Why is it important to protect whistleblowers?
Whistleblowing has been recognized as playing a crucial role in the fight against corruption, fraud, mismanagement, and various other crimes. The Council of Europe underlined that whistleblowing can act as an “early warning to prevent damage as well as to detect wrongdoing that may otherwise remain hidden”.
Some countries, including Italy, have already implemented laws to protect whistleblowers; however, whistleblowing is far from being used as a real instrument to detect crimes. The OECD Foreign Bribery Report (2014) shows how low the percentage is: only close to 2% of the concluded foreign bribery cases were detected through whistleblowing.
The reasons for such a poor result are many, including the lack of clear and effective whistleblower protection mechanisms, as well as deficiencies in the implementation phase of the protection instruments in place.
Moreover, a culture of trust needs to be established and promoted to strengthen the perception of the importance of whistleblowing in the public interest. Studies on whistleblowing highlight that whistleblowers typically believe that their reports “will not make a difference” and that “nothing would be done to correct the activity”.
What are the innovations brought by the new whistleblowing law in Italy?
Corporate whistleblowing and whistleblowers’ protection have been under the spotlight in Italy for at least the last decade. The Italian regime on whistleblowing was recently amended by Law No. 179 of 30 November 2017 (the “Law”), which entered into force on 29 December 2017.
The Law completes the whistleblowing regulatory landscape in the public sector and introduces provisions applicable to the private sector in general, where whistleblowing was hitherto limited to specific regulated sectors (like banking and finance) or to specific activities (health and safety at work), and simply recommended – in a self-regulatory way – for listed companies.
2.1 Public sector
The Law expands and clarifies the scope of the existing provisions in the public sector, which now apply to “public administration employee”, “public-economic entity employee”, “private-law entity subject to public control”, as well as “to workers and contractors of undertakings providing goods and services and performing works in favor of public administration”.
The Law provides that “the public employee who, in the interest of the public administration’s integrity, reports to the Anti-Bribery and Transparency Officer, to the National Anti-Corruption Authority (“ANAC”), to judicial or accounting authorities wrongdoings he became aware of by reason of employment, shall not be sanctioned, demoted, fired, transferred or subject to other organizational measures having negative effects, direct or indirect, on work conditions due to the report”.
The Law, in addition to confirming what was already established by the previous legislation, namely that the whistleblower’s identity must not be revealed, provides for a prohibition of retaliatory and discriminatory measures against the reporter as well as the reversal of the burden of proof. It also introduces administrative pecuniary sanctions in connection with a violation of the provisions to protect whistleblowers (including when discriminatory measures are adopted against the whistleblower, when there is a lack of procedures for forwarding and managing reports, or when procedures inconsistent with the law are adopted).
2.2 Private sector
For the first time, the Law provides rules generally applicable to the private sector, requiring a mandatory reporting system for the protection of whistleblowers to be inserted within the organizational model pursuant to Legislative Decree No. 231/2001 on the criminal liability of corporations (“Decree 231”).
In detail, the Law requires compliance programs that companies have had to adopt under Decree 231 to provide for one or more channels which allow employees to report in detail, “for the protection of the entity’s integrity”, “relevant wrongdoings”, under Decree 231, and “based on precise and consistent evidence,” or “violations of compliance programs they became aware of by reason of employment”.
The Law details measures to protect the whistleblower, which include (i) measures to ensure the confidentiality of the reporter’s identity, (ii) the provision of at least “an alternative channel” for whistleblowing, (iii) disciplinary sanctions against “anyone who violates measures in place to protect whistleblowers”, as well as against “anyone who performs, with intent or gross negligence, groundless reports”, and (iv) the prohibition of retaliatory or discriminatory acts against the whistleblower for reasons, directly or indirectly, connected to the report.
Furthermore, the secrecy regime has been amended accordingly, in order to create consistency throughout the overall legal framework, providing for limited exceptions in which rules on secrets may be waived in favor of the reporting of wrongdoings.
Do you have any suggestions for companies in connection to whistleblower protection, in light of these legislative developments?
The new Law should be read positively because it dispels many uncertainties of interpretation and application in the field of whistleblower protection.
Companies will have to update and supplement the compliance programs they have adopted under Decree 231, where existing; draw up procedures consistent with the law; and set up specific training programs on reporting, defining, at the same time, contents, limits and methodologies. Italian companies belonging to international groups will have to ensure that the existing group procedures for managing the reporting of violations are consistent with the Law.
There are various obstacles that will have to be considered, as well as various issues that are left unresolved by the Law and open to numerous interpretations.
The Law does not resolve the potential issues arising from the processing of the whistleblower’s personal data or that of the offender, in connection with the Data Privacy Code (legislative decree No. 196 of 2003) and in light of the General Data Protection Regulation (the European Regulation 2016/679, the “GDPR”).
The reporting system contemplated by the Law involves the processing of personal data concerning both the reporting and the accused party, and thus will have to consider the guarantees established by the data protection law and regulations, including the Data Privacy Code and the GDPR, in force from 25 May 2018. These aspects will require that guidelines and other implementing measures be issued by competent Authorities, including the Italian Data Protection Authority.
Consequently, companies must verify and ensure that the personal data processing operations arising from the reporting system are carried out in compliance with the privacy legal framework and through the adoption of safety measures with a view to protecting personal data processed and/or transferred and/or stored in connection with reporting activities.
Finally, the main way in which countries and companies could facilitate and protect whistleblowers is by creating a culture of acknowledgement of the important role of whistleblowers, as well as by promoting information related to this instrument through training programs on reporting, clear and operational compliance programs, and whistleblowing procedures.
The Law on whistleblowing asks companies and public administrations to adopt appropriate control systems which should include whistleblower protection mechanisms, “which should be perceived as a democratic tool to protect the community against crime.”
 Council of Europe, Protection of Whistleblowers, Recommendation CM/Rec (2014) and explanatory memorandum.
 Recommendation CM/Rec (2014) of the Council of Europe mentioned above, page 36.
 Art. 1, paragraph 2.
 ANAC is the Italian Authority with supervisory, investigative and disciplinary powers mainly in the field of contracts with the Public Administration; it can impose administrative or monetary sanctions as well as precautionary measures (e.g. the exclusion from bidding procedures).
 Art. 1, Art. 54-bis, paragraph 1.
 Art. 1, Art 54-bis, paragraph 6.
 Decree 231 contemplates a discipline for corporate liability. It provides that a corporation shall be considered liable when individuals (i) who hold representative, administrative or executive positions in the company or actually operate and control it (the top management of the company), or (ii) who are subordinate to, or under the supervision of, one of the aforementioned persons (corporation’s employees) commit, for the benefit of the company, certain crimes listed in Decree 231, which includes national and international corruption. Decree 231 exonerates the company from liability if it can demonstrate that, before the crime was committed, it had adopted and effectively implemented an adequate “organizational model” suitable to prevent the offenses of the kind that occurred and had appointed a supervisory body specifically vested with autonomy of initiative and control powers to supervise the implementation of the organizational model.
 Art. 2.
 Art. 2.
 Art. 3.
Paul Hastings LLP
Via Rovello, 1
20121 Milan, Italy
Tel: +39 02 30414 000