Whistleblowing - recent developments and privacy aspects in Italy
And the EU Directive to come
28 February 2019
The laws and regulations that apply to whistleblowing in Italy work from different positions in different areas, and continue to develop fast. There are many issues to consider when it comes to meeting the duties imposed by both general and sector-specific rules and by data protection requirements, which have been substantially revised following whistleblowing legislation, and the employment law protections that apply to individuals accused of disciplinary breaches. A European Directive that will set minimum standards on whistleblowing is currently under preparation.
Navigating successfully through the existing rules and those coming down the line will enable companies and institutions not just to meet their duties under the law, but also to handle reporting systems in a way that best serves their specific requirements, and thus provides the most effective protection.
COMPLEX, INTERLOCKING SETS OF RULES – AN OVERVIEW OF THE CURRENT SITUATION
Whistleblowing is a global phenomenon these days. The development of both domestic legislation in countries around the world and international rules have resulted in different countries developing their own laws, usually focused on reporting systems and measures to protect the whistleblowers (See: "Whistleblowing: first steps taken towards legal safeguards in Italy".)
Italy gained rules of general application in this area through Law 179/2017, which came into force on 29 December 2017. This governs whistleblowing within the private sector, amending Legislative Decree 231/2001 on the vicarious liability of corporations, and Legislative Decree 165/2001 on public employment. The most important features of Law 179/2017 are the obligation to provide for appropriate reporting channels that ensure that whistleblowers' identities are kept secret, and a prohibition upon retaliatory action being taken against whistleblowers for reasons that are directly or indirectly connected with their whistleblowing. (For more on the content of Law 179/2017, and the guidelines for its application, see "Whistleblowing legislation – early indications on how law 179/2017 will work").
Sector-specific legislation on whistleblowing
In addition to the general legislation Law 179/2017, other laws and regulations apply to different sectors of the economy. Individuals and entities operating in the various sectors affected have to familiarise themselves with these regulatory distinctions and take the necessary action to ensure compliance.
- The Consolidated Law of Banking provides that (i) banks and their parent companies put in place specific procedures that ensure secrecy, protection against retaliatory action, and that there is a specific, autonomous and independent channel for internal whistleblowing over acts or circumstances that might constitute breaches of banking laws and regulations; and (ii) reports of breaches of the provisions of Titles II and III of the Consolidated Law of Banking, and of EU instruments that are directly applicable, may be reported to the Bank of Italy itself.
- The Consolidated Law of Financial Intermediation (or CLFI) provides that (i) individuals and entities subject to the rules governing the conduct of intermediaries and markets should put in place specific procedures with characteristics similar to those set by the Consolidated Law of Banking for internal reporting of acts or circumstances that may constitute breaches of the rules governing their operations, or the provisions of the Market Abuse regulation; and (ii) whistleblowing reports of breaches of the CLFI or of EU instruments that are directly applicable, may be made to the supervisory authorities (meaning the Bank of Italy and CONSOB).
- Legislative Decree 231/2007 on money-laundering requires individuals and entities to whom article 3 of the Decree applies to put in place proportionate procedures with characteristics similar to those set by the Consolidated Law of Banking, for internal reporting of potential or actual breaches of the provisions for the prevention of money-laundering and terrorist funding.
- The Private Insurance Code provides that (i) insurance and reinsurance firms, insurance brokers (including those who broker insurance as an ancillary to their main business) and reinsurance brokers put in place specific procedures with characteristics similar to those set by the Consolidated Law of Banking for internal reporting of acts or circumstances that may constitute breaches of the provisions of the Code; and (ii) whistleblowing reports of breaches of the Code or of EU instruments that are directly applicable may be made to the domestic insurance regulator, IVASS.
- The Consolidated Law on Public Employment provides that public employees (which definition includes employees of public entities that are economic operators, and of private entities that are publicly-controlled or that supply goods or services to general government) may make whistleblowing reports to the RPCT(person in charge of transparency and prevention of corruption), the National Anti-Corruption Authority, the ordinary prosecution authorities, or the prosecution authorities at the Court of Auditors, where the reports concern unlawful conduct of which they have become aware through their employment relationship. The procedures must ensure that the whistleblower's identity remains secret and that the whistleblower has protection against retaliatory action.
The guidelines in this area
The legislative and regulatory provisions have resulted in a number of sets of guidelines being introduced to assist companies and institutions with analysing and defining the practical aspects of putting the reporting channels in place.
- In January 2018, the employers' association Confindustria published a memorandum that concentrates on the question of the secrecy of the whistleblower's identity and which persons should receive whistleblowing reports (such as the supervisory body, an external person, the head of compliance, or the employer).
- In December 2018, Italy's National Council of Commercial Accountants published a document entitled, Consolidated Principles for the Preparation of Organisational Models and the work of the supervisory authorities, and prospects for the revision of Legislative Decree 231/2001. Compiled jointly with the Italian Banking Association, the Italian lawyers' professional body, and Confindustria, the document draws upon the aforementioned memorandum from Confindustria and proposes that reports should be submitted to the supervisory body, albeit not necessarily to the exclusion of other possibilities. The document also suggests that more sophisticated instruments are needed for handling such reports than simple email exchange with the supervisory body, in order to ensure that the whistleblower's confidentiality is kept, and that there be specific, appropriate mechanisms for assessing whether reports are well-founded and for following up the reports.
- The International Organisation for Standardization is currently drawing up guidelines for whistleblowing management systems, ISO 37002. These should be completed by the end of 2021 and are intended to provide guidance to firms of all sizes regarding the implementation and management of an effective whistleblowing system founded on principles of trust, impartiality and protection.
EUROPEAN LEGISLATION UNDER PREPARATION
In efforts to harmonize the disparate approaches that domestic European legislatures have taken in different Member States, the European Union has begun drafting some pieces of legislation that will establish common minimum standards in this area.
Proposed Whistleblowing Directive
In April 2018, a proposal for a Directive was published, with the objective of harmonising the protection assured to whistleblowers in the European Union. The proposal reflected observations and opinions from the EU's consultative bodies and is currently under consideration by the relevant institutions. The Directive's final terms are likely, when they emerge, to be based on the following points:
- The application to entities with legal personality in the public or private sector with more than 50 employees, or revenues or net assets exceeding euro 10 million, that operate in the financial sector, or are exposed to moneylaundering or terrorism financing;
- The establishment of reporting channels, either internally or externally towards the appropriate authorities designated by the Member States;
- The organisation of internal reporting channels that ensure, inter alia, that the whistleblower's identity remains secret, and that the whistleblower receives a response to their report within a reasonable period;
- Protection for the whistleblower from direct or indirect retaliation; and
- Penalties that are effective, proportionate and dissuasive for those who obstruct reports, put in place retaliatory or vexatious measures against the whistleblower, or who breach the secrecy obligation, and for whistleblowers whose reports are fraudulent or unfounded (such penalties being in addition to the obligation to compensate the losses caused as a result of the report).
Fifth Money-Laundering Directive
Directive (EU) 2018/843 (commonly known as the Fifth Money Laundering Directive) was published in the Official Journal of the European Union on 19 June 2018 and its provisions are due to be implemented by Member States by 10 January 2020. The new Directive has an impact also on whistleblowing, as it replaces the provisions of article 38 of the Fourth Money-Laundering Directive. The new article retains the protection for whistleblowers against threats, and hostile and retaliatory action, and also imposes an obligation upon Member States to ensure that persons who face such measures because of their whistleblowing have the right to submit complaints safely to the appropriate authorities, and the right to effective recourse to protect their rights.
CHANGES TO DATA PROTECTION AND EFFECTS UPON DISCIPLINARY PROCEDURES
Law 179/2017 expressly provides that how reports are managed must ensure that whistleblowers' identity remains secret.
This produces a potential conflict with the right of access that the reported person has in principle as a data subject affected by the processing of their personal data (in particular, articles 15-22 of the GDPR (Regulation (EU) 2016/679) provide for rights to access, amend, cancel and restrict processing, data portability, to object, and protection against automated decisions).
Nonetheless, the Italian legislature has exercised the provisions of article 23 of the GDPR and introduced specific restrictions upon those rights. Specifically, article 2- undecies of Legislative Decree 101/2018, which brings domestic legislation into line with the GDPR (the "GDPR Decree"), provides that those rights may not be exercised where to do so may result in an "effective and tangible prejudice":
- To the secrecy of the identity of a whistleblower who, pursuant to Law 179/2017, reports a breach of the law of which they became aware in the performance of their duties; and
- To the conduct of investigations for the exercise or defence of legal claims in court proceedings.
These restrictions must be applied in accordance with the laws and regulations that govern the relevant sector, that must in turn implement measures that are at least intended to govern the matters covered by article 23(2) of the GDPR, including the right of data subjects to be informed of the restriction unless that could compromise its objective.
The rules of professional practice on acting during investigations and proceedings were reviewed by Italy's data protection authority in the light of the GDPR and published in Italy's Official Gazette, No. 12/2019. Compliance therewith is required as a condition to the lawfulness of data processing, and breach is punishable by the highest administrative penalties (up to euro 20 million, or, for businesses, up to 4% of annual global revenues in the prior year, if higher; see article 166(2) of Legislative Decree 196/2003, known as the Privacy Code, as amended by the GDPR Decree).
Article 52-bis of the Consolidated Law of Banking already provided that the right of access did not apply with respect to a whistleblower's identity, which may be revealed only with their consent or where knowledge thereof is essential for the whistleblower's defence. That provision of the Consolidated Law of Banking referred to the nowabolished article 7(2) of the Privacy Code, which dealt with rights of access – now governed by article 15 of the GDPR directly.
More generally, article 2-undecies of the GDPR Decree provides that exercise of a data subject's rights may be delayed, restricted or refused by a notice setting out the grounds, issued without delay to the data subject, unless the notice may compromise the restriction's objective. In any event, such a notice will apply only for the period, and to the extent, such a measure is necessary and proportionate.
That is similar to the positions set out by Europe's Article 29 Data Protection Working Party on whistleblowing in its Opinion 1/2006, referred to by the report of the Italian data protection authority of 10 December 2009; and by the European Data Protection Supervisor in its July 2016 guidelines – that access may only be delayed where that would risk identifying the whistleblower, and disclosure to the person whom the whistleblowing concerns may be delayed of, inter alia, the allegations against them for so long as there is a risk of compromising either the report's effective review, or evidence-gathering.
In employment law terms, the caselaw has repeatedly found that internal investigations are legitimate where they seek to obtain the evidence to assess whether a disciplinary offence has been committed (also where that involves meeting the individual, and even receiving their spontaneous confession); and that only where an employer has the evidence to reasonably believe that a breach was committed is there an obligation to inform the person considered responsible, providing a detailed description of the allegations in writing within the disciplinary procedure under article 7 of Law 300/1970 (legislation informally known as the Workers' Charter).
Suspension, by contrast, does not require a specific explanation and may be imposed even while the investigations are ongoing, as national collective labour agreement frequently provide and as in any case is permitted under the employment caselaw.
Law 179/2017 expressly provides that whistleblowing is outside the right of access to administrative documents that exists under article 22 of Law 241/1990, and that the identity of a whistleblowing public employee should not be revealed where the disciplinary allegation is based on further, distinct, findings, even if those flowed from the whistleblowing. Where the disciplinary allegation is based entirely or in part upon the whistleblower's report, and knowledge of the whistleblower's identity is essential to the defendant's ability to defend themselves, then the report may only be used where the whistleblower has consented to disclosure of their identity.