Análisis y modificación del borrador de la CE para la protección de los Alertadores

Analysis and recommendations for key modifications in the draft EC Directive for the Protection of Whistleblowers

Give your feedback in the European consultation using this report. You can attach it.
Download it here in pdf format (Beta versión )
Analysis and recommendations for necessary modifications of the draft EC Directive for the Protection of Whistle-blowers by XNET – EDRi (European Digital Rights)
In collaboration with Courage Foundation
With the endorsment (in progress) of Expose Facts, Institut de Drets Humans (IDHC), Electronic Frontier Norway and Loïc Dachary


The fact that the European Commission has drafted a proposal for a Directive in and of itself is welcome news. It is the result of the prolonged efforts of many activist organisations and several EU policy-makers, particularly in the European Parliament. Nevertheless some changes have to be done to secure the objectives of the draft Directive and the rights of access to information:




The first concern is to be found in the draft’s definition of whistle-blower. While the definition is very broad, it is nevertheless restricted to persons reporting illegal activities that are in some way connected to their work environment.

The vast majority of cases of whistle-blowing fall into this category. However there are numerous examples where the wrongdoing is detected by a persons who have no working relationship with the body/persons committing the wrongdoing in question.

What is more, in our extensive experience working with whistle-blowers, at least 15% of the incidents do not involve any employment relationship.
The whistle-blower may be someone who is personally affected by a crime, or a researcher, journalist or activist who uncovers evidence, as was the case with Ramsay Orta or the Flexispy whistle-blowers. In other cases, the whistle-blower may be in a personal relationship with those involved in athe plot (e.g. the Pujol case in Spain).

Special protections should be extended to all citizens. The draft Directive extends the concept of “workers” but still limits the scope of protection to those engaged in a working relationship. It is undesirable to “leave unprotected other types of whistle-blowers” (…) and, as the draft itself states, a “… limited scope would constitute a main gap in whistle-blower protection at EU level while, by excluding from protection crucial categories of potential whistle-blowers, such an initiative would also have limited effectiveness”.(Context pag.8)

It is our belief that it is absolutely necessary to ensure that all citizens are afforded the protection they deserve when reporting wrongdoing. This  is particularly important when the protection of journalists and other persons that ensure that information in the public interest reaches the public is inadequate. (see point 4 on “intermediaries and facilitators”).

Our experience contradict the claim made in Recital 23 that “[w]hen there is no such work-related power imbalance (for instance in the case of ordinary complainants or citizen bystanders) there is no need for protection against retaliation”.

While typical retaliations in the workplace include “early termination or loss of business”, all citizens “blowing the whistle” are still subjected to “cancellation of contract of services, licence or permit, loss of business, loss of income, coercion, intimidation or harassment, blacklisting/business boycotts or damage to their reputation” mentioned in the Directive (under Recital 27).

If it is true that “persons who report information about threats of harm to the public interest (…) make use of their right to freedom of expression… [which] encompasses media freedom and pluralism”(Par.21), then every citizen is entitled to equal whistleblower protections. Union citizenship offers substantive equal treatment rights, including the constitutionally protected liberty “to participate in the democratic life of the Union” (TEU, Title II, Article 10). In exempting  non-workplace whistleblowers from special protections the Directive would fall short of respecting the rights and freedoms guaranteed by the EU treaties (Article 11 of the Charter of Fundamental Rights of the European Union: “Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers” and Article 10 of the European Convention on Human Rights).

An other position that we consider inappropriate is the attempt to link the effectiveness of the evidence obtained in reporting illicit acts to issues of morality to be ill-advised. We believe that the aim of this Directive must be to facilitate the discovery of grave injustices, and that for the purpose of this objective, it is irrelevant whether the person who uncovers them does so with good or bad intentions as long as their reports correspond to the facts. For this reason, we believe that requiring protection for the whistle-blower “provided that the respondent acted for the purpose of protecting the general public interest” hinders and runs counter to the Directive’s objective.

Finally, and more generally, Article 14 (g) of the proposed Directive refers to “coercion, intimidation, harassment or ostracism at the workplace” when, in practice, such reprisals are not confined to the workplace environment. They can be exacted on workers and non-workers alike and, more often than not, occur outside this environment – in the private ealm of the whistleblower. Thus, we strongly suggest that the “workplace” restriction must be eliminated.

We understand the intention of the European Commission to limit the scope of the draft Directive so as not to encroach on Member State competencies or areas of law covered by existing legislation. However, we suggest that the scope of the Directive state explicitly in a new provision that the Directive covers only wrongdoing that affects the public interest, otherwise we leave a considerable number of potential whistle-blowers unprotected.

As a solution to the problems outlined in this section, we can refer to Article 3 of our Proposed Law Template for the Protection of Whistle-blowers, which states:

a) Whistle-blower: any person who, having a reasonable belief in the reliability of information to which he or she has access and that would constitute a reason to blow the whistle/ a disclosure of wrongdoing, brings it to the attention of third parties by means of an administrative or jurisdictional complaint or through a channel designed for this purpose. 

b) Information constituting a reason to “blow the whistle”, or disclose wrongdoing: any information that, presented together with evidence supporting the claim or reliable indications thereof, provides basic grounds for suspecting the possible perpetration of illegal activity or wrongdoings, the consequences of which affect not only the authority or private entity concerned but extend beyond them to harm or threaten the public interest (Public interest: 1) public administration and organization administratevely depending on public administration; 2)any entity affecting more than 10% of the population of a legal constituency).


The confidentiality provisions in the draft Directive are insufficient. The ability to lodge a formal complaint anonymously must be ensured, as the European Parliament recommended in its Resolution of 24 October 2017 on legitimate measures to protect whistle-blowers (, arguing that “…the option to report anonymously could encourage whistle-blowers to share information which they would not share otherwise; (…) stresses that the identity of the whistle-blower and any information allowing his or her identification should not be revealed without his or her consent; considers that any breach of anonymity should be subject to sanctions”. (paragraph 49)

As we state in our legislative model (, there is “a situation of asymmetry of forces between the public and institutions or corporations, making it impossible in practice for people to fulfill their duty as citizens to report any wrongdoing of which they may be aware, as well as to report improper behaviour, irregularities or illegal activities.
The use of technological tools allows us to be more efficient in protecting the confidentiality and anonymity of those who provide relevant information. This makes it possible for us to correct this asymmetry. We must preserve the anonymity of private persons because they are vulnerable when they expose themselves to serve the common good.

The difference between anonymity and confidentiality resides in the fact that anonymity is the only way a source of information can wholly manage her or his own protection and the use that is made of the information. The weaknesses and porosity of reporting systems based solely on confidentiality have been amply demonstrated. Besides, there are additional and evident dangers in centralising all the power (information) in just a few hands, namely those of company directors and senior office holders in the public administration, leading to serious, massive abuses, as has already happened at other times in history.

It is obvious that companies and institutions must meet their obligations for transparency and implement systems for monitoring irregularities. However, even so, it is not possible to avoid abuse by trusting in some sort of self-regulation since fraud and corruption tend to be located in the privileged echelons of these internal systems. Hence, we must take advantage of the opportunities now being held out by technology and outline channels enabling distributed citizen monitoring and disclosure.

Anonymity is the only real protection that can be offered to a citizen whistleblower. This has been recognised even by the Public Prosecutor in Spain since 1993, and also in a range of provisions in the legal system as a just and necessary type of tool. A similar view is taken by organisations like the United Nations, for example in its 2015 Report on Encryption, Anonymity, and the Human Rights Framework.”.

Technological innovations, which considerably reduce the risk of compromising the identity of the complainant are fundamental in achieving the objective of this Directive. The importance of the use of such tools must be integrated into the draft explicitly.

As legislation protected those accused of wrongdoing against false allegations exists, Article 17.2 of the draft Directive should be reworded in accordance with the Recommendation of the Council of Europe (10): “Member States shall provide for effective, proportionate and dissuasive penalties applicable to persons making malicious or abusive reports or disclosures by retaining the protection and applying the rules of general law.”


The third problem we encountered is that the proposed Directive does not encourage the whistleblower to choose the most appropriate reporting channel. This will undermine much of the usefulness of the Directive, if left.
In cases where whistle-blowers have used the internal channels of the entity they wished to report for abuses, we have observed that this usually resulted in the destruction of evidence and personal suffering (

The extensive obligation included in the draft Directive requiring complaints be lodged internally first, forcing the whistle-blower to prove that she or he has good reasons for not doing so, would prevent many of the worthy objectives of this Directive from being realized.
These “good reasons” are not defined and would lead in some cases to arbitrary decisions by the state or the courts, discouraging action.
In fact, in the vast majority of cases the whistle-blower would not be protected under such circumstances: see the cases of Snowden or Luxleaks, among countless others.

It is entirely legitimate to discourage the infliction of needless harm to a entity’s reputation. However, the use of internal complaint mechanisms are not necessarily appropriate and whistle-blowers need to be able to choose the most effective course of action. In the case of Snowden or in the case of Luxleaks, for example, such a mechanism would not have led to any effective reforms.

We understand that the goal is to avoid groundless harm to a company’s reputation and this is a very legitimate goal. However, often lodging internal complaints would not be the appropriate mechanism and whistle-blowers need to be able to choose other appropriate mechanisms. In the case of Snowden or in the case of Luxleaks, for example, this would not have been a solution.

Any obligation to first make use of internal channels should be both circumscribed and linked to evidence of its demonstrated effectiveness. Along these lines, we suggest the inclusion of provisions that would help to guarantee the effectiveness of internal channels (e.g. independent reviewer, the mechanism allows for anonymity). This would encourage entities to establish more effective internal mechanisms.

The proposed Directive itself refers to this (Recital 62):
“In other cases, internal channels could not reasonably be expected to function properly, for instance, where the reporting persons have valid reasons to believe that they would suffer retaliation in connection with the reporting; that their confidentiality would not be protected; that the ultimate responsibility holder within the work-related context is involved in the breach; that the breach might be concealed; that evidence may be concealed or destroyed; that the effectiveness of investigative actions by competent authorities might be jeopardised or that urgent action is required”.

But then it is left undefined and vague in the provision.

Art. 13.e), which addresses the necessity of an external channel if the whistelblower has “…reasonable grounds to believe that the use of internal reporting channels could jeopardise the effectiveness of investigative actions by competent authorities” should be change as follows: “she or he must first make use of external channels if she/he has reasonable grounds to believe that the use of internal reporting channels could result in retaliation or jeopardise the effectiveness of investigative actions by competent authorities or when use of the internal channel has previously resulted in retaliation or jeopardised the effectiveness of investigative actions by competent authorities.

The Directive should not consider the use of non-internal channels as an exceptional option and should contribute to facilitate and improve channel completely independent such as channels in NGOs or medias.
Acknowledging the crucial role of non-internal or non-external channels is essential for encouraging the right to freedom of information.

The Directive must allow for the use of independent external channels that do not depend on any institution, such as NGOs or the media.

Regarding the freedom to determine the channel for disclosure, we want to draw your attention to the very strong and detailed statement from experts participating in the Whistleblowing International Network (WIN):

“In overview, mandatory internal reporting is not necessary. Studies of corporate whistleblowers, for example, consistently report that 90-96% make their disclosures solely within the institution. Strong factors inhibit breaking ranks – fear of retaliation; an ingrained trust and identity with the employer’s organization; and spillover consequences on colleagues and friends, to name just a few. Whistleblowers only report to the government or media in extreme cases anyway, without boundaries that cut off their anti-retaliation rights.” 

And “The problem [in the draft] is that since the exceptions to mandatory internal reporting are subjective, whistleblowers must guess whether they have free speech rights by going to the government or media. They will not know until the trial is over, after a ruling whether their judgment was safe or an act of professional suicide.”
And it will “Undermine regulatory/civil/criminal law enforcement and justice: The whistleblower will be providing notice of the evidence, before competent authorities get to see it – a three to six month head start to cover-up”. 


In our model law Template on the Protection of Whistle-blowers we define the facilitator as “a person or legal entity that contributes, facilitates or aids the whistle-blower in revealing or making public information constituting reason to blow the whistle/disclose of wrongdoing.”
In the vast majority of cases, citizen platforms, NGOs, journalists and trade unionists are indispensable in helping the whistle-blower, and they also suffer serious retaliations. The case of Luxleaks in which the journalist has been sentenced as the whistle-blower, is just one example.

While the role of intermediaries and facilitators is valued in the introduction to the Directive [1], this should be reflected in explicit protections for the entitites taking on such roles in the text of the Directive.
It is essential they receive the same protection consistently throughout the provisions of the Directive, as we describe in our proposal (“…facilitators [a person or legal entity who or which contributes, assists or aids the whistleblower to reveal or make public information constituting reason to blow the whistle / disclosure of wrongdoing]; these including physical persons and legal entities such as NGOs, citizen platforms, and the media. Using facilitators as a cover is a common practice among whistleblowers and anyone reporting wrongdoing (…). Hence the Law’s primary objective, in accordance with the system of guarantees for whistleblowers, is also to offer protection for disclosers and facilitators involved in the case”).

Specifically, and by way of example, Article 15.7 of the draft Directive covers only the ‘worker’ and not the person that publishes it. Moreover, the definition of ‘report’ and ‘reporting person’ (Art.3 “Definition) should include whoever facilitates or publishes the information, if we really wish to protect the freedom of the press and information.

[1] Par. 31: “Protection from retaliation as a means of safeguarding freedom of expression and media freedom should be provided both to persons who report information about acts or omissions within an organisation (internal reporting) or to an outside authority
(external reporting) and to persons who disclose such information to the public domain (for instance, directly to the public via web platforms or social media, or to the media, elected officials, civil society organisations, trade unions or professional/business organisations)”


One of the purposes of protecting whistle-blowers is to redress the asymmetrical power dynamic between powerful entities and citizens.

We have long observed that powerful interests initiate lawsuits for slander or violation of intellectual property rights or trade secrets (the cause of the long battle during the adoption of the 2016 Trade Secrets Directive – A clear provision is needed in the Directive in order that these elements cannot be used as an excuse to undermine and inhibit public interest reporting and freedom of information.

In recent years, we have witnessed a surge in the misuse data protection rights to challenge whistle-blowing protections.

We work to actively promote and protect the fundamental rights to privacy and data protection. We equally promote the importance of transparency in public institutions and large corporations, and believe that society benefits when power asymmetry between the citizen and powerful entities is reduced ( We also believe that this should be the goal of this Directive.

Data protection cannot and should not be used to dissuade people from reporting illegal activity (this is clear in the GDPR, articles 85-86). Neither do we believe that should such protections be equally applied to members of the public and public servants or heads of companies whose activiteis can have an impact the majority of the population.

Abuses are rarely dealt with effectively if they are not made public, and they cannot be made public if the people allegedly responsible for them are not named. The careful redaction of personal data that is not pertinent to an alleged wrongdoing is nonetheless important.

In order to fully and equally ensure respect for freedom of expression and information, personal data protection and privacy in this Directive, non-relevant personal data relating to the private sphere —data such as telephone numbers, email addresses, home addresses, as well as the names of private individuals and persons not responsible for an alleged offence— must remain private at all times and must prevail over freedom of information.
The judgement of the European Court of Human Rights on the Hungarian Helsinki Committee case concerning the denial of freedom of information requests sheds light in this regard.

It must therefore be emphasised that the burden of proof must favour the whistle-blower and their goals and motivations must not effect the value of their revelations; the ultimate aim of the Directive is not one of morality but to eliminate institutional abuse.

This is why we believe it is essential that the scope of the protection of personal data should be made more explicit and that recital 73 of the Directive, which reads “in case the alleged acquisition, use or disclosure of the trade secret was carried out for revealing misconduct…”, must be modified. Otherwise this would mean that the whistle-blower would have to prove her/his reasons, which are irrelevant. What is important is that reported evidence can reasonably be assumed to serve as proof of actual misconduct.

Whistle-blowers are neither saints nor devils. Their personal reasons are their own. The romantic aura surrounding whistle-blowers must be corrected, so the practice of denouncing abuses becomes the norm in a democratic society, and not a heroic act. This must be the ultimate goal of the Directive.

XNET – EDRi (European Digital Rights)
In collaboration with Courage Foundation
With the endorsement (in progress) of Expose Facts, Institut de Drets Humans (IDHC), Electronic Frontier Norway and Loïc Dachary