The new Italian bill on corporate whistleblowing and its privacy implications
A bill for the “Protection of individuals reporting crimes or irregularities learnt in the context of a public or private employment relationship”, already rechristened the “whistleblowing law”, was passed by the Italian Parliament on 25 November 2017, and is about to enter into force.
Corporate whistleblowing has been a subject of debate in Italy for at least 15 years, since the US Congress adopted the Sarbanes-Oxley Act, requiring publicly held US companies and their EU subsidiaries to establish internal procedures for the reporting of misconduct. The lack of comparable national rules had always made the implementation of those procedures by Italian subsidiaries of US corporations difficult, especially on account of personal data protection concerns.
A first step towards the regulation of whistleblowing schemes was taken in 2012, when whistleblower protection rules were introduced in the public sector.
With the new bill, however, Italian lawmakers have not only expanded the scope of the existing public-sector provisions, but have finally regulated whistleblowing in the private sector too.
The new bill focuses on the protection of corporate whistleblowers against any form of retaliation in the context of the employment relationship.
The method chosen by its drafters was to amend Act no. 231 of 2001 on corporate administrative liability. Act no. 231 of 2001, while making legal entities subject to administrative penalties for certain offences committed or attempted by individuals connected to them, exonerates, under certain conditions, companies that have adopted organisational models aimed at preventing corporate crimes. Under the new whistleblowing bill, such organisational models must now provide for multiple internal reporting channels, designed to allow the reporting of misconduct while protecting the identity of the reporting party.
In order to strengthen the protection of whistleblowers, organisational models shall also expressly prohibit retaliatory or discriminatory acts (e.g. dismissal, demotion, disciplinary sanctions, transfers) against the reporting person. In the event that a dispute arises over the retaliatory or discriminatory nature of measures that adversely affect the whistleblower’s working conditions, it will be the employer’s responsibility to demonstrate that they are based on grounds unrelated to the report.
Finally, the new law provides that, under certain conditions, disclosure by the whistleblower of professional, trade or business secrets, or the breach of the duty of loyalty to the employer, shall not be deemed unlawful.
The new set of rules will have repercussions especially on the application of labour law and privacy law principles. In the latter regard, a scheme designed to receive reports quite obviously involves the processing of personal data concerning both the reporting and the accused party, including, in the latter case, sensitive data related to the alleged commission of offences.
Back in 2009, the Italian Data Protection Authority sent a report to Parliament and the Government in which it deplored the existence, at the time, of a regulatory void regarding whistleblowing schemes and the possible conflict of the latter with personal data protection laws. In particular, the DPA pointed out the difficulty of identifying, in the legal system then in force, a legal basis for the processing; the difficulty of justifying a limitation of the right of access of the accused subject; and the risk that anonymous reports could be misused for ulterior purposes.
In the meantime, the so-called “General Data Protection Regulation” or GDPR (Regulation (EU) 2016/679) entered into force; it shall apply throughout the EU, Italy included, from 25 May 2018.
The critical question is, therefore, whether the new whistleblowing law conflicts with the soon-to-be applied Regulation.
Starting from the first point highlighted in 2009 by the Italian DPA, it should be noted that the GDPR also requires any processing of personal data to have a legal basis, such as the data subject’s consent, the carrying out of a contract, compliance with a legal obligation, or the purpose of a legitimate interest pursued by the controller.
One might be tempted to conclude that, following the entry into force of the new whistleblowing law, the legal basis for the processing of personal data under a corporate whistleblowing scheme will be compliance with a legal obligation. However, that conclusion would probably be incorrect, because the establishment of whistleblowing schemes will be conditional on the adoption, in the first place, of a corporate organisational model, which in turn is not mandatory but merely optional.
It is therefore more correct, in my opinion, to assume that whistleblowing schemes in Italy will find their legitimacy under personal data protection law in the pursuit of a legitimate interest, relying on the argument that the 2017 legislator has already weighed that interest against all other interests at stake and deemed it worthy of protection.
As for the possible conflict between the right of access of the concerned party (in particular, the accused person) and the need to protect the whistleblower’s identity, at least at an early stage of the investigation, the Regulation, not unlike the privacy legislation currently in force, provides that the data subject has the right to know, “where the personal data are not collected from the data subject, any available information as to their source” (Article 15(1)(g)), i.e., at least in principle, also the whistleblower’s name.
The potential conflict in this case might be defused, in my opinion, by Article 23 of the Regulation, which allows each Member State to restrict by national legislation the scope of the right of access in order to safeguard interests such as, for example, the “prevention, investigation, detection or prosecution of criminal offences” or “the protection of the rights and freedoms of others”.
Furthermore, it should be emphasised that the Article 29 Working Party, in a specific 2006 opinion, had found it consistent with the principles expressed in Directive 95/46/EC (which, in the matter of the right of access, does not differ much from the GDPR) to limit the right of access of the accused person, stating, indeed, that he or she should obtain information on the whistleblower’s identity only in the case of malicious false statements.
The new law, on the other hand, neither encourages anonymous reports nor offers them any form of protection, which addresses the last of the Italian DPA’s concerns in the 2009 document.
Of course, ruling out a conflict between the just-approved whistleblowing legislation and privacy laws is not the same as saying that the former need not be coordinated with the latter, starting with compliance with the duty to inform data subjects (which, once again, must be reconciled with the need not to compromise investigations against the accused person).
It is desirable, in this regard, that the Italian DPA issue implementing guidelines following the entry into force of the law.