Romanian Approach to the Whistleblowers’ Directive
19.04.2021 – Author: George Trandafir
Romanian authorities have recently initiated the transposition process for Directive (EU) 2019/1937 of the European Parliament and of the Council on the protection of persons who report breaches of Union law (the “Whistleblowers’ Directive”).
A limited period for public review of the first draft of transposition bill has just closed. The projection is that it will become law by December 2021 to meet the transposition deadline.
We analyzed the initial draft bill and prepared this summary to provide the stakeholders with insights on the upcoming legislation.
Relationship with the Existing Whistleblowing Rules
Whistleblowing rules are not new to the Romanian legal landscape.
Pieces of legislation covering specific business areas (e.g. banking, insurance, anti-money laundering) do include some whistleblowing rules, which will continue to apply under the Whistleblowers’ Directive.
In addition, since 2004, a whistleblowers’ law has been in force in Romania, but its applicability is limited to the public entities’ operations. From a practical viewpoint, its impact has been limited to nil, with no significant public disclosures nor case law developed around them.
The new whistleblowers’ law will replace the 2004 law, will become a common general standard in facilitating and managing reports on breaches and will complement the existing sectoral legislation.
Breaches to Report
As compared to the Whistleblowers’ Directive, the Romanian transposition bill proposes to expand the types of breaches to report, from EU law breaches to virtually any breach of law, deontology, and rules governing regulated professions, occurring within a company, should the breach qualify as disciplinary misconduct, administrative breach or criminal offence. Breaches not having such qualification may also be reported.
The primary justification of this approach lies within the initiators’ intention to preserve the legal standards set under the 2004 whistleblowers’ law in terms of applicability ratione materiae.
From a practical perspective, allowing whistleblowers to report on any breach relieves them from the burdensome task of assessing what constitutes breach of the EU law and what is only breach of domestic law.
The alternative approach, which would have followed word-by-word the Whistleblowers’ Directive, was deemed to have potentially rendered insignificant the number and scope of reports on breaches, thus strongly affecting the efficacy of the Whistleblowers’ Directive.
All companies with at least 50 employees are obligated, per the transposition bill’s provisions, to set up reporting policies and infrastructure, including a secure internal reporting channel.
However, compliance is expected from companies with 50 to 249 employees only as of 1 January 2023.
For companies with less than 50 employees, the transposition bill proposes that the whistleblowing rules become applicable immediately upon entry into force of the law, as follows:
- Internal reporting channels are not mandatory.
- Whistleblowers may pursue external reporting directly, unless the companies voluntarily set-up internal reporting channels.
- Public disclosure is conditional on the inadequacy of the measures taken following submission of a report on breaches through the external reporting channel.
Reporting Breaches, Escalating, and Public Disclosure; Investigations and their Duration
As a preliminary remark, the Romanian transposition bill requires further adjustment for coherence of the rules applicable to reporting and to escalating reports on breaches. We will highlight below several matters to be further clarified/addressed under the law.
The bill requires whistleblowers to report first through the internal reporting channels.
However, the bill is unclear as to the deadline imposed on the recipients for completing the investigations on a breach. The deadline is important for determining the awaiting period before escalating a report on a breach through the external reporting channel.
The bill does provide that a public authority, when managing the external reporting channel, should complete the investigations within 3 months (with the option to extend it up to 6 months, if duly justified); consequently, the recipient company’s deadline will probably mirror the one binding on public authorities.
Whistleblowers may utilize the external reporting channel only subject to having reported through the internal reporting channel and the recipient having inadequately dealt with it.
Whistleblowers may pursue direct external reporting if:
- There are no internal reporting channels (as in case of companies with less than 50 employees); or
- Reporting through the internal channel poses a risk of retaliation and the breach cannot be adequately remedied through that channel.
There is no mechanism preventing that whistleblowers proceed directly to external reporting and it is only up to the recipient authorities to set a rigorous practice as regards reporting streams and management of inadequate reporting.
Public disclosure (mainly through media) requires a whistleblower to assess whether the legal requirements are met for going public and may occur only as a last resort measure (i.e. following cumulative reports through internal and external channels if both exist).
By derogation, public disclosure:
- Is directly available to whistleblowers only in case that the breaches trigger an imminent or evident danger to the public interest or pose the risk of a prejudice that cannot be remedied.
- Does not require the prior submission through the external channel in case there is a risk of retaliation or in case of reduced chances that the breach may be remedied following reporting through the external channel given the particular circumstances of the case.
Guidance is necessary to achieve responsible recourse to public disclosure.
Under the Romanian draft legislation, anonymous reporting on breaches is not permitted. In case of reports made anonymously, the addressee company, as well as the authority managing the external reporting channel, may dismiss them without any assessment on the merits.
However, the whistleblowers’ protection would extend to whistleblowers having made anonymous reports, in case they are identified and subsequently suffer retaliation.
The Romanian draft transposition bill has set out several administrative fines for companies failing to comply with the new whistleblowers’ legislation. The legislator seems to intend to incentivize the concerned companies, for encouraging them to set up reliable reporting policies and infrastructure and thus avoid the greater risks of external public exposure and disruption deriving therefrom.
The most important consequences of breaching the whistleblowers’ legislation may derive from court actions filed by whistleblowers for nullification of retaliation measures and for the award of indemnification for prejudices suffered due to retaliation.
Note that the initiators of the bill have proposed that the individuals having ordered in bad-faith retaliation against a whistleblower be liable jointly with the recipient company for the payment of indemnification to whistleblowers.
Matters of Concern
- Potential Substantial Public Disclosures
The bill designates the National Agency for Integrity as the main public authority in charge of the management of the external reporting channel.
However, it is questionable whether this authority will be properly equipped for carrying out its tasks and there is little time left before the authority should become operational and start setting standards and guidelines. Under these circumstances, a large workload will probably trigger a blockage of the external reporting channel, with the main consequence of the whistleblowers being thus in the position of channeling their reports to the press, invoking the public disclosure right.
The same may occur if the recipient companies fail to take adequate measures following submission of reports on breaches via their internal reporting channels. We anticipate that, until court practice settles the guiding principles to follow in solving reports on breaches, this will constitute a major source of concerns for the recipients.
In addition, with the Agency commencing to implement the law at the same time with the recipient companies, there will be no time to exercise its educational and consultancy tasks provided under the new law.
- Redirecting Reports on Breaches
The National Agency for Integrity is required to redirect all reports on breaches if the Authority does not hold competencies ratione materiae to solve them or if such competencies belong to other authorities based on the sectoral whistleblowing legislation.
Given that the Agency’s competencies ratione materiae are limited, probably most reports will be redirected to other authorities.
In this scenario, the confidentiality granted to the whistleblowers should be maintained, but from a practical standpoint this might not always work properly or not work at all; changes in legislation should be implemented to accommodate whistleblower’s confidentiality with the requirements on submitting complaints to public authorities, which involve also disclosing the complainant’s identity.
Unless properly addressed under the bill or under secondary legislation, this may also be a source for blockages, and consequently a trigger for an increased number of public disclosures.
- Abusive Reports
Whistleblowers’ abusive reports may trigger significant administrative fines, ranging from approx. Euro 500 to Euro 5,000.
Whistleblowers may also incur civil liability for damages caused to the concerned company following abusive reports.
However, the Romanian transposition bill does not sufficiently clarify under what conditions reports are abusive and consequently engage the whistleblowers’ civil liability. Unless the draft law is corrected/adjusted, courts should settle this matter; until such time, the concerned companies and the whistleblowers will pay for the lack of foreseeability, which will lower the efficacy of the new law.
- NDAs, Confidentiality, and Loyalty Legal Obligations
Established practice concerning whistleblowers’ protection in the United States has shown that NDAs, confidentiality, and loyalty legal obligations cannot prevent a whistleblower from making a report on breaches and consequently the liability deriving therefrom should be limited or excluded.
In line with such practice, the preamble of the Whistleblowers’ Directive indicates that member states should eliminate the obstacles to whistleblowing mentioned above.
The Romanian transposition bill has stepped up to meet this requirement as well, but the current wording requires further refinement and simplification.
- Business Decisions Scrutinized
Pursuant to the Romanian transposition bill, courts of law may scrutinize business decisions and legal deeds of the concerned companies, when qualifying as retaliation, and may nullify them and/or order the payment of indemnification if they triggered damages to the whistleblowers.
Consequently, decision-making needs adjustments for correlation with the whistleblowers’ legislation and implementation of contracts require additional diligence in documenting or challenging failure in performance.
- Burden of Proof
The Romanian transposition bill provides for the reversal of the burden of proof in disputes relating to retaliation.
Consequently, for obtaining the dismissal of the whistleblower’s court action, the concerned company will be required to prove that measures qualifying as retaliatory actions have solid business grounds unrelated with the reports on breaches.
Recommendations for Companies
The Romanian legislative process is still in its early stages and stakeholders should contribute to the shaping of the final draft of the transposition bill.
With the initiators intending to exceed the European legislator’s expectations set under the Whistleblowers’ Directive, it is unlikely that substantial alterations to the transposition bill be implemented.
Consequently, in a precautionary approach, companies should prepare for full compliance starting December 2021, as follows:
- Companies with at least 250 employees should be fully equipped to manage reports on breaches, by setting-up reporting policies and infrastructure.
- Companies with 50 to 249 employees may consider whether to speed up the implementation of internal reporting channels, based on risk analysis concluding that reports submitted by whistleblowers directly through the external channel might significantly disrupt their activities.
- If resource-wise feasible, companies with less than 50 employees may do the same.
- Irrespective of the number of their employees, companies applying the existing sectoral legislation on whistleblowing should update their reporting policies and infrastructure to bring them in compliance with the new law.
 Other public authorities in charge with managing the external channel per this bill are the following: (1) public authorities holding competencies to hear complaints concerning the breach of the sectoral legislation on whistleblowing and (2) public authorities competent to take measures in connection with the reported breaches.