Authors: Mgr. Michal Nulíček, LL.M., CIPP/E, Mgr. Bohuslav Lichnovský, LL.M., FIP a Mgr. Anna Cervanová, LL.M.
Publisher: epravo.cz
Protection of whistle-blowers in the Czech Republic
The protection of whistle-blowers concerns persons who report the abuse of rights, illegal activity, corruption or other damage to public interests, which they found out about in the course of their work.
Recently, this has been a highly topical issue, particularly because of the rising number of instances of whistleblowing all over the world and because of the general change in perception of whistle-blowers from negative (“telling on others”) to neutral, or even positive (protecting society and behaving ethically). Companies have also started noticing that the proper management of whistleblowing can help them significantly, particularly by enabling the management or owners of a company to learn about problems as soon as possible, so they can then resolve them effectively. Giving employees confidence in internal reporting can prevent them from discussing their claims of illegal activity with the public authorities or the media. Thus, a number of companies have already set up whistleblowing hotlines or similar mechanisms, for instance as part of their general compliance controls (i.e. ensuring compliance with the legal regulations applicable to the company).
Still, the main wave of regulations on the protection of whistle-blowers is yet to come, especially following the EU’s Directive on the protection of persons who report breaches of Union law (hereinafter the “Directive”) [1], and the act that transposes the Directive into Czech law. The bill proposed by the Ministry of Justice was released by the government on June 30, 2020 [2]. This is the third version of the bill, the first two did not completely reflect the final text of the Directive and ended in the comments stage. The legislative process should start by the end of the year. The plan is for the act to come into force on December 17, 2021, which is when the transposition period for the Directive expires.
The aim of this article is to introduce the basic elements of protection of whistle-blowers and the main risks and opportunities arising from the new regulation.
Basic elements of the regulation of whistle-blower protection
The basic principle of whistle-blower protection is to provide whistle-blowers who report their suspicions of illegal activity with a guarantee that as long as they do so in compliance with the prescribed procedure, they will not be subject to any sanctions. We will go through the key concepts of whistle-blower, illegal activity, the prescribed procedure for reporting and sanctions against whistle-blowers below.
- Whistle-blower
Whistle-blowers are not only limited to employees, but can also include persons in a service relationship, self-employed persons, members of a legal entity, members of elected bodies of a legal entity, persons that manage trust funds, volunteers, interns, temporarily assigned employees and contractors. Whistle-blowers can also come from among the ranks of persons whose employment or similar relationship is or was yet to start.
Recognition of the status of whistle-blower, is conditioned upon the existence of a connection between the gaining of information about illegal activity and the whistle-blower performing work for the company. Therefore, the protection of whistle-blowers does not apply to e.g. journalists, or to witnesses of illegal activity. Furthermore, whistle-blower protection does not apply to persons who knowingly make false reports.
- Illegal activity
The legislation does not apply to all reports made by employees or other designated persons. The report must concern illegal activity which has the features of a criminal offence or a misdemeanor (a “relevant report”), or is included in one of the defined spheres such as financial services, taxes, preventing the legalization of the proceeds of crime, consumer protection, protection of the environment or public procurement. The defined spheres stem from the Directive, which applies only to activities that breach Union law in these defined spheres, though the Directive explicitly allows member states to expand the scope of protection. Still, the Act is missing a couple of spheres mentioned in the Directive – for instance, the safety of products and their compliance with the regulations, competition, state aid, network and information system security, and nuclear security.
Thus, whistle-blower protection is not intended for resolving employees’ complaints or ordinary disputes between employees. Employers should explain comprehensively to employees and, if necessary, to other persons, what purpose whistle-blower protection serves and to what cases it applies, preferably by providing practical examples that employees might come across while performing work for the company.
Not only illegal activities already committed can be reported, but also facts indicating that an illegal activity is about to take place. The latter case in particular is crucial for preventing illegal activity.
- The prescribed procedure for reporting
There are three ways of filing a report: through an internal reporting system; externally, through a newly established Whistle-blowers’ Protection Agency; or by publication (only in narrowly defined cases).
It is best for companies to receive reports through an internal reporting system. This can prevent significant reputational damage and outside interference.
Internal reporting systems must be set up by companies that employ more than 50 people, contracting authorities (except municipalities with less than 10,000 inhabitants and authorities with less than 50 employees), and also companies working in AML-sensitive fields, in the field of transport safety, transportation and operation on highways, environmental protection, animal health protection and consumer protection.
The internal reporting system includes several components – in particular, a channel for receiving reports (electronically, by telephone, in writing or in person). Thus, reports can take various forms. As opposed to the previous proposals, the bill will no longer include an obligation to accept anonymous reports. Anonymous reporting was seen by many businesses as posing a threat of abuse of the entire system, and therefore a barrier to accepting whistle-blowing as such. [3] However, the possibility is not excluded that companies might accept anonymous reports voluntarily, even if the Act does not impose such obligation. The guarantee of anonymity can help reduce whistle-blowers’ concerns about retaliatory measures.
Besides the channel for receiving reports, in order for the internal system to function properly it is necessary to implement measures for the protection of whistle-blowers and for keeping their identities secret, to organize the submission of reports, to set out rules for resolving reports and the procedure for informing the whistle-blower about the progress and results of investigation. Those measures should take the form of directives and should be reflected in the wider context of the processes of the company (for instance, in the context of retention policy or the rules for personal data processing).
In addition, companies that establish an internal reporting system are obliged to appoint a person responsible for receiving and investigating reports.
The administration of the internal reporting system may be delegated to another entity. However, even such delegated system remains an internal system.
For the purposes of external reporting, the law has established a Whistle-blowers’ Protection Agency as an organisational unit of the Ministry of Justice. Apart from performing informational and advisory functions, the Agency must investigate the legitimacy of reports on illegal activity made to the Agency. Thus, the Agency’s task will be to act as an intermediary between whistle-blowers and the bodies responsible for the objective review of reports of illegal activity.
External reports should be taken into consideration only if there is no internal reporting system or if such internal system is dysfunctional or unreliable. It is therefore in the interests of businesses to establish and maintain an internal reporting system.
The last alternative to reporting is the publication of a report. This last resort in considered only after internal and external reports are made in vain (or only an external report, if the conditions for external reporting were met), or if one of the strictly defined conditions has been met regarding the seriousness of the reported offence or deficiencies in the reporting system.
- Sanctions against whistle-blowers
The core of whistle-blower protection is the prohibition of direct and indirect retaliatory measures. Direct retaliatory measures are implemented against the whistle-blower, indirect ones against other persons involved in the report or to which the whistle-blower is somehow connected.
Specifically, retaliation means an act (the Directive also explicitly mentions omission), directly triggered by a report, which the whistle-blower (or the other persons in case of indirect measures) may consider to be a violation of their rights or legitimate interests. Furthermore, the Directive defines retaliatory measures as taking place in the context of work; this limitation is not present in the bill. Omitting this connection to the work context thus extends the prohibition of retaliatory measures e.g. to complaints regarding a breach of confidentiality, defamation lawsuits and other legal tools sometimes used by employers.
Furthermore, the Directive explicitly prohibits even a mere threat or attempt at retaliation.
Risks and opportunities under the new legislation
The protection of whistle-blowers is unique in that the other consequences of insufficient protection of whistle-blowers are far more significant than the sanctions laid down by law. The law provides for sanctions: businesses face fines of up to CZK 1 mil. for taking retaliatory measures; for a breach of the responsible person’s obligation to evaluate reports and other obligations he/she faces a fine of up to CZK 50 000 (that is, for an offence committed by the person in charge, not the employer that appointed him/her).
There are however some further risks. If an internal reporting system is not established, or if the established system is not reliable or functional, there is a risk that employees might use external systems (reporting through the Agency), or might even make the information public while taking advantage of the protected status of whistle-blower. The company is thereby at risk of losing control over the incident, or might even face significant reputational damage. Alternatively, employees might decide not to file a report at all, in which case problems may go unnoticed for many years before they grow so large that they can no longer be ignored and could even cause the liquidation of the company. The same applies to the case when a company does not react adequately to a report. [4]
Even while trying to implement a system for the protection of whistle-blowers as best possible, a company might face difficulties arising from the need to comply not only with the conditions of the legislation on protection of whistle-blowers, but also with the labour code, GDPR, and other regulations. These difficulties can be avoided if the company delegates the reporting system to a properly selected provider.
A properly set up reporting system can bring many benefits. In the first place, it allows companies to take action quickly and effectively against problems and thus to avoid later losses brought about by illegal activity, whether directly (e.g. by embezzlement) or because of liability for damage (e.g. in the field of environmental protection). Furthermore, it allows the company to maintain control over the decision-making process and to prevent external interference and related reputational damage. Lastly, it strengthens the corporate culture and can bring employees greater job satisfaction.
In addition to those undeniable advantages, there is another fundamental reason not to underestimate the reporting of illegal activity. Timely detection of illegal activity is one of the conditions for the exemption of a legal entity from criminal liability, pursuant to Sec. 8 par. 5 of Act N. 418/2011 Coll., on the Criminal Liability of Legal Entities and Proceedings against Them. For this purpose, a number of companies have already adopted a functional system of interrelated measures referred to as a Compliance Management System (CMS). [5] Companies that have not yet adopted a CMS can do so, for example, in the context of introducing whistle-blower protection.
[1] The Directive of the Parliament and the Council of the European Union (EU) 2019/1937, available here.
[2] Bill available here, and respective amendment available here.
[3] Viz. available here.
[3] One recent example is the case of the company Wirecard, whose illegal accounting machinations repeatedly pointed out by its employees led to the loss of millions of euros and the bankruptcy of the company.
[4] Viz. informative document of the Prosecutor General’s Office “Application of Sec. 8 par. 5 of the Act on the Criminal Liability of Legal Entities and Proceedings against Them: A Guide to Legislation for State Attorneys,” available here, p. 27.