Update from Sweden – 2021
Karin Faxén Ågrup
Mannheimer Swartling, Stockholm
On 17 December 2021 a new Act on the protection of persons who report serious misconduct – so-called ‘whistleblowers’ – (the ‘Act’) entered into force in Sweden.
The Act entails an implementation of European Union Directive 2019/1937 on the protection of persons who report breaches of EU law (the ‘Directive’). The Directive aims to achieve the increased reporting of misconduct within certain identified areas where irregularities are deemed to have a severe negative impact on public interests. The Swedish Act, however, extends the scope to encompass reports of misconduct regardless of the area where the misconduct is alleged to have occurred, if it is in the public interest that the misconduct is revealed.
The argument for this wider scope is that it would otherwise be difficult to determine what could be subject to reporting, and a limitation to only certain areas would create unequal access to protection.
The Act offers protection to certain groups of individuals who typically are subject to an imbalance of power, such as employees, job applicants, trainees, and shareholders and persons belonging to the administrative, management or supervisory body of an undertaking. Protection is also offered to an extended group of people, who are not whistleblowers themselves but nonetheless risk being subject to retaliation, eg, union representatives and the whistleblower’s family and close colleagues.
Businesses with 50 or more employees, including law firms, must establish a whistleblowing function, available to, for example, its employees.
The protection of whistleblowers includes exemption from liability and a prohibition on retaliation. The exemption from liability entails that a whistleblower who has reported in accordance with the Act shall not be held liable for breaching confidentiality obligations imposed on the whistleblower, if the whistleblower had reasonable cause to believe that reporting was necessary to disclose the misconduct. However, note that the exemption from liability does not apply to breaches of qualified secrecy under the Swedish Public Access to Information and Secrecy Act or breach of confidentiality under the Swedish Defence Inventions Act.
Although not specifically mentioned in the legislation, the exemption from liability also does not apply to breaches of the professional confidentiality obligations of lawyers. Therefore, careful consideration must be made to establish clear routines and guidelines when implementing the whistleblowing function in a law firm, in order to safeguard secrecy and client obligations whilst fulfilling the requirements of the Act.
The whistleblowing function shall make it possible to submit reports both orally and in writing. It is not mandatory to offer anonymity to a whistleblower, although strict requirements on confidentiality do apply.
Personal data processed within whistleblowing functions may include special categories of data, including personal data relating to (alleged) criminal offences. The processing of special categories of personal data is prohibited, as a general rule, under the EU General Data Protection Regulation. However, one exception where processing of such categories of personal data is allowed is if it is based on a legal obligation. The government bill clarifies that the Act entails a legal obligation to process personal data within whistleblowing systems established in accordance with the Act.