Necessity of reporting or public disclosure of information
In the previous blog it was argued that the Directive apparently divides persons who report in good faith into groups with “more” and “less” good faith. The latter is excluded from the protective measures. However, even for the “more” good faith reporting persons the protective measures are anything but self-evident under the Directive.
The Directive stipulates an additional condition for the protection against retaliation, which relates to the information that is reported or publicly disclosed by a reporting person. This condition was not included in the Directive’s proposals and apparently found a way to creep into its final text that was adopted.
As per the definition in Article 5 (2) of the Directive the information on breaches means information on actual or potential breaches, which occurred or are very likely to occur. However, reporting or publicly disclosing such information in “more” good faith is not enough under the Directive. The reporting or public disclosure of such information needs to be necessary for revealing the breach.
Article 21 of the Directive stipulates measures for protection against retaliation. In its paragraph 2 the Article stipulates that persons who report information on breaches or make a public disclosure in accordance with this Directive shall not be considered to have breached any restriction on disclosure of information and shall not incur liability of any kind in respect of such a report or public disclosure provided that they had reasonable grounds to believe that the reporting or public disclosure of such information was necessary for revealing a breach pursuant to this Directive. Paragraphs 4 and 7 of the same Article include the same necessary reporting or public disclosure condition.
These are extremely important protective measures for reporting persons, which have been additionally conditioned in the final text of the Directive. Hence, for a reporting person to avail him or herself of these protective measures, it is not sufficient to report information on the breach in accordance with the conditions from Article 6 of the Directive. Additionally, the reporting person must be able to prove with a certain degree of certainty the necessity of reporting or public disclosure of the information for revealing the breach. Reporting persons are therefore required to distinguish between information on breaches that are necessary for revealing the breaches and that are not necessary for revealing the breaches. Once again, the distinction is everything but trivial. Should a reporting person report information on a breach that was relevant and helpful, but not necessary, he or she may incur liability for disclosing such information.
The necessity of reporting or public disclosure condition from Article 21 additionally raises the already very high bar for reporting persons to avail themselves of the protective measures. Nevertheless, the Member States may still opt for a more effective protection against retaliation and introduce conditions for the protection measures that are more favourable to reporting persons than those set out in the Directive.
To use Trusty for your company free of charge, please fill out the following form. You will receive the link to your personal login and all further information from us shortly.