30.10 2023

Draft act on protection of whistleblowers puts an extra burden on businesses

The draft law, which was recently adopted by the Riigikogu for first reading, significantly reduces the number of offences for which employers are obliged to ensure the confidentiality and protection of whistleblowers. These changes could make the application of the law unexpectedly difficult for businesses.

The draft act provides protection for the whistleblowers only if the infringement falls to at least one of the areas of European Union (EU) law listed in the act. The draft act includes a closed list of twelve areas that the EU considers to be priorities, including, for example, public procurement, consumer protection, product safety and environmental protection. This change is also illustrated by changing original title of the act into something lengthy and complicated: “Tööalasest Euroopa Liidu õiguse rikkumisest teavitaja kaitse seadus” (Whistleblower Protection Act). We will refer to it here as the Whistleblower Protection Act.

We understand that the previous broad scope of application made employers fear that the hotline will be clogged by various reports of breaches which, on closer inspection, turn out to be false. KPMG’s practical experience of running a hotline and various international studies confirm that such fears are unfounded.

We believe that if the scope of the act becomes very narrow, as envisaged by the new draft act, the situation could be complicated the other way round. It will be up to the business to ascertain whether or not the reported breach is covered by the Whistleblower Protection Act. The company must reject all reports concerning occupational violations that arise only from Estonian national law or EU law that are not covered by the areas set out in the draft law.

Thus, the employer must first be able to distinguish which violation falls within the scope of the Whistleblower Protection Act and, secondly, to give clear messages about this also to its employees, partners and other professionally related persons, so that the latter know what kind of reports the business expects to receive on the hotline.

All whistleblowers need protection

We believe that larger businesses will have no problem in identifying which breaches of EU law fall within the scope of the Whistleblower Protection Act under the current draft law and which of them are related to their economic activities. However, for smaller businesses, which will also be obliged to set up a hotline, detection may require significantly more resources than under the previous draft law. The list of legal acts is very long, and it is necessary to have an internal understanding in Estonia of which acts should be considered a breach of EU law under the Whistleblower Protection Act. Such mapping of breaches of EU rights could be done by the state to ensure a uniform application of the law and a uniform standard of protection for whistleblowers, but this is unlikely to happen in practice.

If we look at the situation through the eyes of the whistleblower, the most important thing for them is to know what kind of reports the employer expects from them. The more confusing the employer’s messages are about expected notifications and whistleblower protection, the more likely it is that a breach will not be reported or the report will be made directly to the competent authority. However, this contradicts the legislator’s idea to create a legal framework so that people can communicate their concerns to the employer first. The latter can respond to a potential breach more quickly and more effectively than any external authority and prevent or limit damage.

In order to better protect the interests of both whistleblowers and businesses, it would be sensible to amend the draft law so that breaches in the twelve areas of relevance for the EU (e.g. consumer protection, environmental law, tax law) listed in the Directive would continue to fall within the scope of the act, but irrespective of whether the composition of the breach arises from EU law or national law. In our opinion, persons who report a breach that arises from Estonian law need protection in the same way as EU law.

If we’ve agreed in Estonia that an act (or omission) is illegal, it could be assumed that we would like to contribute to a faster and more effective detection of these offences by the organisations themselves and to protect those courageous people who report breaches. The more serious the breach, the more integrity and courage is required to report it, and the more it is in the interests of organisations, as the consequences can be more severe for them.

In conclusion, it can be said that compliance with the EU minimum could, at least initially, lead to legal ambiguity and bring along a higher administrative burden and higher legal costs than expected for all employers who implement this act conscientiously. At the same time, our proposed recommendation would be somewhat narrower than the first (2021) draft law, as it would still limit the areas covered by whistleblower protection, but not too narrowly, which could lead to other concerns for practitioners already described above and discussed by various authors in the media.

Twelve priority areas of European Union law

If a breach (as an unlawful act or omission) falls within the scope of these twelve areas of EU law, then reporting the breach falls within the scope of the draft Whistleblower Protection Act:

1) public procurement, 2) financial services, 3) product safety, 4) transport safety, 5) protection of the environment, 6) radiation protection and nuclear safety, 7) food and feed safety, 8) public health, 9) consumer protection, 10) protection of privacy and personal data, 11) breaches affecting the financial interests of the Union, and 12) competition and state aid breaches and possible EU-related tax fraud by companies.

Irrespective of the scope of the Whistleblower Protection Act, even in the case of rejection and failure to act on a breach report, the employer will, as a rule, be obliged under the new draft law to accept the report, send the person an acknowledgement of receipt of the report within seven days, reply to him or her as soon as possible about the failure to initiate proceedings and retain the report for three years.

The employer must ensure the confidentiality and protection of the whistleblower if the whistleblower had reasonable grounds to believe that the breach had been initiated or completed and fell within the scope of the draft law.

If it turns out that the report concerned a breach that is not covered by the act, although the whistleblower believed this in good faith at the time of the report, the whistleblower must still be offered protection, and may not be subjected to harassment or pressure.

The fact that no proceedings were initiated on the basis of the report does not necessarily give the right to make public the fact that a report was submitted or who submitted it.

Katri Remmelgas

+372 667 6805

Kärt Blumberg

Internal Auditor
KPMG Baltics

KPMG global ESG survey: ESG is becoming an impactful element in transactions

The inclusion of environmental, social and governance (ESG) due diligence into the process of buyi..

Article 10.07 2023

The Legal 500: KPMG Law is among the finest law firms

In the new 2023 edition of the prestigious international legal directory The Legal 500, KPMG Law a..

Article The Legal 500 23.05 2023

State starts to assess the reliability of foreign investments in Estonia

In January 2023, the Riigikogu adopted the Foreign Investment Reliability Assessment Act (FIRAA), ..

Article 27.04 2023

Impact of DORA Regulation on legal and IT departments

With the increasing digitalisation of the financial sector, more and more attention is paid to th..

Article 26.04 2023

Changes in the Occupational Health and Safety Act

Amendments to the Occupational Health and Safety Act entered into force on 19 November 2022. The o..

Article 11.12 2022
We are committed to high-level strategic legal assistance in the Baltics, Scandinavia and globally.

Advokaadibüroo KPMG Law OÜ

+372 6676 805
Ahtri 4, 10151 Tallinn, Estonia
Email again: