The question seems to have passed unnoticed, but it is, nonetheless, justified. It regards to the areas listed in the material scope of application. If an employee wants to make an internal formal complaint about contingent workers (as real subordinated employees) , can he do so? If an employer creates a channel for complaints where it handles and manages information and personal data of employees reporting on labor matters, can the CNPD (a Portuguese acronym for “National Commission for Data Protection”) later point out that there is no legal condition for the processing?
Let us take a glance at the text of the Whistleblowing Directive (Art. 2(1)):
“This Directive lays down common minimum standards for the protection of persons reporting the following breaches of Union law: (a) breaches falling within the scope of the Union acts set out in the Annex that concern the following areas: (i) public procurement; (ii) financial services, products and markets, and prevention of money laundering and terrorist financing; (iii) product safety and compliance; (iv) transport safety; (v) protection of the environment; (vi) radiation protection and nuclear safety; (vii) food and feed safety, animal health and welfare; (viii) public health; (ix) consumer protection; (x) protection of privacy and personal data, and security of network and information systems; (b) breaches affecting the financial interests of the Union as referred to in Article 325 TFEU and as further specified in relevant Union measures; (c) breaches relating to the internal market, as referred to in Article 26(2) TFEU, including breaches of Union competition and State aid rules, as well as breaches relating to the internal market in relation to acts which breach the rules of corporate tax or to arrangements the purpose of which is to obtain a tax advantage that defeats the object or purpose of the applicable corporate tax law”.
Meanwhile, the transposition law (Law 93/2021, of December 20) states that:
“1 – For the purposes of this law, the following shall be considered an offence: a) The act or omission contrary to rules contained in the European Union acts referred to in the Annex to Directive (EU) 2019/1937 of the European Parliament and of the Council, to national rules implementing, transposing or complying with such acts, or to any other rules contained in legislative acts implementing or transposing them, including those providing for crimes or administrative offences, concerning the fields of: (i) public procurement; (ii) financial services, products and markets and prevention of money laundering and terrorist financing; (iii) product safety and compliance; (iv) transport safety; (v) environmental protection; (vi) radiation protection and nuclear safety; (vii) food and feed safety, animal health and animal welfare; (viii) public health; (ix) consumer protection; (x) (b) the act or omission contrary to, and detrimental to, the financial interests of the European Union referred to in Article 325 of the Treaty on the Functioning of the European Union (TFEU), as specified in the relevant Union measures; (c) the act or omission contrary to the internal market rules referred to in Article 26(2) of the TFEU, including the rules on competition. (d) Violent, especially violent and highly organized crime, as well as the crimes provided for in Article 1(1) of Law 5/2002, of January 11, establishing measures to combat organized and economic-financial crime; and (e) The act or omission contrary to the purpose of the rules or norms covered in paragraphs (a) to (c) (…)”.
Was there some kind of a misunderstanding here? Is there a real omission regarding the violation of labor and employment obligations? Let’s take a closer look at Recital (21) of the aforementioned Directive:
“This Directive should be without prejudice to the protection granted to workers when reporting breaches of Union employment law. In particular, in the area of occupational safety and health, Article 11 of Council Directive 89/391/EEC (31) already requires Member States to ensure that workers or workers’ representatives are not placed at a disadvantage because of requests or proposals they make to employers to take appropriate measures to mitigate hazards for workers and/or to remove sources of danger. Workers and their representatives are entitled, under that Directive, to raise issues with the competent authority if they consider that the measures taken, and the means employed, by the employer are inadequate for the purposes of ensuring safety and health”.
For the time being, besides the normative value to be attributed to the recitals of a Directive, it is important to question what is understood by EU labor law and whether it can absorb the valuable contributions, already in several ECHR (European Court of Human Rights) decisions. But one could ask whether jobseekers are covered, as the Directive provides for the protection of former workers. In this, the last part of Recital (39) summarizes that: “(…) Protection should also be granted to persons whose work-based relationship has ended, and to candidates for employment or persons seeking to provide services to an organization, who acquire information on breaches during the recruitment process or another pre-contractual negotiation stage, and who could suffer retaliation, for instance in the form of negative employment references, blacklisting or business boycotting.”
It seems to us that these matters are duly covered by the law that will very soon come into force.
It has also been questioned whether whistleblowing can be aimed at the protection of hackers, namely because some professions involve a high standard of computer diligence or informatic services. Here, from our view, the personal scope of application (Article 4 of the Directive and Art. 5 of the transposition law) is the real matter at stake: who is the person “whistleblowers who, working in the public or private sector, have obtained information on violations in a professional context (…)”, of which “a) Workers, within the meaning of Article 45(1) TFEU, including civil servants”.
We don’t think so. For several reasons: (i) hacking is not, in itself, a professional activity recognized by the EU, not being regularized as such and, most importantly, does not constitute a licit activity; (ii) secondly, the Directive does not overlook other values that the EU aims to pursue, such as the protection of personality rights, especially the one regarding the informational self-determination.
We will keep an eye out for future developments.
Tiago Sequeira Mousinho @ DCM | Littler