In the middle of April 2019, new rules on the protection of persons reporting on breaches of European Union law were adopted by the European Parliament, and as a next step the directive must be approved by EU ministers. The directive covers the breaches falling in the scope of European Union acts, in particular in the area of public procurement, financial services, products and markets, prevention of money laundering and terrorist financing, product safety, transport safety, protection of the environment, public health, consumer protection, and protection of privacy and personal data.
Persons reporting information on breaches falling within the areas mentioned above will be entitled to protection if they had reasonable grounds to believe that the information reported was true at the time of reporting and they reported internally and externally, or directly externally or publicly disclosed information. The reporting person must use the internal channels before external reporting, therefore, the Member States should ensure that legal entities in the private and in the public sectors establish internal channels and procedures for reporting and following up on reports.
As protection measures, the directive prescribes the prohibition of retaliation, in the framework of which the Member States must take the necessary measures to prohibit any form of retaliation, in particular dismissal, negative performance assessment or discrimination, disadvantage or unfair treatment. In addition, Member States have to take other necessary measures for support, protection against retaliation and for the protection of concerned persons. Furthermore, the directive includes that Member States must apply effective, proportionate and dissuasive penalties to natural or legal persons that hinder or attempt to hinder reporting, take retaliatory measures or bring vexatious proceedings against the reporting persons, or breach the duty of maintaining the confidentiality of the identity of reporting persons.