On 16 May 2023, the Luxembourg Parliament (Chambre des députés) adopted the long-awaited law (the "Law") transposing Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law (the "Directive").
The Law entered into force on 21 May 2023, with the exception of the obligation for private sector entities which have between 50 and 249 employees to establish internal reporting channels. This obligation will apply from 17 December 2023.
Definition of a whistleblower
In line with the Directive, the Law provides for a relatively broad personal scope. The Law applies to all whistleblowers working in the private or public sector who have obtained information about violations in a professional context, including:
- workers, including civil servants;
- self-employed persons;
- shareholders and members of the administrative, management or supervisory body of a company, including non-executive members, as well as volunteers and trainees (paid or unpaid);
- any person working under the supervision and direction of contractors, subcontractors and suppliers.
The Law also covers whistleblowers:
- when reporting or publicly disclosing information about violations obtained in the course of an employment relationship that has ended;
- whose employment relationship has not yet begun if information about violations was obtained during the recruitment process or other pre-contractual negotiations.
The protective regime of the Law also covers, where appropriate:
- facilitators ;
- third parties who are connected to the reporting person and who are at risk of retaliation in a professional context, such as colleagues or relatives of the reporting person; and
- legal entities that the reporting person own or work for, or is otherwise connected with in a professional context.
Whistleblower protection
The Law protects, under certain conditions, the whistleblower who obtains, reports or publicly discloses information about breaches, which information was obtained in the course of his or her professional activities.
Firstly, the breaches covered by the Law may concern any act or omission which is either unlawful or contrary to the object or purpose of directly applicable provisions of national or European law. The material scope of application of the Law is therefore extremely broad.
Moreover, according to the definition of "information" provided by the Law, a reasonable suspicion about actual or potential breaches which occurred or are very likely to occur, or about attempts to conceal such breaches, is sufficient to fall within the protective scope of the Law.
However, violations relating to national security are not covered by the Law. Reporting persons whose relations are covered by medical secrecy or lawyer-client privilege, notary or bailiff secrecy, the secrecy of judicial deliberations, as well as rules on criminal proceedings (in particular, the secrecy of investigations), are also excluded from the scope of application of the Law.
Secondly, the protection provided by the Law only applies if the reporting person:
- had reasonable grounds to believe that the information reported was true at the time of reporting; and
- reported in accordance with the conditions and procedures laid down in the Law.
Reporting channels
The Law provides for a hierarchy of reporting channels to be used by the whistleblower. Reporting through internal reporting channels is to be preferred, as long as the breach can be addressed effectively internally and the reporting person considers that there is no risk of retaliation. Failing that, reporting through external reporting channels may be made, or even public disclosure if the legal conditions are met.
Internal reporting channels
The Law requires legal entities in both the private and public sectors to establish channels and procedures for internal reporting and follow-up. Contrary to the draft law, the Law no longer provides that this establishment must be done after consultation or even agreement with the social partners.
Only legal entities with 50 or more employees are affected by this obligation. Legal entities with fewer than 50 employees and municipalities with fewer than 10,000 inhabitants are not affected.
Internal reporting and follow-up procedures should be designed, established and operated in a secure manner, ensuring the confidentiality of the reporting person and any third parties mentioned in the report, and preventing access to these channels by non-authorised staff members.
The procedures should include
- an acknowledgement of receipt sent to the reporting persons within 7 days;
- the designation of an impartial person or service competent for following-up on the reports;
- diligent follow-up ;
- a reasonable timeframe to provide feedback, not exceeding 3 months;
- the provision of clear and easily accessible information.
External reporting channels
The reporting person may turn to external reporting channels either after having issued an internal report or directly, when the conditions for issuing an internal report are not met.
Reports through external channels must be made directly to the competent authorities listed in the Law. These authorities are subject to similar requirements in terms of designing, establishing and operating follow-up procedures.
Public disclosure
The reporting person may eventually consider making a public disclosure of the information obtained, provided that :
- that person has first reported internally and externally, or reported externally, but no appropriate action has been taken;
- that person has reasonable grounds to believe that :
- the breach may constitute an imminent or manifest danger to the public interest; or
- In the case of external reporting, there is a risk of retaliation or there is a low prospect of the breach being effectively addressed.
Protection measures
Provided that a report has been made by the reporting person in accordance with the provisions of the Law, the reporting person will be protected at two levels.
Firstly, the Law prohibits any form of retaliation, including threats and attempts of retaliation, against a whistleblower because of the report made.
The Law lists, in a non-exhaustive manner, a series of measures that must be considered prohibited (such as dismissal, demotion, discrimination, etc.), some of which must also be considered null and void (such as dismissal).
A reporting person who considers themselves to be the victim of a retaliation measure following a report may, if necessary, request that the measure be declared null and void before the competent courts within 15 days of being notified of the measure, and/or may bring a legal action for compensation for the damage suffered.
In any event, the Law provides, to the advantage of the reporting person, that in proceedings before a court relating to a detriment suffered by the reporting person, it must be presumed that the detriment was made in retaliation for the report or the public disclosure.
Secondly, a whistleblower who has made a report in accordance with the provisions of the Law will not be considered to have breached any restriction on disclosure of information (e.g. confidentiality obligation) and will not incur any liability as a result, provided that he or she had reasonable grounds to believe that the report was necessary to reveal a breach under the Law, even if the procedure is closed.
Furthermore, no liability can be incurred by the reporting person in respect of the acquisition of or access to, the information disclosed, provided that such acquisition or access does not constitute a self-standing criminal offence.
Penalties
Finally, the Law provides for sanctions against persons who retaliate or bring vexatious proceedings against a reporting person, namely a fine of between EUR 1,250 and EUR 25,000.
The reporting person may also be punished under the Law for knowingly reporting or publicly disclosing false information. The reporting person is liable to a prison sentence of 8 days to 3 months and a fine of EUR 1,500 to EUR 50,000. Reporting persons may also be held civilly liable, which exposes them to a claim for damages from the entity that suffered a detriment as a result of the report.