The new Italian law on corporate whistleblowing: an examination from the GDPR perspective



On 29 December 2017, Italy’s new law on the “Protection of individuals reporting crimes or irregularities learnt in the context of a public or private employment relationship” – already rechristened the ‘whistleblowing law’ – came into force.

Corporate whistleblowing has been a subject of debate in Italy for at least 15 years, i.e., since the US Congress adopted the Sarbanes-Oxley Act, requiring publicly held US companies and their EU subsidiaries to establish internal procedures for reporting misconduct. The lack of comparable national rules had always made the implementation of those procedures by Italian subsidiaries of US corporations difficult, especially on account of personal data protection concerns.

A first step toward the regulation of whistleblowing schemes was taken by Italian authorities in 2012, when whistleblower protection rules were introduced in the public sector.

With the new law, however, Italian lawmakers have not only expanded the scope of the existing public-sector provisions, but have finally regulated whistleblowing in the private sector too. The method chosen by its drafters was to amend an existing law, Act no. 231/2001 on corporate administrative liability.

Act no. 231/2001, while making legal entities subject to administrative liability for crimes committed or attempted to their advantage by individuals related to them, exempts from such liability – under certain conditions – legal entities that have adopted suitable “organisational models” aimed at preventing corporate crimes.

Following the new whistleblowing law amendments, such organisational models must now provide for multiple internal reporting channels – one of which is IT based – specifically designed to allow the reporting of misconduct, while protecting the identity of the reporting party.

The models will also expressly veto retaliatory or discriminatory acts – e.g., dismissal, demotion, disciplinary sanctions or transfers – against the whistleblower. In the event that a dispute arises over the retaliatory or discriminatory nature of measures that adversely affect the whistleblower’s working situation, under the new rules it will be the employer’s responsibility to demonstrate that they are based on grounds unrelated to the report.

Finally, the new law provides that, on certain conditions, disclosure by the whistleblower of professional, trade or business secrets, or the breach of the duty of loyalty to the employer, shall not be deemed unlawful.

The new set of rules will have particular repercussions for the application of labour law and privacy law principles. In the latter regard, a scheme designed to report complaints obviously involves the processing of personal data concerning both the reporting and the accused party, including, in the latter case, sensitive data related to the alleged commission of offences.

Back in 2009, the Italian Data Protection Authority (Garante) sent a report to Parliament and the government in which it deplored the existence, at the time, of a regulatory void regarding whistleblowing schemes and the resulting conflict of the latter with personal data protection laws. In particular, the Garante pointed out the difficulty of justifying a limitation of the right of access of the accused subject, the risk of instrumental uses of anonymous reports and the difficulty of identifying a legal basis for the processing under the Italian Personal Data Protection Code.

Readers should note that, under the code, which has a few months left before it is replaced by the General Data Protection Regulation (GDPR), pursuing a controller’s legitimate interest – the most obvious legal basis for personal data processing of this nature, which can hardly be based on consent, and at the time was certainly not based on a legal obligation – is not self-assessed by the controller itself, but must be sanctioned by the Garante.

In the meantime, the GDPR came into force. The GDPR will apply throughout the EU, including in Italy, from 25 May 2018. The critical question from a personal data protection perspective is, therefore, what the impact will be of the upcoming regulation on the new whistleblowing law.

The very first concern regards the legal grounds for the processing. Not unlike the current legislation, the GDPR requires any processing of personal data to have a legal basis, such as the data subject’s consent, the performance of a contract, compliance with a legal obligation or the purpose of a legitimate interest pursued by the controller.

It would be tempting to assume that, by virtue of the new whistleblowing law, the legal basis for the adoption of a corporate whistleblowing scheme under the GDPR will be the fulfilment of a legal obligation. After all, the new law requires organisation models to include whistleblowing schemes. That would be, however, a hurried conclusion. In spite of appearances, the establishment of whistleblowing schemes has not been made compulsory by any means.

First of all, it is conditional on the adoption, in the first place, of a corporate organisational model, which in itself is merely an option for any company, never an obligation. Secondly, even if an organisational model is adopted, the inclusion of a whistleblowing scheme within the model, once again, may not strictly be qualified as a legal obligation. Failure to include it, in fact, does not carry any penalties, but simply makes the organisational model unfit to bestow on the company an exemption from administrative liability.

Indeed, the most logical conclusion is that the processing of personal data in the context of whistleblowing schemes should find legitimacy under the umbrella of the pursuit of a legitimate interest. Whistleblowing schemes are ultimately meant to pre-empt certain corporate crimes or, at least, the spreading of their consequences. This is both in the interest of the relevant company – the data controller – and the general public, and they do appear to be ‘legitimate interests’, even more so when the lawmakers themselves find them worthy enough to draft rules meant to protect them.

What is more important, the GDPR appears to make it clear that the pursuit of a legitimate interest must be self-assessed by the data controller in line with the principle of accountability which the GDPR emphasises.

Thus, the objection raised in 2009 by the Garante – that it was inappropriate to charge the Garante with assessing the legitimacy of whistleblowing schemes – would seem to be overridden. But here comes the twist. Just as the ‘whistleblowing law’ was coming into force, a few crucial provisions found their way into the annual Budget Law, effective since 1 January 2018. Under these provisions, which on paper are meant to implement the GDPR into the Italian legal system, any data controller intending to carry out processing of personal data based on legitimate interest and involving ‘automated tools’ – that is to say, any modern data processing – must first submit it to the Garante, which will have the power to forbid the processing if it finds that the rights of the individuals concerned outweigh the interest in question.

It is, in short, a betrayal by way of law of the principle of accountability underlying the GDPR and a throwback to the old system of having the Garante assess and sanction legitimate interest. More importantly, it is a potential bureaucratic nightmare for companies wishing to implement whistleblowing schemes, and a possible cause of work overload for the Garante’s office. One can only hope that, by way of some further amendments, whistleblowing schemes will be exempted from this procedure.

As for the possible conflict between the right of access of the concerned party, in particular, the accused person, and the need to protect the whistleblower’s identity at least in the early stage of the investigation, the regulation, just as the legislation currently in force, provides that the person concerned has the right to know “where the personal data are not collected from the data subject, any information available as to their source” (Article 15 of the regulation), i.e., at least in principle, also the whistleblower’s name.

The potential conflict in this case might be defused, in our opinion, by the subsequent Article 23 of the regulation, which provides for the right of each Member State to restrict by national legislation the scope of the right of access in order to safeguard interests such as, for example, the “prevention, investigation, detection or prosecution of criminal offences”, or even “the protection of the rights and freedoms of others”. It could be argued that the whistleblowing law already contains a restriction of the right of access where it provides for the confidentiality of the whistleblower’s identity: that identity should remain unavailable to the accused person at least until their position has been cleared, at which point they might have a legitimate interest in prosecuting complaints made in bad faith.

Another issue that companies planning to implement whistleblowing schemes should keep in mind is the carrying out of a data protection impact assessment (DPIA). Under the revised guidelines on the subject, published in October 2017 by the Article 29 Working Party, a personal data processing that meets two out of nine criteria identified by the WP29 would require a DPIA to be carried out. It would appear that whistleblowing schemes do, in fact, meet at least two of the nine criteria listed in the guidelines: “sensitive data or data of a highly personal nature” and “data concerning vulnerable data subjects” – these being the employees.

It is desirable that, in the coming months, the Garante issues guidelines or best practices on the implementation of whistleblowing schemes in accordance with the GDPR.


Luigi Manna is a partner at Martini Manna Avvocati. He can be contacted on +39 02 4507 4727 or by email:

© Financier Worldwide
