New Italian Regulation On Whistleblowing
By 17 December 2023, a considerable number of Italian private companies (that is, those that in the last year have employed on average between 50 and 249 workers) shall have in place an internal reporting channel, pursuant to Legislative Decree no. 24/2023 on whistleblowing.
Previous Italian regulations on whistleblowing, at least in the private sector, were rather fragmented and limited in scope. They only applied to companies that had adopted policies to shield themselves from corporate crime liability and generated many interpretative uncertainties, especially regarding coordination with personal data protection rules.
Then came Directive (EU) 2019/1937, with which EU lawmakers sought to integrate this subject matter in the Union. Legislative Decree no. 24/2023 implements that Directive in Italy. Rules on whistleblowing in both the public and private sector are now laid out within a single, comprehensive instrument. In this article, we shall specifically deal with the private sector.
The rationale of the whistleblowing regulations is to encourage the reporting of breaches of law within the workplace by protecting whistleblowers from retaliation.
Objective and subjective scope
The new law concerns “inside” information, including reasonable suspicions, about actual or potential breaches that have occurred or are likely to occur in the organisation with which the whistleblowers have or had a working relationship, and of which they became aware in the context of their work-related activities. This includes work done as an employee, a self-employed worker, freelancer, volunteer, intern, shareholder, or a person with administrative, management, control, supervisory or representation functions. All these subjects are protected as potential whistleblowers.
The law applies in principle to all private companies that, in the previous year, have employed an average of at least 50 employees, although the date of application of certain duties varies based on size. It also applies to companies that, though not reaching that numerical threshold, either operate in special sectors (such as banking, financial services and products, etc.) or fall within the scope of Italian laws on corporate crime liability (with some limitations).
Reportable breaches include, among others, those relating to public procurement; financial services, products, and markets; money laundering; product safety and conformity; environmental protection; food safety; public health; consumer protection; personal data protection; networks and information systems security; tax crimes; and violation of corporate governance rules.
Disputes or grievances of a personal nature in individual employment relationships, and reports of violations relating to procurement involving defence or national security aspects, are excluded.
Reporting options
Without prejudice to the implied right of directly reporting to law enforcement, under the new law three options are made available to expose a relevant breach: an internal reporting channel; an external reporting channel, managed by ANAC, the Italian anti-corruption authority; and, finally, public disclosure (via, for example, news media or social media).
The internal channel is the default reporting mode; the ANAC external channel can be used subject to an internal reporting channel not being available, or the internal report not having been followed up, or the whistleblower having reasonable grounds to fear retaliation or the existence of an imminent or obvious danger for the public interest. Similar conditions are provided for the protection of the person choosing the public disclosure channel.
Reports can be made in written or oral form, including by telephone or voice messaging systems, or, at the request of the reporting person, by means of a physical meeting.
A three-month timeframe is established to provide feedback to the reporting person.
Confidentiality
The whistleblower’s identity shall not be disclosed, without the whistleblower’s consent, to anyone beyond the staff members qualified to receive the report and follow up on it.
To prevent a legal loophole, this confidentiality shield also acts as an explicit exception to the data subject’s right of access under data protection laws; otherwise, the reported person could have requested disclosure of the reporting person’s identity under the GDPR and the Italian Data Protection Code.
By way of derogation, the identity of the whistleblower may be disclosed where this is necessary to safeguard the concerned person’s right of defence. In such cases, the whistleblower must be informed beforehand in writing of the reasons for the planned disclosure.
In criminal proceedings, the identity of the whistleblower will, as a rule, be kept confidential during the investigations and disclosed only upon indictment.
In internal disciplinary procedures, the whistleblower’s identity may be disclosed where the report is essential to the charges being brought and such disclosure is necessary to safeguard the concerned person’s rights of defence, but only with the explicit consent of the whistleblower. Failing the latter, the content of the report must be discarded.
Protection measures
The law also grants whistleblowers special protection measures. These are subject to the condition that, at the time of reporting or public disclosure, the whistleblower had reasonable grounds to believe that the information provided was true and fell within the objective scope of the application of the law. The whistleblower’s personal motives are irrelevant, so long as he/she acts in good faith.
The main protection measure is a general prohibition of retaliation against whistleblowers, including in the form of dismissal, lay-off, suspension, demotion, withholding of promotion, change of duties or workplace, wages reduction, intimidation, ostracism, reputational damage ("particularly on social media"), early termination of the relationship and others.
The list is, however, non-exhaustive: any act or omission prompted by internal or external reporting or by public disclosure, and which causes or may cause unjustified detriment to the reporting person, qualifies as retaliation.
All actions taken in violation of the prohibition on retaliation are radically null and void. Individuals dismissed because of the report or disclosure have a right to reinstatement in the job, as well as, where appropriate, compensation for damages and any other appropriate remedial measure.
In proceedings of any nature relating to alleged acts of retaliation, a reversal of the burden of proof applies: the relevant act or omission is presumed to have been carried out in retaliation for the report or public disclosure, and it is for the person who carried them out to prove the contrary.
In damages proceedings brought by a whistleblower, provided that the latter establishes that he or she made a report or a public disclosure and suffered harm, a presumption applies regarding the existence of a causal link between the report or public disclosure and the harm suffered.
In addition, pecuniary penalties are provided, administered by ANAC, from 10,000 up to 50,000 euros against any natural or legal persons who retaliate, attempt to hinder reporting, or breach the duty of confidentiality.
The law also grants a general exemption from civil, administrative and criminal liability in legal proceedings, including for defamation, breach of copyright, breach of secrecy, breach of data protection rules, disclosure of trade secrets, brought against a whistleblower on the basis of a report or public disclosure. This protection is applicable provided that, at the time of reporting or disclosure, the whistleblower had reasonable grounds to believe that the reporting or disclosure was necessary in order to reveal a breach.
Any liability of the whistleblower is also excluded in respect of the acquisition of, or access to, information on the reported breaches, except in the case in which the acquisition or access constitutes a self-standing criminal offence.
Obligations for private companies
The part of the new law having the greatest immediate impact on the life of private companies falling within its scope relates to the setting up of the internal reporting channel.
The latter must be set up after consultation with the trade union representatives, and be designed in such a way as to secure (including through encryption) the confidentiality of the identity not just of the whistleblower, but also of the people involved and mentioned in the report, as well as the confidentiality of the contents of the report.
The operation of the reporting channel must be entrusted either to a dedicated and specifically trained internal person or department, or externally to an independent third party. Companies that have employed an average of fewer than 250 employees in the last year are allowed to use shared platforms.
Among the tasks of the internal reporting channel managers is to provide clear information on the channel itself, on the procedures and on the prerequisites of the reporting, making it easily accessible in the workplace and to any individuals interacting with the company in the context of a working or professional relationship. The same information shall be published on the company’s website.
The processing of personal data inherent to the setting up of an internal whistleblowing line will compel companies to adopt appropriate security measures and comply with all the obligations imposed by privacy regulations: for example, outsourcing the reporting channel to a third party will imply the need for a data processing agreement.
Some of these privacy obligations are set out directly by Decree no. 24/2023. The new law makes the carrying out of a preliminary Data Protection Impact Assessment compulsory and prohibits the collection of personal data that is manifestly not necessary for the management of a specific report. The keeping of records on internal and external reports and related documentation is permitted only for the time necessary to process the report and, in any event, for no longer than five years from the date of communication of the outcome of the procedure.
Administrative fines ranging from 10,000 to 50,000 euros are provided for failure to set up reporting channels and procedures compliant with the law or for failure to follow up on reports received.
As mentioned above, although in principle the Decree came into force on 15 July 2023, legal entities in the private sector with 50 to 249 workers have until 17 December 2023 to set up an internal reporting channel compliant with the law.