27.05.2021 14:31
The storm brought about by the General Data Protection Regulation (GPDR) is only slowly subsiding. It was an unprecedented whirlwind since the recodification of private law in the Czech Republic. The reasons behind this lie in a combination of several factors.
First, some notions of the General Regulation are truly problematic from the legal point of view. Moreover, the fact that the legislator was in delay with the adoption of the adaptation laws for more than a year did not help the situation either.
Second, many of those at whom the Regulation was aimed did not previously pay any attention to the protection of personal data, so no simple „fine-tuning“ would have sufficed. A complete overhaul was needed to respond to the requirements under the General Regulation, requirements that went slightly beyond and above the requirements of the previous legislation. Since the Czech law on the protection of personal data has almost twenty years of history behind it and the European legislation even a bit more, the rules stemming from the legislation are supplemented with a considerable layer of interpretations by expert groups and with case law. It is not easy to jump onto a running train from zero speed.
Finally, the media did not help the situation either by providing haphazard information with regular support of “experts” who, having no past expertise in personal data protection, were willing to tell the public engaging and dramatic stories about this “new phenomenon”.
Many are now wondering about the merits of the GDPR-related “maneuvers” (often extensive and costly measures) when
– the number of persons whose personal data are being processed (data subjects) and who are interested in the processing of their data has not changed substantially after the GDPR´s entry into force,
– the activity of the supervisory authority has not increased in any way, rather (given a number of legislative, organizational and personnel issues) to the contrary;
– public authorities and public entities (e.g. municipalities, regions, schools and kindergartens among others, i.e. entities that struggled most with the introduction of personal data protection rules) cannot be penalized (see Section 62 (5) of the Act) No. 110/2019 Coll.).
Such situations are sometimes rather funny. For example, after a considerable internal struggle, an elementary school has appointed its Data Protection Officer and had the employee properly trained, and provided them with suitable conditions to perform the task, etc. After the adoption of the adaptation legislation, however, the school found out that if it had not appointed its Data Protection Officer, it would be in violation of the General Regulation but unlike other entities which are not public authorities or public entities, it cannot be penalized by the Office for Personal Data Protection for failure to fulfill this obligation. The whole exercise was in fact (from the perspective of the school) rather pointless.
However, the turbulences do not seem to cease even after the General Regulation frenzy has subsided. The domestic legal environment (and hence the business environment in this respect) begins to resemble the Caribbean in the hurricane season. There is a high probability of another storm looming on the horizon. It may be smaller in scope than the GDPR storm. However, that does not necessarily mean that it will feel more comfortable. On the contrary, one may assume otherwise.
1. On Whistleblowing
In about the last decade, the practice of whistleblowing has been discussed in the local legal community with varying degrees of intensity.
Initially, the discussion developed around the introduction of whistleblowing systems by multinational corporations in the Czech Republic. The issue was looked at from the perspective of personal data protection. Later, other aspects were added, including, for example, criminal liability of legal entities or the general protection of public interest.
The term whistleblowing is based on the English idiomatic expression to blow the whistle. Put simply, whistleblowing today can be characterized as protected reporting of harmful conduct. Especially in the common-law legal environment, this notion has a relatively long and rich history.
Going into detail, we can divide whistleblowing into internal and external.
In internal whistleblowing, the whistleblower reports harmful conduct of a colleague, manager or business partner within the company in which the whistleblower works to the management of the company (or to a third party appointed for these purposes by the company and the third party subsequently handles the case – it may be a law firm, etc.). This is followed by an inquiry and, where appropriate, action against the concerned person if the veracity of the report is proven, or action against the whistleblower if it is established that the harmful conduct has been reported to harm the concerned person for the benefit of the whistleblower, etc. Internal whistleblowing includes whistleblowing within the whole concern.
In the context of internal whistleblowing, the whistleblower should be able to report harmful conduct in such a way that he or she cannot be penalized by the concerned person (for example, his or her superior). The recipient of the report must be independent, impartial and discreet.
On the other hand, external whistleblowing typically refers to a report to a public authority (e.g. law enforcement bodies, etc.). Theoretically, external whistleblowing should be the last resort the whistleblower uses in a situation when there seems to be no chance of handling the matter otherwise due to a lack of impartiality and independence of the person designated to investigate the report within the organization. External whistleblowing is also appropriate when there is a reasonably strong public interest. Simply put, these are cases which amount to the offense of a failure to report a crime (Section 368 of the Criminal Code). [3]
In short, whistleblowing legislation should lay down rules on protected reporting, namely what harmful conduct may be reported and what protection is offered to the whistleblower and to the concerned person about whom the report has been made. Both in relation to the concerned person and the whistleblower, the legislation must provide sufficient guarantees of protection of personal data and confidentiality due to possible stigmatization and victimization of the actors. An honest whistleblower should be protected against retaliation in the form of wage cuts, a transfer to another job, termination of employment, and withholding promotion, etc.
Since whistleblowing has been a subject of professional discussions for a relatively long time, extensive academic literature as well as court rulings (usually on external whistleblowing), whether by international or domestic courts , are available. These must be taken into account when drafting legislation.
2. Whistleblowing Legislation in the Czech Republic
Both in the Czech Republic and elsewhere, whistleblowing schemes, types of conduct to be reported as well as reporting channels, etc., are covered in the context of data protection legislation which seems sufficient for these purposes., provided the labor-law legislation offers a high degree of protection which is the case of the Czech Republic.
However, it is not unusual for some jurisdictions to adopt special laws for the protection of whistleblowers, which define the conduct that may be subject to protected reporting (see, for example, Slovak Act No. 307/2014 Coll., On Certain Measures Related to Whistleblowing and Amending and Supplementing Certain Acts, which was replaced by Act No. 54/2019 Coll., on the Protection of Whistleblowers and Amending Certain Acts). The legislation usually includes (in some form) the definition of the status of a protected whistleblower and related measures (protecting against the termination of employment, discrimination on the job, transfer to other work, etc.).
In some cases, such legislation also provides for incentives, i.e. measures intended to encourage whistleblowers to make a report. For example, the above-mentioned Slovak law on whistleblower protection offers the possibility to reward the whistleblower with financial remuneration of up to 50 times the minimum wage in the case of a “successful report” to the public authority – for more details see Section 9 of Act No. 54/2019 Coll.
In recent years, many Czech politicians declared the fight against corruption a priority in their political agenda also in response to independent resolutions of the EU bodies or other international organizations, and attempted to adopt legislation on protected reporting within the legal order of the Czech Republic. Draft proposals submitted to the Chamber of Deputies of the Parliament of the Czech Republic by deputies themselves, but also by senators or ministers, namely Karolína Peak, Libor Michálek, Jiří Diensbier, Jan Chvojka and Andrej Babiš, during the previous term took different forms. These proposals ranged from a few amendments to the existing legislation to separate, relatively comprehensive bills which strived to introduce processes for granting the status of protected whistleblower, together with protective and incentive measures in the above sense.
All these efforts were either nipped in the bud (they did not even reach the Chamber of Deputies) or, if submitted, failed to pass the legislative process for various reasons.
The bad news for the opponents of extensive descriptive legislation is that the European Union considers legislation on whistleblowers´ protection a desirable tool in the fight against corruption. Momentarily, a proposal for a directive on the protection of whistleblowers, namely the Directive on the Protection of Persons Reporting on Breaches of Union Law is being drafted and discussed at the EU institutions.
Given the past experience in transposing the European acquis, when the Czech Republic missed many a deadline, the Act on the Protection of Whistleblowers is being prepared in parallel with the Directive under the auspices of the Ministry of Justice.
JWhat will be the final form of the two pieces of legislation is uncertain, because on both levels, at the EU level and domestically in the Czech Republic, debates among experts are currently underway.
In both cases, the legislation will cover both internal and external reporting. Different forms are discussed:
– with respect to material scope, they range from the protection of reports with respect to any infringements to protection of reports limited to infringements (criminal or administrative offences) which are punishable, possibly from a certain threshold determined by the allowable sentence the offence carries;
– with respect to personal scope, i.e. the status of a whistleblower, they range from employees (civil servants, etc.) to contractors, i.e. independent suppliers who have no lasting relationship with the person about whom they report or where a person about whom they report is employed;
– with respect to the status of the whistleblower, they range from granting the status directly by law on the basis of factual circumstances to granting the status by means of a certificate from a government authority (existing or newly established Agency for Whistleblower Protection or other similar agency) or by a combination of both options;
— with respect to protection against retaliation, they include protection against demotion from a position, protection against termination of employment, against wage reduction, or other forms of discrimination, etc.;
– it also seems likely than an obligation will be established to introduce an internal reporting system (at least for some persons); possibly in combination with the appointment of a person authorized to receive reports (in some regards, this person has a similar role as the Data Protection Officer);
Final Notes
One can only hope that the final product will be a minimalist one. A law which will rely on the principles formulated by the European Court of Human Rights in Guja v. Moldova, that is (a) the report to the public authority can only be used as a last resort where no other internal channel can be used, (b) there is a strong public interest, (c) the report is substantiated and true (information verification), (d) the public interest prevails over the interest of the employer (e) the motivation to report must be honest (good faith of the whistleblower and the pursuit of a public not personal interest); (f) potential punishment of the whistleblowers by the concerned person or by the whistleblower’s employer must be serious enough.
A law that will not protect the anonymous opportunist informers but honest (ideally transparent) ones, and that will reflect the current employment legislation and other labor laws, respecting their rigidity and protective functions, without further deepening the protection of whistleblowers without logic and reason. In this context, the factual implementation of procedural law must always be taken into account. A law that is free of rewards and incentives to report. Indeed, if a failure to report harmful conduct is a criminal offense and reports are encouraged by rewards, there is little scope for free will.
Further, one can also hope that no similar media storm will follow as in the case of the General Data Protection Regulation, and that measures resulting from the new legislation will be designed and presented within reasonable limits.
Rulings of British courts frequently contain quotations from classical literature in which judges find inspiration of its kind. It is worth recalling the judgment of the London Court in Aslam, Farrar, Dawson and others v Uber (A2 / 2017/3467) in which (in point 87 of the judgment´s reasoning) the judge quoted Shakespeare’s Hamlet. In the case of the whistleblowing legislation (in particular, when it comes to decided and complex schemes covering any infringement) one cannot help but think of literary inspiration. The author who comes to mind is much younger and worked in a different genre. The title of his books coincides with the year in which the first heart transplant in Eastern Europe was performed at Prague’s IKEM, Jaroslav Seifert was awarded the Nobel Prize for Literature, Konstantin Chernenko replaced Yuri Andropov as Secretary-General of the Communist Party of the Soviet Union and Prime Minister Indira Gandhi was assassinated.
We had once lived at the time of confidants and other denunciators. History often repeats itself. However, not every historical moment is worth repeating.
[1] In other words, as the first-year students at the Faculty of Law are taught, the school is subject to a piece of legislation which lacks any sanctions, i.e. an imperfect legislation.
[2] In this context, the phrase “blow the police whistle” became commonplace. The same phrase was used by the North American Indians reporting the impending danger. For details on the definition and history of the notion, see, for example, Pichrt, J., Morávek, J. Whistleblowing, in Law for Business and Employment, vol. 7-8, 2009, pp. 19–25, 2009, Morávek, J Whistleblowing – Practical Issues, in Law for Business and Employment, vol. 11, 2009, pp. 12–20, 2009, Morávek, J Whistleblowing – Legal Basis, in Law for Business and Employment, vol. 12, 2009, pp. 12-17, 2009, Pichrt, J., Morávek, J. The Czech Republic and Whistleblowing in Thüsing, G., Forst, G. Whistleblowing – A Comparative Study, 2016, Vienna: Springer International Publishing, pp. 123 – 130, 978-3-319-25577-4, 2016, Pichrt, J., Morávek, J. The Czech Republic and Whistleblowing, in The Lawyer Quarterly, International Journal for Legal Research, Institute of State and Law of the Academy of Sciences of the Czech Republic, 2014, vol. 2., pp. 132-138, 2014, Pichrt, J. (ed.) Whistleblowing and Related Aspects – International Conference, Prague: Wolters Kluwer, 2013, pp. 187-202.
[3] It is apparent from the above that the notion of whistleblowing refers to a practice well known namely in companies with foreign ownership (practice also known as compliance). The same de facto applies to companies that want to address criminal liability of legal persons (whether for criminal or administrative offenses), in particular by creating the conditions which would release them from criminal liability.
[4] For example, working document WP 117, i.e. Opinion 1/2006 on the application of EU data protection rules to internal whistleblowing schemes in the fields of accounting, internal accounting controls, auditing matters, fight against bribery, banking and financial crime, Working Party No 29 established under Directive 95/46 / EC.
[5] Among the first is the ruling of the European Court of Human Rights in Guja against Moldova (application no. 14277/04), where the court defined the basic preconditions for external reporting of harmful conduct to be protected (see below).
[6] For example, the Constitutional Court of the Czech Republic in case file no. III. ÚS 298/12 stated: “Private-law requirement for adherence to contracts, i.e. the principle pacta sunt servanda, in other words the contractual freedom and the employee’s commitment to loyalty to their employer cannot, a priori, prevail over another important public interest, namely the interest of employees also being able to turn to government authorities in situations where the employer is endangering (or such endangering is eminent) important societal interests, such as citizens’ health, protection of the environment, or protection of water purity or even when these public goods have already been endangered. A contract between an employee and an employer cannot interfere with public-law relations, undermine the interest of society to ensure that every citizen under a democratic rule of law can assist the government authorities in identifying deficiencies, and draw attention to such deficiencies where necessary.”
Autor článku: JUDr. Jakub Morávek, Ph.D.