Spain: The internal whistleblowing channel and its impact on labor relations (I)

The transposition of Directive (EU) 2019/1937 of 23 October 2019 on the protection of persons who report breaches of Union law, carried out by Law 2/2023 of 20 February, regulating the protection of persons who report regulatory breaches and the fight against corruption, will have a very significant impact on companies and labor relations. In addition to the institutional role assigned to the Independent Whistleblower Protection Authority and the regulation of external channels, including autonomous regional ones, which tighten the bureaucratic spider's web that imprisons civil society, the obligation for companies to establish an "internal reporting system", i.e. an internal whistleblowing channel, will impose new and significant business burdens and generate new conflicts, fuelled by a complex, imprecise and in some aspects redundant regulation.

The first thing that is striking is the Spanish law's extension of the material scope of application of the directive. While the latter (Article 2) covers infringements of European Union law in certain areas listed in its annex, those affecting its financial interests and those relating to the internal market, the Spanish law (Article 2) adds acts or omissions that may constitute a serious or very serious criminal or administrative offence (including in any case those involving financial losses for the Treasury and for the Social Security). What the European rule limits to the law and interests of the Union, the Spanish legislator extends to all serious or very serious criminal or administrative offences. It is true that the extension is protected by the directive itself, which allows (Article 2.2) the Member States to extend protection to other areas or acts not provided for in the directive. But this is yet another manifestation of the Spanish legislator's long-standing habit of not merely transposing Community law but adding new requirements or new content. This is worth reflecting on: it would seem that European regulations (which are becoming ever more prolix and interventionist) are always insufficient for us and that we should go further, without taking into account the impact on the competitiveness of our companies or the growing weight of the regulatory burdens they have to bear. It would be interesting to analyse which obscure collective complexes encourage this tendency.

But the important thing is that the extension of the scope may lead to a collision with existing labor procedures, whether internal to companies or not (inspection procedures, penalties, and settlement of social security obligations). Administrative and criminal offences are mentioned without further ado, and only the area of health and safety at work is saved, with an imprecise formula (Article 2.3), subject (in what sense? with what scope?) to its specific regulations. There is a lack of nuances and specifics, and this is a source of legal uncertainty. The repeated appeal in the Preamble of the law to the fact that the general interest is at stake (that it is damaged, affected, or undermined) is not reflected in the text of its precepts. It is not clear, therefore, whether it can be required that the reported offence affects the general interest, although what the law does exclude is "information linked to claims about interpersonal conflicts or affecting only the informant and the persons to whom the communication or disclosure refers" (Article 35.2.b). This seems to leave out complaints about actions affecting the informant (the different types of harassment or discrimination) and which are imputed to a specific person, or to a group of specific persons, but here again we cannot be fully certain about how the interpretation and application of the law will occur.

In relation to this, the question also arises as to whether the internal whistleblowing channel can coexist with others that may already be established in the company (e.g. equality plans or harassment protocols) or whether it should/can integrate or absorb them. In favour of this integration operates the mandate of Article 5.2.d) of the law, according to which the internal management system shall "integrate the different internal information channels that may be established within the entity". Similarly, Article 7.1 provides that all internal information channels shall be integrated into the internal system regulated by the law. But does integration mean unification, and can different channels be maintained, even if they are integrated into the internal system? This, in any case, must be seen in connection with the provision of the first transitory provision regarding the possibility that existing systems and channels in companies can be used to comply with the provisions of the law, as long as they "comply with the requirements" established therein. The regulation speaks of "internal communication systems and their corresponding channels” but does not require their integration or the configuration of a single channel, which raises the question of whether, despite what is provided by the aforementioned Articles 5 and 7, the provisions of the law can be complied with through different systems and channels already in place. In any case, companies adapting pre-existing channels will have to ensure that it is clear that they comply with the requirements of the law, as required by the first transitional provision.

Companies with 50 or more employees are obliged to have an internal information system in accordance with the terms of the law (Article 10). This is in line with the provisions of Article 8.3 of the Directive, but there is no doubt that the economic and bureaucratic burden for small companies may be excessive. For this reason, both the European legislator (Article 8.6 of the Directive) and the Spanish legislator (Article 12 of the law) provide for a kind of shared internal system, a "pooled" system, whereby companies with between fifty and two hundred and forty-nine employees may share the system and the resources allocated to its management, which may correspond to any of the pooled companies or they may opt to outsource it (an option that is open to all companies: Article 6 of the law). In any case, each company is obliged to maintain the confidentiality of complaints, to respond to the complainant and to deal with the infringement reported (Article 8.6 of the Directive). This joint management, for which the law does not contain any further specifications (such as the requirement of any criteria to justify it, such as geographical proximity, belonging to the same production sector or integration in a cluster) can be, if well designed, a very interesting way for medium-sized companies to comply with their legal obligations.

Finally, it should be noted that there are specific provisions for groups of companies (Article 11 of the law), in which the controlling company must approve a general policy regarding the internal information system and ensure the application of its principles in all the companies that make up the group, notwithstanding the autonomy and independence of each of them. The internal information system may be one for the whole group and the person responsible for it may also be the same, although the requirements of Article 8.6 of the Directive must also be considered applicable in the case of the group, in the sense that each company must guarantee confidentiality, the response to the whistleblower and the treatment of the reported infringement.

In a future publication we will discuss the channel manager, anonymous whistleblowing, and sanctions.