Luxembourg’s transposition of EU Directive 2019/1937 on the protection of whistleblowers

in Regulatory/Compliance, 01.02.2022

On 12 January 2022, Luxembourg Minister of Justice Sam Tanson presented the bill to transpose the EU Directive 2019/1937 on the protection of whistleblowers. This bill aligns Luxembourg with EU requirements in protecting people who report breaches of EU laws.

How does the Luxembourgish bill compare to the EU directive?

The Luxembourgish bill is mostly a straightforward transposition of the EU Directive.

However, while the scope of the Directive includes only reporting breaches of EU laws, this bill extends the scope to Luxembourg’s laws as well. Per Article 1, whistleblowers will be protected against any retaliation when they report acts or omissions which fall under the laws of both the EU and Luxembourg. This extension clarifies which reports are under the protection of the law.

An “Office des Signalements” will be created to provide whistleblower guidance, raise public awareness and support implementation of the new law. We do not yet know how this office will be empowered, but the existence of such a controlling body demonstrates that whistleblower protection is taken seriously in Luxembourg.

Ambiguous areas of the whistleblower bill

The bill does not clarify if large entities need a local whistleblowing line in Luxembourg or if they can use a centralized system based in another country. This is particularly important for international companies that might already have a hotline based abroad.

Who is concerned in the whistleblower bill?

The scope of the law is broad and covers people working in the private sector and public agents. The scope includes employees, independent contractors, shareholders, board members, trainees and volunteers – even persons who have not started work but who have obtained information during recruitment or negotiation. Persons connected to them, including relatives or colleagues, are in scope as well.

What kind of information qualifies for whistleblower protection?

Basically, any information that would constitute a violation of EU or Luxembourg laws is in scope. The bill gives some exceptions: classified information, information involving national security, information under medical secrecy and attorney privilege. For the last two, the whistleblower is protected from a criminal offense if the reporting is proportionate and in the general interest.

What are the conditions of the whistleblower protection?

Whistleblowers are protected by the law if:

  • They had logical reason to believe that the information was true when they made the report.
  • They reported the information internally, externally or publicly, according to the conditions of the law.

Internal whistleblower reporting requirements

All private companies with 50+ employees and all legal entities in the public sector (including administrations in cities with 10,000+ inhabitants) must implement an internal whistleblowing line. The bill states that relevant authorities can request information to demonstrate that these entities comply with the law. Whistleblowing lines can be managed internally or outsourced.

Reporting procedures must include:

  • A strictly confidential channel which guarantees anonymity.
  • The ability for whistleblowers to make reports in one of the three administrative languages in Luxembourg.
  • The ability for whistleblowers to make reports orally by phone, through a voicemail or face to face.
  • An acknowledgement of the report within seven days.
  • A designated person or department to monitor reports.
  • A response, which should not exceed a reasonable delay of three months after the reporting acknowledgement.
  • Clear information on the reporting procedures provided to authorities. Failing to do so can lead to a fine from EUR1,500 to EUR250,000 for private companies.

Luxembourg’s reporting office for whistleblowers

The bill proposes to create an “Office des Signalements” (reporting office) whose mission would be to:

  • Inform and help whistleblowers.
  • Raise public awareness about whistleblower protection.
  • Provide recommendations on application of the law.
  • Inform authorities of any breach of obligations. (This suggests that some controls could be performed by the Reporting Office. However, this is not clearly stated.)
  • Issue a yearly activity report to relevant EU authorities.

External whistleblower reporting requirements

Although the bill states that an external report should be made only after an internal report, it allows whistleblowers to file an external report directly, in writing or orally.

The bill also stipulates that external channels created by the relevant authorities must guarantee:

  • Information provided is exhaustive and confidential and has integrity
  • Sustainable backup and archiving to allow subsequent investigations

The bill provides a list of 22 authorities entitled to receive reports. Those authorities can request all information relevant to the investigation of the report. They can also fine (EUR1,500 to EUR250,000) any person or entity who:

  • Impede or try to impede a report
  • Refuse to provide information or provide inaccurate information
  • Impair whistleblower confidentiality
  • Refuse to remediate the breach

The authorities will provide feedback and monitor reports. If the report is not in scope of their responsibilities, they should expediently forward the report to the relevant authority and inform the whistleblower of this transmission.

Just like for private and public entities, authorities should provide acknowledgement and feedback to the whistleblower, as well as clear information on the report and procedure on their website.

Provisions applicable to both internal and external whistleblower reports

The bill gives criteria for confidentiality and personal data management:

  • The protection of whistleblower identity should be guaranteed unless they provide express consent otherwise. Any information which might lead to whistleblower identification should be kept strictly confidential. An exception can be made in the context of investigations performed by the authorities. Authorities who receive information containing business or trade secrets will not use them beyond what is necessary.
  • All personal information will be used in compliance with the GDPR; only relevant personal data will be collected.
  • Public and private entities and authorities should archive reports in adherence to applicable laws.
  • When an oral report is recorded, the recipients could archive an audio file or transcript of the report. The person receiving the report could also prepare minutes of the conversation, as affirmed by the whistleblower in that case.
  • If the whistleblower must meet with EU representatives, a recording or minutes should be archived as well.

Public whistleblower reports

The bill also gives whistleblowers the opportunity to go public if they fulfil one of these conditions:

  • An internal or external report has already been filed but no appropriate follow-up actions have been implemented.
  • The whistleblower reasonably believes that the breach represents immediate danger to public interest.
  • The whistleblower believes that an external report implies a risk of retaliation due to circumstances like collusion between the entity concerned and the authorities.

Prohibition of retaliation against whistleblowers

Any type of retaliation (or retaliation attempt) is strictly forbidden. Descriptions of retaliation provided by the bill show that retaliation should be defined broadly.

Per the bill, retaliatory actions should be made null, and the whistleblower could ask the relevant jurisdictions to legally void such action. If no such request has been made, the whistleblower can still ask for reparation. In such cases, the entity concerned must demonstrate to the jurisdictions that the decision was not linked to the report.

In addition, the bill states that the whistleblower would not be held responsible for any legal violation so long as they reasonably believed that a report or going public was necessary to avoid a legal breach. In the same spirit, they would not be held responsible for accessing information if it does not constitute a specific criminal offense. They can therefore request the abandonment of any procedure against them, such as for defamation, breach of copyright or data protection.

However, the penalty for disseminating false information is up to three months in jail and a maximum of EUR50,000.

How this whistleblower law impacts your firm now

Although this transposition brings no real surprises, now entities in both the private and public sectors need to act quickly – especially those with 250+ employees. For mid-size companies, implementing an ethical hotline can be challenging, and confidentiality can be difficult to preserve. Reports should also be taken seriously to mitigate the risk of an employee or third party going public. For entities with less infrastructure, outsourcing might be a good option.

KPMG expertise

Do you have questions about how to enact whistleblower protection policies in accordance with this new bill? Reach out to our team of experts at KPMG Luxembourg!