The anxiously awaited Whistleblower Protection Act implementing the Whistleblowing Directive ((EU) 2019/1937) has now been approved, and it enters into force on 1 January 2023.
The key objective of the Whistleblowing Directive and the Act is to encourage persons who have become aware of suspected breaches against public interest in a work-related context to report their observations. This is promoted by adopting a new centralised whistleblowing channel among the authorities and by obligating most organisations in the public and private sector to establish a confidential internal whistleblowing channel. In addition, whistleblowers will be protected from negative consequences.
This article reviews the new obligations related to the establishment of internal whistleblowing channels and whistleblower protection in Finland.
Private sector employers regularly employing at least 250 employees and public sector employers regularly employing at least 50 employees must set up a whistleblowing channel within three months after the new Act enters into force, that is, by 1 April 2023. Private sector employers that regularly employ at least 50 employees will have to establish a whistleblowing channel by 17 December 2023.
Group companies can have a joint whistleblowing channel. In addition, smaller private sector organisations with fewer than 250 employees may, even without belonging to the same group of companies, share resources related to whistleblowing channels.
Organisations with fewer than 50 employees are exempted from the obligation to establish a whistleblowing channel. However, suspected breaches related to the operations of organisations that do not have an internal whistleblowing channel can be submitted directly to the centralised official whistleblowing channel. The statutory requirements for internal whistleblowing channels also apply to these smaller organisations if the organisation has voluntarily set up a whistleblowing channel.
Organisations may outsource the whistleblowing channel to an external service provider. However, outsourcing does not relieve the organisation of its responsibility to ensure that the statutory obligations associated with the whistleblowing channels are followed.
The new Act applies to the reporting of serious breaches that endanger the public interest in specific legal fields, such as breaches of EU or national legislation related to product safety, competition rules, public procurement, environmental protection as well as privacy and personal data protection. It should be noted that, for instance, breaches of labour laws fall outside the scope of the new Act.
Breaches are reported via the whistleblowing channel in writing and/or orally. The reporting of breaches must be confidential. An important part of ensuring confidentiality of reporting is that only individuals who have been specifically designated to receive and process reports should have access to the internal whistleblowing channel.
The whistleblower should receive an acknowledgement of receipt within seven days. With an electronic system, an automatic acknowledgement of receipt sent by the system is sufficient. The follow-up measures based on the report must be communicated to the whistleblower within three months following the acknowledgement of receipt.
There are no specific rules on the technical qualifications of the whistleblowing channel. The legislation does not require that the whistleblowing channel should be electronic, although this is likely the most common alternative. Instead, the whistleblowing channel may be implemented, for example, in the form of a locked feedback box or a tip-off line.
Organisations are not obligated to accept anonymous reports. In practice, many organisations wish to accept anonymous reporting and anonymous reports are relatively typical even if conducting an investigation based on an anonymous report may be more challenging. If an organisation decides to accept anonymous reports, it is recommended that the whistleblowing channel allow communication with the anonymous whistleblower so that the organisation may ask questions or request further information from the whistleblower. Many electronic whistleblowing channels have this function.
There are no language requirements for the reports or related instructions. In our view, the recommended approach is to accept reports and to prepare instructions for the whistleblower in the working languages used at the workplace.
The obligation to establish a whistleblowing channel is not a new one, and many organisations have already set up whistleblowing channels based on business-field-specific legislation. However, the new general Whistleblower Protection Act significantly expands the obligation to set up a whistleblowing channel, as it concerns all organisations that employ at least 50 employees, regardless of their field of operation, and creates a framework for extensive whistleblower protection. The new Act does not impact the validity of the existing business-field-specific whistleblower legislation but supplements it.
In addition to the obligation to establish a whistleblowing channel, the new Act obligates all organisations to protect the whistleblower against retaliation. This obligation is not dependent on the size of the organisation. In other words, it is applied even to smaller organisations that are not required to set up their own internal whistleblowing channels. If the organisation does not have an internal whistleblowing channel or the whistleblower has no access to it, the whistleblower may get protection by submitting a report to the official centralised whistleblowing channel.
The statutory whistleblower protection consists of several supplementary elements.
Prohibition against retaliation
Reporting a suspected breach must not cause any negative consequences for the whistleblower. It is also prohibited to threaten retaliation, attempt to retaliate, prevent the submission of the report or attempt to prevent the submission of a report. The prohibition against retaliation does not prevent the employer from making ‘negative’ decisions concerning the whistleblower’s employment relationship as long as they are not based on the submission of the breach report.
A reversed burden of proof is applied in legal processes concerning retaliation. In practice, the employer must be able to provide justification for the allegedly retaliatory decision and prove that the decision was not based on the submission of the breach report. This highlights the importance of documenting the grounds of these decisions.
Only specifically designated individuals may process the whistleblower’s personal data and data that may reveal the whistleblower’s identity. Organisations are obligated to designate in advance the responsible individuals and roles who receive breach reports and are responsible for their processing. The number of designated parties may also be increased afterwards, if necessary. In addition, the organisation may also appoint experts for investigating the accuracy of an individual suspected breach. The confidentiality obligation is not limited in time and breaches of the confidentiality obligation are punishable.
No liability for disclosing necessary information
Acquiring or disclosing information necessary for revealing a breach may not result in any negative consequences for the whistleblower, even though similar actions would in other circumstances constitute a breach of a contract or legal provision and lead to consequences. For example, a confidentiality obligation agreed in the employment contract does not prevent the whistleblower from submitting a breach report. The whistleblower’s discharge from liability also covers criminal sanctions, with the exception of a situation in which acquiring or obtaining the information constitutes an offence.
A whistleblower who has received information on the suspected breach in a work-related context is entitled to whistleblower protection if the following three conditions are met:
Reporting through correct whistleblowing channel
The main rule is that the whistleblower must submit the report first through the organisation’s own internal whistleblowing channel, if the organisation has one. If the organisation has not taken appropriate measures based on the report within a three-month deadline, the whistleblower may then report the breach to the competent authorities through the centralised whistleblowing channel or, under certain circumstances, directly to the competent authority. If appropriate measures are not taken even after this report, the whistleblower may exceptionally have a right to publish the information concerning the breach as a last resort or even earlier in certain acute situations.
The whistleblower has a justified reason to believe that the reported issues are accurate at the time of submitting the report
A report submitted in good faith, which turns out to be incorrect, will not lead to consequences. In addition, the whistleblower is not obliged to obtain proof to support the report.
If the report, when assessed objectively, includes clearly incorrect information or unjustified rumours, the whistleblower is not entitled to whistleblower protection. In addition, intentional submission of an unjustified report is a punishable act, which may also lead to employment consequences and liability for damages.
The suspected breach is covered by the scope of the Act
The whistleblower must have a justified reason at the time of submitting the report to believe that the suspected breach is included in the fields of law within the scope of the Whistleblower Protection Act and the suspected breach may lead to a penalty or punitive administrative sanction (or the breach may seriously endanger ‘the objectives of general interest’). From the whistleblower’s perspective, this criterion can be deemed challenging in practice, even when there are no especially high criteria set for the whistleblower’s awareness of the consequences of the suspected breach.
What if the employer neglects the whistleblower protection obligation?
Breaching the prohibition against retaliation or attempting to prevent the submission of a report may result in an obligation to pay compensation to the whistleblower. The amount of the compensation is not regulated but it can be assumed that the compensation amount would, depending on the nature of the violation, be between a couple of thousand euros and approximately EUR 15,000. If the organisation intentionally engages in retaliatory activities, it is also obliged to compensate the whistleblower for the loss caused in full.
Unjustified disclosure of the identity of the whistleblower or the person who is the subject of the report, or any information based on which their identities can be concluded, is punishable.
What if the whistleblowing channel is also used to receive reports on other breaches?
It is generally in the interest of the organisation to obtain information about breaches occurring in its operations. Many organisations also wish to receive reports on omissions and breaches other than those covered by the scope of the new Whistleblower Protection Act.
Organisations typically wish to treat all whistleblowers equally regardless of how the breach report was submitted and what it concerns. On the other hand, some of the statutory whistleblower protection elements cannot be applied to reports on suspected breaches which do not fall within the scope of the new Whistleblower Protection Act. These protection elements include, for example, the right to receive compensation for retaliation and penalties based on breaches of the statutory confidentiality obligation. Organisations should acknowledge the diversity of situations when planning their whistleblowing processes and drafting related instructions.
It is also possible that, regardless of the instructions, organisations receive reports on breaches that are not covered by the scope of the Act or that do not even belong to the possibly more extensive scope of the whistleblowing channel determined by the organisation. In our view, these reports should be processed like any other breach report received by the employer outside the whistleblowing channel.
A whistleblower acting in good faith is protected by labour law provisions in all situations.
When discussing the new Whistleblower Protection Act, it is often overlooked that many standards and principles protecting whistleblowers are already included in employment legislation. Submitting a breach report in good faith is not a legitimate reason to terminate an employment relationship, and it does not entitle the employer to otherwise put the whistleblower at a disadvantage. In addition, the employer already has an obligation to intervene in harassment and inappropriate treatment at the workplace, among other things.
The employer is always obligated to protect the whistleblower against retaliation, even when the criteria for special protection laid down in the Whistleblower Protection Act are not met. This is the case, for example, when an employee in good faith reports breaches related to bullying, harassment, occupational health and safety or code of conduct to his or her employer. An employee who has submitted a report on breaches that fall within the Whistleblower Protection Act is nevertheless in a somewhat better position compared to those submitting other breach reports, because the whistleblower protection under the new Act is more comprehensive.
Organisations should decide how to arrange an internal whistleblowing channel in practice. If the organisation’s internal whistleblowing channel is not established within the set time limit, it is possible to report suspected breaches related to the operations of the organisation directly to the official centralised whistleblowing channel. This means that an organisation that fails to set up the channel would not be the first instance to investigate the suspected breach within its operations.
In addition, the new Whistleblower Protection Act requires organisations to provide detailed information on the whistleblowing channel, reporting process and whistleblowers’ rights. On the one hand, appropriate instructions should encourage employees to submit reports and, on the other hand, reduce the number of reports excluded from the scope of the whistleblowing channel. Larger private sector organisations must have processes related to whistleblowing in place and responsible parties designated by the time when the whistleblowing channel is set up.
In addition, organisations are obliged to handle the introduction of a whistleblowing channel with the personnel representatives in a continuous dialogue process and to carry out an impact assessment on the processing of personal data in the whistleblowing channel.
In terms of risk management, each organisation should assess in advance how it will ensure that whistleblowers receive appropriate protection. Reporting breaches is usually associated with overlapping interests and suspected breaches often surface unexpectedly. This may be a crisis for any organisation. It is significantly easier to function appropriately and efficiently when the relevant processes and practices are defined in advance.