This paper deals with one of the main legislative novelties introduced in Spain in 2023. The Act 2/2023, regulating the protection of persons who report breaches of law and the fight against corruption, is of great importance, not only because it promotes the consolidation of the culture of integrity in organisations, but also because it establishes for the first time in our legal system the obligation to establish reporting channels and, at the same time, guarantees a legal status for the protection of whistleblowers. As this is a subject of unquestionable impact in the labour sphere, the following pages propose an assessment of the Spanish transposition of the EU Directive 2019/1937, in order to identify the convergences and divergences between the Spanish and European standards. As will be seen, while attempting to respond to many of the questions raised by the Whistleblowing Directive, the Act 2/2023 poses interpretative and application problems which will be highlighted in this paper in order to propose solutions and enhance the effectiveness of the Spanish legal framework.
Il presente contributo affronta una delle principali novità legislative introdotte in Spagna nel 2023. La legge 2/2023, che regolamenta la tutela delle persone che denunciano violazioni della legge e la lotta alla corruzione, è di grande importanza, non solo perché favorisce il consolidamento della cultura dell’integrità nelle organizzazioni, ma anche perché stabilisce per la prima volta nel nostro ordinamento l’obbligo di istituire canali di segnalazione e, al tempo stesso, garantisce uno status giuridico per la tutela dei segnalanti. Trattandosi di una materia di indiscutibile impatto in ambito lavorativo, le pagine seguenti propongono una valutazione del recepimento spagnolo della Direttiva UE 2019/1937, al fine di identificare le convergenze e le divergenze tra la normativa spagnola e quella europea. Come si vedrà, pur tentando di rispondere a molte delle questioni sollevate dalla Direttiva Whistleblowing, la Legge 2/2023 pone problemi interpretativi e applicativi che verranno evidenziati in questo articolo al fine di proporre soluzioni e migliorare l’efficacia della struttura dell’ordinamento giuridico spagnolo.
1. Introduction: Are we facing a new or a not-so-new issue in Spain? - 2. Late as usual The Spanish transposition from the formal point of view - 3. The scope of application of the Act 2/2023 - 3.2. Material scope: breaches of EU law and national law - 4. The establishment of reporting channels - 4.1. Internal reporting channels - 4.1.2. Responsibility for the implementation and management of the internal channels - 4.2. External reporting channels: The Independent Authority for the protection of the reporting persons - 5. The public disclosure - 6. The protection of persons who report breaches of law - 6.2. The measures of support and protection against retaliation - 7. The sanctioning legal regime - 8. Conclusions - NOTE
Act 2/2023, of 20 February, regulating the protection of persons who report breaches of law and the fight against corruption, aims to provide adequate protection against retaliation that may be suffered by individuals who report any of the actions or omissions identified in the rule itself, through the procedures provided for therein. The aim is to strengthen the integrity infrastructures of organisations and the promotion of the information culture as a mechanism for preventing and detecting threats to the public interest. It has been proven that the investigation of infractions necessarily requires the promotion of whistleblowing, which also requires the guarantee of the absence of retaliation. Not surprisingly, the fear of possible harmful consequences for the whistleblower explains why 81% of those consulted in the Special Eurobarometer on corruption, according to data referring to 2022, [1] were not open to reporting acts of corruption of which they had become aware. In general, and in contrast to other legal systems, in Spain the figure of the whistleblower and his or her protection lacked a consolidated legal basis. There was therefore no comprehensive regulation of reporting channels in private entities and public administrations or some kind of statute of legal protection for the person who used them. [2] In any case, it is true that, since Organic Law 1/2015 modified the Criminal Code, the implementation of reporting channels has become more widespread. It should be recalled that, five years after the 2010 reform which introduced criminal liability for legal persons, the modification of art. 31 bis included, among the conditions for exemption from such liability, that the management body must have adopted and effectively implemented, prior to the commission of the crime, organisational and management models that include the surveillance and control measures suitable for preventing crimes of the same nature or for significantly reducing the risk of their commission. The requirements to be met by such organisation and management models included precisely the imposition of the obligation to report breaches to the body responsible for overseeing the operation and observance of the prevention model, as well as the establishment of a disciplinary system that adequately sanctions non-compliance with the measures established by the model. This made criminal compliance systems highly relevant. However, given that this was not an imposition in [continua ..]
Although the transposition deadline for the Directive was 17 December 2021, as usual, Spain implemented it with considerable delay and it was on 20 February 2023 when Act 2/2023 regulating the protection of persons who report breaches of law and the fight against corruption was finally approved. However, this delay was not exceptional in the comparative sphere, as many countries were late in complying with the obligation set out in the European legal act. [4] In January 2022, the European Commission sent letter of formal notice to Spain, among other Member States, for not fully transposing and informing the Commission of the transposition measures before the deadline. [5] Just over a month later, on 4 March 2022, the Spanish Council of Ministers approved the Preliminary Draft Act. The rule finally came into force on 13 March 2023, although it postponed the full effectiveness of some articles because it set subsequent dates for the creation or adaptation of internal and external reporting channels, in three months and six months respectively from the entry into force of the Act. Thus, the maximum deadline for setting up internal channels was 13 June 2023, although this deadline was extended to 1 December 2023 for smaller entities, specifically for legal-private entities with fewer than 250 employees and municipalities with fewer than 10.000 inhabitants. This timeframe is too short, as the obligation under discussion is not fulfilled by merely establishing a reporting channel, but requires a qualified person in charge, staff and support material, a detailed procedure and an appropriate policy or strategy. [6] For its part, the deadline for the implementation of external channels was 13 September 2023.
3.1. Personal scope: the work-related or professional context The personal scope of the Act 2/2023, as in the case of the European Directive, is clearly connected to labour relations. Namely, the Spanish Act proclaims its application to reporting persons working in the private or public sector who acquired information on breaches in a “work-related or professional context” (art. 3). The Act 2/2023, as EU Whistleblowing does, uses a broad criterion in the delimitation of the personal scope of application. In particular, the European legislator states that protection should be granted to the broadest possible range of categories of persons, who, irrespective of whether they are Union citizens or third-country nationals, by virtue of their work-related activities, irrespective of the nature of those activities and of whether they are paid or not, have privileged access to information on breaches that it would be in the public interest to report and who may suffer retaliation if they report them (Recital 37). Therefore, it is clear the intention to extend the application of the framework beyond the typical forms of work, and this is also the proposal of the Spanish transposition. The truth is that, as will be seen immediately, it cannot be said that Art. 3 of the Act 2/2023 undertakes a notable extension of the personal scope of application provided for in the Directive, but it does introduce a series of variations in the adaptation to the Spanish legal system. It should be noted at the outset that the cases included exceed in several cases the concept that fits the definition of paid employment in art. 1.1 of the Workers’ Statute and, in this sense, the reference to the “work-related or professional context”, as a note common to the informants, stands out. Specifically, it includes persons with the status of workers or public employees, self-employed persons, shareholders, participants and persons belonging to the administrative, management or supervisory body of an undertaking, including non-executive members, volunteers, workers in training periods, regardless of whether or not they receive remuneration, and any person working for or under the supervision and directions of contractors, subcontractors and suppliers. As the EU Directive does, the Spanish Act extends the protection in terms of time, which is not limited to the duration of the employment relationship. Thus, it also applies to persons who report or publicly [continua ..]
Making use of the power provided for in Article 2.2 of the EU Directive, the Spanish Act opts to extend the application to other areas that do not fall within the material scope of the European rule. Thus, unlike the European rule, which uses the subject matter as a criterion for classifying breaches, the Act 2/2023 makes an initial distinction according to the law infringed, distinguishing between breaches of EU law and breaches of national law (art. 2). Firstly, the Spanish Act establishes mechanisms for the protection of natural persons who report any acts or omissions that may constitute breaches of European Union law provided that they fall within the scope of the European Union acts set out in the Annex to the EU Whistleblowing Directive, irrespective of their classification in the domestic legal system; affect the financial interests of the European Union as referred to in Art. 325 of the Treaty on the Functioning of the European Union (TFEU); or affect the internal market, as referred to in Art. 26.2 TFEU, including infringements of EU competition rules and aid granted by States, as well as breaches relating to the internal market in connection to acts infringing corporate tax rules or practices aimed at obtaining a tax advantage that distorts the object or purpose of corporate tax law. Secondly, and this is a novelty with respect to the text of the European standard (2.1), the Act 2/2023 decides to extend protection to informants of acts or omissions that may constitute a serious or very serious criminal or administrative offence. [8] As indicated in the Preamble to the law, the legislator considered it necessary to extend the material scope of the Directive to infringements of national law, but limited to criminal offences and serious or very serious administrative offences, in order to allow both internal and external reporting channels to concentrate their enquiry or investigation on the breaches that are considered to have the greatest impact on society as a whole. The final text of the article that we are assessing deleted the reference that the Draft Bill had made to “any breaches of the rest of the legal system provided that, in any case, they directly affect or undermine the general interest, and do not have specific regulation”. The final text therefore discarded the generic reference to the effect on the general interest as a criterion for delimiting the material scope and opted for the stricter criterion of the [continua ..]
The Spanish Act considers that the internal reporting channel is the preferential channel for reporting the actions or omissions described above (art. 4.1). [14] It may well be considered that proximity to the origin of the breach may ensure greater guarantees of the effectiveness of the information, since timely knowledge and speed in clarifying the facts may prevent greater harmful consequences from arising from the possible infringement. [15] However, and following the Directive, the Spanish Act makes this preference conditional on the fact that breach can be addressed effectively internally, and the reporting person considers that there is no risk of retaliation. This requirement seems to cover the questions raised by the preferential recourse to the internal reporting channel, especially because of the fear that those responsible for the infringement might themselves be responsible for the reporting channel and could therefore promote its concealment. Therefore, although the law articulates a whole series of measures to protect against retaliation, it does not rule out the possibility that fear of retaliation may often lead informants to dispense with the internal reporting channel and go directly to the external one. The preamble of the Act, after stating that the internal reporting channel should be used as the preferred one’, adds that, once this preference has been declared, the whistleblower may choose the channel to use, internal or external, depending on the circumstances and the risks of retaliation that he or she considers. Therefore, what is a general rule ends up becoming an exception, given the wide range of cases that open up in which specific circumstances would make recourse to another channel more advisable. According to the Directive, the reporting person should be able to choose the most appropriate reporting channel depending on the individual circumstances of the case (Recital 33). As it has been noted, it is a merely enunciative priority, since no motivational requirement has been established for going directly to the external channel; therefore, the decision to use one channel or the other is based solely on the assessment made by the reporting person. [16] Likewise, the relative nature of this preference of the internal reporting channel seems to be confirmed when, while regulating access to the external reporting channel, the Act 2/2023 indicates that information may be provided directly or after prior [continua ..]
4.1.1. Configuration and scope in the private and the public sector In the private sector, the Act follows the guidelines set out in the Directive without introducing any improvement in the scope of application. Thus, natural or legal persons that employ fifty or more workers are obliged to establish an internal reporting system. Aware of the cost that the implementation of this system may generate for companies, the Act 2/2023 admits that companies with more than 49 workers and less than 250 can share means and resources for the management and processing of the information they receive, whether the management is carried out by any of them or whether it has been outsourced (art. 12), with the existence of their own channels in each undertaking always being made clear. [20] The Spanish act does not introduce specific rules to help determine how to calculate the volume of work for the above purposes, so it has been suggested the possibility of operating with the criteria established in Royal Decree 901/2020, of 13 October, which regulates equality plans and their registration. [21] In any case, the legal obligation extends to legal persons which, regardless of the number of employees, therefore even when they employ fewer than fifty employees, fall within the scope of the European Union acts on financial services, products and markets, prevention of money laundering or terrorist financing, transport safety and environmental protection referred to in parts I.B and II of the Annex to Whistleblowing Directive, political parties, trade unions, employers’ organisations and foundations set up by them, provided that they receive or manage public funds. The Preamble itself justifies these previsions by stating that the reason for this requirement is based on the unique constitutional role of these organisations, as proclaimed in Arts. 6 and 7 of the Spanish Constitution. The existence of cases of corruption that have affected some of these organisations increases public concern about the proper functioning of the institutions, and it is therefore essential to demand an exemplary attitude from these organisations in order to establish society’s confidence in them, since the proper functioning of the democratic system depends to a large extent on this. The generalisation of an internal reporting system will facilitate the eradication of any suspicion of nepotism, waste of public funds, irregular financing or other corrupt practices. Therefore, [continua ..]
The administrative body or governing body of each entity is responsible for implementing the internal reporting system, after consultation with the employees’ representatives. [25] Note that, by avoiding extremes, both mere information and the greater requirement of opening a negotiation process with the employees’ representatives have been discarded, so that the exchange of opinions and the opening of a dialogue between the employer and the works council on a specific issue, including, where appropriate, the issuing of a prior report by the works council, as consultation is defined in the Workers’ Statute (art. 64), has been chosen. Therefore, in the absence of an express regulation, this case is subject to the requirements set out in the aforementioned article. In any case, the possibility of negotiation has been defended if both parties so decide, as there is no legal impediment to this, which would make this system more effective in terms of finding out about and correcting breaches of labour legislation, and even more trustworthy for workers. [26] Responsibility for the management of the internal reporting system may fall either on a natural person or on a collegiate body (which, in turn, must delegate these powers to one of its members), [27] the appointment of which is the responsibility of the administrative or governing body of each entity. This should not alter, in practice it remains to be seen, the autonomy and independence that the law entrusts to the figure of the person in charge with respect to the rest of the bodies of the entity, without being able to receive instructions of any kind in its exercise. The Act 2/2023 contains specific provisions for groups of companies, so that, in such cases, the person in charge of the system may be one for the whole group, or one for each company in the group, subgroup or group of companies. For its part, the internal reporting system may be one for the whole group. In any case, the management of the internal reporting system may be carried out within the entity itself or by an external third party, under the terms provided for in the Spanish Act (art. 6). [28] For these purposes, management of the system is considered to be the receipt of information and shall require that the external third party offers adequate guarantees of respect for independence, confidentiality, data protection and secrecy of communications. In any event, such outsourced management of the [continua ..]
The Directive gives a great deal of freedom to Member States to designate the competent authorities to receive and follow up on reports of breaches. In particular, the European rule opens up the possibility that these competent authorities may be judicial authorities, regulatory or supervisory bodies competent in the specific areas concerned, or authorities with a more general competence at central level within a Member State, law enforcement authorities, anti-corruption bodies or ombudsmen (Recital 64). Among all these alternatives, Spanish legislation has decided to assign the management of the external reporting channel to the Independent Authority for the protection of the reporting person (hereinafter, the AAI, to use the acronym used in the Act 2/2023), as a public law entity at state level with its own legal personality and full public and private capacity. As required by the Directive, this administrative authority will act in the development of its activity and for the fulfilment of its purposes with full organic and functional autonomy and independence with respect to the Government, the entities comprising the public sector and the public authorities in the exercise of its functions. Thus, any natural person may report to it, or to the corresponding regional authorities or bodies, the commission of any actions or omissions included in the scope of application of this Act, either directly or following report through the corresponding internal channel (art. 16). It is the specific nature of the matter that makes it advisable for the functions attributed by the Directive to the competent authorities to be exercised by a newly created body, without the possibility of relying on other existing bodies within the public sector. In this sense, the option of entrusting these functions to bodies such as the Court of Auditors or the Ombudsman was ruled out. Under a special regime of autonomy and with a marked technical and specialised character in the matter, this authority will be in charge of the running and management of the aforementioned external channel. In this sense, it can be affirmed that the independence of the competent authority is one of the backbones of the institutional system for the whistleblower protection. It is foreseen that the President will be appointed for a non-renewable period of five years and, therefore, longer than the four years that characterise the legislative term. As it is well known, providing the external reporting [continua ..]
In terms very similar to those used by the European Directive, the Spanish transposition defines public disclosure as the making of information on actions or omissions available in the public domain, under the terms provided for therein. Without any determination of the responsible party or procedure, what distinguishes this third alternative from the previous reporting channels is the instrument used for the communication of the information on breaches and the recipient of the information, insofar as it refers briefly to “making it available in the public domain”. In contrast to the internal and external reporting channels, this requirement does not only refer to actual communication, but also includes those cases in which information is made accessible to a potential audience. Therefore, the key in this case is not so much the success of the disclosure but the easy accessibility of the information being communicated. Particularly noteworthy is the breadth with which public disclosure is regulated. The Act 2/2023 does not limit the means of communication through which such disclosure is made, nor does it make any reference to the extent or scope of knowledge of third parties, so that it has been understood that information posted on a notice board or on an employee’s personal blog could be classified as public disclosure. [37] The protection of persons making use of a public disclosure requires that one of the following two conditions be met: the person first reported internally and externally, or directly externally, but no appropriate action was taken in response to the report within the timeframe referred to; or where the informant has reasonable grounds to believe that either the breach may constitute an imminent or manifest danger to the public interest, in particular where there is an emergency situation, or there is a risk of irreversible harm, including a danger to the physical integrity of a person; or, in the case of external reporting, there is a risk of retaliation or there is a low prospect of the breach being effectively addressed, due to the particular circumstances of the case, such as those where evidence may be concealed or destroyed or where an authority may be in collusion with the perpetrator of the breach or involved in the breach. In any case, the aforementioned conditions for the protection of the whistleblower provided for in the Act shall not apply when the person has directly disclosed information to [continua ..]
6.1. The prohibition of retaliation The art. 36 of the Act 2/2023 transposes the art. 19 of the EU Directive and regulates the prohibition of retaliation, which it defines, based on the concept used in the art. 5 of the European rule, [38] as any acts or omissions which are prohibited by law, or which, directly or indirectly, involve unfavourable treatment that places the persons who suffer them at a particular disadvantage with respect to another in the employment or professional context, solely because of their status as informants, or because they have made a public disclosure. Taking a broad view, the Spanish Act extends the prohibition not only to acts constituting retaliation in themselves, but also to threats and attempts of retaliation. The question arises as to whether the protection against retaliation applies to persons who already have the status of whistleblowers because they have actually reported breaches of law or whether it also extends to preparatory acts, i.e. when it is known that someone is preparing to make the communication. The first interpretation has been defended, given that the precept prohibits retaliations, with the broad character already seen, against persons who submit a communication in accordance with the legal provisions. [39] In order to illustrate the retaliation that are subject to such a prohibition, the Act sets out an exemplary list in which, therefore, without being exhaustive, specific conducts are listed that fit the aforementioned definition: a) Suspension of the employment contract, dismissal or termination of the employment or statutory relationship, including the non-renewal or early termination of a temporary employment contract once the probationary period has passed, or early termination or cancellation of contracts for goods or services, imposition of any disciplinary measure, demotion or denial of promotion and any other substantial modification of working conditions and the failure to convert a temporary employment contract into an indefinite one, where the employee had legitimate expectations that he/she would be offered an indefinite job; unless these measures were carried out in the regular exercise of managerial authority under the relevant labour or public employee statute legislation, due to circumstances, facts or proven breaches, unrelated to the submission of the communication. b) Harm, including to the person’s reputation, particularly in social media, or financial loss, [continua ..]
Persons who report or disclose offenses falling within the material scope of application of the act, through the procedures outlined in it, are entitled to access a series of support measures specified in the Act. Although the legal text is silent on the matter, there does not seem to be any impediment to understanding that such measures are compatible with those which are specific to the labour or civil service sphere, such as trade union assistance or assistance to representative unitary bodies. [44] Focusing on the support measures expressly included in Act 2/2023, these are the following: a) Comprehensive and independent information and advice, which is easily accessible to the public and free of charge, on procedures and remedies available, on protection against retaliation, and on the rights of the person concerned. b) Effective assistance from competent authorities before any relevant authority involved in their protection against retaliation, including, where provided for under national law, certification of the fact that they qualify for protection under this Directive. c) Legal aid in criminal proceedings and in cross-border civil proceedings in accordance with Community law. d) Financial and psychological support, on an exceptional basis, if so decided by the AAI following an assessment of the circumstances arising from the submission of the communication. Comparing the European and Spanish regulations, it is easy to see how the art. 37 of the latter, which regulates such support measures, transposes the art. 20 of the Directive practically verbatim. It only introduces some variation when it refrains from referring also in letter c) to “in accordance with national law, legal assistance in other proceedings and legal advice or any other type of legal assistance”, or when it specifies that all these measures are understood “independently of the assistance that may correspond under Act 1/1996, of 10 January, on free legal aid, for representation and defence in legal proceedings arising from the presentation of the communication or public disclosure”. The act conditions the right to protection of persons who report or disclose offences determined therein to the concurrence of different circumstances. Firstly, the communication or disclosure must have been made in accordance with the requirements set out in this act, including those relating to the subjective and objective scope of application and the procedural [continua ..]
The exercise of the sanctioning powers provided for in the Act 2/2023 corresponds to the Independent Authority for the Protection of the reporting person and to the respective competent bodies of the Autonomous Communities. In any case, the latter shall be exclusively competent in respect of infringements committed in the sphere of the autonomous and local public sector in the territory of the corresponding Autonomous Community, although the autonomous community regulations may provide that these bodies shall be competent in respect of infringements committed in the sphere of the private sector when they affect only their territorial sphere. The legal definition of the conduct constituting offences could be improved, to say the least, as the sections that include very serious and serious offences tend to include the same conducts, although in the latter case with the qualification “not considered a very serious offence”. This is followed in the next section, which, dedicated to the description of minor offences, ends with a closing clause in which it grants this status to “any breach of the obligations set out in this law that is not classified as a very serious or serious offence”. Clearly, this unfortunate catalogue violates the principle of prior definition, generates great legal uncertainty and jeopardises the very effectiveness of the system. [51] Offences included in the Spanish Act can be committed by both natural and legal persons. More specifically, offences can be committed by the employer (for example, adopting any kind of retaliation), the reporting person (for example, reporting or publicly disclosing information knowing it to be false) or the person responsible for the reporting channel (for example, violating the guarantees of confidentiality and anonymity). If natural persons are responsible for the offences, the commission of the offences set out in the regulation entails the imposition of fines ranging from 1.001to 10.000 euros for minor offences, from 10.001 to 30.000 euros for serious offences and from 30.001 to 300.000 euros for very serious offences. If they are legal persons, the fines amount to up to 100.000 euros for minor offences, between 100.001 and 600.000 euros for serious offences and from 600.001 to 1.000.000 euros for very serious offences. In the case of very serious offences, the AAI may also agree on certain additional measures, such as public reprimand, prohibition from obtaining [continua ..]
Until the entry into force of the Act 2/2023, Spain had lacked a national legislation that provided a comprehensive regulation of the legal regime for the protection of those persons who had decided to report breaches of law. Nor was there a specific legal framework expressly prohibiting retaliation and articulating protection measures, without prejudice to the reference already contained in article 17.1 of the Workers’ Statute and the operability of the so-called guarantee of indemnity, which is much narrower in scope as it is limited to protection against retaliation due to administrative or judicial actions. The Spanish implementation of the Whistleblowing Directive has made up for all these shortcomings, while it has also introduced the obligation to set up reporting channels in certain undertakings, which has also been a novelty in many of them. If we compare the European and Spanish legislations, it can generally be considered that Spain has undertaken a minimum transposition. And only on certain issues has it opted to improve on the minimum standard of European protection. In particular, the offences that fall within the material scope of the Directive are extended, in the national context, to all areas of the legal system, although the types of offences are limited, which are reduced to criminal offences and serious or very serious administrative offences. It is true that the rule gains in legal certainty, making use of the criterion of legal definition of the offence, but it does so at the cost of reducing the scope of application, restricting protection to cases in which the commission of an offence classified as a criminal or serious or very serious administrative offence is reported. This, in turn, presupposes specialised knowledge of the list of punishable offences, which logically does not necessarily characterise the persons who report information, with the added risk of ending up discouraging them from doing it. Therefore, conducts contrary to the general interest that is not classified as punishable offences, such as reprehensible conducts, acts or omissions that do not appear unlawful from a formal point of view, but which distort the object or purpose of the law and which nevertheless fall outside the scope of the law, are excluded from the material scope of the Act 2/2023. This exclusion is risky because it is well known that, in the area of corruption, there is a tendency to seek any legislative silence in order to alter [continua ..]