear procedure in terms of how you’re going to follow up, because there’s clear deadlines, as you’ve gone through with Mary as well in terms of seven days follow-up and three months, etc., etc.

So there’s really a procedure, where we’re trying to move away what happened in the UK, for example, and there’s a wonderful study where over 1000 whistleblowers were interviewed. And it shows that over 90% of them try to report internally first, and over 90%, again, try to do it the second or third time, and nothing really happens. And you don’t want that. Because, A, you just end up discouraging people from speaking up.

And there’s nothing really that happens, or you end up having a situation where the problem isn’t being fixed. But the person is already being bullied at work. So you have the worst of both worlds where you have pressure, and therefore even more a culture of silence being built up, which is, by the way, what we saw with the Volkswagen case, where continuously employees were trying to raise concerns with their managers. And it was being a hush-hush culture until it really exploded in Volkswagen’s face.

Giovanni: Yeah. Yeah, I think that approach where it gives guidance on what your program should do is a great step for that, right? Instead of just defining the outcome saying, if you do these things, then you’re on your way to, you know, if you follow up quickly, and things like that, then you’re going to be expressing some more kind of protection or openness to hearing these things going on to try to fight against some of those on the front end, right?

And then, can we talk a little bit about the kind of enforcement if you have the program in place, but you still retaliate against somebody?

Dr. Abazi: Yeah, so this is a question that sort of isn’t. We’re in a phase right now that, unfortunately, not all member states, or most member states haven’t really implemented or are discussing. And the reason for that is, for a lot of countries, as I said, this is really coming out of no background or not enough background and trying to figure out, since it does have a massive impact also in the industry and in the public sector, how to best do this.

So as far as enforcement is concerned, in terms of, you know, what kind of sanctions that will be in place, or what can we expect, what kind of penalties or etc., that’s a little bit in the competence of member states. And that will be maybe slightly different depending where you’re based because it will be based on member states, whether they’re active talks about is that the sanctioning regime should be sort of proportionate, that it should be strict, etc., etc., sort of these more broad or legal principles, that overall a regime should be faced, or build upon.

But this sort of a still I can’t really give you very concrete input right now, because we’re still seeing how member states are implementing it. What is something worthwhile to be said and sort of it’s a bit disappointing, but maybe it’s understandable.

So back when I was based at NYU, and I was doing a lot of consulting for privacy, which is another topic that I work on, a nd when I was consulting, privacy startups or startups, obviously impacts privacy in New York, they’re like, well, okay, well, how is the commission gonna come and check if what we’re doing is okay, because to what extent, you know, this says, you know, will they ever find out and I can understand that, but if you’re a company, you’re looking at compliance from a cost perspective. And you’re like, “Well, how much does it cost me not to comply?” It’s very sort of…

Giovanni: Which happens, right? It happens.

Dr. Abazi: Which happens and I understand that, especially, like, if you’re a startup, you have a lot of things to comply and do and maybe you have limited resources. So you’re trying to navigate the path of what can you, must you do first. Here, it will be very tricky if you’re in a situation. So it does not have… because I’m seeing in the chat that some people are asking to what extent the directive has extraterritorial jurisdiction, and it is not.

So if you’re solely operating, let’s say in the U.S., you only have U.S. based employees, you’re going to be functioning under U.S. laws, to be clear on that. But if you have any subsidiary or anything based in any of the 27 member states in the EU, then that subsidiary will be having to comply with the directive.

And so you will have to set up those channels. And if you do that, for the subsidiary you might as well maybe, you know, sort of streamline everything and do it for the whole company. So that’s one thing to explain that the reach of enforcement, there is no that extra-judicial character with the GDPR, for example, does have because even if you’re abroad, you’re still dealing with EU citizens data, you still need to have some level of compliances.

And secondly, there is no clear financial bite to the directive, unfortunately, which there is for GDPR, for privacy protection, where we know it’s 4% or 2%, depending on what the situation will be here that’s left on the member state level. So we will see what kind of penalties, what kind of financial instruments member states will put in place in terms of sanctions that the directive will be enforced with.

Giovanni: Yeah, I appreciate you walking through that. I think you see it in the chat, we’ve gotten it. In other events, people are wondering some of these things around territory. And like we were talking about earlier on retaliation that, you know, some of it isn’t decided yet some of it is going to be different based on the member state. And these things are gonna progress as we go.

But, you know, I think that it’s important for people understand what is decided and what’s clear, what is kind of, you know, left up to a certain jurisdiction, or a certain split of locale for a subsidiary and things like that, which is some complexity about this. But that’s how these things happen is, you know, we kind of figure out what we can figure out and we’re gonna define this.

And then, you know, like you were talking about earlier, you’re gonna be involved in the next phase of this, of helping a benchmark member states and how they are implementing and enforcing some of the things that are expressly not defined by this law specifically, but are kind of follow on effects to implement it properly, or to monitor it.

Dr. Abazi: Let me maybe just repeat one more time. Just so I want to make sure that sort of the lecturer in me, the educator in me trying to make sure everyone’s getting what I’m saying. And of course, it’s a pity because I don’t see people’s faces and their reactions. So I’m not so sure everyone’s kind of just like, “What is she saying? Where does it apply? What are we talking about?”

So two different moments in point to kind of remember the fact that any retaliation whatsoever is strictly forbidden, that’s very clear with a directive. And so anything from I don’t know, you don’t get to go to a training because, you know, you’re reported and this is one of the ways that you suspect your employer now is actually kind of keeping you down or sort of trying to make a point, even situations like that. And not only you but even if you have facilitators around you or family that’s been impacted will also have protections.

So the scope of retaliation, and what you’re being retaliated against is quite broad. The directive lists a few things as an example, but it says that’s not an exhaustive list, that it leaves for, you know, practice and real life to be able to do for the courts to actually say all sorts of different situations can also fall under protection.

So defining, in other words, defining what retaliation is and the situation is the fact that it’s very broad. It’s included in the directive, what’s not included is you are a company you’ve been accused of retaliating against your employer. What are your sanctions, or you have not set up proper reporting channels? Or you’re missing your deadlines. What do we do in these situations?

These are the kinds of systems of sort of enforcement and sanctioning that is left to be decided for member states, and that will be slightly different depending on each member state, possibly, although the trend that we’re overall seeing is that we don’t have a situation where some member states will be like, completely, very different than most.

There is some sort of center of gravity around what most member states are leaning towards. But I just would refrain from giving any points about this, because it’s all sort of still in the making. So it’s not very helpful to kind of get distracted.

Giovanni: Yeah, thanks for clarifying that. I think that’s an important distinction that it’s defined broadly. And, you know, forbidden, but how it’s enforced or measured, or the size of the sanction is getting figured out, and, you know, may have some different stance in different member states. Thanks for that.

Dr. Abazi: Yeah. Great.

Giovanni: So let’s go to the chat. I want to pick up a question from the chat. There’s a lot of good discussion going on. And thank you to everyone who’s giving your input and your perspective, or what you know about these things. This is how we do it on the ethics verse. We’re all part of this together. So this is a why question. So you can answer the literal why or give us some context around it.

But why does the directive require in-country ownership of investigations, some multinational companies may be concerned that disconnecting the investigation from the corporate, you know, central compliance function might be bad for companies who might be specifically worried about in-country retaliation or visibility?

Dr. Abazi: Yeah, so I’ve had a chance, actually, even very recently in June to discuss this with the policymakers in Brussels, including the people who sort of gave answers to comments, because there were companies sort of asking the commission well, okay, we have one centralized mechanism reporting, why should we have a subsidiary one, etc.

And for the commission, the position is that, so I’m just sort of explaining their position before I kind of gave my own take on it in a way that the entire regime is supposed to be whistleblower friendly, and so first and foremost. And secondly, because national implementation will be slightly different, that subsidiary will be bound by the national laws of the country where they are based.

So what we’re seeing, for example, to give you context in say, Belgium, they are creating two different regimes where there’s one that’s gonna be a separate law for the public sector and different one for the private industries. And they are doing is slightly different than what the Netherlands right now is doing, for example, or the kinds of conversations that took place in Sweden or Denmark.

And so where your subsidiary is, and the kind of processes and the kind of authorities and things that you’d need maybe to work with will also be different. And so the idea is to really do this as close to the whistleblower as possible. And in cooperation sort of in collaboration in the context of that country where the issue took place.

Of course, the situation is slightly tricky, because it is the EU and you could easily imagine a situation where, okay, you have a company that’s operating in warm states, and whether the EU, including maybe obviously globally, you have employers from all these different countries. You are maybe employing a third-party provider for your hotline, who’s supposed to do what’s under what law, and what kind of confusion is here.

And I think we will also see, because so far, we have never had truly a whistleblower case in front of the court of justice, so the court in Luxembourg. We have yet to see some of the interpretation by the courts of these provisions. What I suspect sort of just on basis of the legal cases available, and that it will be that courts will very much go with where that whistleblowing is taking place, that would essentially be the most kind of determining factor, or it will happen in collaboration, which is similar practices that we see in privacy.

Again, I draw a lot of analogies with the privacy with GDPR, because a lot of the situations and a lot of the background in a way of these provisions does have that similarity. And so, yeah. I’m just kind of while I answer the question that someone is like mentioning, okay, “Work for a Canadian company that employs U.S. citizens that work in the EU from their homes is the regulation applicable to the company?”

Yeah, I mean, the fact that they’re based in the EU, so part of your activities also taking place in the European Union. And so that very much… it’s not a question of where the company is headquartered or where it’s registered. It’s also where this is taking place, right? I don’t want to delve into conflict of laws that’s way beyond.

Giovanni: That’s the 401 course. We’re not there yet.

Dr. Abazi: Yeah. Yeah, yeah. Yeah, let’s not do it. Let’s not do it. I mean, the lawyer in me would love to get even more into this, but I think it’s way too much legal talk for a Thursday afternoon.

Giovanni: Okay. Yeah, so to your point there, there are some questions moving through the chat on kind of these changes in jurisdiction. Let me see if I can summarize it. And this might cover a few of these scenarios. What I understand that you’re saying is the EU law pertains to work-related whistleblowing around perceived anticipated, work-related, not just employee issues, that somebody in the EU experiences, regardless of where the head company is headquartered.

Whether they’re employed in a subsidiary, if the citizen, the person who does the whistleblowing is in the EU, then the company can be headquartered wherever it is, they could be an employee or not an employee or a consultant. If they’re in the EU, this law protects them. Is that a good way to kind of wrap around it?

Dr. Abazi: Yeah. And just to make sure also, that I’m being super legally correct. So you don’t have to be a citizen for this to apply, right? Very important, because you may be a worker coming here, a resident. And so that’s one scenario. The scenario of you are someone who is working in the EU and we don’t care if you’re a citizen or not, as long as you’re working in the EU, that’s fine. And maybe your main parent companies based elsewhere, also, we don’t care as subsidiaries here, you have a branch here, it applies.

The other flip side situation will be you are an EU-based company, but your employees are elsewhere. I mean, we’re very global work right now. Yes, definitely. It applies, too. We will see how that situation exactly goes. Especially, I mean, COVID times if someone’s not even moved to the EU at all, and they’re back in their own country. And, you know, what does that mean?

Let’s say someone is, I don’t know. Well, someone said India in the chat. So let me just bring India in there. Basically, what does that mean? Like, would we count that, you know, you can go to an Indian authority, and then would that be an external reporting for the directive? I am not so sure. That’s how it’s going to be, that they would still be… the external authorities would still have to be the country where the company then would be based, let’s say it’s a German-based company. But definitely, it would be a German-based company would have to apply with the directive.

Giovanni: Yeah, it’s not specifically excluded. But we’ll kind of get there when we get to it. Or maybe that’ll be based on some precedent once it happens or something. The India reporting to an Indian government authority.

Dr. Abazi: No, because… so I mean, just to explain why do I mention that is because the directive says, obviously… So the scenario is this, you’re a German company, you’ve employed someone who is living in India and doing their job from India, for example. Does the directive apply? Okay, now I’m witnessing some issues. I want to blow the whistle. How do I do this? Is my company bound if they’re retaliating against me, can I benefit from these protections?

The issue would be here with the second channel of reporting, which is the external reporting. And I’m just trying to clarify that in that situation, the fact that you’re physically based in India wouldn’t be a problem. But you cannot go and report to Indian authorities, it will still be German authorities that you’re reporting to that would be considered as external channel of reporting, as far as a directive is concerned. Am I kind of making more sense?

Giovanni: Yeah, it makes sense to me that second channel reporting. So maybe we should cover those because I want to get into kind of reporting channels, and some things like that. Can you give us an overview of those three tiers of reporting, and then we can talk about that a little bit?

Dr. Abazi: Yeah, absolutely. So the first year and that’s also great news is something really had to fight about because especially Germany and France, two major important countries in the EU, really were, for different reasons, very hesitant to have a sort of a no obligation to report inside your organization first.

Germany because of what they saw as loyalty to your employer. And this principle of loyalty and employment is very important to them, and they thought, “Well, no, it’s not okay, that you can just simply go and report to authorities before doing so internally.”

And France because they already had a law that they didn’t want to change too much. And that law was requiring individuals to be obliged to report internally first. Just to give you a context, what happened before the directive and why these two member states were a bit opposed.

But somehow, through good negotiations, we managed to get rid of that. And so basically, right now a whistleblower is not obliged to report internally within their organization within their employer first. They can, if they so choose, go to an external channel, we can sort of say is the second tier.

Obviously, internal whistleblowing can happen itself by the organization, they can have third-party providers who do the channels for them. And in any case, though, there’s very strict procedures in terms of what the follow-up procedures should be. The person can also go to a variety of authorities at the member state or directly, also the European Union.

So let’s say you’re talking about EU funding, you can also go to institutions in Brussels and report to them that would also be considered external reporting, they would also be considered part of the sort of institutional bodies that are okay to receive reporting.

Giovanni: And that’s tier two, right? All of those, whether it’s EU or in-country, those are all…

Dr. Abazi: So tier one, inside your company inside your organization. Tier two, authorities of any sorts of any nature, whether nationally whether the EU level, that’s fine. Now public would be me posting something on my social account. Public would be me calling a news reporter. Public will be any of that thing that actually reaches obviously the public directly. That does have some more conditions. And it’s much more sort of seen to be more exceptional than the first step.

It’s either in sort of very dramatic situations where it’s so urgent that you really need to immediately alert and there’s no other way for…you don’t expect that any action can be taken internally, or you’ve tried and it hasn’t worked. Or you expect that you will be retaliated against because the top leadership may be involved. And this is of such public concern that it should be reported publicly.

So what I’m trying to say is that we’re sort of a whole open field to go to authorities, and you can choose to do so without even alerting inside at all. It’s not the case exactly with just going public, that’s still a little bit more… in order for you to gain protection, you still sort of need to prove a bit more that you really had to do it, that it could have been prevented simply by…you couldn’t simply have gone to the authorities, let’s say, and do that, do the whistleblowing there.

Giovanni: Yeah, it’s an interesting balance for that, you know, going public, Facebook, newspaper, whatever it is. I think there’s some term that, you know, you need to believe that it’s in the public interest or something. So it’s an interesting balance to extend some protection to that, while also trying to give some preference to kind of follow the regulator channels if that’s gonna be prudent.

Dr. Abazi: Yeah, I mean, let’s not forget here that, obviously, if someone does do this, they still have the freedom of expression. And that is a fundamental right in the EU, it’s just that it would then operate maybe through a very different system. Again, I don’t want to complicate things and bringing the Council of Europe and bring the other course we have in Strasbourg.

But there’s a whole different regime here as well, there are people can actually also kind of following that then would not be anymore I’m calling upon my right through this directive. But then that would be more I’m calling upon my fundamental right to speak up. And so that would be a sort of a different kind of protection potentially.

So I think a good lawyer would give their client kind of different options in terms of in that particular situation, which legal route to take, and what would make more sense.

Giovanni: Yeah, I think…

Dr. Abazi: I mean, even in the UK, actually, just to kind of give people a sense, people who even restore to tort law, because they, for example, in the UK, what the problem was that if you’re choosing to go through the Public Disclosure Act, there wasn’t really, it wasn’t as generous, it was much more heavy and burdensome way to do it.

Whereas going through towards which of course, has a higher burden of proof, and the burden is on the plaintiff, etc., etc. But still, then the damages and the compensation is so much higher. And so there’s different ways also in law. I just want to say the directive is super important. But they’re all very different legal ways, including a new law that will kind of work together with a directive in a way in providing people different means in what can be the best legal route for them in that particular situation.

Giovanni: Yeah, I think that’s important, right? As we’re talking about what this law regulates or allows. It’s not restricting someone’s freedom of speech or bringing this and potentially being protected under some other jurisdiction or law. It’s just saying, if you want the protections of the EU whistleblower law to apply to you, then here’s our kind of scale of these three channels. Is that right?

Dr. Abazi: That’s an excellent summary. Yes.

Giovanni: I got a thumbs up from the teacher, from the professor. Thank you. So we’re talking about these three tiers of reporting. We’ve gotten some questions about the potential obligation of the company to educate employees and potential whistleblowers about this, like, do they need to, you know, explain those three tiers within each country? Or do they have to explain how to report externally to facilitate that for them? Or do they just need to kind of know when to be careful about retaliation?

Dr. Abazi: Okay, so I guess we can talk on a scale, you know. The best case scenario, you’re this sort of fantastic company, all you want to do is sort of raise the maximum awareness to I want to do my bare minimum. So doing the bare minimum, is you need to absolutely have a clear procedures for internal reporting. I’m not gonna go in all the depth, I’m just sort of outlining the main things here.

Giovanni: Yeah, that’s the whole category, clear procedures for internal reporting.

Dr. Abazi: Yeah, clear procedures for reporting, you absolutely must make sure to comply with reporting in a way that facilitates, you have to have it available in the language of the whistleblower, you have to make sure that it can be done in writing, it can be done by a phone, it can be done online, it can be done in person. They…really says all kinds of possible ways of blowing the whistle should be available to the whistleblower.

So that is very, very important, that part of the process is where the most of the sort of the biggest obligation or sort of the biggest heavy lifting work lies. Then in terms of obligation to, what do you tell your employees, you do need to have sort of a clarity around what your obligation…what kind of channels are you offering, how whistleblowing is done internally within your company at the bare minimum.

So it’s not maybe your job per se to kind of give on visual of all the institutions that exist in a country about where they can go externally, but you certainly need to make sure that employees are aware of where they can blow the whistle and where they can turn to.

Also, while that training is taking place, people need to make sure that the officer, I would imagine most companies having a privacy officer, that they’re involved in this process and that people are aware when they’re blowing the whistle to do so in the manner as well, that can also be privacy-friendly. And so because there can be consequences there in terms of providing more unnecessary private data, and also that the companies themselves create the reporting process in a way that is compliant with GDPR.

And so these two, this is moments where these two regimes meet. And I will have, and I’m happy to share through you a paper where I kind of explain the processes in depth, because there’s a little bit convoluted in terms of who does what, and when, and how and all of that. I would say then that these three things are absolutely a must for any company.

The question was, I saw it earlier in the chat, you know, well, if a country hasn’t done anything, do we have an obligation to do anything? Or is the law kind of inactive? And that’s not the case.

So any law, the idea, the basic way things would work is that citizens or beneficiaries of these rights shouldn’t suffer the competence because the member state did not meet its obligation to transpose the directive. The differentiation here is that if you’re in the public sector, or related to public sector, you would immediately…actually says December 2019, you were already able to call upon the directive or later on with a transposition.

Whereas if you are in a private sector…still need to depend on the national law, and you’re still kind of a bit on the waiting in terms of what your obligations will be. We still don’t have a situation where you can directly call upon this law, because, again, EU law 101, it’s a directive, not a regulation means that member states have to do something about it.

And so we’ve only seen rare situations and consumer protection, where the courts are a bit more willing to hold companies accountable, even if a member state hasn’t done any national implementation yet, and the deadline has passed, which is the reality we’re operating in right now. But I am not so sure this would be one of those scenarios. So yeah, there’s another piece actually where kind of it’s more like a kind of a brainstorm of ideas whether would that be possible again, which I’m happy to share for people that are interested.

Back to your question, now, what is the ideal if you really want to do the top job and you have the resources, and you really want to make sure, then, yes, make sure that people also know what kind of other institutions they can call upon. And let me just explain why that’s good for a company.

You don’t want your employee who maybe has an important issue that they’re raising, which is actually essentially good for your company to deal with, and not let things escalate. You rather want them to reach the right regulator as soon as they can, and not have an information about your company being filed to 50 different agencies, and then have all these different agencies all of a sudden being interested in okay, what are you doing here? And are you actually compliant?

So I remember talking to Antoine Deltour, who was, as I said, blew the whistle on tax schemes. And he initially was contacting different organizations left and right because he didn’t know exactly which is the relevant body that is relevant for this. So in a way, you end up exposing yourself to even way more scrutiny than you necessarily have to.

And it’s not necessarily that you’re a company doing something massively wrong, maybe something is not going precisely as a procedure, maybe an employee simply as a suspicion. Better inform those individuals, okay, we operate in this field, these are the regulators, these are the institutions that matter for us, these are the kinds of bodies, these are the kinds of things that, you know, we are involved with.

Simply so that they don’t go kind of left and right and alert more public bodies, and that will then kind of follow up and have to scrutinize things and have investigations more than it’s necessary. So in that sense, is it in legal obligation? Not per se. Is it actually a very smart thing to do for companies themselves? Absolutely.

Giovanni: That’s great. Yeah. I mean, there’s that whole spectrum of are you doing the bare minimum just to, you know, hopefully not get some enforcement by a member state for their transposition of this. Or are you doing the thing that’s best for your company and your people in your mission to actually do it right. There’s obviously a big spectrum there.

And, you know, I think from my perspective, I’m glad that this is driving some more of those questions about what should we actually do about this. For some people who may be, you know, were kind of lower on the scale, when there was no legal requirement and people saying, “Okay, well, if we’re doing something, let’s maybe do it right, and put some effort into it.”

Dr. Abazi: Yeah, I think, just to jump back, Giovanni, to what you said at the very beginning of this webinar, which was were great and on-spot comments about the fact that whistleblowers are an asset. And I think truly they are, and I think the moment that a very smart company treats them in that way, you end up being way more successful in terms of management of your resources, better processes inside, better listening culture, overall in your company.

Therefore, better learning processes and moving forward, rather than sort of seeing the directive as yet another thing you need to comply with and kind of, then only seeing it as more of as a sort of a hurdle or a pain in the neck, more so than kind of saying, “Well, okay, how can we maximize our own benefits from this process? And in what way should we do and should we act? And what kind of processes should we have in place that actually makes us even more competitive in whatever we’re doing?”

Giovanni: Yeah, I think it’s an awesome point. And, you know, I consider it a comparison between the individual or the collective. Not supporting whistleblowers is a very individualistic thing that’s gonna allow someone to kind of go rogue and cause some problems. A whistleblower is, to me, loyal to the collective and saying, this is bad for the whole company, that this thing is happening, I’m gonna speak up at risk to myself to better the group and the tribe, that I’m a part of the company, the division that I’m in.

And, I think, you know, if you’re a leader, you got to care about the collective, not an individual manner or being able to get away with something, even if it’s at some cost to you know, spinning up a program and investigating something.

Dr. Abazi: That sounds brave.

Giovanni: Oh, thank you. We have a couple of minutes left, anything that you want to cover? If not, I got another question or two, we can try to get to.

Dr. Abazi: Maybe let’s get more into questions, I’d be more eager to have people feel involved in that their questions are not just being lost in a Zoom chat forever.

Giovanni: So I’d like to take this from the other side. Someone asked, “Is there anything in the directive that addresses potentially bad faith reports by potential you know, people who position themselves as whistleblowers or people who are trying to harm a company by you know, stating something?” At the other side of this.

Dr. Abazi: So, yeah, kind of okay. Let me explain that motive does not matter. So in a situation where I see my boss that is corrupt and is misusing funds, but generally, I’m not speaking out. Next day, I don’t know, I’m really upset, whatever with them and I just want to sort of make sure like, okay, I’m gonna have one on you. And then I report on this person that doesn’t matter, it doesn’t matter that what drove me the motivation for reporting per se, as long as what you’re reporting on is true and factual.

That is different from I’m fabricating information. This is absolutely incorrect, but I’m making stuff up or I’m involving people that are not involved, etc., etc. Absolutely, then there is responsibility for that.

But the directive very importantly does not require checking someone was motive. And I think this is very important. And it’s one of those advancements of whistleblower just as we are as a stage because what, generally, happened in the past is trying to sort of portray the whistleblower, as someone with a bad agenda that’s trying to kind of harm the company or the organization, where it’s precisely as you just said, is the contrary. This person genuinely 99% of the time, they’re really just trying, they’re doing their job.

And quite frankly, from over and over, from empirical studies and research that we’re seeing, most often the first time a person’s reporting, they’re not thinking of themselves as “I’m a whistleblower.” They’re thinking, “Oh, this looks a little bit fishy or doesn’t seem right. And let me just check with my manager.” Or like, “Okay, I thought this is the other way?”

It depends, obviously, of how detrimental or how bad the breach we’re talking about. But we’re talking about the vast majority of cases where people also don’t necessarily even think of themselves as whistleblowers when they’re first reporting.

But in short, the directive does set a very clear line between motive per se does not matter. So you were in a good mood, bad mood, you wanted this, you wanted that. That’s not important. But it is important that you’re not fabricating and that you’re not lying. And if that is proven to be the case, there would obviously be consequences for that.

Giovanni: Okay. Thanks for that. So one more if we can, as we get toward the end here. There’s a question about, we’re gonna go back to kind of domain, and whether an externally headquartered company with a subsidiary in the EU, if they need a separate channel for this reporting, or they just need to make sure whatever channel, whether it’s consolidated across the company or not, kind of follows these specific rules of, you know, availability and follow up in language and things like that, does it need to be a centralized channel?

Dr. Abazi: So the commission has answered this question. And I said that the channel has to be local, has to be at the subsidiary level as well. And there has been a lot of backlash from companies to sort of say, well, I mean, why, and this kind of doesn’t work with us streamlining or processes, or what’s the point, etc., etc., etc., I had a chance to speak with a few colleagues in Brussels in June about this.

And they simply, for a variety of reasons, that we don’t have time to get into now, from the commissioners perspective, this is the better way to protect whistleblowers, and therefore this is the requirement that companies will have to that you cannot just have one centralized mechanism channel reporting, it has to be also the closest to the whistleblowers. So if you’re operating in different member states, you need channels in all those countries.

Giovanni: Okay. Well, thanks for that. Obviously, that’s an issue that there’s some disagreement on, which is why it’s so great to get your perspective. You’ve been a real blessing to us. Thanks for joining us today. It’s been really great to hear your insight. You know, obviously, in addition to being such an expert on this issue, you’re close to it, you’ve seen it develop, you understand the nuance behind it. And it’s been really great to help us and the audience here get some more clarity around this.

Obviously, a lot of people in our audience want to do this right, want to do it well, want to not just protect their company, but protect their whistleblowers through the way that we lead our programs. And you’ve helped us by making us smarter, help us understand how to do that better today. Thank you so much for joining us.

Dr. Abazi: Thank you so much. Thank you so much for having me. And thanks to everyone for your questions, and apologies that we haven’t managed to cover everything, but it is 130 of you, at least that was, so that’s quite a lot to go through. But thanks so much. And please, you know, you can easily find me through LinkedIn, do check out that paper, but also reach out if you have questions and everything.

I’m happy to always be in touch. It also gives me more interesting ideas and kind of see how things work in practice. I love to hear from you as well. And thank you so much, Giovanni, you’ve been great to chat with. I appreciate the enthusiasm. And, yeah, have a lovely afternoon, wherever you are.

Giovanni: All right, thanks, everyone for joining us on the “Ethics Verse.” You could find the same time next week on Thursday, and we look forward to engaging with more of these great discussions. Thanks for jumping in the chat. And thanks for being part of this great compliance and ethics community where we’re all working together to make the world a better workplace. Bye, doctor. Thank you so much.

Dr. Abazi: Bye.

ComplianceLine is now Ethico!