20 years after Sarbanes-Oxley: what will be Luxembourg employers’ obligations to protect whistleblowers?

By Maurice Macchi and Julian Kisslinger (Allen & Overy)

        Exactly 20 years ago, three whistleblowers were named “Persons of the Year” by the TIME magazine further to a number of major corporate and accounting scandals, including Enron and WorldCom. In reaction to such unprecedented series of large corporate frauds, the 107th US congress enacted the so-called Sarbanes-Oxley Act (SOX), which provides in its section 806 for a specific whistleblower protection.


        In Europe, for obvious historical reasons, Governments were at the time reluctant to foresee a clear legal framework for whistleblowers.

        Now, almost 20 years later, the European legislator has adopted a directive in 2019 on the protection of individuals who report violations of EU law. The objective of this directive is to remedy the current fragmentation of whistleblower protection legislation within the EU by introducing minimum rules and guarantees.

        Luxembourg has tabled its draft bill in January 2022. Even if the Bill has yet to go through the entire legislative process, and will hence most certainly see its text modified, Luxembourg employers are well advised to start internally reflecting on the implementation of their future obligations foreseen in the Bill.


        I. What does the Bill cover? 

        According to the Bill, whistleblowers are individuals who have gained, in the course of their professional activities, knowledge and information of violations of national / European law, and who report, disclose such violations via internal reporting channels (i.e. within his/her employer) or through external reporting channels, and so report violations directly to the competent authorities, such as the CSSF or the Luxembourg Labour inspectorate).

        In addition, and subject to specific conditions, whistleblowers may directly disclose such violation to the public.


        What is the Bill’s material and personal scope of application?

        With respect to the Bill’s material scope of application, it is interesting to note that, although the Directive only covers certain acts and fields of action of the European Union, the Luxembourg government has decided to extend the Directive’s material scope to all national law, and thus also to Luxembourg Labour law and violations thereof. The Luxembourg legislator’s decision to extend the scope of application beyond what the European legislator had foreseen, seems to be motivated by the Luxembourg government’s desire to guarantee a complete, coherent and more clearly defined framework of whistleblower protection and hence to provide a greater legal certainty for both, whistleblowers and employers.

        However, provisions on whistleblower protection, which are already contained in specific sectoral laws, provided they offer similar guarantees, prevail over the Bill’s general provisions. This is for instance the case of the law of the financial sector 5 April 1993 as amended, which already sets forth reporting procedures of violations and so offers similar, equivalent guarantees for whistleblowers working in the financial sector.

        As regards the Bill’s personal scope, it applies to whistleblowers working in the private sector, i.e. employees, or in the public sector (civil servants) who have obtained information about violations of European and /or national law in a professional context, meaning during the performance of their work.

        More precisely, the Bill’s personal scope includes, in addition to notably trainees, shareholders and members of the board of directors, also former employees and persons whose employment relationship has not yet begun, for example, when information about violations was obtained during the recruitment process or during pre-contractual negotiations.

        This goes to show that the array of individuals who might benefit from the Bill’s protection regime of whistleblowers is rather large.


        What kind of companies operating in the private sector are concerned?

        Pursuant to the Bill’s provisions, companies counting between 50 and 249 employees have until 17 December 2023 (a “Transition period”) in order to establish so-called “internal reporting channels,” meaning a system and procedures, which allow employees to internally report violations of European and national law they became aware of in the framework of their job. 

        However, for employers currently counting 250 employees or more, the requirement of the establishment of such internal reporting channels and corresponding procedures is immediate, i.e. as of the entry into force of the law, whereas companies with less than 50 employees are free to decide to set up such internal reporting channels and procedures.

        Therefore, the biggest companies in terms of workforce are well advised not only to closely monitor this Bill but also to be ready as from day 1, what requires a certain anticipation and planning in the internal decision-making. To be more precise, Luxembourg employers must take specific steps in order to effectively establish such a “whistleblowing system” within their company and to ensure its enforceability.


        II. Implementation and enforceability of a Whistleblowing system

        As a first step, the introduction of a whistleblowing system within the employer requires the establishment of a “whistleblowing policy”. In this respect, the Luxembourg courts have ruled that such a “whistleblowing policy” is to be considered as having the legal value of an internal regulation (such as the teleworking policy for instance). 

        Therefore, the effective introduction of such whistleblowing policy within the company requires the prior involvement of the staff delegation, provided of course the company has a staff delegation. The degree of the staff delegation’s involvement in this regard depends on the company’s headcount:

        In companies counting less than 150 employees, the employer is merely obliged to inform and consult the staff delegation on the envisaged implementation of the whistleblowing policy. This means in practice that even if the staff delegation renders a negative opinion on the envisaged implementation of a whistleblowing policy, the employer can nevertheless proceed to the implementation of a whistleblowing policy and the whistleblowing system (i.e. the internal reporting channels and underlying procedures).

        However, in case the company counts 150 employees or more, the employer must obtain the staff delegation’s approval (the regime of co-decision) prior to introducing such a whistleblowing policy. 

        Finally, the employees must be informed of the introduction of a whistleblowing policy and the subsequent mechanisms put in place within the company. Hence, there is a need to prepare a proper communication and maybe also an information session in order for the employees to understand their rights and obligations in this context. 

        Assuming the employer has established such a whistleblowing policy and set up internal reporting channels and relevant procedures: What kind of protection does the Bill grant whistleblowers and what are the conditions of this protection?


        III. What about the protection of whistleblowers? 

        The protection of the whistleblowers against any form of retaliation is subject to strict conditions. In order to benefit from the protection against any form of retaliation, whistleblowers must:

        First, have reasonable grounds to believe, in light of the circumstances and information available to them at the time of reporting, that the facts, information they report were true and fall within the Bill’s scope. 

        In other words, an employee who would deliberately and knowingly report information that he or she knows to be false or misleading from the outset would not be protected. This requirement is indeed an essential safeguard against malicious or abusive reporting. At the same time, this requirement ensures that the whistleblower remains protected when he or she has reported information in good faith, which later turned out to be inaccurate.

        Second, whistleblowers must have reported a violation either via an internal or external reporting channel or, subject to specific conditions, a public disclosure in accordance with the Bill’s provisions.

        With respect to these reporting channels, one must bear in mind that the Bill establishes a hierarchy between the different reporting channels: This means that the whistleblower may freely choose to report the violation via an internal or an external channel. However, the whistleblower must have used one of the two reporting channels prior to publicly disclosing a violation of national or European law.


        How do these reporting channels work?

        Internal reporting

        First of all, these reporting channels may be managed internally by a designated person or department (e.g. HR or the company’s legal department) or externally by a third party. 

        As regards the procedure, and as a first step, internal channels for receiving reports must be designed, established and managed in a secured way that ensures the confidentiality of the whistleblower’s identity and any third parties mentioned in the reporting. 

        The whistleblower’s identity may only be disclosed if this is a necessary and proportionate obligation imposed by national and European law in the context of investigations, which are carried out by the authorities or in the context of legal proceedings, in particular in order to safeguard the rights of defense of the persons concerned.

        Once the report is received, the whistleblower must receive an acknowledgement of receipt of his or her report within seven days.

        The employer is responsible for designating a staff member who is in charge of receiving and following up on reports internally. The person responsible for receiving the reports must be an impartial person or department capable of ensuring the follow-up (such as HR or the company’s legal department) and the whistleblower must receive an answer to his or her report within three months of acknowledgment of receipt of the reporting.

        These internal reporting channels allow for written and/or oral reporting in one of Luxembourg’s three official languages or in any other language accepted and practiced within the company, such as English.

        Furthermore, it is possible to report by telephone and, if requested by the whistleblower, through a face-to-face meeting. Employers are well advised to abide by these rules, given that in case non-compliance the competent authorities may impose an administrative fine of 1,500 euros to 250,000 euros on the employer.


        External reporting (procedure and follow-up)

        Instead of having recourse to internal reporting channels, the whistleblowers may decide to go down a different route and choose to report externally, i.e. directly to a competent authority.

        The procedure and follow-up for reports made to a competent authority are essentially the same as for internal reportings. Yet, some differences exist:

        First, the competent authorities may decide that a reported violation is clearly minor and does not require further follow-up. Second, the competent authorities may not act on a repetitive report containing no new information. 

        However, in both of the aforementioned cases, the competent authority must give reasons for its decision and must inform the whistleblower thereof.

        It is important to bear in mind that the Bill provides for a hierarchy between internal and external reporting, i.e. internal reporting shall be prioritized. Therefore, in order for individuals to prioritize internal reportings, companies must ensure that their internal reporting channels are efficient and easy to use. In this respect, the implementation of an electronic / online whistleblowing system, which is compliant with the GDPR rules, has the advantage of guaranteeing the security and anonymity of whistleblowers. 


        How are whistleblowers protected in practice?

        For and foremost, all retaliatory measures, including threats and attempts at retaliation, in response to the whistleblower’s reportings made in compliance with the procedure are prohibited. Moreover, specific forms of retaliation by the employer, such as dismissals, demotions, salary reduction, change of working hours and disciplinary sanctions in general are voidable.

        This means that the employee concerned may, within 15 days following notification of the retaliatory measure, bring the matter before the Labor Court in order to have the retaliatory measure be ruled null and void and to obtain its cessation. The employee who has not invoked the nullity of the retaliatory measure may still bring an action for compensation for the harm suffered, and thus claim damages.


        Shift of the burden of proof 

        The effectiveness of protection introduced by the Bill would indeed be limited, if it where up to the whistleblower to prove that he or she had suffered retaliation following his/her reportings. 

        Thus, the Bill provides for a reversal, a shift of the burden of proof, provided that (i) the whistleblower is acting in good faith and (ii) has complied with the prescribed reporting procedures. 

        If this is the case, once the whistleblower has made a prima facie case that he or she reported the violations in accordance with the Bill’s provisions and suffered harm, the burden of proof shifts to the person who took the harmful action, i.e. the employer. Consequently, it will be up to the employer to demonstrate that his actions were unrelated to the whistleblower’s reportings.

        However, a whistleblower who knowingly reports or publicly discloses false information may be subject to a prison sentence of 3 days to 3 months and a fine of 1,500 euros to 50,000 euros. Moreover, the author of a false report may be held civilly liable. In this respect, the entity which has suffered damages may claim compensation for the loss suffered (damages) before the competent court.


        It is needless to say that the Bill is complex and that employers will have to prepare for its coming into force properly, since many technical and practical points will have to be factored in. In addition, and beyond legal considerations, one critical aspect will also be to “educate” employees in the sense that the whistleblowing channels should not be misused or diverted from their actual aim. There will hence be a need to inform employees properly about their rights and obligations.

        The future will tell how well the “Luxembourg SOX” will be received and what challenges it will pose to Luxembourg employers in practice.


        Maurice Macchi, Labour Law Counsel

        Julian Kisslinger, Labour Law Associate

        Allen & Overy