Dr Ann Bugeja is a senior associate at GVZH Advocates and Dr Nina Fauser is a legal trainee at GVZH Advocates
The EU Whistleblower Directive (“the Directive”) establishes a regulatory framework for procedures where persons who acquired information on breaches in the context of their work-related activities may report information on such breaches through internal or external reporting channels.
The Directive was transposed into Maltese legislation quite recently on 18 December 2021, introducing several amendments to Malta’s Protection of the Whistleblower Act, Chapter 527 of the Laws of Malta (“the Act”).
Key amendments introduced to our local legislation
A) Obligation to establish internal reporting channels
By virtue of the Act, all legal entities operating in the public sector and legal entities with 50 or more workers operating in the private sector are required to set up internal reporting which shall be designed and operated in a secure and confidential manner, enabling workers to report information on breaches.
Entities operating in the private sector with fewer than 50 workers may also be required to establish said internal reporting channels following an appropriate risk assessment taking into consideration the nature of the entity’s activities and the ensuing level of risk.
B) Reporting through external reporting channels
The Act also establishes that a whistleblower may opt to file a disclosure through an external reporting channel, including the Auditor General, Commissioner for Revenue, Financial Intelligence Analysis Unit (FIAU), Malta Financial Services Authority (MFSA) and Ombudsman, among other channels. Whistleblowers may choose to file a disclosure through an external reporting channel either:
i) after having first reported through internal reporting channels; or
ii) by directly reporting through an external channel in situations where, for example, such reporting person has valid reasons to believe that the head of the organisation is involved in the improper practice or if he/she has reasonable grounds to believe that he/she will be subjected to an occupational detriment by his/her employer if he/she makes an internal disclosure.
c) Public disclosures
Another novelty of the Act is the introduction of the protection of persons who make public disclosures. A public disclosure refers to a situation where an individual makes information on breaches available in the public domain. Such individuals shall qualify for protection if:
i) The individual reported internally/externally, but no appropriate action was taken in response to the report within the relevant timeframes; or
ii) The person has reasonable grounds to believe that the breach may constitute an imminent or manifest danger to public interest or in the case of external reporting, there is a risk of retaliation or there is a low prospect of the breach being effectively addressed.
Who does the Act apply to and what breaches may be reported?
In order for an individual to qualify for protection under the Act, a report must be filed by an “employee” and it must relate to an “improper practice”, that is, an action or series of actions as defined in the Act, including for example, situations where a person has failed to comply with any legal obligation to which he/she is subject, situations where the health or safety of any individual has been endangered or cases where the environment has been damaged.
The definition of an “employee” under the Act has also been extended to cover, among others, former employees, persons who work under a contract of service with an employer, persons who are/were seconded to an employer, volunteers, prospective employees where information concerning improper practices has been acquired during the recruitment process or other pre-contractual negotiations and shareholders and persons belonging to the administrative, management or supervisory body of an undertaking, including non-executive members, and paid or unpaid trainees.
Way forward
Although so far, the Act did not seem to gain the same momentum as the GDPR and other similar large-scale European Directives, some of the changes, which have been introduced, are far reaching and entities operating in the public sector, as well as companies with more than 50 workers operating in the private sector (and potentially also companies with fewer than 50 workers operating in the private sector following an appropriate risk assessment as explained above), are now required to establish internal reporting channels in order to ensure compliance with the Act.
Dr Ann Bugeja is a senior associate at GVZH Advocates, forming part of the Employment team. Ann has advised a number of large companies in Malta and overseas on non-litigious employment law matters, including collective redundancies and transfer of businesses.
Dr Nina Fauser is a legal trainee at GVZH Advocates, focusing on Employment law, Real Estate and Litigation. Nina also has a particular interest in Technology law and Intellectual Property matters.