EU Whistleblower Directive Transposed into Maltese Law: Key Considerations for Companies
EU Directive 2019/1937 on the protection of persons who report breaches of Union law (“the Directive”) sets out a framework of procedures under which persons who acquired information on breaches in the context of their work-related activities may report or publicly disclose information on such breaches, and sets minimum standards for the protection of persons reporting those breaches.
The Directive, which was introduced in October 2019, was transposed into Maltese legislation on the 18th December 2021, introducing several changes to our local legislation.
Main differences between the current Act and the Directive
Currently, in Malta, whistleblower protection is regulated by the Protection of the Whistleblower Act, Chapter 527 of the Laws of Malta (“the Act”), which was introduced in September 2013. The Directive aims to create common minimum standards of protection across the EU for whistleblowers who raise breaches of EU law with their employers. The new rules require the creation of safe channels for reporting both within an organisation (through internal reporting channels) and to public authorities (through external reporting channels). The Directive also protects whistleblowers against retaliation and requires national authorities to adequately inform citizens and train public officials on how to deal with whistleblowing.
One of the main novelties of the Directive is the introduction of the protection of persons who make public disclosures, that is, where persons make information on breaches available in the public domain. Additionally, whilst protection under the Act relates to “employees”, the Directive extends such protection to “reporting persons”, also covering shareholders and persons belonging to the administrative, management or supervisory body of the entity, including non-executive members, as well as volunteers and paid or unpaid trainees.
The definition of “detrimental action” under the Act has also been extended to cover any form of “retaliation” including suspension, lay-off, dismissal or equivalent measures; demotion or withholding of promotion; transfer of duties, change of location of place of work, reduction in wages, change in working hours; withholding of training; a negative performance assessment or employment reference; and discrimination, disadvantageous or unfair treatment, among others.
Who does the Act apply to?
The Act covers all employees who make a disclosure through an internal or external reporting channel, including:
- any person who has entered into or works under a contract of service with an employer and includes a contractor or subcontractor who performs work or supplies a service or undertakes to perform any work or to supply services;
- any person who has undertaken personally to execute any work or service for, and under the immediate direction and control of another person, including an outworker[1], but excluding work or service performed in a professional capacity to which an obligation of professional secrecy applies when such work or service is not regulated by a specific contract of service;
- any person in employment in the public administration, including as a member of a disciplined force;
- any former employee;
- any person who is or was seconded to an employer;
- any volunteer[2], even when such work or service is not regulated by a specific contract of service;
- any candidate for employment only where information concerning improper practices has been acquired during the recruitment process or other pre-contractual negotiations; and/or
- shareholders and persons belonging to the administrative, management or supervisory body of an undertaking, including non-executive members, and paid or unpaid trainees.
What kinds of breaches may be reported under the Act?
In order for a disclosure to fall within the scope of the Act, it must relate to an “improper practice”, that is, an action or series of actions whereby:
- a person has failed, is failing or is likely to fail to comply with any legal obligation to which he/she is subject; or
- the health or safety of any individual has been, is being or is likely to be endangered; or
- the environment has been, is being or is likely to be damaged; or
- a corrupt practice[3] has occurred or is likely to occur or to have occurred; or
- a criminal offence has been committed, is being committed or is likely to be committed; or
- a miscarriage of justice has occurred, is occurring or is likely to occur; or
- bribery[4] has occurred or is likely to occur or to have occurred; or
- a person has failed, is failing or is likely to fail to comply with any legal obligation on public procurement to which he is subject; or
- a person has failed, is failing or is likely to fail to comply with laws on financial services, products and markets, and prevention of money laundering and terrorist financing; or
- a person has failed, is failing or is likely to fail to comply with product safety and compliance law; or
- a person has failed, is failing or is likely to fail in ensuring transport safety; or
- a person has failed, is failing or is likely to fail in ensuring radiation protection and nuclear safety; or
- a person has failed, is failing or is likely to fail in ensuring food and feed safety, animal health and welfare; or
- a person has failed, is failing or is likely to fail to comply with any legal obligation on consumer protection to which he is subject; or
- a person has failed, is failing or is likely to fail to comply with any legal obligation on protection of privacy and personal data, and security of network and information systems to which he is subject; or
- a breach affecting the financial interests of the European Union as referred to in Article 325 of the Treaty on the Functioning of the European Union (“the TFEU”) and further specified in relevant European Union measures has occurred or is likely to occur or to have occurred; or
- a breach relating to the internal market, as referred to in Article 26(2) of the TFEU, including breaches of European Union competition and State aid rules, as well as breaches relating to the internal market in relation to acts which breach the rules of corporate tax or to arrangements the purpose of which is to obtain a tax advantage that defeats the object or purpose of the applicable corporate tax law has occurred or is likely to occur or to have occurred; or
- information tending to show any matter falling within any one (1) of the preceding paragraphs has been, is being or is likely to be deliberately concealed.
[1] “Outworker” means a person to whom articles, materials or services of any nature are given out by an employer for the performance of any type of work or service where such work or service is to be carried out either in the home of the outworker or in some other premises not being under the control and management of that other person.
[2] “Volunteer” means a person who provides unremunerated services through or for a voluntary organisation.
[3] A corrupt practice has the same meaning as is assigned to it by article 6 of the Permanent Commission against Corruption Act.
[4] Bribery refers to any conduct in violation of articles 112 or 115 or of article 121 insofar as it extends the application of articles 112 and 115 of the Criminal Code.
Internal and external reporting channels
By virtue of the Act, all legal entities operating in the public sector and legal entities with 50 or more workers operating in the private sector are required to establish channels and procedures for internal reporting and for follow-up, which shall enable the entity’s workers to report information on breaches. Entities operating in the private sector with fewer than 50 workers may also be required to establish said internal reporting channels following an appropriate risk assessment taking into account the nature of the activities of the organisation and the ensuing level of risk for the environment and public health in particular.
These internal reporting channels will need to be designed and operated in a secure manner, ensuring that the confidentiality of the identity of the reporting person and any third party mentioned in the report is protected. The internal reporting channel is to acknowledge the receipt of a report within 7 days of that receipt, and shall provide feedback to the reporting person within a reasonable time frame, that is, not exceeding 3 months from the acknowledgement of receipt.
The Act also establishes that a reporting person may opt to file a disclosure through an external reporting channel as set out in the Act including the Auditor General, Commissioner for Revenue, Commissioner for Voluntary Organisations, Financial Intelligence Analysis Unit (“the FIAU”), Malta Financial Services Authority (“the MFSA”), Ombudsman, and the Permanent Commission against Corruption, after having first reported through internal reporting channels, or by directly reporting through an external reporting channel in situations where, for example, such reporting person has valid reasons to believe that:
- the head of the organisation is or may be involved in the improper practice alleged in the disclosure;
- immediate reference to the authority is justified by the urgency of the matter to which the disclosure relates, or some other exceptional circumstances;
- at the time he/she makes the external disclosure, he/she will be subjected to an occupational detriment by his employer if he/she makes an internal disclosure;
- it is likely that evidence relating to the improper practice will be concealed or destroyed if he/she makes an internal disclosure; or
- although an internal disclosure has previously been made, the whistleblower has not been informed on the status of the matter disclosed or it is reasonably evident to the whistleblower that there has been no action or recommended action on the matter to which the disclosure relates within a reasonable time from the making of the disclosure.
Persons who make information on breaches available in the public domain shall qualify for protection if any of the following conditions is fulfilled:
- The person first reported internally and subsequently externally, or directly externally as per the procedures indicated above, but no appropriate action was taken in response to the report within the relevant timeframes; or
- The person has reasonable grounds to believe that:
  - the breach may constitute an imminent or manifest danger to public interest, such as where there is an emergency situation or a risk of irreversible damage; or
  - in the case of external reporting, there is a risk of retaliation or there is a low prospect of the breach being effectively addressed due to the particular circumstances of the case, such as those where evidence may be concealed or destroyed, or where an authority may be in collusion with the perpetrator of the breach or involved in the breach.
Although the Act did not gain momentum as expected, some of the changes which have been introduced are far-reaching, and entities operating in the public sector, as well as companies with more than 50 workers operating in the private sector (and possibly also companies with fewer than 50 workers operating in the private sector following an appropriate risk assessment as explained above), are now required to establish internal reporting channels in order to ensure compliance with the Act.
Although its implementation did not share the same importance as that of the GDPR (which was the Directive prior to this one on the same scale), the importance of this Act and of its proper implementation should not be underestimated.