Federico Luppi
Studio Legale Diodà, Milan
federico.luppi@studiodioda.it

Whistleblowing in the Italian legal system: genesis and evolution

First of all, it should be noted that the first interventions in the field of whistleblowing at European level were introduced in order to combat the laundering of proceeds deriving from drug trafficking.^[1]

Evidently, it was a duty to report placed on specific subjects and not a right: this approach was extended to other sectors, including taxation.

The reporting of those who work within an organisation is a valuable tool for the emergence of offences that take place there and that would otherwise escape any type of investigation: in this sense, the experience of common law systems is paradigmatic, especially in the United States (US), where 'whistleblowing' has assumed a fundamental role in the detection of corruption and corporate crime for several decades. In these legal systems, the legislation and the doctrinal debate are essentially focused on the issue of the protection of the ‘whistleblower’ against possible forms of retaliation (dismissal, demotion, suspension, threat, harassment and, more generally, any form of discrimination incident even indirectly on employment conditions) by the employer.

The Italian legal system has adopted legislation to protect whistleblowing only recently and because of the need to adapt, certainly not promptly, to international recommendations and obligations. There are several international sources that commit the Italian legal system to introduce legislation to protect the whistleblower which include the United Nations Convention against Corruption (2003)^[2]; the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions^[3]; the Council of Europe Criminal and Civil Conventions against Corruption (1999).^[4]

We believe that this delay was determined by the fact that in the Italian legal system, the need to guarantee protection to the whistleblower was less urgent than elsewhere. From this point of view, it must be considered that the introduction of regulations to protect whistleblowers was mainly determined for example in the US legal system – by the ‘need to remedy the principle, still strongly rooted, of termination at will of the employment relationship, according to which the worker is subject to discharge at any time and for any reason’. 

Regardless of the cause of the delay, on the impulse of supranational law, the Italian legislator has introduced a discipline specifically dedicated to the subject.

The first provisions were introduced by Law No 190 of 6 November 2012 (the so-called 'Severino Law'), which ‘finally defined the contours of corruption prevention policy in our system’.

This law intervened on the general regulation of public employment, which provided for a first embryonic protection in favour of whistleblowers in the public sector. Two years later, the National Anti-Corruption Authority (ANAC) was given the power to receive reports from public employees and also to apply sanctions in case of adoption of discriminatory measures.

Subsequently, the matter was profoundly reformed with Law No 179 of 30 November 2017, providing:

1. a more articulated discipline for the protection of whistleblowers in the public sector;
2. the amendment of Article 6 of Legislative Decree No 231/2001, extending the protections for whistleblowers to the private sector; and
3. the introduction of a special cause of justification for the whistleblower who has revealed information covered by secrecy, in compliance with the limits and forms provided for by law.

For the purposes of this analysis, we have focused on the private sector regulations. The peculiarity of Law No 179/2017 is that it provides protections only for entities that are equipped with an organisation and management model for the exclusion of administrative liability for crimes of entities (as provided by Legislative Decree No 231/2001).

It is immediately evident that the choice made by the legislator, in 2017, presented profiles of dubious reasonableness, because it ended up subordinating the protection of the ‘reporting’ worker to the presence or absence of the organisation and management model, the adoption of which is left to a free choice of the body.

Essentially, Law No 179/2017 intervened on the text of Article 6 of Legislative Decree No 231/2001, inserting new paragraphs 2 bis, ter and quarter – which imposed new obligations on companies that had already adopted the organisational models (compliance program), prescribing on the one hand, the introduction of internal channels of the entity that allow whistleblowers to carry out reports of illegal conduct in a confidential manner, and identifying on the other hand, the protections to be guaranteed in favour of the person who reports illegal conduct of which he/she had become aware of due to the functions carried out within the entity.

With regard to the subject of the report, the law refers to reports ‘relevant pursuant to this decree’ and therefore refers to conduct that integrates one of the crimes that assumes the administrative liability of the entity or to violations of the organisation and management model of the entity. However, as the law appropriately expresses it, these must be ‘detailed’ reports ‘based on precise and consistent factual elements’: these are valuable indications that could perhaps also be applied by way of interpretation to the regulation of whistleblowing in the public sector.

With a ‘symmetrical’ formulation, with respect to that contained in Article 1 and Article 2 of No 179/2017, the law provides that the relevant reports are those presented ‘to protect the integrity of the entity’.

With reference to the protections provided to whistleblowers, the rules do not differ substantially from those provided for the public sector. Even for workers in the private sector, protection consists primarily in protection against retaliatory acts, providing for the nullity of measures having negative effects on the working conditions of the employee that have been adopted because of the report. The law ensures the effectiveness of that protection by providing for the reversal of the burden of proof, in the sense that it will be for the employer to prove that the measures taken against the worker have an independent justification and do not constitute a retaliatory response to the report. Any adoption of discriminatory measures may be sanctioned by disciplinary action and reported to the National Labour Inspectorate.

Secondly, the protection of the confidentiality of the identity of the whistleblower is envisaged: in this regard, however, the law limits itself to providing that the entities must set up one or more channels that guarantee ‘the confidentiality of the identity of the whistleblower in the management of the report’.

In relation to private entities, the protection of the whistleblower is limited by the need to protect the rights of the reported person. In this regard, the law provides for the possible imposition of disciplinary sanctions against those who make ‘with intent or gross negligence’ a report that then proves to be unfounded.

The greatest limitation of this law was undoubtedly, as mentioned above, the placement of protections within the ‘231 system’. On the one hand, it unreasonably deprived whistleblowers operating within entities without an organisation and management model of protection, and on the other hand, it limited the protections to only those cases in which the reports concerned predicated offences or violations of the model.

Article 3 of Law No 179/2017 regulates a profile common to the public and private sectors, providing that the report may constitute, under certain conditions, ‘just cause’ for the disclosure of confidential information and therefore exclude both criminal liability for some specific crimes, as well as civil liability for the violation of the duty of loyalty to the employer.

In the leading case on this specific subject,^[5] the European Court, in the logic of a reasonable balancing of opposing interests, shows that it considers public disclosure as an extreme solution, to be resorted to when no other path is practicable. In this sense, it is noted that ‘in light of the above duty of discretion, disclosure should be made in the first place to the superior or other competent authority or body of the person. It is only when this is clearly impractical that information could, as a last resort, be disclosed to the public’.

The discipline referred to in Law No 179/2017 has recently been reformed due to the need to adapt Italian legislation to Directive (EU) 2019/1937,^[6] whose scope of operation is limited to violations of Community legislation in a range of sectors expressly indicated (including the sector of public procurement, financial services, product and transport safety, environment, food, public health, privacy, network and IT system security, competition).

The objective of that directive was to introduce common minimum standards of protection into European Law (EU) law to give uniformity to national legislation which is, at present, extremely fragmented and heterogeneous, concerning the protection of persons who report breaches of EU law. It states that the protection of whistleblowing represents the implementation of the principles set out in Article 11 of the Charter Fundamental Rights of the European Union and Article 10 of the European Convention on Human Rights (ECHR), in line with the principles developed in this field by the case law of the European Court of Human Rights (ECtHR), as well as with the Recommendation on the protection of whistleblowers adopted by the Committee of Ministers of the Council of Europe on 30 April 2014.

Legislative Decree No 24 of 10 March 2023, transposing EU Directive 2019/1937 on whistleblowing: overview

Before the approval of this Decree, in relation to the private sector, the discipline was dictated exclusively by Law No 179/2017: as we have already seen, this provision required private companies with organisation models pursuant to Legislative Decree No 231/01 to have mandatory reporting channels for illegal conduct deemed relevant pursuant to the legislation. In addition, companies had the burden of ensuring the prohibition of retaliatory or discriminatory acts against the whistleblower for the reports made.

Legislative Decree No 24/2023, implementing EU Directive 2019/1937, has intended to intensify the protection of reporting agents (ie, whistleblowers) who report behaviour, acts or omissions that harm the public interest, the integrity of the public administration or the private entity.

The Decree has recognised a key role for reports in the prevention of regulatory violations, ensuring a more structured protection for whistleblowers of both public and private companies, thus updating Italian legislation and harmonising it with European legislation regarding the protection of persons who report violations of EU law and national regulatory provisions.

Legislative Decree No 24/23 has, in fact, increased the conduct worthy of reporting: the new discipline extends to violations that may harm the interests of the EU; which also include violations of national or EU regulatory provisions that harm the public interest or the integrity of the public administration or, as far as it is of interest here, of the private entity, including administrative, accounting, civil or criminal offences. In continuity with the past, significant unlawful conduct pursuant to Legislative Decree No 231/01 or violations of organisational models are also included.

This Decree entered into force on 30 March 2023 and the related provisions will take effect from 15 July 2023, with an exception for private sector entities that have employed, in the last year, an average of employees not exceeding 249: for these, in fact, the obligation to establish the internal reporting channel will take effect from 17 December 2017.

It should be noted that reports relating to individual employment relationships and those relating to national security and defence are excluded from the Decree.

Private sector actors

The new regulations include significant changes that require companies to create new reporting channels or update existing ones. In this section, we analyse what companies operating in Italy need to know.

The ‘whistleblower’, according to the new Decree, can be an employee, a self-employed person, a consultant, a volunteer, an intern, a shareholder, a person with powers of control, supervision or representation.

Also included in the whistleblower category are people in the hiring or contract negotiation stage and during probationary periods and former employees. The latter may report cases learned in the course of employment.

One of the major innovations introduced by the Decree is the right of the ANAC to investigate the conduct that is the subject of the report or to forward the report to the relevant administrative or judicial authorities who will carry out the necessary investigations.

This means that the whistleblower acquires the right to report to ANAC, for example, if the company does not organise a whistleblowing channel that meets the legal requirements or in case of risk of retaliation.

Companies involved

Private companies are required to comply with the provisions of the Decree in these cases:

1. they have had an average of at least 50 employees with permanent or fixed-term employment contracts in the last year;
2. they operate in certain sectors (eg, services, financial products and markets, prevention of money laundering and terrorist financing, transportation safety and environmental protection);
3. they have adopted an organisation, management and control model in accordance with Legislative Decree No 231/2001 (known as ‘Model 231’).

Who can be reported?

It is worth remembering that whistleblowers are entitled to report people who work in the work context of the institution as:

1. employees;
2. a self-employed person who carries out his/her work activity at the private institution;
3. collaborators, freelancers and consultants who work for the institution;
4. volunteers and trainees, paid and unpaid; and
5. shareholders and persons with administrative, management, control, supervisory or representation functions, even if such functions are exercised merely by way of fact.

Types of violations reported (what and how to report)

Within the private sector, it is necessary to distinguish between entities according to whether or not they have the organisational model pursuant to Legislative Decree No 2310/01.

In particular, employees of entities with an average of at least 50 employees or who operate in sensitive sectors (eg, services, financial products and markets, prevention of money laundering and terrorist financing, transportation safety and environmental protection) will only be able to report violations of EU law, through internal and external channels, public disclosure or complaint.

For employees of private entities that have adopted the organisational model:

1. if the entity has less than 50 workers, only violations relating to those conducts contemplated pursuant to Legislative Decree No 231/01 can be reported, through the sole use of the internal channel;
2. if the entity has an average of at least 50 workers, in addition to the relevant reports pursuant to Legislative Decree No 231/01, violations of EU law may also be reported, through the use of internal and external channels, public disclosure or complaints.

How violations can be reported

Compared to the pre-existing rules, which only contemplated the use of internal reporting channels, the Decree introduced additional ways in which the whistleblower can communicate the offences of which he/she has become aware.

The Decree introduced three different methods for reporting potential violations: internal reporting channels, external reporting channels and public disclosure.

In any event, internal and external reporting channels must ensure confidentiality regarding the identities of whistleblowers and any other persons involved and the contents of reports.

Any personal data processing related to a whistleblowing report must be carried out in accordance with the General Data Protection Regulation (GDPR)^[7] and Italian data protection regulation (eg with respect to the minimisation principle; rules on the restriction of exercise of the data subject’s rights; information to be provided to the data subject pursuant to sections 13 and 14 of the GDPR; and privacy by design and by default principles).

A) INTERNAL REPORTING CHANNEL

The new whistleblowing regulation establishes an obligation for a company, upon consultation with trade unions, to establish an internal reporting channel that may be managed internally by a designated person or department or externally by knowledgeable third parties, including law firms. Appointing external lawyers to assess and investigate reports may have the advantage, in certain circumstances, of shielding investigation outcomes with legal privilege.

The channel shall provide the possibility to report in writing or orally or, upon request of the reporting person, through a face-to-face meeting.

The person or office designated to receive reports must:

• confirm receipt of the report to the whistleblower within seven days of receipt;
•  communicate with the whistleblower to request further information, when necessary;
• assess the report and investigate the reported behaviours; and
• provide feedback to the whistleblower within three months of confirmation of receipt.

Pursuant to the Decree, companies with up to 249 employees may share internal reporting channels and analysis and investigation of reports with holding companies and other group companies.

What does the regulation require of multinational companies organised at the holding level?

The Decree explicitly cites the possibility of using shared reporting channels only for companies with up to 249 employees. The EU Commission previously stated that if whistleblowing channels are organised at the holding level, a subsidiary may rely upon the investigative capacity of its parent company or other group companies, provided that:

• reporting channels exist and are made available at the subsidiary level;
• the whistleblower is clearly informed that a designated person/department at the parent company will be authorised to access the report, and the whistleblower has the right to object and request that the reported conduct be investigated only at the local level; and
• any other follow-up measures taken and feedback to the reporting person are from the subsidiary level.

Therefore, a multinational group may consider appointing a local reporting manager at an Italian branch with up to 249 employees or a local external office to maintain communication with whistleblowers and safeguard their rights at the local level. Subsidiaries with 250 or more employees must implement dedicated reporting channels.

B) EXTERNAL REPORTING CHANNELS

One of the most significant changes introduced by the Decree is the opportunity for whistleblowers to report potential violations directly to the ANAC, which has the power to conduct investigations of reported behaviour:

• if the company fails to establish internal reporting channels compliant with the Decree;
• when a report has not been followed up;
• when the whistleblower has a reasonable basis to believe that the internal report may result in risk of retaliation; and
• when the internal report may trigger imminent danger to the public interest.

The ANAC is also entitled to submit reports to administrative/judicial authorities for violations falling under their purview. In such cases, these authorities will carry out the investigations.

Guidelines for the external reporting channel procedure shall be published by the ANAC within three months of the entry into force of the Decree.

Significantly, the explanatory report accompanying the Decree specifies that in addition to the ANAC, the Italian Competition Authority (AGCM) will also be in charge of the external reporting channel for antitrust violations. In this respect, it is worth noting that, back in February 2023, the AGCM introduced a dedicated whistleblowing platform, following the best practices of the European Commission and multiple national competition authorities. This means that a whistleblower with knowledge of infringements of competition rules can interact directly with investigation offices on an anonymous basis.

C) EXTREME RATIO: PUBLIC DISCLOSURE

Under certain conditions, the Decree provides whistleblowers with the opportunity to disclose publicly the potential violations that they intend to report.

More specifically, this option may be used when:

• the whistleblower already has made an internal/external report, but appropriate follow-up action has not been taken;
• the relevant violation may constitute imminent or manifest danger to the public interest; and
• the whistleblower has reasonable basis to believe that the external report may be ineffective or there may be risk of retaliation.

What protections are established for whistleblowers

Companies should be aware that the Decree provides a series of protective measures for whistleblowers reporting potential violations.

The new regulation has considerably strengthened the protection of the confidentiality of the whistleblower, providing various guarantees against any retaliatory acts.

This protection is extended to other parties connected to whistleblowers, ie the following:

• facilitators, meaning individuals assisting whistleblowers in the reporting process and operating in the same workplace;
• colleagues and relatives of whistleblowers; and
• companies that whistleblowers own, work for or with which they are otherwise connected.

It is also specified that whistleblowers will benefit from sole protections if, at the time of reporting, they had reasonable grounds to believe that information on breaches reported, publicly disclosed or reported was true.

Protection against retaliation

The company is responsible for making it clear within itself that retaliation against whistleblowers and related parties is prohibited and if retaliation is reported, the employer bears the burden of proof and must demonstrate that the measures taken against a whistleblower are not the result of the reporting.

Whistleblowers can report any retaliatory measures to the ANAC, which will forward such reports to the National Labour Inspectorate; in any case, the declaration of nullity of retaliatory acts is the responsibility of the judicial authority.

It is worth bearing in mind that in the context of judicial or administrative proceedings or in any case of out-of-court disputes concerning the ascertainment of prohibited conduct towards the whistleblower, it is assumed that the same have been put in place due to the report, public disclosure or complaint to the judicial authority. The burden of proving that such conduct or acts are motivated by reasons unrelated to the report, disclosure or complaint lies with the person who carried them out. The reversal of the burden of proof does not work in favour of persons and entities other than the whistleblower (eg, facilitators, colleagues).

Protection of confidentiality

Legislative Decree No 24/23 also provided that the identity of the whistleblower may not be revealed except with the express consent of the whistleblower, to persons other than those competent to receive or follow up on reports, expressly authorised to process such data.

The prohibition of disclosure refers not only to the name of the whistleblower but also to all the elements of the report to which the identification of the whistleblower can be deduced.

However, this right to privacy is not absolutely far-reaching: the extent of the protection granted to the identity of the whistleblower varies, in fact, depending on the provisions governing the possible proceedings (criminal, civil, disciplinary) in which the person may be involved.

In the specific case of reports that have led to the establishment of criminal proceedings, the confidentiality of the whistleblower is protected within the limits established by Article 329. The provision imposes the obligation of secrecy of the acts of the preliminary investigations until the suspect has the right to have knowledge and, in any case, is no later than the closure of this phase.

Limitations of liability

It is not punishable for a person who discloses or disseminates information about violations that are (i) covered by the obligation of secrecy; (ii) relating to the protection of copyright or the protection of personal data or discloses or disseminates information about infringements that damage the reputation of the person involved or complained of.

The criminal discrimination operates only when, at the time of disclosure or dissemination, there were reasons to believe that such disclosure was necessary to reveal the violation and the report was made in the manner provided. In such cases, any further liability of a civil or administrative nature is excluded.

When ANAC can impose sanctions

ANAC is entitled to impose pecuniary sanctions against companies and individuals ranging from €10,000 to €50,000 in cases of:

• retaliation against whistleblowers and/or persons connected with them;
• hindering or attempting to hinder whistleblower reporting;
• violation of the obligation of confidentiality; and
• failure to implement internal reporting channels or adopt procedures for their management in accordance with the Decree, as well as to assess and review reports received and diligently follow up on them.

In addition, ANAC may impose fines ranging from €500 to €2,500 on whistleblowers if a report is deemed to be defamatory or slanderous.

Conclusion

To conclude, the purpose of the institute is to prevent maladministration, both in the public and private sectors.

Although Law No 179/2017 was progressive, it still had serious shortcomings, which have been addressed with the transposition of the European whistleblowing directive.

The approval of the new legislation on whistleblowing is undoubtedly a further step forward in the protection of whistleblowers: the Italian legal system will now be able to rely on a homogeneous regulatory framework and follow very similar remedies as adopted in the various countries of the EU.