Whistleblower Protection Act finally adopted

2024-05-22
Article by: Karina Paatsi, Heili Haabu

  • The Act on the Protection of Whistleblowers of Work-Related Violations of European Union Law will come into effect on 1 September 2024.
  • Whistleblowers will be protected when reporting specific violations of EU law.
  • As of 1 September 2024, companies with at least 250 employees must introduce internal reporting channels.
  • As of 1 January 2025, the requirement will extend to companies with 50 to 249 employees.

After prolonged delays, the Estonian Parliament finally incorporated the EU Whistleblowing Directive into national law on 15 May 2024 by passing the Act on the Protection of Whistleblowers of Work-Related Violations of European Union Law (referred to as the Whistleblower Protection Act).

The new law establishes a minimum framework for receiving reports from employees about violations of EU law that they become aware of in the course of their work. It also sets requirements for providing feedback to whistleblowers and protecting them from retaliation.

The Whistleblower Protection Act does not regulate reporting of all types of violations as initially conceived. Thus, employees will only receive protection when reporting specific EU law violations, not other types of employment-related violations, through the whistleblowing channel. The law ensures only the minimum protection required by the EU Directive. According to the new law, whistleblowers are protected when reporting to their employer any violation of EU law in the following areas:

  • public procurement
  • financial services, products and markets, and the prevention of money laundering and terrorist financing
  • product safety and compliance
  • transport safety
  • environmental protection
  • radiation protection and nuclear safety
  • food and feed safety
  • animal health and welfare
  • public health
  • consumer protection
  • privacy and personal data protection, and the security of network and information systems
  • violations affecting certain financial interests of the EU
  • income tax-related violations concerning the internal market

Employees who are not experts in EU law may find it challenging to distinguish between violations of EU law and national law. Despite the limited scope of the Whistleblower Protection Act, workplace discrimination against individuals reporting other breaches is still prohibited under the European Convention for the Protection of Human Rights and Fundamental Freedoms and other applicable laws. However, employers are not required to investigate reports of other violations in the same manner or provide feedback on them.

By 1 September 2024, the following entities must establish internal reporting channels for receiving reports of violations:

  • companies with 250 or more employees
  • entities under national financial supervision
  • certain state and municipal authorities and their subordinate institutions

Starting 1 January 2025, the requirement to establish internal reporting channels will extend to employers with 50 to 249 employees. Employers with fewer than 50 employees will not be required to create separate reporting channels.

The established channels must enable the confidential receipt of violation reports, either in writing, orally or both. The confidentiality requirement does not imply that anonymous reporting must be ensured – the Act does not regulate anonymous reporting.

When receiving a violation report (within the scope of the Act) through the reporting channel, the employer must acknowledge receipt within seven days. The employer must take appropriate follow-up actions to identify, eliminate and prevent the violation, or forward the report for processing by a competent authority (such as the national supervisory authority or the police). Feedback on the follow-up measures must be provided to the whistleblower at the earliest opportunity and no later than three months after receipt of the report. The whistleblower must also be informed of the outcome of the proceedings.

Whistleblowers have the right to confidentiality, and any direct or indirect workplace retaliation or threat thereof is prohibited. Although current law already prohibits this, the new law explicitly reiterates this protection.

Hindering reporting, breaching whistleblower confidentiality and retaliatory measures are punishable by fines of up to 100,000 euros under the new law. Therefore, to avoid risks, companies are advised to establish appropriate channels for receiving reports – such as setting up an email address where employees can report violations, with the emails accessible only to designated competent personnel.

To comply with the new requirements, companies should prepare separate guidelines on how to evaluate received reports (including whether an investigation is necessary), who to involve in the investigation (depending on whether the required expertise is available within the company or if external service providers are needed), when to notify national supervisory authorities, and so on. Companies should also consider how to maintain confidentiality and provide feedback to whistleblowers.