Whistleblowing, or reporting of breaches of the law, is often regulated in a fragmented and non-comprehensive fashion. This is about to change thanks to Directive 2019/1937 of October 23, 2019 “on the protection of persons who report breaches of Union law” (the “Directive”), aimed at harmonizing and broadening the protection of whistleblowers and of reported entities.
In Italy, whistleblowing is currently governed by Legislative Decree no. 165/2001 (for public employees) and by Legislative Decree no. 231/2001 (for private employees). With regard to the private sector, whistleblowing provisions are only applicable to companies that have adopted a “231 Organizational Model”.
The Directive should have been implemented by December 17, 2021. The Italian government has been delegated by the Parliament to adopt the necessary implementing measures but, as in many other EU countries, the legislative process has already exceeded the December 17 deadline.
While the details of the national law that will implement the Directive are still unknown, certain basic principles can already be envisaged:
- In principle, the Directive applies to public entities and to private entities with at least 50 employees or with an annual turnover of more than Euro 10 million, with two caveats: (i) the Directive is applicable, regardless of the number of employees, if your company operates within the scope of EU legislation preventing money laundering and terrorist financing (e.g., financial services); and (ii) Member States may decide to apply new whistleblowing provisions also to companies below the 50-employee threshold;
- The Directive broadens the concept of reporting person: self-employed workers, shareholders, members of the company’s key bodies, (sub)contractors and suppliers, among others, will also be covered by the protection afforded by whistleblowing legislation (such as the protection of their identity), even if their work relationship has ended or has yet to begin;
- The Directive also broadens the subject matter of the report: to be covered by the Directive, reports have to relate to breaches of EU law in specific sectors. However, the Directive provides for the possibility to broaden the subject matter so as to include violations of domestic legislation;
- The Directive provides for three reporting channels:
  - Internal channel: if you have adopted a 231 Model, you are surely already equipped with an internal whistleblowing channel, which, however, will need to be upgraded to cover the new definition of reporting person and the strict reporting and follow-up requirements established by the Directive;
  - External channel, which will be set up by the government and will likely allow reporting persons to blow the whistle to public authorities, such as the Italian Anticorruption Authority. (If you have an IT provider which helps you run a whistleblowing channel, that’s an internal one);
  - Public disclosure: reporting persons may “go public” only if other channels have not been successful.
- In relation to groups of companies, the European Commission has clarified the matter with two opinions, dated June 2, 2021 and June 29, 2021: each legal entity with 50 or more workers is required to set up its own channels and procedures for internal reporting. Entities with 50 to 249 employees may “share resources” with their parent companies (but also with non-linked companies) and may also, but not exclusively, rely on their channels;
- Data collection and processing activities under whistleblowing provisions must be carried out in compliance with the GDPR: as an example, personal data which are manifestly not useful for the purposes of a specific report must not be collected or, if collected accidentally, must be deleted.
While we wait for the Italian law implementing the Directive, the above basics already give you an idea of what is to come.