Whistleblowers as John Does: preserving their identity while conducting internal investigations

Monday 20 September 2021

Adriana de Buerba
Pérez-Llorca, Madrid, Spain

Edurne Álvarez
Pérez-Llorca, Madrid, Spain

Jonathan Gómez
Pérez-Llorca, Madrid, Spain


Coming forward with information that could get someone into trouble has never been easy. To remedy this, states have been increasing their efforts to encourage whistleblowers to report wrongdoings by ensuring their protection from retaliation,1 which, up until recently, has been scarcely regulated, particularly in the European Union.2 The need to enhance the protection of whistleblowers has been thrown into the spotlight as a result of a series of scandals (such as the Panama Papers,3 Cambridge Analytica and Danske Bank scandals) in which whistleblowers played a key role.

As a response to this need, on 7 October 2019, the Council of the European Union passed the Directive of the European Parliament and of the Council on the protection of persons who report breaches of Union Law (the ‘Whistleblowing Directive’). This regulation laid out common minimum standards to ensure whistleblowers are protected from potential retaliations and to strengthen the enforcement of European Union law.4

As the European Commission’s proposal5 states, these standards include confidentiality as the cornerstone of the protection for whistleblowers. According to the Whistleblowing Directive, safeguarding the confidentiality of the identity of the reporting person during the reporting process and the investigation triggered by the report is an essential measure to prevent retaliation.6

Although the deadline to transpose the Whistleblowing Directive is just around the corner,7 most of the Member States of the EU have not transposed it into national law yet.8 In fact, some international organisations have raised concerns about the likelihood of any Member States succeeding in transposing it in time.9 However, it is well known that the Whistleblowing Directive is capable of having ‘direct effect’10 and forward-thinking legal professionals are once again overtaking the different legislators and applying its provisions already.

Practice shows that lawyers and in-house legal counsels play a leading role when it comes to safeguarding confidentiality while conducting internal investigations, especially when the reported facts involve top managers or directors, and the risk of retaliation run by whistleblowers is even higher. The importance of having effective safeguards in place to protect whistleblowers is beyond question, but how it should be done is still up for discussion.

How are whistleblowers protected under the Whistleblowing Directive?

The Whistleblowing Directive establishes a general duty of confidentiality which extends not only to the identity of the reporting person, but also to any third party mentioned in the report, as well as any other information from which the identity of the whistleblower may be directly or indirectly deduced or that might identify the person concerned.11 This protection prevents the disclosure of the identity of the whistleblower to anyone beyond the authorised staff members competent to receive or follow up on reports,12 and even obliges Member States to provide for penalties when this confidentiality duty is breached.13 This translates into the obligation for legal entities to implement reporting procedures that enable them to receive and investigate reports in full confidentiality and in a manner that guarantees that the identity of the reporting person is protected.14

Now that specific regulations recognising the need to provide sufficient and effective protection to whistleblowers have been passed, companies are left wondering how this need for protection works in practice. Indeed, the content of these new regulations which are being adopted to further ensure the protection of whistleblowers raises several questions regarding its application, which on some occasions clashes with other obligations set out in different areas of the law. So how should these conflicts be resolved?

Obstacles to the application of whistleblower protections in internal investigations

Although the Whistleblowing Directive applies to both public and private sector whistleblowers, there are very few provisions dedicated specifically to the regulation of this protection in the framework of internal investigations carried out by private legal entities, with the focus being very much on investigations and criminal proceedings carried out by public authorities. Indeed, the application of the protections that are set out may leave companies facing certain obstacles when it comes to conducting internal investigations as a result of a report received through their whistleblowing channels.

On certain occasions, the duty of, and need for, a company to investigate an alleged wrongdoing committed by one of its employees may require disclosing certain information to third parties, which in turn may lead to the identification of the whistleblower. Imagine a whistleblower who reports harassment or their unfair dismissal as a result of them being privy to certain information which affects the top management of the company. The investigation of these allegations and the process of gathering evidence may require the partial disclosure of information to other employees of the company, which may reveal the identity of the whistleblower. This scenario raises the question of whether the right to the protection of the identity of the whistleblower prevails over the company’s right and duty to investigate the alleged wrongdoing committed within the company.

Article 16 of the Whistleblowing Directive may shed some light on this discussion. This provision establishes that the identity of the reporting person may be disclosed ‘only where this is a necessary and proportionate obligation imposed by Union or national law in the context of investigations by national authorities or judicial proceedings’, particularly with the aim of safeguarding the rights of defence of the persons concerned.15 Moreover, it requires that any disclosure of the identity of a whistleblower be subject to the appropriate safeguards.16 This includes informing the reporting person before their identity is disclosed, unless this information would jeopardise the investigation.

Although the Whistleblowing Directive seems to limit this exception to investigations carried out by public authorities, the question remains whether these provisions should also apply, at least to some extent, to internal investigations carried out by private entities as part of a company’s right and duty to address and follow up on the reported breach, and to take the necessary measures to prevent similar situations happening again.17 When faced with the dichotomy between the obligation to preserve the confidentiality of the whistleblower and the need to investigate a potential wrongdoing that is being committed within the company, a balance should be struck between the rights of the parties concerned, including the company’s legitimate investigation needs.

Opinion 1/2006 of the former Article 29 Data Protection Working Party18 on the application of EU data protection rules to internal whistleblowing schemes, provides that ‘a balance must be struck between the legitimate interest pursued by the processing of personal data and the fundamental rights of data subjects’. According to this legal opinion, the balance of interest test should take into account issues of proportionality, subsidiarity, the seriousness of the alleged offences that can be notified and the consequences for the data subjects. Furthermore, it establishes that adequate safeguards will also have to be put in place.

This balancing test, which would have to be conducted on a case-by-case basis, requires the interests in conflict to be weighed up – with the protection of whistleblowers given paramount importance – against the circumstances in question, such as: (i) the existence of a necessary and proportionate need for the company to effectively investigate the allegation and gather evidence; (ii) the risk that the disclosure of the identity of the whistleblower could jeopardise the success of the investigation; (iii) whether the disclosure is limited to information which is essential to adopt the necessary investigative measures;19 (iv) whether the information is only disclosed to the relevant individuals and personnel; and (v) whether the company has taken all the reasonable steps to reduce the risk that the whistleblower is identified and that any retaliation follows.

According to a report published on 16 March 2016 by the Organisation for Economic Cooperation and Development (OECD) on ‘Committing to Effective Whistleblower Protection’,20 although protection under domestic whistleblower protection laws is most commonly provided to those reporting misconduct externally to competent authorities, in reality, private sector employees report first, if at all, inside the company. This highlights the need for states to adopt clear guidelines on how companies should apply whistleblowing protections when conducting private investigations, especially as internal investigations have become very much in vogue over the past few years.

Whistleblower Protection Programmes: a solution?

In light of this framework, it remains to be seen how Member States will transpose the Whistleblowing Directive and integrate these new protections and guarantees for whistleblowers, and whether specific provisions will be drafted to be applied within internal investigations conducted by private companies. Companies will also have to assess how these protections and guarantees will play out in practice, particularly when carrying out internal investigations as a result of a report received through their whistleblowing channels.

In any case, companies should stay ahead of the curve by developing and implementing policies and protocols, in accordance with their structure and activity, which facilitate internal investigations while preserving the identity of whistleblowers. These policies and protocols may arise as whistleblower protection programmes, establishing the specific measures to provide whistleblowers with comprehensive protection and to ensure that companies comply with the applicable regulations.21

These whistleblower protection programmes have been successfully adopted in the United States, by organisations such as the Internal Revenue Service (IRS),22 the Securities and Exchange Commission (SEC)23 and the Occupational Safety and Health Administration (OSHA).24 The adoption of these measures to preserve the identity of the employees involved in an internal report not only reduces the risk of potential retaliation, but also protects the company from future liability.25 It is not about forcing companies to codify some sort of 2.0 version of a Witness Protection Programme, such as those you might see in crime thrillers, but rather it is about creating a special statute for whistleblowers and granting them the protection the Whistleblowing Directive calls for.


1 See ‘Strengthen Whistleblower Laws in the European Union’ at www.whistleblowers.org/strengthen-whistleblower-laws-in-the-european-union, accessed 10 September 2021.

2 In July 2017, a European Commission report, ‘Estimating the Economic Benefits of Whistleblower Protection in Public Procurement’, highlighted the lack of protections for whistleblowers across the EU, which resulted in economic losses for the EU. Available at: https://perma.cc/U4QY-G6BM, accessed 10 September 2021. A 2019 report, ‘Law and practice on protecting whistle-blowers in the public and financial services sectors’, by the International Labour Organization similarly found that, although many countries had made strides in creating or expanding whistleblower laws, major gaps and challenges remained in implementation. Available at: www.ilo.org/wcmsp5/groups/public/---ed_dialogue/---sector/documents/publication/wcms_718048.pdf, accessed 10 September 2021.

3 The 2016 Panama Papers leak scandal became public as a result of an anonymous statement published under the pseudonym John Doe.

4 Recital 5 of the Whistleblowing Directive mentions that underreporting by whistleblowers is a key factor affecting enforcement.

5 Proposal for a Directive of the European Parliament and of the Council on the protection of persons reporting on breaches in Union Law, European Commission: COM (2018) 218 final, p 11.

6 Recital 82 of the Whistleblowing Directive.

7 Pursuant to Article 26(1) of the Whistleblowing Directive, Member States of the EU must transpose the Whistleblowing Directive into national law by 17 December 2021.

8 For some Member States (such as Austria, Spain, Denmark or Greece), this entails enacting specific whistleblowing laws for the first time. See www.whistleblowers.org/strengthen-whistleblower-laws-in-the-european-union, accessed 10 September 2021.

9 Terracol, M, ‘Are EU Governments Taking Whistleblower Protection Seriously? Progress report on transposition of the EU Directive’ (2021) Transparency International [Online]. Available at: www.transparency.org/en/publications/eu-governments-whistleblower-protection, accessed 10 September 2021.

10 If a directive has not been properly transposed or if its implementation has not taken place before the established deadline, it can be enforced by an individual in a court of a Member State (Van Gend en Loos v Nederlandse Administratie der Belastingen, Case 26/62, European Court of Justice, 5 February 1963).

11 Articles 9, 12 and 16 of the Whistleblowing Directive.

12 Article 12 of the Whistleblowing Directive.

13 Article 23 of the Whistleblowing Directive.

14 Recital 55 and Article 9 of the Whistleblowing Directive.

15 Recital 82 of the Whistleblowing Directive.

16 Article 16(3) of the Whistleblowing Directive.

17 Articles 8 and 9 of the Whistleblowing Directive establish the obligation for legal entities in the private sector to give feedback and to address and follow up on the reported breaches. Article 5 defines ‘follow-up’ as any action taken by the recipient of a report to assess the accuracy of the allegations made in the report and, where relevant, to address the breach reported, including through actions such as an internal enquiry.

18 Note that since the General Data Protection Regulation entered into force, its functions are carried out by the European Data Protection Board.

19 Article 17 of the Whistleblowing Directive establishes that personal data which are manifestly not relevant for the handling of a specific report must not be collected or, if accidentally collected, must be deleted without undue delay.

20 Available at: www.oecd.org/corruption-integrity/reports/committing-to-effective-whistleblower-protection-9789264252639-en.html, accessed 10 September 2021.

21 According to the European Data Protection Supervisor’s December 2019 Guidelines on processing personal information within a whistleblowing procedure, appropriate technical and organisational measures must be implemented to ensure a level of security appropriate to the risks presented by the processing of the whistleblowing report and the sensitive nature of the personal information to be processed. As stated in the Guidelines, it is essential to put in place appropriate security measures in order to effectively prevent personal information from being accessed by non-authorised persons and to guarantee its integrity.

22 The IRS Whistleblower Protection Program also provides for an exception to the duty of confidentiality when the whistleblower is an essential witness in judicial proceedings and it is not possible to pursue the investigation or examination without revealing the whistleblower’s identity. In this scenario, the IRS will inform the whistleblower before deciding whether to proceed. See: www.irs.gov/compliance/confidentiality-and-disclosure-for-whistleblowers, accessed 10 September 2021.

23 See: www.sec.gov/whistleblower, accessed 10 September 2021.

24 See: www.osha.gov/sites/default/files/publications/OSHA3638.pdf, accessed 10 September 2021.

25 In the context of criminal proceedings, authorities tend to rely more on the internal investigation carried out by the company if it has adopted sufficient security measures to ensure the confidentiality and protection of the whistleblower.