Bulgaria is one step closer to the transposition of the Directive on the protection of persons who report breaches of Union law

20 December 2021

In 2019, Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law (“the Directive”) was adopted at European Union (“EU” or “Union”) level. The objective of the Directive is to improve the application of EU law in certain areas by introducing a minimum level of harmonization with regard to mechanisms and protection measures when reporting breaches of Union law. Thus, the European legislator seeks to encourage those who have information about breaches of Union law to report it.

The material scope of the Directive is relatively wide, including breaches of EU law, affecting a number of areas in which the business operates such as: 1) public procurement; 2) financial services, products and markets, and prevention of money laundering and terrorist financing; 3) product safety and compliance; 4) transport safety; 5) protection of the environment; 6) radiation protection and nuclear safety; 7) food and feed safety, animal health and welfare; 8) public health; 9) consumer protection; 10) protection of privacy and personal data, and security of network and information systems. The list also includes the breaches affecting the EU’s financial interests as well as the breaches related to the Union’s internal market (e.g. competition and state aid). However, the Member States may also provide for a wider material scope.

The protection provided by the Directive in respect of persons who report breaches of Union law (or whistle-blowers) also covers a wide range of persons from the private or public sector who possess information on breaches in a work-related context. These can be workers and employees, self-employed persons, shareholders, board members, subcontractors, suppliers, trainees and volunteers, as well as persons during a recruitment process or pre-contractual relations. The protection itself represents a prohibition for counter actions aiming retaliation, which can take the form of dismissal, demotion, imposition of disciplinary measures, early termination or termination of a contract, etc. Moreover, whistle-blowers are not liable when they disclose information to which they have lawful access.

Persons reporting breaches of Union law receive protection where the following two conditions are met: 1) they had reasonable grounds to believe that the information they reported was true at the time of reporting; and 2) they have reported in one of the ways provided for in the Directive. The Directive provides protection also for those who submit anonymous reports but leaves the Member States to decide whether to introduce the acceptance of anonymous reports in their national law.

The Directive provides for three ways of reporting breaches: 1) internally – by reporting breaches within a private or public sector undertaking; 2) externally – by reporting to a competent national authority; and 3) publicly – by disclosing the relevant information about the breach to the public. In order to be protected in case of public disclosure, whistle-blowers must first report internally or externally, and no action has been taken in response to the report.

The introduction of adequate rules and procedures for internal reporting of breaches of EU law is an obligation of the business. In this regard, the Directive provides that this obligation applies to private sector undertakings with 50 or more employees, except for undertakings covered by the EU acts governing the financial services, products and markets, the prevention of money laundering and terrorist financing, transport safety and environmental protection. However, after carrying out a risk assessment, the Member States may also impose this obligation on undertakings with less than 50 employees. For private sector undertakings that have between 50 and 249 employees, the Directive provides some flexibility, allowing resources to be shared between undertakings as regards the receipt of reports and any investigation to be carried out. It is expected that Bulgaria will opt for these shared channels of reporting.

The deadline for transposing the Directive into the national legislation of the Member States expires on 17 December 2021. Despite the lack of a parliament and a regular government in Bulgaria for most of the year, it is expected a national act transposing the Directive in the Bulgarian legislation to be adopted soon. The lack of an adopted act, as a rule, should lead to direct application of the Directive, but in view of the still discussed 7 main options for the member-states and in view of the advanced legislative process in Bulgaria and the existence of the first working version of the act, we do not expect sanctions for non-compliance with the Directive by the Bulgarian business.

Moreover, the process of preparing the transposition of the Directive is currently in its final stages, with an inter-ministerial working group with a wide range of experts preparing a draft Act on the protection of persons who report or publicly disclose information on breaches. It is expected that the final version of the act will not provide for an extension of the material scope beyond that provided for in the Directive. It is also expected that no obligation will be introduced for undertakings with less than 50 employees to create channels for internal reporting of breaches. Regarding determining the competent authorities to which signals will be submitted and which will be able to impose sanctions, it is expected that a decentralized approach will be adopted, and powers will be given to a number of institutions. In addition, the Bulgarian act it is not likely to provide option for anonymous reporting.

However, the last word belongs to the Bulgarian legislator which will decide on the aspects of the Directive giving the Member States discretion, namely: 1) whether to extend the material scope provided for in the Directive by introducing additional areas that may be affected by breaches; 2) which will be the institutions to which reports can be sent as well as which institutions will have the powers to impose sanctions for breaches of the law; 3) what should be the specific measures for protection of the persons reporting breaches; 4) whether the obligation to introduce rules and procedures for internal reporting of breaches will apply to private undertakings with less than 50 employees; and 5) whether anonymous reports of breaches will be allowed.

Authors: Eleonora Mateina and Rashko Stoyanov