The aim of this entry is to highlight what are in my opinion two serious shortcomings of the whistleblower protection law (Law 2/2023, of 20 February, regulating the protection of persons who report regulatory infringements and the fight against corruption):
the obligation for private sector and public sector entities and bodies subject to criminal liability to report to the Public Prosecutor’s Office, I believe against the Constitution,
and the lack of criminal immunity of the whistleblower, I believe, vis-à-vis the Directive that gives rise to the Law (Directive 2019/1937, of 23 October, on the protection of persons who report breaches of Union law).
I will end my reflection with a comment, no longer a complaint, on a question that seems to me to be very relevant in the practice of internal disclosure of irregularities in companies and public institutions: whether it is possible to maintain confidentiality in the event that the reported matter is “criminalised” (submitted to criminal jurisdiction). The question is whether confidentiality is a guarantee with feet of clay.
Previous: a necessary law
As I am going to be a bit grumpy about the law, before the grumbling I would like to pay tribute to the law and the original directive. This is a very necessary law from a criminal point of view, and that is why its shortcomings are all the more annoying. One is the compulsory nature of public denunciation, because it is anti-guarantor; the other is the lack of immunity from prosecution, because it undermines the noble objectives of the law to a considerable extent.
I have already reflected on the timeliness of whistleblower protection in my post “The EU Whistleblower Protection Directive: a criminal perspective”. As criminology teaches us, the crimes committed by companies and public organisations are becoming more and more worrying. It would take a long time to dwell on the causes, which are similar but not the same in companies and public organisations.
What happens in the company is that it is a group in which its members tend to be strongly dependent on it, vitally dependent on it, so they will try to be well regarded by the organisation – to remain in it or to prosper in it – and of course and above all not to do anything that harms the interests of the organisation, as it would seem to be in principle to denounce irregular conduct that benefits it. This coercive context is often accompanied by a peculiar internal culture of justification of economic crime. That “we harm others but as a bitter necessity for survival”.
In public institutions there are similar circumstances of opacity of crime. On the one hand, because the authority or official who corrupts himself does so within an institution that controls, organises and also organises to hide his irregularities. Often these irregularities will only be known by their subordinates, who will come up against strong barriers to reporting them: again, fear of the power of their superiors, which may extend to their own job; the generation of criminal group cultures in civil service units of the type “it is only fair that we should have additional benefits in view of what we are paid and what it cost us to become civil servants”.
In addition to these criminogenic factors, there is the impunity of corporate and public organisation crime. Crimes grow when they are difficult to detect. A lot of profit with little risk. And here they are. What is very difficult to detect from the outside with our police and judicial resources is not reported from the inside. And when, exceptionally, the crime is detected externally, we come up against a second obstacle to punishing it. We know that the crime was committed but we lack information about who committed it in the intricate business or public organisation. And this lack of information leads to acquittal. As is well known, the presumption of innocence only allows us to punish based on the certainty of the facts: when we know that someone has actually committed the harmful behaviour and we know beyond reasonable doubt.
This opacity can usually only be pierced from the inside. That is why it makes good legal sense to encourage internal vigilance. Or at least facilitate it. Or at least not hinder it. An indispensable feature of this encouragement is the protection of the whistleblower, which is the primary purpose of Law 2/2023, as its title states. Incidentally, and as our Anglo-Saxon colleagues teach us, the invention of the criminal liability of legal persons ends up working as a stimulus to internal disclosure of crime. A sort of “company: investigate and hand over to me the culprit of the crime or else I will come against you”.
Criminal immunity
The first of the two major flaws in the law is the lack of criminal immunity for reporting wrongdoing, a major flaw that is difficult to exaggerate. The basic logic of the law is that of facilitating alerts through the ubiquity of reporting channels and the immunity of the whistleblower. It is obviously a question of guaranteeing that there will be no reprisals from the organisation towards the whistleblower who reports an irregularity that favours the organisation, because without this protection no one will report. The confidentiality rule is nothing more than a flanking rule, a guarantee of indemnity.
That said, not everything has been said, because perhaps the worst consequence for the whistleblower may not come from within but from the State: the fact of reporting the irregularity may end up causing civil liability (which is considered a source of compensation for the company); or, worse, that he or she incurs an administrative offence; or, much worse, that he or she is considered to be committing a crime (for example, disclosure of secrets or libel or slander). And, by the way, for the penalty (for punishment) it is already sufficient, as we know, to charge and subject to incisive criminal proceedings.
The Directive made this clear. Already in its recitals (which is not surprising: I have never understood that Directives practically repeat the normative content in the preamble; 110 recitals in this Directive) it states that:
“whistleblowers should not incur any liability, whether civil, criminal, administrative or employment-related” (recital 91);
specifying later that this is a catch-all in proceedings “for defamation, infringement of copyright, trade secrets, confidentiality and protection of personal data” (recital 97).
And this is then embodied in Article 21 of the Directive:
“persons who report information about infringements or who make a public disclosure in accordance with this Directive shall not be regarded as having infringed any restriction on disclosure of information, and shall not incur any liability of any kind in connection with such reporting or public disclosure” (21.2). It is then specified that this applies to “legal proceedings, including those relating to defamation, infringement of copyright, breach of confidentiality, breach of data protection rules, disclosure of trade secrets, or to claims for compensation based on private, public or collective labour law”. In these, whistleblowers ‘shall not incur liability of any kind as a result of complaints or public disclosures under this Directive’ (21.7).
The Directive quite sensibly limits criminal immunity to the conduct of disclosure, and does not extend it accordingly to the possible criminal content of the conduct of obtaining the information that is then disclosed. And this is obvious: to give an extreme example, there would be no sense in immunity for a person who tortures a colleague in order to obtain the information he needs for the subsequent denunciation. Thus, Article 21.3 of the Directive says that
“Whistleblowers shall not be liable in respect of the acquisition of or access to information which is publicly communicated or disclosed, provided that such acquisition or access does not in itself constitute a criminal offence. In the event that the acquisition or access itself constitutes a criminal offence, criminal liability shall continue to be governed by the applicable national law”.
Incidentally, the preamble, in point 92, gives a nod to the fact that perhaps this offence in the acquisition of the information might merit some mitigation on the grounds that it has had some value: that national bodies should assess the liability of the whistleblower
“in the light of all relevant factual information and taking into account the particular circumstances of the case, including the necessity and proportionality of the act or omission in relation to the public report or disclosure”.
In any case, the warning for whistleblowers who obtain information by criminal means is twofold. Not only is their offence of obtaining information not covered by the law, it is not justified, but in cases in which, in addition to the offence, a fundamental right is violated – significantly privacy – it may be that it has no evidential value with regard to the offence to which the complaint is directed. I refer here to the complex constitutional jurisprudence contained in STC 97/2019, in the Falciani case, on the cases in which the production of evidence obtained in violation of fundamental rights in turn violates the constitutional guarantees of a fair trial.
The legislator’s disobedience
It seems quite clear what the message of the Directive is: there is no criminal liability for disclosure, there may be criminal liability for obtaining the information. Unfortunately, this has not been understood by the Spanish legislator.
Thus, Article 38(1) sensibly states that.
“persons who communicate information about actions or omissions under this law or who make a public disclosure under this law shall not be deemed to have breached any restriction on disclosure of information, and shall not incur liability of any kind in connection with such communication or public disclosure, provided that they had reasonable grounds to believe that the communication or public disclosure of such information was necessary to disclose an act or omission under this law”. Perfect so far, in the portico of foolishness: “This measure shall not affect criminal liabilities”. We removed just the shield that was most needed.
I think the Law makes a mess of the following provision, which is appropriate:
“Whistleblowers shall not incur liability in respect of the acquisition of or access to information that is publicly communicated or disclosed, provided that such acquisition or access does not constitute a criminal offence” (art. 38.2).
What do we do then: criminal liability of the whistleblower versus the European protection of the Directive?
I believe that there are at least two ways to prevent such a dysfunctional consequence for the law.
The first is a systematic internal interpretation of the law. As opposed to this stupid criminal exclusion in Article 38.1, Article 38.5 literally transposes the specific exclusion of liability of any kind for communications or disclosures
“in legal proceedings, including those relating to defamation, copyright infringement, breach of secrecy, infringement of data protection rules, disclosure of trade secrets, or claims for compensation based on labour or statutory law”,
the contradiction between Articles 38(1) and 38(5) could be bridged by deciding in favour of the second clause.
In support of the above, and even independently of this, it is possible to rely on the doctrine of the Court of Justice of the European Union regarding the direct applicability of European Directives when their content is unconditional and sufficiently precise and has not been transposed or has been transposed defectively (for example, CJEU of 4 December 1974, Van Duyn case; of 19 January 1982, Becker case; of 7 July 2016, Ambisig and AICP case). This doctrine has been accepted by our Constitutional Court “by virtue of the principle of the primacy of European Union law” in cases in which “rights are provided for citizens” (for example, SSTC 13/2017, 25/2022). It should therefore be specified that what we are talking about here is precisely, in the terminology of the law itself, the informant’s “rights of protection” (art. 35.1).
The criminal translation of all this for the bona fide whistleblower who is accused of, for example, a crime of disclosure of company secrets, is, first of all, that he is covered by the fulfilment of a duty (art. 20.7ª CP) if he witnessed the commission of the crime, an obligation that is underlined at the beginning of the Preamble of the Law. Prior to this justification, and more generally, for all cases of denunciation in good faith, it is appropriate to affirm the atypical nature of the conduct, because in a system of freedoms, any accusation must be denied if the conduct is permitted by the law.
The obligation to report to the Public Prosecutor’s Office
The public and private bodies to which the law is addressed must implement an “information management procedure” (Art. 9.1). This procedure must provide for the “[r]issuance of information to the Public Prosecutor’s Office immediately when the facts could be indicative of a criminal offence. If the facts affect the financial interests of the European Union, it shall be referred to the European Public Prosecutor’s Office” (Art. 9.2.j).
The first question raised by this provision is a more general one. The question of whether a good compliance system should include as part of its sanctioning system a knock on the door of the Court or the Public Prosecutor’s Office if individual behaviour within it appears to be criminal, or whether, on the other hand, an internal sanction (e.g., ultimately, dismissal) is sufficient. There are several problems in finding an adequate answer to this question. On the one hand, whether we can consider the internal sanction to be sufficiently preventive in the face of the offence; on the other hand, whether the entity’s obligation to report the offence is an adequate extension of the citizen’s duty to report it. If this actually exists, in view of its ridiculous sanction (25 to 250 pesetas), it only applies to “[w]hoever witnesses the perpetration of any public crime” (art. 259 LECr), although it also applies to “[w]hoever, by reason of their positions, professions or trades, has knowledge of any public crime” (art. 262 LECr).
But what interests us now is the third side of the triangle: whether this obligation to denounce is not restricting the constitutional right of the legal person not to denounce itself insofar as the individual crime can reveal the crime of the organisation: that the individual crime was produced due to the lack of a reasonable system for preventing it.
The risk is not negligible, as we are still living in a certain context of uncertainty about this standard of diligence of the legal person. The company may always think that, although it believes it is doing things right, the fact that an individual offence has been committed within it and on its behalf will arouse a strong suspicion of lack of control that may lead not only to its being charged and accused, which is already a considerable penalty, but even to its being convicted.
It may be said, “Let him not denounce, then, in the exercise of his constitutional guarantees”. Yes, but then he will be generating a strong indication against him. If the individual offence becomes known, the failure to report will be attributed to the fact that there was no proper system of compliance: that the legal person did not want to report itself. We have thought something similar in relation to the duty to waive the criminal lawyer’s defence in order not to incur money laundering by charging his fees (by the way: if this is an act of money laundering and not a necessary expense for another purpose).
That is to say: the problem, the unconstitutional problem, is the following: if my compliance system is probably defective, if I denounce, I denounce myself, and if I don’t do it, then I denounce too. That is the way out: unconstitutionality. Or the forced interpretation that this duty to report refers only to cases in which the entity has no possibility of criminal liability, either because it is excluded by its nature (art. 31 quinquies 1 CP), or because it is a crime that does not generate criminal liability for legal persons.
Confidentiality?
One of the questions that has always been a concern in the reasonable construction of whistleblowing channels is the admissibility of anonymous whistleblowing in the face of the requirement of a protected identity with a guarantee of confidentiality, which in turn is a guarantee of indemnity. There can be no reprisals if we do not know who did it.
With regard to anonymous reporting, the Directive basically says two things in Article 6:
- that it will not regulate them, leaving the decision on their admissibility to national law;
- that if they are admissible, the whistleblower must be protected under the Directive if he or she is subsequently identified and suffers reprisals. Prior anonymity does not deprive subsequent protection.
The Law imposes that anonymous complaints be admitted (Art. 7.3), in line with what our legislation has already been doing in the field of data and money laundering. The admissibility of anonymous complaints has the disadvantage that it can promote spurious complaints and, as our criminal jurisprudence shows, that of their low credibility (identity is in fact an element of veracity, due to the very sanction of falsehood), and that of the generation of defencelessness, as the affected party lacks the essential information on who is accusing him/her as an element to combat the veracity of the accusation.
However, in a world in which whistleblowing is hardly ever reported, and in which we are therefore trying to encourage whistleblowing, it has the obvious advantage of facilitating it, as it is the one that definitively overcomes the fear of internal alert: no reprisal can take place in anonymity, if there is no subject to retaliate against.
This advantage is compounded by the possible evanescence of confidentiality. If the case comes before the criminal courts and if, as will be usual, the informant is a witness, the guarantees for the defence of the accused will require knowledge of his identity. This is what the Directive states (art. 16.2) and what the preamble of the Law states: “this essential pillar of the European standard is excepted when […] it is requested within the framework of judicial proceedings, which is often the case, the judge arguing the need to know the identity of the informant, in order to guarantee the right of defence of the accused”.
An additional doubt is whether the right of defence allows for the safeguarding in any case of confidentiality in the disciplinary instruction, be it corporate or of the administrative authority in the management of the institutional channel. In the regulation of the institutional channel, the Law states in general that the informant has the guarantee of “confidentiality of identity […], so that it is not revealed to third parties” (art. 21.1); and categorically that “[i]n no case shall the identity of the informant be communicated to the affected parties” (art. 19.2). And more generally, it is configured as a global protection measure: “The identity of the informant may only be communicated to the judicial authority, the Public Prosecutor’s Office or the competent administrative authority in the framework of a criminal, disciplinary or sanctioning investigation” (Art. 33.3).
According to this, there is absolute confidentiality of the whistleblower’s identity, as opposed to the affected party’s right of defence, in the internal business procedure and in the equivalent of the Independent Authority, but not in the criminal or administrative sanctioning procedure. This raises a question which I believe has been given little thought, and that is the question of what the guarantees should be in a company’s internal disciplinary procedure: to what extent are they reducible because it is a minor procedure? Is it so obvious that the right of defence of the person being prosecuted means that the confidentiality of the informant must be maintained?
Conclusions
I conclude. The Act has two gross flaws:
the lack of criminal immunity for reporting, which we can overcome by direct invocation of the Directive;
the obligation of legal persons subject to criminal liability to report individual offences to the Public Prosecutor’s Office, which is probably unconstitutional.
And the law has some minor technical flaws. I am struck by the constant repetition of “Independent Authority for the Protection of the Informant, A. A. I.”, only sometimes with the final comma, and whose acronym does not refer to the name of the Authority (which would be A. I. P. I.), but to the fact that it is an Independent Administrative Authority. It is also thought-provoking that the obligation to allow anonymous complaints is accompanied by an intriguing “including” (“Internal reporting channels shall even allow for the submission and subsequent processing of anonymous communications”).
However, the most sympathetic flaw is the wording of Article 2.1.b which, in order to define the material scope of application of the law, reads: “Actions or omissions that may constitute a serious or very serious criminal or administrative offence. In any case, this shall include all serious or very serious criminal or administrative offences that involve financial losses for the Public Treasury and for the Social Security”. Imagine if we were to transfer this technique, which actually calls into question the first paragraph, to other legal texts: “Everyone has the right to life. In any case, Murcians have the right to life’. You know, we are all equal but some are more equal than others (Animal Farm, George Orwell).