IBA publishes guide to whistleblower protection

While whistleblowing is not a new phenomenon, it appears to have taken on added significance in recent years. Fundamentally, it remains the case thatwhistleblowers can reveal information that would otherwise go undetected, and are therefore a vital source of intelligence. Such information can often be critical to an organisation, ensuring it, among others, operates according to the law and to an appropriate standard, and protects the health and safety of its employees.

In recent years, numerous jurisdictions have recognised the increasing importance of protecting whistleblowers and have introduced legislation to do so. However, there remain many jurisdictions that afford little or no protection to whistleblowers which lead to a culture of distrust and retaliation. Moreover, even in countries that do afford legal protections to whistleblowers, there remain large gaps in the scope and application of the law that adversely limit their effective operation.

Against this backdrop, the International Bar Association’s (IBA) Legal Practice Division and Legal Policy and Research Unit commissioned a Working Group sometime in late 2016 to come up with guidance for regulators and organisations on the development and implementation of whistleblower protections. The writers of this article were both part of the Working Group, which also comprised practitioners based in United Kingdom, United States, France, Italy, Czech Republic, Netherlands and Bolivia.

The Working Group concluded its work recently, and produced a guide (“Guide”) which addresses these limitations, identifies the fundamental principles underpinning effective whistleblower regulations, and highlights the important role played by governments and organisations in protecting whistleblowers. The Guide provides commentary and offers guidance to: (a) jurisdictions on the elements necessary to develop and improve legislative frameworks on whistleblower protection to make them more comprehensive, effective and robust; and (b) organisations on the elements relevant to developing and implementing whistleblower protection policies and procedures.

A copy of this guide can be located here. This article sets out a summary of the commentaries and findings in the Guide.

Whistleblowing may be defined as the making of certain disclosures of actual or potential (or ‘reasonably anticipated’) conduct that an individual reasonably believes to be unlawful. These disclosures can take place internally via a dedicated and clearly communicated reporting mechanism or externally to appropriate authorities.

The Guide concluded after some research that many jurisdictions do not have a specific definition of ‘whistleblower’. The Guide recognised the importance of whistleblowing frameworks to identify clearly the persons who can avail themselves of protections in the event that they choose to report misconduct or wrongdoing. In the context of legislation, laws should clearly describe the persons to whom the protections afforded under the law would apply. Such protections generally apply to persons who are ‘employees’ or ‘workers’ in a workplace, including contractors, consultants, interns and volunteers. For multinational companies, protections should be extended to foreign or expatriate workers.

It is not uncommon to hear accounts of employees who experience negative repercussions after having raised concerns of misconduct within an organisation (often honestly and in the course of one’s job duties). These adverse repercussions often take the form of victimisation, ostracism by peers, demotion, retaliation, discrimination, reprisals and/or dismissal. Outside of the workplace, a whistleblower may find himself exposed to defamation proceedings or criminal prosecution after the act of whistleblowing. For example, in Aghimien v Fox Case No 71A03-1602-CT-291 (Indiana Court of Appeals), the plaintiff whistleblower exposed two university professors of academic plagiarism. One academic was found to have plagiarised, while the other as co-author, was not. Cleared of plagiarism, the co-author brought a defamation suit against the whistleblower.

Fear of these adverse repercussions can understandably amount to a significant disincentive to whistleblowers, and place a chilling effect on individuals seeking to provide information of wrongdoing.

The Working Group observed that whistleblower protection laws differ greatly across jurisdictions. For example, the US has an established history of whistleblower protection laws. Some of these laws are well known, such as the Dodd–Frank Act and Sarbanes–Oxley Act. In Europe, the whistleblower protection laws in most European countries are not as developed as those in the US. However, the EU Commission has recently enacted a new whistleblowing directive and that is set to be a significant breakthrough in this area (we explain more on this below).

Most jurisdictions have specific and targeted whistleblower protections in the context of certain statutes. In Singapore, for example, whistleblowers are afforded anonymity when making disclosures required by the Corruption, Drug Trafficking and other Serious Crimes (Confiscation of Benefits) Act (Cap 65A). However, jurisdictions such as the Netherlands and Australia have standalone whistleblowing laws which provide for whistleblower protections.

One of the thornier issues the Working Group had to consider was the type of misconduct which should properly be covered by whistleblowing protection laws, whether in the private or public contexts. Some considered that whistleblower protections ought only to apply to reports concerning breaches of the law. Others preferred a more expansive approach, specifically to grant protections to persons who report on activities which have not yet amounted to breaches of the law. A further consideration was whether these whistleblower protections should extend to those who report matters that constitute more of ethical or moral concerns.

On balance, the Working Group recommends that laws to protect whistleblowers should be limited in scope to reports of conduct that an individual reasonably believes to be actually or potentially unlawful. There are concerns that extending protections to include ethical or moral issues, which can mean different things to different people, can potentially give rise to subjectivity and uncertainties as to the scope of the protections. However, organisations are at liberty (and, in fact, encouraged) to provide broader internal protections in the context of their workplace, for example by encouraging its employees to report violations of internal policies or conduct that is unethical, immoral or contrary to the values of that organization.

The Working Group recognised that in some instances, there may be a tension between the duties of loyalty and fidelity owed by an employee to his or her employer, and a requirement to report wrongdoing. The duties of loyalty and fidelity (which often arises out of contract or at general law) may prevent an employee from disclosing information about the organisation to third parties, even if that information pertains to misconduct or wrongdoing.

The Working Group observed that some jurisdictions, most notably the US, have laws which makes it unlawful for private companies to put in place reprisals against employees for acts of whistleblowing. For example, an oil-and-gas company, SandRidge Energy Inc, agreed to pay to the U.S. Securities and Exchange Commission a US$1.4 million penalty for retaliating (firing) an employee who had raised concerns inside the company about how it calculated its publicly reported oil-and-gas reserves.

The Working Group took the view that such an approach was to be welcomed, and that organisations should be discouraged from including provisions into employees’ contracts of employment that prohibit them from raising concerns of misconduct or wrongdoing with relevant authorities. Such provisions are essentially used to protect individuals within an organisation rather than protecting the organisation and its raison d’être. Jurisdictions are therefore encouraged to enact laws which discourage organisations from restricting their employees’ ability to expose misconduct or wrongdoing by inserting such ‘gag clauses’ in their employment contracts or separation agreements.

The Working Group was of the view that imposing a positive statutory obligation on individuals to report suspected or actual misconduct or wrongdoing has its risks. While it is likely to result in valuable information being provided to authorities, it may also put those individuals who report it in danger, particularly if the protections in place are inadequate.

If a jurisdiction were to enact laws that oblige individuals to bring actual or suspected misconduct or wrongdoing to the attention of authorities, such individuals ought to be entitled to the most robust form of protection available in the jurisdiction.

In the context of regulatory authorities, a jurisdiction’s laws and regulations typically stipulate the contact person or department that such misconduct or wrongdoing can be reported to.

In the context of private organisations, the question then becomes: who is best placed to be the recipient of such potential disclosures? Failing to address this question carefully might deter individuals from making reports on misconduct or wrongdoing. The Working Group suggested that the person responsible for whistleblower protection be an independent member of the senior management team who reports regularly to the board or a committee (eg, risk management committee) of the board.

Organisations may also consider implementing anonymous whistleblowing hotlines, which may be a more appropriate alternative channel where employees have information that potentially implicates members of the senior management team or board members.

The Working Group observed that laws in certain jurisdictions such as in New Zealand include a requirement that a person reporting misconduct can only avail themselves of protection if they have made such their disclosures in good faith. Such a requirement of good faith is typically met if the person reasonably believes that the information they are reporting is true. Some jurisdictions appear to add a further gloss to this requirement, requiring that the informant must be seized of pure altruistic motives when making the report, failing which he or she cannot rely on the protections even if the information set out in the report were true.

Given that there is often ambiguity behind the term “good faith” (particularly when legislation fails to define such a term and leave the task of interpretation to the courts), this requirement can have a stifling effect as potential informants are uncertain whether they can avail themselves of these protections. As such, it was the Working Group’s preference for whistleblower protection frameworks to drop such a requirement of “good faith”.

The Working Group recognised that anonymous reporting is often the only way information on a particular situation can be obtained. Anonymity is particularly important where there are risks to a person’s safety after having reported wrongdoing. However, there is a recognition that anonymous reporting can make it difficult to obtain follow-up information that might be essential to conduct a more thorough investigation. There are also concerns that if reports can be made anonymously, individuals might abuse these reporting channels and bring false or vindictive allegations against other persons.

As an added consideration, anonymous reporting may also have implications under data protection laws in some countries. This is dealt with further in the next section below.

Data protection laws in some countries may impose legal restrictions on internal private sector whistleblowing procedures. Consider, for example, the EU’s General Data Protection Regulation (GDPR). The principle underpinning the GDPR is that personal data should be collected and used fairly. As company whistleblower reporting mechanisms rely on the processing of personal data – both of the reporting person and the subject of the report – the establishment of such reporting mechanisms by companies headquartered or operating in Europe (and potentially those outside the EU) will be subject to this strengthened data protection framework.

If companies’ internal reporting mechanisms and subsequent internal investigation procedures violate GDPR provisions on data processing, data subjects’ rights (ie, the subject of the whistleblower report) or transfer personal data to third countries or international organisations, companies could be liable to pay hefty administrative fines (for example, up to four per cent of total worldwide annual turnover). This could be a significant deterrent for companies considering whether to implement protected internal reporting channels, whether or not they are in the EU. Organisations may therefore have to acquire an understanding of the relevant data protection regulations in order to implement robust and effective whistleblowing protection frameworks.

The Working Group recognised that whistleblowers sometimes suffer detrimental actions following exposure of wrongdoing or misconduct. This is arguably most prevalent in the context of the workplace, where whistleblowers may face termination or constructive dismissal following their exposure of wrongdoing in their organisations. Obviously, the termination of employment in such circumstances will be optically structured as unrelated to the acts of whistleblowing. Some jurisdictions (e.g. Australia, Canada, South Africa, South Korea and the US) have legislation which provides for compensation for reporting persons in the public sector who have suffered adverse actions as a result of whistleblowing activities, such adverse actions including a termination of employment.

Where compensation is provided, the question of compensation is usually addressed by reference to the unlawfulness of the termination of the whistleblower’s employment. These compensation frameworks do not usually take into account any pain, suffering and harassment which the whistleblower may have encountered as a result of the whistleblowing activities.

The Working Group proposed that whistleblower protection frameworks should include a system of compensation administered by an independent statutory office-holder, court system or quasi-judicial administrative process, and through which both parties provide information related to the assessment of economic and emotional damages. Leniency programmes (such as total immunity or partial reduction from prosecution or penalties) can act as a strong incentive for whistleblowing. However, it appears that the whistleblowing laws of most jurisdictions do not currently include any leniency programmes. The Working Group suggested that legislators should consider including such programmes to encourage whistleblower to come forward with information.

The Working Group observed that organisations typically adopt and implement whistleblowing frameworks only when they are the subject of investigations or legal proceedings. In this sense, coming up with a whistleblowing framework is largely a reactive measure, and when implemented in such circumstances, the framework is often put together quickly on a piece-meal basis and may not be ideal.

Rather, organisations should take time to consider some of the following questions when looking to implement a robust whistleblower protection framework (more questions are found at page 36 of the Guide):

• What is the nature of information that the organisation wants brought to its attention?
• How should the reporting procedures work in the structure of the organisation?
• Does the framework specify appropriate external recipients of concerns if a whistleblower is not satisfied with the internal response?
• How can they ensure information of the reporting person and the person who is the subject of the report is confidential and protected?
• How does the organisation provide feedback to a whistleblower about their concerns? Does the organisation make the results transparent?
• How can the organisation help to promote a workplace culture that encourages and protects disclosures of possible misconduct?
• What process is followed to investigate any reports of misconduct or wrongdoing?

The Working Group recognised that one of the driving factors behind a successful whistleblowing protection framework is a jurisdiction’s cultural perception towards whistleblowing activities. This is not something that can change easily with the mere enactment of laws. For example, in some cultures, there is a deep suspicion of whistleblowers, and acts of ‘snitching’ or ‘tattle-taling’ may be frowned upon whether at home, in the schoolyard or in the workplace. The Working Group believes that education programmes which iterate the importance of reporting concerns of misconduct and wrongdoing, and protecting the rights of those who do so, are likely to be an important tool if cultural attitudes and perception are to change.

In Europe, what lies on the horizon is a new whistleblowing directive proposed by the EU Commission in late April 2018. The directive is intended to improve and harmonise the protection of whistleblowers in the private and public sector across Europe. It is expected to be implemented by national legislators by May 2021. This directive will apply to companies in the private sector with either at least 50 employees or an annual turnover of at least 10 million Euros. It will also apply to companies involved in financial services or vulnerable to money laundering/terrorist financing will be affected regardless of their size or turnover. Under the provisions of the directive, these organisations are required to set up an internal confidential reporting channel, and only a selected, well-trained employees will be allowed to handle the reports. As for whistleblower protections, whistleblowers will have the right to be protected against retaliation, such as dismissal, written warning or transfer by the company.

In Australia, a new standalone whistleblowing statute is in the final throes of parliamentary approval, and is likely to come into force in July 2018. The legislation requires public companies and large private companies which do not have existing internal whistleblower policies to set up new policies, while those that do are required to review and update them to ensure compliance with the new legislation.

The legislation also proposes new statutory protections for whistleblowers in relation to consumer credit laws and taxation, and expands the current protections to take into account disclosures concerning corporate corruption, bribery, fraud, money laundering, terrorist financing or other serious misconduct. Companies will be subject to penalties for failing to set up a compliant whistleblower policy, and both individuals and companies may be subject to substantial civil and criminal penalties for breaching a whistleblower’s anonymity and for victimising or threatening to victimise a whistleblower. It is also interesting to note that the legislation has expressly done away with a ‘good faith’ requirement for disclosures, allowing anonymous disclosures and providing immunities to whistleblowers regarding the type of disclosures made.

In the majority of jurisdictions surveyed, it would appear that the laws relating to whistleblower protections are ripe for change. This topic is not one that is easy to navigate. From the perspective of legislators, the level and forms of whistleblower protection in any legislation will have to take into account the prevailing socio-cultural objectives and norms. From the perspective of individual organisations, each organisation will have to exercise care in coming up with an internal whistleblowing framework which is practical, effective and accessible to its employees.

The Guide does not attempt to provide answers to all these questions. Rather, it is intended to ventilate and provide guidance to help stakeholders address these difficult questions. In that context, we hope that the Guide will be a useful resource for governmental authorities and commercial organisations.