On 15 December 2022, the Belgian Act on the protection of persons who report breaches of national or Union law adopted on 28 November by the Federal Parliament was published in the Belgian State Gazette (the “Act”, available in Dutch and French).
The Act finally implements the EU Directive 2019/1937 on the protection of persons who report breaches of Union law (the “Directive“) into the private sector, almost a year after its transposition deadline, and after a letter of formal notice of default of transposition of the Directive was sent to Belgium by the EU Commission. To date, many Member States are still in default of having validly transposed the Directive into their domestic legislation (see our tracker here). Under this legislation, companies of a certain size will have to set up internal reporting channels, and persons (including employees and contractors) who use these channels (as well as external/public channels) to report a range of violations of certain EU and national matters, will be protected against retaliation.
Whilst the content of the Act is broadly in line with the Directive, it does contain some peculiarities which, while not surprising, will nevertheless attract the attention of practitioners and may require adjustments to your existing policies and processes. A brief overview of the specifics of the Belgian Act:
- The Act first extends the material scope of protection to reports of topics in the fields of prevention of social and fiscal fraud, in addition to the topics already covered by the Directive. This is an important extension of the Directive’s material scope, while the personal scope of the Act is identical to the Directive;
- Secondly, not surprisingly, entities with less than 50 employees are exempted from the obligation to establish an internal reporting channel. What is more unusual is that the federal government has reserved the power to extend this obligation to those entities as well, by means of a Royal Decree (although this is unlikely). Entities with more than 249 employees are required to establish such an internal reporting channel that must be up and running by the 15 February 2023. Smaller entities (from 50 to 249 employees) have until 17 December 2023 to comply;
- Entities with 250 or more employees will have to accept anonymous reporting (while smaller entities are free to accept these or not) i.e., an extension that was permitted but not imposed by the Directive;
- Worth mentioning is that the establishment of such internal channels also requires the prior consultation of the existing employee representative bodies, i.e. either the Works Council or the Health & Safety Committee, in the absence of these bodies, the Union Delegation, or in the absence of any of these bodies, the employees individually. This formality was not imposed by the Directive and could complicate the roll-out of your whistle-blowers’ policies;
- The outsourcing of this obligation to set up these channels internally is also allowed for all organisations – regardless of their size – provided the entity concerned remains the “data controller” of the personal data transfers involved within the meaning of the EU General Data Protection Regulation, with all the consequences that this status entails, in particular with regard to the conclusion of an EU GPDR-compliant data processing agreement. Outsourcing also implies the setting up of shared / group-wide reporting channels. As you may recall, the EU Commission – in an informal opinion issued in the summer of 2021 – opposed the extensive use of such centralised instruments, indicating that each entity should have its own separate reporting channel – or at least those with more than 249 employees. The Act did not follow this stance and explicitly leaves it to private sector companies to freely choose between in-house / outsourcing / shared reporting channels, depending on what is most adapted to the structure of their organisation, and this notwithstanding the size of each of its entities. This simplifies the process, especially as these third parties are currently not required to obtain a specific label or authorisation (unlike in several other EU Member States); and
- Finally, the Act sets a wide range of sanctions for acts of retaliation against persons falling under the scope of protection of the Act; employees can get damages amounting to between 18 and 26 weeks’ salary, and for other victims, compensation is possible for damages actually suffered and proved by the victim. Employees who have reported breaches in the field of financial services, products, and markets, and who have suffered retaliatory measures as a result, can also, through a specific procedure, request to be reinstated. Such compensation cannot be cumulated with the damage indemnity that may be due under national CBA No. 109 in case of a blatantly unreasonable dismissal. If necessary, preventive remedies for retaliation against employees can also be ordered in summary proceedings by the President of the Labour Tribunal. Finally, such acts of retaliation may be punished either by a prison sentence (from six months to three years) or by a fine of between €600 and €6,000.
The Act’s provisions are of public policy; no contractual or legal deviation is therefore permitted. The most proactive private sector organisations who have not waited for the adoption of the Act to set up proper inside whistle-blower policies are close to being fully compliant; all they have to do is slightly adapt their policies based on the above and follow the proceedings on prior consultation of the employee representative bodies. For the others who still have nothing in place, it is not too late but time is running out. If you have any questions regarding this new legislation and the way towards compliance, please do not hesitate to contact our team of experts who will be happy to guide you.
For further information, please contact:
Jehan de Wasseige, Bird & Bird
jehan.dewasseige@twobirds.com