On September 23, the DraftLaw regulating the protection of persons who report on regulatory and anti-corruption infringements was published in the Official Gazette of the Congress of the Cortes Generales. The purpose of the text is to provide adequate protection against retaliation to natural persons who report any of the actions or omissions referred to in the law itself. As is known, Directive (EU) 2019/1937 of the European Parliament and of the Council is thus incorporated into Spanish law, which established common minimum standards to provide a high level of protection for persons reporting breaches of Union law.
The draft law, following the guidelines of the Directive, contains a series of very specific provisions in relation to various aspects, one of the most important being the obligation imposed on all entities and organizations, both public and private, to establish internally systems that allow those who maintain an employment or professional relationship with them, are able to report or alertthem to irregularities of which they have become aware in the context of that relationship, and all this with full guarantees that they will not be subject to retaliation for that reason [1].
Without prejudice to the considerable delay that we accumulate in the transposition (it should have been completed in December 2021), the truth is that everything indicates that in a few months the standard can be approved, after which the different bodies and entities must have these systems fully implemented and operational within a maximum period of three months [2]
In the field of the public sector, which is the one that concerns us here, the fulfillment of these forecasts requires to gain time in their planning, to be able to face them with a minimum of rigor and solvency. Let us recall, first of all, that the Directive imposed this requirement in general on all public sector entities, a provision that is incorporated in the draft law very broadly, so that practically no body or entity canexempt itself from this obligation [4]. That being so, I would dare to say that, except in the field of public commercial companies, which have already made significant progress in this area as a result of the extension to them of the regime of criminal liability of legal persons (article 31 quinquies of the Criminal Code after the reform operated by Organic Law 1/2015, of March 30), there are not many public sector entities that currently have these systems, so, to this date, the greatest challenge is those that have to start from scratch.
Be that as it may, we must start from the fact that, as the OECD has been demanding for years, for these tools to have real functionality they should be solidly established within a system of integrity of the organization, which in turn should rest on an ethical culture, something that should be addressed in a first stage in an essential way. That’s where we should start, therefore.
It would also be necessary to advance in planning the design of the essential elements of these systems and their fit within the organizational structures of each agency or entity. It is necessary to be very clear that the bill is not limited to requiring that there be a channel so that irregularities can be reported internally, but imposes that it be integrated into a system, with a person in charge appointed by the administrative or governing body of the entity, who must carry out their functions independently and autonomously with respect to the rest of the organizational bodies of the entity or body. This makes it essential to start thinking as soon as possible about the model to follow.
In many public administrations, some functions of this type are already resident in service inspections, while others have reporting channels within corruption offices or bodies located outside the administrative structure to provide them with greater autonomy and independence. Similarly, it is not possible to ignore that within the framework of the Anti-Fraud Plans referred to in Order HFP 1030/2021, which configures the management system of the Recovery, Transformation and Resilience Plan, it is recommended that decision-making or executing entities or that they participate in the execution of the PRTR measures, the creation of an Anti-Fraud Committee and an Internal Control Unit [4] , units which, if they exist, should not be left out of the integrity system or detached from the person responsible for the system referred to in the Directive and the draft law.
Admittedly, not all entities have the same characteristics, so it will also be necessary to make, at least, a first assessment of the situation of each one, its possibilities and its needsin order to consider sharing the System and resources with other entities (art. 8.9 of the Directive and 14 of the draft L ey) or, where appropriate, to resort to management through an external third party (Art. 15 of the draft L ey). In this area, the Autonomous Communities and, above all, the provincial councils, should also design possible actions to help its implementation, through subsidies or assistance, paying special attention to smaller municipalities.
Furthermore, it should be noted that, even in cases where institutions already have internal channels for alerting to irregularities, it would be necessary to adapt them to the requirements of the Directive and the transposition rule, as laid down in the first transitional provision of the draft law. Among others, special attention should be paid to some essential issues:
• In their design, it is necessary that these channels appear differentiated and independent of the internal information channels or systems of other entities or organizations. This issue is important to take into account for certain reporting channels that some public administrations have already established, and that, to date, serve other bodies or entities in their own field.
• As for their addressees, it must be guaranteed that at least the persons referred to in article 3 of the draft law can go to these channels, and that, through these channels, they can alert or report on the entire catalogue of irregularities provided for in the transposition norm provided that they have had knowledge in the labor or professional context.
• Internally, strict security protocols must be established in advance. The standard requires channels to be secure, so that these protocols must request access to unauthorized third parties and guarantee the confidentiality of the data of the person who is informed about the irregularities, of the persons concerned, or of any third party mentioned in the information provided, even in those cases in which the communication is sent to non-competent personnel.
• Technologically, channels must not only allow alerts about breaches to be presented anonymously, but must ensure that such anonymity is protected. As is known, anonymity is a step beyond confidentiality, so that, in these cases, not even the person in charge of receiving the alerts or information, nor the person responsible for their processing, monitoring and investigation, could access to know the identity of the complainant. This, of course, requires progress when implementing tools that allow these solutions, so that in digital environments the connection goes through encrypted tunnels that prevent tracking the source of the information.
• In parallel, these systems must be associated with a series of guarantees that provide protection to whistleblowers to avoid any type of retaliation. This requires that those guarantees must also be clearly defined and defined, in advance, within the scope of the entity or body itself.
These issues should not be left until the last moment, especially if we take into account that many of them, by their nature, require the participation of the representativesbefore the workers.
The clock that counts the deadlines to meet these requirements is closer to starting, and the rule itself intends that its non-compliance does not come free to anyone, contemplating sanctions of up to one million euros for entities that do not implement these systems, so it will be better not to get confused.
If the reform on the criminal liability of legal persons meant the generalization of compliance systems in the private sector and in public commercial companies, perhaps this rule can be a stimulus for the rest of the public sector entities to advance in an area traditionally so neglected for them, as is the integrity and fight against corruption. Perhaps also, this can help us to prevent corruption from continuing to appear as one of the most important problems for Spaniards or to recover the lost confidence in institutions, which we need well. We have plenty of reasons, and as the Marquis of Ensenada said to Fernando VI back in 1751 “Majesty, what is not started, does not end”.
Ignacio Saez Hidalgo
Lawyer and former director of the Legal Services of the Junta de Castilla y León
[1] Private sector legal entities with fewer than 50 employees would not be subject to this obligation.
[2] The project provides in its second transitional provision that the period available for the effective implementation of these channels is three months from their entry into force, with the only exception in the public sector of municipalities with less than 10,000 inhabitants, and in the private sector of legal entities with less than 249, for which it contemplates an extension of the term until December 1, 2023.
[3] The Directive allowed municipalities with less than 10 000 inhabitants or with less than 50 workers, or other entities with less than 50 workers, to be excluded, but the project approved by the Government has chosen not to operate an exception in this regard, without prejudice to the fact that they can share resources.
[4] Guidelines prepared by the Ministry of Finance and Public Function dated January 24, 2022
https://www.fondoseuropeos.hacienda.gob.es/sitios/dgpmrr/es-es/Documents/Orientaciones plan antifraude PRTR_SGFE_MHFP_enero 2022.pdf