New Bulgarian Whistleblower Protection Act – Some initial thoughts on its implementation
The new Bulgarian Whistleblower Protection Act came into force on 4 May 2023. Its scope includes local and public authorities, as well as private sector enterprises with more than 50 employees. Bulgaria was late with the transposition of the EU Whistleblower Directive and was sanctioned by the European Commission for this failure. The process took longer due to political instability and changing governmental priorities. When it comes to the public consultation process – initial drafts of the text were showing lack of awareness about the role of whistleblowers as primary source of revealing organisational wrongdoing. Bulgarian legislators were unsure about and institutional set-up for facilitating the whistleblowing process.
After two-rounds of public consultations, involving the NGO sector (mainly Transparency International Bulgaria, but the European Compliance Center also submitted comparative inquiry), the draft legislations finally entered the Parliament in November 2022 (almost a year after the EU Directive should have been transposed).
Fortunately, many of the comments made by the non-governmental sector were considered by the legislator, so the provisions of the new law that entered into force differ substantially from earlier drafts.
The biggest challenge to Bulgarian regime was to designate a responsible public authority that will receive external whistleblowing disclosures ranging from organisational wrongdoings to serious economic/organised crime. The choice made by the legislator was correct and in accordance with the advice by the NGO sector. External whistleblower disclosures will be received by the National Data Protection authority (NDPA), the consideration being the ability to ensure secure and confidential reporting channel. After receiving the external disclosure, the NDPA will resend the case, including collected evidence (ensuring data privacy and confidentiality) to relevant enforcement authorities, for example: for tax-evasion matters – it will be the National Revenue agency and for money-laundering and terrorist financing signals – Financial Supervision authority (maybe here better option could have been Bulgarian FIU).
It remains to be seen how the NDPA will coordinate the whistleblower protection efforts with the whole range of different enforcement authorities. The problem might be lack of resources, time and insufficient training of staff that is usually responsible for dealing with data privacy violations. All stakeholders are currently looking forward to NDPA’s further guidance and instructions on the matter.
Private sector perspective
For many Bulgarian companies the new regulation still comes as a surprise. Many businesses are not prepared to meet new obligations, especially the SMEs and the ones which business operates locally. For many stakeholders the regulation will add to the administrative burden, already imposed by the GDPR or the AML. Problems with whistleblowing disclosures and protection might be expected when it comes to state-owned entities (SOEs).
Similarly to other countries in the CEE region, the problem is rooted in-path dependant business practices and the cultural perception that the whistleblower is a traitor to the organisation. Society tends to put stigma on whistleblowing, without considering that whistleblower disclosures are primary way to reveal organisational wrongdoing and prevent serious economic crime.
Unfortunately, both managers and employees in many organisations still believe that reporting wrongdoing to the line-manager constitutes whistleblowing. This is not the case as whistleblower procedures should be independent from the business/executive lines.
In the core of the whistleblowing process stands creation of a secure and confidential reporting channel. This will be one of the main obligations according to the new Bulgarian law (in accordance with the EU Directive). The text of the new legislation gives examples of how whistleblower disclosures can be reported – for instance orally by phone or in person by meeting the internal whistleblower case handler. The new legislation sets an underlying internal organisational conflict from the outset and threatens to compromise the requirement of confidentiality. What is more, the NDPA is obliged in due course to prepare a standardised disclosure form, containing too much personal data about the whistleblower, such as: full name, address and telephone number of the sender…signature, electronic signature or other way of verifying sender’s identity.
It is surprising how old-fashioned is Bulgarian legislation when enumerating possible ways of setting/operating a whistleblower channel. The opportunities provided by new technologies are absolutely disregarded. The European practice is whistleblower disclosures to be made by utilising an appropriate reporting software/ RegTech solution. For example, Belgium law allows only anonymous whistleblower disclosures that focus on collecting information/evidence about the wrongdoing, not on personal data for identification of the whistleblower.
The question of anonymous whistleblowing remains unclear. It seems that although protection against retaliation of anonymous whistleblowers is explicitly recognised by the new legislation, there is no procedural way how to deal in practice with anonymous disclosures.
On the other hand, it might be argued that legislator recognised that not all businesses are tech-savvy (i.e. companies in production or agricultural sectors). For example, there might be a factory where manual workers should be able to report wrongdoings in the context of their employment responsibilities without the need to use computer. For such cases, the designation of external whistleblower case handler might be the best option (Bulgarian legislation is silent on this point).
Overall, some parts of the new act are concerning. Legislator does nothing to encourage whistleblowing and might impair the effectiveness of whistleblower protection. Financial crime professionals might expect discrepancies and caveats in application and enforcement across Member states, so it will be always a good idea to consider local practices and peculiarities.