Whistleblowing

Whistleblowers in private sector entities are predominantly covered by the Corporations Act 2001 (Cth) part 9.4AAA.

Whistleblowers are also covered by the Taxation Administration Act 1953 where the disclosure relates to tax information.

Public officials are covered by the Public Interest Disclosure Act 2013 (Cth).

Australian whistleblower protections are slightly different from that of the EU. Broadly, the 2019 EU Directive provides much broader protection for whistleblowers. In Australia, the laws are more specific to certain circumstances. Some examples:

• the EU Directive covers both the public and private sector, while Australia has two separate systems;
• the EU Directive covers individuals who assist whistleblowers, while the Australian systems do not;
• the EU Directive notes that disclosable acts referred to as breaches include acts or omissions that are not unlawful but that defeat the object or purpose of the law. Australia has key disclosable acts that are not this broad.
• the EU Directive, like Australian law:
  • covers individuals outside of the typical employer/employee relationship;
  • does not consider motive as to why someone reports;
  • protects the whistleblower's identity and grants protection to anonymous disclosers who are later identified;
  • allows people to report internally or directly to the authorities; and
  • allows for public disclosure in certain circumstances. 

The status of whistleblowers in Germany, as in other EU member states, is primarily governed by European law. The relevant legislation is Directive (EU) 2019/1937 of the European Parliament and of the Council on the protection of persons reporting infringements of Union law (EU Whistleblower-Directive).

The German legislature has incorporated the EU-Whistleblower-Directive into German law by enacting the Whistleblower Protection Act (“Hinweisgeberschutzgesetz”) which – largely – entered into force on July 2, 2023.

If the Whistleblower Protection Act (hereinafter referred to as “HinSchG”) should meet specific concerns under European law, this will be pointed out separately in the following.

The only sector-agnostic legislation dealing with the protection of whistleblowers in India are:

• the Whistle Blowers Protection Act 2014 (Whistle Blower Protection Act), which enables any person (ie, a whistleblower) to report an act of corruption, wilful misuse of power or discretion, or a criminal offence by a public servant.  This includes all public servants, including ministers, members of parliament, the lower judiciary, regulatory authorities, and central and state government employees. A specified competent authority appointed under this legislation will conduct a discreet inquiry into the complaint and conceal the identity of the complainant and public servant; and
   
• the Companies Act 2013 (Companies Act), which mandates the incorporation of a whistleblower policy, but primarily only by listed companies.

To date, there are no specific laws dealing with the protection of whistleblowers applicable to private, unlisted companies or unincorporated entities and their employees. Employers are free to formulate and adopt a whistleblower policy to encourage employees (or any other person for that matter) to report matters without the risk of subsequent victimisation, discrimination or disadvantage, economic or otherwise. Accordingly, for private establishments, the whistleblowing regime remains largely discretionary and policy-driven. 

In addition to the laws listed above, while there are various disclosure obligations imposed on persons and entities (such as banks and listed companies) enabling early detection of fraud and wrongdoing, India has not yet adopted laws to improve the protection of whistleblowers across sectors or levels in the economy and establish adequate secure channels or mechanisms to enable whistleblowers to report without fear of disclosure, retaliation or victimisation.

According to the Australian Securities and Investment Commission (ASIC), public companies, large proprietary companies, and corporate trustees of Australian Prudential Regulation Authority (APRA)-regulated superannuation entities must now have a whistleblower policy. Among other things, the law requires the whistleblower policy to include information about the legal protections available to whistleblowers, and how a company will investigate whistleblower disclosures and protect whistleblowers from detriment.

ASIC Regulatory Guide 270, Whistleblower Policies was created to help companies and other entities establish a policy in line with their legal obligations.

In principle, companies that regularly employ 50 or more employees are obliged to set up an internal reporting system (section 12 (1), (2) HinSchG). For companies with between 50 and 249 employees, this obligation will only apply from 17 December 2023 (section 42 HinSchG).

For certain employers, particularly in the financial and insurance sectors or for data provision companies, the obligation to set up an internal reporting office applies irrespective of the number of employees as of the entry into force of the Act (section 12 (3) HinSchG).   

As per the Companies Act, the following types of companies are required to establish a vigil mechanism and adopt a “whistleblower policy” for directors, employees, stakeholders and any other individuals (such as auditors) to report concerns about unethical behaviour, actual or suspected fraud or violation of the company’s code of conduct or ethics policy:

• listed companies;
• companies that accept deposits from the public; and
• companies that have borrowed money from banks and public financial institutions totalling more than 500 million Indian rupees.

The requirement for listed companies to adopt a whistleblower policy also arises from the Securities and Exchange Board of India (Listing Obligations and Disclosure Requirements) Regulations 2015.

The abovementioned companies will be hereinafter referred to collectively as “Covered Companies”.

The vigil mechanism or whistleblower policy must provide adequate safeguards against the victimisation of persons who use it. The Companies Act also requires auditors to report an offence of fraud in the company by its officers or employees if they identify or note such instances during the performance of their duties.

There is no specific guidance on whether there may be a whistleblower procedure at a Group level encompassing all subsidiaries. However, in the absence of a prohibition to this effect, the better view is that such a procedure is possible at a Group level covering all subsidiaries. 

Under section 1317AA(4) of the Corporations Act, an entity's policy must cover the types of disclosures that qualify for protection. Disclosable matters involve information that the discloser has reasonable grounds to suspect concerns misconduct, or an improper state of affairs or circumstances, concerning:

• an entity; or
• if the entity is a body corporate, a related body corporate of the entity.

Under section 1317AAA of the Corporations Act, an entity’s policy must explain the role of “eligible recipients” – that is, to receive disclosures that qualify for protection. If an entity is a body corporate, an eligible recipient includes:

• an officer or senior manager of the entity or related body corporate;
• the internal or external auditor (including a member of an audit team conducting an audit) or actuary of the entity or related body corporate; and
• a person authorised by the entity to receive disclosures that may qualify for protection.

According to the explanatory memorandum of the Whistleblower Protection Act, it is legally permissible to implement an independent and confidential internal reporting office as a "third party" within the meaning of article 8(5) of the EU Whistleblower Directive at another group company (eg, parent company, sister company or subsidiary), which may also work for several independent companies in the group (section 14 (1) HinSchG). However, the European Commission has already announced in two statements during the legislative process that a group-wide whistleblower system does not meet the requirements of the EU Whistleblower Directive. The question of the compatibility of the regulation with EU law will only arise in practice at a later stage, provided that this question needs to be clarified in court. 

The Whistleblower Protection Act in line with the EU Directive further provides that several private employers with between 50 and 249 employees employed on a regular basis may commonly implement and operate an internal reporting office to receive notifications. However, the legal obligation to take action to remedy the violation and the corresponding duty to report back to the person making the report has to remain with the individual employer.   

Yes, this may be done. Various organisations in India have adopted a whistleblowing policy at the group level and set up a common hotline channel or speak-up portal to receive complaints of unlawful or unethical conduct and other wrongdoing within group companies.

Sections 1311(1) and 1317AI(4) of the Corporations Act notes that it is an offence of strict liability not to implement a whistleblower's policy.

The penalty for non-compliance for individuals is 60 penalty units (A$13,320) and for companies is 600 penalty units (A$133,200), and is enforceable by ASIC.

If there are no whistleblowing procedures in the company (ie, an internal reporting system is not implemented and operated), this constitutes an administrative offence punishable by a fine. This fine may amount to up to 20,000 EUR (section 40 (2) No. 2, (5) HinSchG).

At this point, it should be noted that there is a high incentive for employers to implement an internal reporting channel, since the external reporting channel is available to the whistleblower in any case. Consequently, if an internal reporting office were not implemented or operated, the whistleblower would be forced to report directly to the external reporting office. As a result, the employer would not be able to make internal corrections without the reported information leaving the company.

As per the Companies Act, for failure to adopt and implement a whistleblowing procedure, a Covered Company and every officer of that company who is responsible for such non-compliance may be punished with a fine of up to 10,000 rupees and, if non-compliance continues, a further fine of up to 1,000 rupees a day.

Strictly speaking, no. ASIC Regulatory Guide 270 does not refer to employee representative bodies needing to be involved in the implementation of whistleblower policies.

Although the implementation of a whistleblower system is based on a legal obligation, the works council only has to be involved under certain circumstances.

At first, the employer is, in principle, already obliged to inform the works council in good time and comprehensively about everything it requires to carry out its duties. This information requirement should enable the works council to review whether co-determination or participation rights exist or whether other tasks have to be carried out according to the German Works Constitution Act (BetrVG).

For instance, instructions concerning the orderly conduct of employees are subject to co-determination. These instructions are intended to ensure an undisturbed work process or to organise the way employees live and work together in the company.  If, in the course of the implementation of a whistleblower system, the already existing contractual obligations are extended or regulations regarding the specific reporting procedure are introduced (eg, in the form of a reporting obligation on the part of employees), the organisational behaviour would be affected and the works council must therefore be involved (section 87 (1) No. 1 BetrVG).

Furthermore, in the context of setting up an internal reporting channel, the Whistleblower Protection Act only stipulates that whistleblowers must be given the option of submitting a report to the whistleblowing system in text form or verbally. This could, of course, also be provided via digital channels - eg, via software- or web-based solutions. Should the introduction and use of such technical equipment in the relevant case allow the employer to monitor the behavior or performance of employees (eg, those who deal with the complaint), further co-determination rights of the works council according to section 87 (1) No. 6 BetrVG can be triggered.   

While Covered Companies may factor the suggestions of the unions, associations of officers or employees before framing a whistleblowing policy, employee representative bodies are not involved in the implementation of the vigil mechanism. The whistleblowing mechanism will be overseen by a Covered Company through its Audit Committee or Board of Directors, as may be relevant.

Under section 1317AI(5)(f) of the Corporations Act, an entity's policy must cover information on how the policy will be made available to officers and employees.

ASIC Regulatory Guide 270 provides examples of how to make a policy available to staff. It suggests:

• holding staff briefing sessions or smaller team meetings;
• posting the policy on the staff intranet or other communication platform;
• posting information on staff noticeboards;
• setting out the policy in the employee handbook; and
• incorporating the policy in employee induction information packs and training for new starters.

Further, an entity should conduct upfront and ongoing education and training.

Specialist training should be provided to staff members who have specific responsibilities under the policy.

Australian entities with overseas-based related entities need to ensure that people in their overseas-based operations also receive appropriate training.

To ensure disclosers outside an entity can access the entity’s whistleblower policy, the policy should be available on the entity’s external website.

The Whistleblower Protection Act does not oblige the company itself to publish any information regarding the internal reporting office or the internal reporting channel implemented. However, the internally implemented reporting office must have clear and easily accessible information available on the external reporting procedure and relevant reporting procedures of European Union institutions, bodies or agencies (section 13 (2) HinSchG).

The current explanatory memorandum to the Whistleblower Protection Act also contains the more detailed, but not legally binding, reference that the information can be made available via a public website, company intranet or a bulletin board that is accessible to all employees. In this context, it is recommended that the company also refers to the internally implemented reporting office or the internal reporting channel in the same way. This helps to counteract the risk that potential whistleblowers will report primarily via the external reporting channel.

Furthermore, the German Supply Chain Due Diligence Act (LkSG) also provides for the implementation of complaint mechanisms so that the regulatory requirements of companies can also be met through a uniform reporting system. Within its scope of application, the LkSG also provides for the publication of procedural rules for such a reporting system in text form as well as for annual reporting obligations on what measures the company has taken as a result of complaints.

Details of the whistleblowing policy and the mechanism thereof will have to be disclosed by the Covered Company on its website as well as in the Board of Directors’ annual report filed with the competent regulatory authority.

ASIC Regulatory Guide 270 notes that it is good practice but not mandatory that an entity has mechanisms in place for monitoring the effectiveness of its whistleblower policy.

ASIC suggests an entity could set up:

• oversight arrangements for ensuring its board, audit or risk committee are kept informed about the effectiveness of the policy;
• a mechanism to enable matters to be escalated to the entity's board or the audit or risk committee; and
• periodic reporting to the board, audit or risk committee.

The guide also notes that entities may consider involving an independent whistleblowing service provider authorised to receive their internal disclosures. This is especially so for smaller entities. Using an outside service provider may encourage more disclosures since disclosers can:

• make their disclosure anonymously, confidentially and outside business hours;
• receive updates on the status of their disclosure while retaining anonymity; and
• provide additional information anonymously.

In principle, the Whistleblower Protection Act intentionally does not specify which persons or organisational units are best qualified to carry out the tasks of the internal reporting office or to manage the corresponding reporting channel. However, the internal reporting office may not be subject to any conflicts of interest and it also must be independent. The EU Whistleblower-Directive mentions, for instance, the head of the compliance department or the legal or data protection officer as possible internal reporting offices.

If, in addition to the (internal) persons responsible for receiving and processing internal reports, other (external) persons have to be involved in a supporting activity, this supporting activity is legally only permissible to the extent that is necessary for the supporting activity. This applies, for example, to IT service providers that provide technical support for reporting channels.

It is also legally permissible to appoint a third party to carry out the tasks of an internal reporting office, including the reporting channel (section 14 (1) HinSchG). Third parties may include lawyers, external consultants, trade union representatives or employee representatives.

However, engaging a third party does not relieve the employer of the obligation to take appropriate action to remedy a possible violation. In particular, for follow-up actions to check the validity of a report, there must be cooperation between the commissioned third party and the employer.

While the reporting channel may be outsourced, in respect of Covered Companies, the mechanism should be overseen by the Audit Committee or Board of Directors, as applicable.

It's good practice for any organisation to have appropriate information technology and organisational measures for securing personal information they receive, handle and record as part of their whistleblower policy.

Entities should consult the Australian Privacy Principles under the Privacy Act 1988 (Cth) for any industry or government-specific standards.

Under the Privacy Act section 26WE, there are also requirements for the entity to report a data breach to the Office of the Australian Information Commissioner if it is likely to result in serious harm to individuals whose personal information is involved in the breach.

The internal reporting office implemented by the employer is, initially, authorised to process personal data insofar as this is necessary for the fulfilment of its task under the Whistleblower Protection Act (10 HinSchG). The wide-ranging processing authority allows the personal data contained in the reports to be both received and analysed by the reporting office. In addition, new personal data may be recorded and further processed during the implementation of the follow-up measures.

The employer's obligation to protect the data collected in the course of the whistleblowing procedure is then directly based on the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act. This means, for instance, that data processing has to be limited to the extent necessary to fulfil the tasks of the internal and external reporting channel – data minimisation principle, (article 5 (1) lit. c) GDPR).

Finally, the processing of personal data is complemented by the confidentiality requirements of internal (and external) offices, (section 8 HinSchG).

As per the Whistle Blower Protection Act, notwithstanding any law in force, the competent authority will be required to conceal the identity of the complainant and the documents or information furnished by him for enquiry, unless so decided otherwise by the competent authority itself or it becomes necessary to reveal or produce the same under an order of a competent court. Any person who negligently or with a mala fide intention reveals the identity of a complainant will be punished with imprisonment for up to three years and also a fine of up to 50,000 rupees.

The Indian Companies Act does not impose any obligations on employers regarding data protection and the confidentiality of the complainant, witnesses, the inquiry process or the outcome of a whistleblower complaint, which is a crucial part of whistleblower protection. This will be subject to any such policy adopted by the company.

An entity should analyse how best to structure, draft and present their policy.

An entity should also consider other standards and guidelines to ensure the policy is as up-to-date as it can be.

Entities should take care in determining whether they are complying with all legal requirements under the Corporations Act.

ASIC Regulatory Guide 270 provides a useful overview of what should be included in the policy as follows:

• policy's purpose;
• who the policy applies to;
• matters the policy applies to;
• who can receive a disclosure;
• how to make a disclosure;
• legal protections for disclosures;
• support and practical protections;
• handling and investigating disclosures; and
• ensuring fair treatment of all individuals.

The reporting channels must be designed in such a way that only the persons responsible for receiving and processing the reports as well as the persons assisting them in fulfilling these tasks have access to the incoming reports. It must, therefore, be ensured that no unauthorised persons have access to the identity of the person making the report or to the report itself. This has implications for the technical design of the internal reporting channel.

Also, the persons entrusted with running the internal reporting office must indeed be independent in the exercise of their activities and the company must ensure that such persons have the necessary expertise. Therefore, smaller or medium-sized companies should especially assess whether it will be more efficient to assign an experienced external ombudsperson to receive and initially process incoming reports. However, the ombudsperson who takes the call in this case is a witness bound to tell the truth, even if this is, for example, a company lawyer.

According to the German Whistleblower Protection Act, the internal whistleblowing reporting office is not obliged by law to accept or process anonymous reports; however, they “shall” be processed.  Companies should therefore assess carefully whether they provide systems that enable anonymous reports, as this may increase the number of abusive reports and make enquiries impossible. On the other hand, some ISO standards require the receipt of anonymous reports. Therefore, should a company seek certification according to these ISO standards, the whistleblower procedure to be set up must allow for the processing of anonymous reports.

Key aspects that should be borne in mind while formulating a whistleblower policy or procedure are:

• a special or distinct committee or channel must be created for receiving and handling disclosures, giving the whistleblowing mechanism a fair, neutral and independent institutional framework;
• the reporting mechanism should be systematic, simple and straightforward to facilitate an early and easy disclosure of any wrongdoing. The procedure for disclosure must be easily comprehensible and should be accessible by all employees or individuals associated with the organisation;
• the policy should provide adequate assurances and comfort regarding confidentiality of the identity of the whistleblower, continuity of association with the organisation, and the steps that the organisation will take to ensure that the whistleblower is not victimised, discriminated against or adversely impacted in any manner pursuant to the disclosure (including facilitating legal assistance at the organisation’s cost, if necessary);
• the policy should ensure that no action will be taken against whistleblowers who make disclosures in good faith and even allow for anonymous reporting; and
• identification of what matters may be reported under the policy, the persons against whom such matters can be reported, the process that should be followed by the organisation, remedial measures, details of persons with whom reported information will be shared, and an overview of the mechanism for protecting whistleblowers and persons cooperating with an investigation, etc.  

Section 1317AA of the Corporations Act provides that a disclosure qualifies for protection under the Act where:

• the discloser is an eligible whistleblower; and
• the disclosure is made to any of the following:
  • ASIC;
  • APRA;
  • A Commonwealth authority; and
  • Subsection 4 or 5 applies - see immediately below. 

Subsection 4 applies to disclosures of information where the discloser has reasonable grounds to suspect that the information concerns misconduct or an improper state of affairs or circumstances related to:

• the regulated entity; or
• a related body corporate of the regulated entity.

Subsection 5 applies to a disclosure of information if the discloser has reasonable grounds to suspect that the information:

• indicates the regulated entity or officer of the entity or related body corporate of the entity or officer of the related body, has engaged in conduct that constitutes an offence against, or contravention of any of the following:
  • the Corporations Act;
  • the ASIC Act;
  • the Banking Act 1959;
  • the Financial Sector (Collection of Data) Act 2001;
  • the Insurance Act 1973;
  • the Life Insurance Act 1995;
  • the National Consumer Credit Protection Act 2009;
  • the Superannuation Industry (Supervision) Act 1993;
  • an instrument made under an Act referred to in any of subparagraphs (i) to (viii); or
• constitutes an offence against any other law of the Commonwealth that is punishable by imprisonment for 12 months or more, represents a danger to the public or the financial system, or is prescribed by the regulations for this paragraph.

What an entity chooses to specify as falling under the policy, therefore, needs to cover these areas.

ASIC Regulatory Guide 270 provides some examples:

• illegal conduct;
• fraud, money laundering, misappropriation of funds;
• offering or accepting a bribe;
• financial irregularities;
• failure to comply or breach of legal or regulatory requirements; and
• engaging in or threatening to engage in detrimental conduct against a person who has made a disclosure.

The Whistleblower Protection Act´s  material scope of application goes beyond European legal requirements. It extends the material scope of application to all violations that are subject to punishment (section 2 (1) No. 1 HinSchG). Additionally, violations subject to fines are included insofar as the violated regulation serves to protect life, body, health or the rights of employees or their representative bodies (section 2 (1) No. 2 HinSchG). The last alternative covers not only regulations that directly serve occupational health and safety or health protection, but also related notification and documentation requirements, for example under the Minimum Wage Act. Thus, as a result, section 2 (2) No. 2 HinSchG covers the majority of administrative offences in the context of employment.

Finally, the Whistleblower Protection Act also provides for a list of infringements that predominantly correspond to the relevant areas of law according to the recitals of the EU Whistleblower Directive.

As per the Whistle Blower Protection Act, a whistleblower may make a complaint or disclosure relating to:

• the committing of or an attempt to commit an offence under the Prevention of Corruption Act 1988 by a public servant;
• wilful misuse of power or wilful misuse of discretion by which demonstrable loss is caused to the government or demonstrable wrongful gain accrues to the public servant or any third party; and
• the committing of or an attempt to commit a criminal offence by a public servant.

The Companies Act only states that stakeholders of a company may report “genuine concerns” under the vigil mechanism. While the definition of “concerns” has not been provided for under the Companies Act, it would be a prudent assumption that it covers instances of suspected fraud and non-compliance with applicable laws, rules and procedures or any other wrongdoing that would adversely affect the organisation or stakeholders at large (financially or otherwise).

The Taxation Administration Act 1953 is tax specific. The Public Interest Disclosure Act 2013 (Cth) is also specific to public officials.

Otherwise, most other companies are covered under the Corporations Act as section 1317AAB outlines what is a regulated entity. It includes:

• a Company;
• a Corporation to which paragraph 51(xx) of the Constitution applies;
• an authorised deposit-taking institution;
• a general insurer;
• a life company;
• a superannuation entity or trustee; or
• an entity prescribed by the regulations.

The Whistleblower Protection Act itself does not distinguish between different sectors regarding the internal reporting process. However, it contains an enumerative list of regulations from other statutes that take precedence over the Whistleblower Protection Act for the reporting of information on violations; these regulations are therefore lex specialis compared to the Whistleblower Protection Act (section 4 (1) HinSchG). Priority special provisions are, among others, regulated by the Money Laundering Act, the Banking Act, the Insurance Supervision Act and the Stock Exchange Act.    

The Whistle Blowers Act of 2014 targets public servants and is intended to prevent corruption, misappropriation of assets and misuse of power in the public sector. Further, provided a whistleblower makes full and true disclosure of all material facts, the settlement commissions established under the Income Tax Act 1961 and the Goods and Services Tax Act 2016 have the power to grant them immunity from those statutory penalties. Similarly, the Competition Commission of India established under the Competition Act 2002 possesses the power to award a reduced penalty to an informant who is a part of an anticompetitive cartel and makes a full, true and vital disclosure.  The Securities Exchange Board of India also rewards whistleblowers who are themselves guilty of violating securities law by granting anonymity and a pardon for their complete cooperation. Lastly, the Reserve Bank of India (RBI) prescribes for whistleblowing mechanisms to be adopted by various banks and financial institutions.

Broadly, a whistleblower is someone who reports waste, fraud, abuse, corruption, or dangers to public health and safety to someone who is in the position to rectify the wrongdoing (National Whistleblower Center, 2002).

A commonly accepted definition specifies that the act of whistleblowing is: 

"…the disclosure by organisation members (former or current) of illegal, immoral or illegitimate practices under the control of their employees to persons that may be able to effect action".[1]

A whistleblower is a natural person who, in the context of his or her professional activity or in the preliminary stages of professional activity, has obtained information about violations and reports or discloses it to the – internal or external – reporting offices provided for under the Whistleblower Protection Act (section 1 (1) HinSchG).

The Whistleblower Protection Act also applies to the protection of persons who are subject to a report or disclosure, as well as other persons who are affected by a report or disclosure, (section 1 (2) HinSchG).

As per the Whistle Blower Protection Act, a whistleblower is referred to as a “complainant” and it is defined as any person who makes a complaint relating to:

• the committing of or an attempt to commit an offence by a public servant under the Prevention of Corruption Act 1988;
• wilful misuse of power or wilful misuse of discretion by which demonstrable loss is caused to the government or demonstrable wrongful gain accrues to the public servant or any third party; or
• the committing of or an attempt to commit  a criminal offence by a public servant.

The Companies Act does not define “whistleblower” but it is generally understood to be a person who has first-hand information of fraud or other kinds of misbehaviour or unethical activity or wrongdoing within an organisation and discloses the same in the overall interest of the organisation and all its stakeholders.

Whistleblowers are often, but not always, employees of the organisations where the misconduct has occurred or is occurring.

Previous examples of internal whistleblowers include:

• the Commonwealth Bank Financial Planner Scandal whistleblower; and
• the CommInsure Life Insurance Scandal whistleblower.

Previous examples of external whistleblowers who were not employees include:

• a Ponzi Scheme whistleblower who was an external financial analyst; and
• the Trio Capital Superannuation Fraud whistleblower who was an external financial analyst.

While the commonly accepted definition of “whistleblowing” refers to employees of an organisation (both former and current), an eligible whistleblower is not limited to an employee of an organisation. This is highlighted in section 1317AAA of the Corporations Act, particularly subsections (c), (d), (g) and (h). This section of the Corporations Act is discussed further below.

Whistleblowers may be employees, but also, for instance, self-employed persons, volunteers, members of corporate bodies or employees of suppliers. In addition to persons who obtain knowledge in advance, such as in a job interview or during pre-contractual negotiations, the scope of protection also includes those for whom the employment or service relationship has been terminated. As a result, the status of a whistleblower is not dependent on formal criteria such as type of employment.

There are no limitations or qualifications on who can be a whistleblower. Any person with knowledge of a breach or wrongdoing may report it and qualify as a whistleblower.

Under the Corporations Act an individual must meet the definition of an “eligible whistleblower”.

Relevantly, the criteria set out in the Corporations Act include most people with a connection to a company or organisation who may be in a position to observe or be affected by misconduct and may face discrimination for reporting it. The importance of meeting the definition of an “eligible whistleblower” is that these people can access the rights and protections in the law when they report misconduct, and such protection is extended to their spouses and relatives.

Under section 1317AAA of the Corporations Act, an eligible whistleblower can be someone who is, or has been, any of the following:

• an officer of the regulated entity;
• an employee of the regulated entity;
• an individual who supplies services or goods to the regulated entity (whether paid or unpaid);
• an employee of a person that supplies services or goods to the regulated entity (whether paid or unpaid);
• an individual who is an associate of the regulated entity;
• for a regulated entity, which is a superannuation entity:
  • an individual who is a trustee (within the meaning of the Superannuation Industry (Supervision) Act 1993), custodian (within the meaning of that Act) or investment manager (within the meaning of that Act) of the superannuation entity;
  • an officer of a body corporate that is a trustee, custodian or investment manager of the superannuation entity;
  • an employee of an individual referred to in subparagraph (i) or a body corporate referred to in subparagraph (ii) (whether paid or unpaid);
  • an individual who supplies services or goods to an individual referred to in subparagraph (i) or a body corporate referred to in subparagraph (ii) (whether paid or unpaid); or
  • an employee of a person that supplies services or goods to an individual referred to in subparagraph (i) or a body corporate referred to in subparagraph (ii) (whether paid or unpaid).
• a relative of an individual referred to in any of paragraphs (a) to (f);
• a dependant of an individual referred to in any of paragraphs (a) to (f), or of such an individual's spouse; or
• an individual prescribed by the Corporations Regulations 2001 as being an eligible whistleblower in relation to the regulated entity.

To be qualified as a whistleblower, the person providing the information must have obtained the information in the context of his or her professional activity or in the preliminary stages of professional activity. Information about violations falls within the substantive scope of the Act only if it relates to the employing entity or another entity with which the whistleblower is or has been in professional contact.

Not applicable.

Yes, while whistleblowers can provide their name and contact details when they report - they can also report anonymously (ASIC Information Sheet 238 issued on 1 July 2019). 

This means that a whistleblower must make their disclosure to:

• a director, company secretary, company officer, or senior manager of the company or organisation, or a related company or organisation;
• an auditor, or a member of the audit team, of the company or organisation, or a related company or organisation;
• an actuary of the company or organisation, or a related company or organisation;
• a person authorised by the company or organisation to receive whistleblower disclosures;
• ASIC or the APRA; or
• a lawyer.

However, they do not have to identify themselves or their role, and so can raise their concerns anonymously and still access the same whistleblower protections afforded to those who provide their name and contact details when they report.

However, while an individual can report their concerns to ASIC anonymously, ASIC will not be able to follow up with the whistleblower for further information or next steps due to this anonymity (ASIC Information Sheet 238 issued on 1 July 2019).[2]

The Whistleblower Protection Act does not state that the employer must set up reporting channels in such a way that anonymous reports are admissible (section 16 (1) HinSchG). Also, external reporting offices do not have to process anonymous reports (section 27 (1) HinSchG). According to the Whistleblower Protection Act, however, anonymous reports “shall” be processed by the internal and external reporting offices. Against this background, employers are entirely free to choose whether to provide systems that allow for the submission and processing of anonymous reports or not.

As per the Whistle Blower Protection Act, a complaint is only acted upon by the competent authority if the complainant discloses their identity in the complaint. Complainants providing false identities or anonymous complaints are not recognised.

However, there is no embargo under the Companies Act against anonymous reporting concerning the activities of companies. The Audit Committee or Board of Directors may independently assess the contents of the anonymous complaint and take necessary action or attempt to reach out to the whistleblower for further information and cooperation. Leading business organisations in India allow anonymous complaints and have put in place processes to safeguard the identity of whistleblowers, and ensure the confidentiality of the investigation process.

It is uncertain whether a whistleblower needs to be a direct witness of the violation that they are disclosing. Rather, it appears that the only requirement that a whistleblower must show is that they have reasonable grounds to suspect that the information being disclosed about the company or organisation concerns:

• misconduct; or
• an improper state of affairs or circumstances.

Directly witnessing a violation would be the easiest way to establish reasonable grounds; however, it does not appear that this is a prerequisite for whistleblowers.

Relevantly, “reasonable grounds” means that a reasonable person in the whistleblower's position would also suspect the information indicates misconduct or a breach of the law (ASIC Information Sheet 238 issued on 1 July 2019).

In principle, the whistleblowers do not have to be direct witnesses to a violation. However, they must have obtained information about violations in connection with or before their professional activities. Violation information is defined as a reasonable suspicion or knowledge of actual or potential breaches and attempts to conceal such breaches that have occurred or are very likely to occur (section 3 (3) HinSchG). However, only whistleblowers acting in good faith are protected from any discriminatory measures as a result of their report.

There is no such requirement prescribed under applicable laws and the information provided by whistleblowers may be independently assessed and acted upon, notwithstanding the fact that the whistleblower was not a first-hand witness to the reported act.

ASIC Regulatory Guide 270 provides guidance on establishing a whistleblower policy. Under this guide, an entity's whistleblower policy must:

• identify the different types of disclosers within and outside the entity who can make a disclosure that qualified for protection;
• identify the types of wrongdoing that can be reported (ie, disclosable matters), based on the entity's business operations and practices;[3]
• identify the types of people within and outside the entity who can receive a disclosure that qualifies for protection;
• include information about how to make a disclosure;
• include information about the protections available to disclosers who qualify for protection as a whistleblower, including the protections under the Corporations Act; and
• outline the entity's measures for supporting disclosers and protecting disclosers from detriment in practice.

The whistleblower procedure requires – in its broad outlines – that the personal and material scope of the Whistleblower Protection Act is applicable. Assuming this, the whistleblower must have obtained information about violations in connection with his or her professional activities or in advance of professional activities. In a further step, the whistleblower must report or disclose these violations to the internal and external reporting bodies responsible. The Reporting Office will issue an acknowledgement of receipt to the person making the report within seven days. Within three months of the acknowledgement of receipt, feedback will be provided to the whistleblower on planned and already taken follow-up measures and their reasoning. This information will be documented in compliance with the principle of confidentiality. This documentation will be deleted two years after the conclusion of the proceedings.

For Covered Companies, the terms and conditions, as well as the whistleblowing procedure, will be subject to the policy adopted by them. As regards the procedure under the Whistle Blower Protection Act, upon receipt of a complaint the competent authority should conceal the identity of the complainant, or the public servant in the first instance, and make a discreet inquiry, as may be appropriate , to ascertain whether there is any basis for proceeding further to investigate the disclosure. If the competent authority, either as a result of the discreet inquiry, or on the basis of the disclosure itself without any inquiry, believes that the disclosure needs to be investigated, it shall seek comments, explanation or reports from the Head of the Department of the organisation or authority, board or corporation, or office concerned. Pursuant to this, if the competent authority believes that such comments or explanations or report reveals either willful misuse of power or willful misuse of discretion or substantiates allegations of corruption, it shall recommend that the public authority take appropriate measures against the public servant, which may range from corrective action to initiation of criminal proceedings against the public servant.

The hierarchical order for reporting a breach is:

• employer;
• competent authority or authorities (including ASIC, APRA, the Australian Federal Police, or a lawyer); and
• the public or media.

Relevantly, the general rule is that a whistleblower must first report to their employer. However, if the employer does not adequately deal with the report, or the employee is not comfortable reporting to their employer, they can go to the competent authorities. As a last resort, the whistleblower may go public.

There is no legally binding hierarchy between internal and external reporting channels. Therefore, the whistleblower has, in principle, the right to choose whether to report the violations externally or internally. However, in cases where effective internal action can be taken against violations, whistleblowers are to give preference to reporting to an internal reporting office. If an internally reported violation is not remedied, the whistleblower making the report is free to contact an external reporting office (section 7 (1) HinSchG).

This would be subject to the policy and reporting channels prescribed under the whistleblowing policy.

Whistleblower policy provisions will affect how a company can investigate the concern. The company's whistleblower policy must include information about how it will investigate concerns.

However, generally speaking, a company or organisation may report information to external authorities, such as ASIC, APRA, the Australian Federal Police or to a lawyer to seek advice about whistleblower protections.

Once the reporting process at the internal reporting office is completed, the internal reporting office can take various follow-up actions. In addition to internal investigations, the process can also be handed over to a competent authority for further investigation (section 18 No. 4 HinSchG).

There is no blanket requirement for an employer to inform external authorities upon receipt of disclosure from a whistleblower. However, depending on the nature of the disclosure, its gravity and impact, employers may be required to report the same to certain authorities, including but not limited to the Securities Exchange Board of India, RBI or relevant stock exchanges (in the case of listed companies) or even the Serious Fraud Investigation Office.

Generally, there should be no further action against a whistleblower if their accusation was founded on a reasonable cause. If the whistleblower had a reasonable but erroneous belief in the wrongdoing, and as a result they are dismissed by their employer, then they would potentially have a claim for unfair dismissal.

However, if the whistleblower did not have a reasonable ground, further action may be taken. This will depend on the parties involved and what the company or organisation decide to do. For instance, if following an investigation, it is found that the whistleblowing was deliberately false (ie, was not founded on a reasonable ground), then disciplinary action may follow. Such disciplinary action may include dismissal, termination of services or cessation of a service or client relationship.

As a principle, the disclosure of inaccurate information about violations is prohibited under the Whistleblower Protection Act (section 32 (2) HinSchG). A whistleblower may, however, not be sanctioned if the facts, after being verified, are merely not confirmed or do not constitute a violation in the final analysis. If the information disclosed was incorrect, the following legal consequences will apply:

On the one hand, the whistleblower must compensate for any damage resulting from intentional or grossly negligent reporting or disclosure of incorrect information (section 38 HinSchG). The whistleblower's liability for damages is based on the fact that a false report or disclosure has far-reaching consequences for the person affected or accused. The effects may no longer be completely reversible. According to the Whistleblower Protection Act, claims for damages resulting from merely negligent incorrect reporting should not arise. Besides, only whistleblowers acting in good faith are protected from further repercussions.

On the other hand, the whistleblower acts improperly if he intentionally discloses incorrect information in violation of section 32 (2) of the Whistleblower Protection Act (section 40 (1) HinSchG). This administrative offence may be punished with a fine of up to 20,000 EUR (section 40 (5) HinSchG).

There are no sanctions prescribed under the Companies Act if the facts, once verified, are not confirmed or do not constitute an infringement.

However, as per the Whistle Blower Protection Act, only persons who make any disclosure with a mala fide intention or knowing that it was incorrect or false or misleading, shall be punishable with imprisonment for up to two years and a fine of up to 30,000 rupees.

Breaching a whistleblower's anonymity and engaging in (or threatening to engage in) detrimental conduct towards a whistleblower or potential whistleblower, will carry a civil penalty for:

• a body corporate of a maximum of the greater of A$10.5 million, or if a court can determine the benefit derived or detriment avoided because of the contravention, three times that amount, or 10% of the annual turnover of the entity up to a maximum of A$525 million.
• an individual, the greater of A$1.05 million, or if a court can determine the benefit derived or detriment avoided, three times that amount.

Moreover, a failure to comply with the confidentiality and detrimental conduct provisions will also be a criminal offence, punishable by imprisonment or fines.

Retaliation against the whistleblower is prohibited under the Whistleblower Protection Act. This also applies to threats and attempts at retaliation (section 36 (1) HinSchG). In addition, it is prohibited to interfere or attempt to interfere with reports or communications between a whistleblower and the reporting office (section 7 (2) HinSchG).

If the whistleblower was nevertheless obstructed, the following legal consequences will apply: if a retaliation occurs, the person causing the violation must compensate the whistleblower for the resulting damage. However, this does not entitle the whistleblower to an employment relationship, a vocational training relationship, any other contractual relationship, or career advancement.

In addition, taking an illegal reprisal or interfering with the communications between the whistleblower and the reporting office constitutes an administrative offence, which can be punished with a fine of up to 50,000 EUR (section 40 (2) No. 3, (5) HinSchG).

Protection is only offered to whistleblowers under the Whistle Blower Protection Act after they report fraudulent activity or non-compliance, and not before. Accordingly, there is a lacuna in the Whistle Blower Protection Act (as well as the Companies Act) as far as they fail to prescribe sanctions to those who obstruct an individual from reporting fraudulent activity or non-compliance.

There is no formal registration process for whistleblowers[4]; however, the protections afforded under the law will only apply to a whistleblower who meets the following criteria:  

The whistleblower must be a current or former: 

• employee of the company or organisation the disclosure is about, or a related company or organisation; ;
• officer (usually that means a director or company secretary) of the company or organisation the disclosure is about, or a related company or organisation; 
• contractor, or an employee of a contractor, who has supplied goods or services to the company or organisation the disclosure is about – this can be either paid or unpaid (and includes volunteers); 
• an associate of the company or organisation, usually a person with whom the company or organisation acts in concert; or 
• trustee, custodian or investment manager of a superannuation entity, or an officer, employee, or a goods or service provider to a trustee, custodian, or investment manager. 

Protection is also offered if you are a spouse, relative or dependant of one of the people referred to above.  

The organisation the disclosure is about must be:

• a company; 
• a bank; 
• a provider of general insurance or life insurance; 
• a superannuation entity or a superannuation trustee; or 
• an incorporated association or other body corporate that is a trading or financial corporation – this includes not-for-profit organisations that trade in goods or services, lend or borrow money, or provide other financial services, and their trading or financial activities make up a sufficiently significant proportion of their overall activities. 

It is important to note that not all not-for-profit organisations are subject to whistleblower protections.

The whistleblower must make their disclosure to: 

• a director, company secretary, company officer, or senior manager of the company or organisation, or a related company or organisation; 
• an auditor, or a member of the audit team, of the company or organisation, or a related company or organisation; 
• an actuary of the company or organisation, or a related company or organisation; 
• a person authorised by the company or organisation to receive whistleblower disclosures; 
• ASIC or APRA; or 
• a lawyer.

The whistleblower must have reasonable grounds to suspect that the information they are disclosing about the company or organisation concerns:

• misconduct; or 
• an improper state of affairs or circumstances.

Relevantly, this information can be about the company or organisation, or any officer or employee of the company or organisation, engaging in conduct that:

• breaches the Corporations Act; 
• breaches other financial sector laws enforced by ASIC or APRA; 
• breaches an offence against any other law of the Commonwealth that is punishable by imprisonment for 12 months; or
• represents a danger to the public or the financial system. 

The protections under the Corporations Act can also apply to a whistleblower report to a journalist or a member of the Commonwealth Parliament or a state or territory parliament. However, protection is only in certain limited circumstances, as set out below:

Public Interest Disclosures

• The whistleblower must have previously made a report to ASIC or APRA that satisfied the criteria set out above. 
• At least 90 days must have passed since the whistleblower reported their concerns to ASIC or APRA, and the whistleblower does not have reasonable grounds to believe that action to address the concerns is being or has been taken.  
• The whistleblower must have reasonable grounds to believe that reporting their concerns to a journalist or parliamentarian would be in the public interest. 
• After 90 days from when the whistleblower reported to ASIC or APRA, the whistleblower must give ASIC or APRA a written notice that includes sufficient information to identify their earlier report and states their intention to make a public interest disclosure.[5] 
• The whistleblower must report their concerns about misconduct or an improper state of affairs or circumstances or a breach of the law to a journalist or a parliamentarian.

Emergency disclosures

• The whistleblower must have previously made a report to ASIC or APRA that satisfied the criteria set out above.
• The whistleblower must have reasonable grounds to believe that the information in the report concerns substantial and imminent danger to the health or safety of one or more people or the natural environment.
• The whistleblower must give ASIC or APRA a written notice that includes sufficient information to identify their earlier report and states their intention to make an emergency disclosure.[6]   
• The whistleblower must report their concerns about the substantial or imminent danger to a journalist or parliamentarian.

To obtain protection, the whistleblower generally has to contact the responsible internal or external reporting offices. Disclosure of information about violations directly to the public is subject to strict conditions. This is only permissible, for example, if there is a risk of irreversible damage or in cases where the external reporting agency has not taken the required measures (section 32 (1) HinSchG).

The whistleblower providing the information must further act in good faith (ie, must have reasonable cause to believe, at the time of the report or disclosure that the information disclosed is true, and the information relates to violations that fall within the material scope of the Whistleblower Protection Act (section 33 (1) No. 2 and 3 HinSchG).

As per the Whistle Blower Protection Act, if any person believes they are being victimised because they filed a complaint, made disclosures or rendered assistance in an inquiry under the Act, they may apply to the competent authority designated under the Whistle Blower Protection Act and seek protection.

The authority may take such action, as appropriate, and give suitable directions to the concerned public servant or the public authority (including the jurisdictional police to protect such person from being victimised or to avoid such victimisation. However, it is important to note that the Whistle Blower Protection Act does not clarify or lay down any standards or definitions for “victimisation”, and the same is subject to the assessment of the competent authority.

The process to be followed by whistleblowers in respect of Covered Companies or other establishments is subject to the policy adopted by such establishments.

The Corporations Act and the Taxation Administration Act 1953 (Cth) (Taxation Act) both contain protections for whistleblowers. Amending legislation that came into effect on 1 July 2019 strengthened the protection for whistleblowers under these Acts.[7]

Protection under the Corporations Act

Under the Corporations Act, a whistleblower is afforded:

• protection of information;
• protection against legal action; and
• protection from detriment.

Protection of information

A whistleblower can ask the company or organisation that receives the whistleblower report to keep that individual's identity, or information that is likely to lead to their identification, confidential. Generally, companies and organisations that receive a report cannot disclose information without the whistleblower's consent. However, they may report the information to ASIC, APRA, the Australian Federal Police, or a lawyer for advice about whistleblower protections. Although such information must remain confidential.

Protection against legal action

Relevantly, the Corporations Act protects a whistleblower against certain legal actions related to making the disclosure: including:

• criminal prosecution (and the disclosure cannot be used against the whistleblower in a prosecution, unless the disclosure is false);
• civil litigation (such as for breach of an employment contract, duty of confidentiality, or other contractual obligation); or
• administrative action (including disciplinary action).

Protection against detriment

Moreover, the Corporations Act makes it illegal (through a criminal offence and civil penalty) for someone to cause or threaten detriment to a whistleblower because they believe or suspect that they have made, may have made, or could make a whistleblower disclosure.

The criminal offence and civil penalty apply even if that individual did not make a whistleblower report, but the offender caused or threatened detriment to the individual because they believed or suspected that they have or might make a report. A person may be found to have caused an individual detriment if they:

• dismissed an individual from employment;
• injured an individual during their employment;
• altered an individual's position or duties to their disadvantage;
• discriminated against that individual and other employees of the same employer;
• harassed or intimidated the individual;
• caused psychological harm to that individual;
• damaged that individual's property, reputation, business, or financial position; or
• caused any other damage.

Importantly, the offence and penalty require that the detriment be the result of an actual or suspected whistleblower disclosure.

Other protection

An individual can seek compensation through a court if they suffer loss, damage or injury for making their disclosure.

Alternatively, an individual can pursue other remedies, such as:

• an order that the individual's employer reinstate them to their original position or a comparable position;
• an injunction to prevent or stop the detrimental conduct;
• an order that the person, company or organisation that has caused the individual detriment or threatened them, apologise to that individual.

Protection under the Taxations Act

Under the Taxations Act, the following protection is provided to an eligible whistleblower:

• protection of information – noting that it is illegal for someone to disclose a whistleblower's identity, or information that is likely to lead to their identification;
• protection from civil, criminal or administrative liability for making their disclosure and an entity cannot be sued for a breach of confidentiality clause in a contract; and
• immunity from disciplinary action.

The most fundamental part of the protection is the prohibition of retaliation against the whistleblower. Therefore, the reporting or disclosing of information may not result in unjustified disadvantages such as disciplinary measures, dismissal or other discrimination against the person providing the information. In Addition, the Whistleblower Protection Act still contains a reversal of the burden of proof if the whistleblower suffers a disadvantage in connection with their professional activities. However, it is presumed that the disadvantage is a reprisal for the tip-off only if the whistleblower also asserts this themself. It should be noted, however, that the reversal of the burden of proof in favour of the whistleblower will only apply in labour court disputes and not in fining proceedings.

Furthermore, the Whistleblower Protection Act contains an exclusion of responsibility. Thus, a whistleblower cannot be made legally responsible for obtaining or accessing information that he or she has reported or disclosed, unless the obtaining or accessing of the information and the procurement or access as such constitutes an independent criminal offence (section 35 (1) HinSchG). In addition, a whistleblower does not violate any disclosure restrictions and may not be held legally responsible for the disclosure of information made in a report or disclosure if he or she had reasonable cause to believe that the disclosure of the information was necessary to detect a violation.

While the Whistle Blower Protection Act does not define the specific scope of protection that may be provided to the complainant, the competent authority has a wide range of powers to take such action, as it deems fit, depending on the facts and circumstances of each case, and may give suitable directions to the concerned public servant or the public authority (including the jurisdictional police) to protect the whistleblower or witnesses.

However, the competent authority is not empowered to impose civil or criminal sanctions against perpetrators for any sort of physical harassment or attacks on whistleblowers.

In addition to the protections afforded to whistleblowers as summarised above (namely, the protection of information or confidentiality), the status of whistleblower can be supported by whistleblower policies. Relevantly, from 1 January 2020, the Corporations Act made it a requirement for all public companies, large proprietary companies and proprietary companies that are trustees of registrable superannuation entities to have a whistleblowing policy.

ASIC's Regulatory Guide 270 provides a handy overview of what should be included in a whistleblower policy. In this regard, the Regulatory Guide notes:

• in RG 270.40 that the purpose of a whistleblower policy is "to ensure individuals who disclose wrongdoing can do so safely, securely and with confidence that they will be protected and supported"; and
• in RG.270.11 that, under section 1317AI(5)(c) of the Corporations Act, an entity's whistleblower policy must have information that details how the entity will support whistleblowers and protect them from detriment.  

At first, the person providing the information may not be subject to legal liability for obtaining or accessing information that he or she has reported or disclosed. This does not apply if the procurement or access as such constitutes an independent criminal offence (section 35 (1) HinSchG).

In addition, whistleblowers are protected by a comprehensive prohibition of retaliation. Therefore, any adverse consequences caused by disclosure are prohibited. These include, for example, dismissal, disciplinary measures or salary reductions (section 36 (1) HinSchG). Measures that violate the prohibition are void under section 134 of the Civil Code. The prohibition of retaliation is rounded off by a reversal of the burden of proof. According to this, it is presumed that a disadvantage that occurs after a disclosure is retaliation. As a consequence, the person who has disadvantaged the whistleblower has to prove that it is factually justified and was not based on the report or the disclosure if the whistleblower also asserts the disadvantage himself (section 36 (2) HinSchG).

In addition, the whistleblower is entitled to damages in the event of a violation (section 37(1) HinSchG).

The Whistle Blower Protection Act and Companies Act do not prescribe any support measures for the status of whistleblowers.

If there is abusive reporting or non-compliance with the procedure of whistleblowing, there is a risk of:

• retaliation;
• reprisal;
• conflict problems;
• ongoing problems in the workplace; and
• adverse treatment which may impact an individual's health and safety.

(Office of the Independent Commissioner Against Corruption, Frameworks and practices for minimising risks of retaliation, November 2019).

If a whistleblower abusively reports a violation, this may initially give rise to criminal liability. Possible criminal offences are pretending to have committed a criminal offence (section 145d of the Criminal Code), false suspicion (section 164 of the Criminal Code) or offences of honour (section 185 et seq of the Criminal Code).

The whistleblower providing the abusive information also must compensate for any damage resulting from intentional or grossly negligent reporting or disclosure of incorrect information (section 38 HinSchG). Furthermore, there may be competing claims for damages, for example under section 823 (2) of the Civil Code in conjunction with a protective law.

Moreover, the whistleblower commits an administrative offence if he or she intentionally discloses inaccurate information. This may be punished with a fine of up to 20,000 EUR (section 40 (1), (6) HinSchG).

In principle, the whistleblower is free to decide whether he or she reports a violation through the internal or the external reporting channel (section 7 (1) HinSchG). However, if a violation is disclosed to the public directly (ie, without first using internal or external reporting channels and without there being an exceptional circumstance for this), the whistleblower is generally not subject to the protection of sections 35 to 37 of the Whistleblower Protection Act. Only in narrow exceptions is the whistleblower still protected, for example, if there is a danger of irreversible damage or comparable circumstances may represent an immediate or obvious threat to the public interest.

Apart from the risk of retaliation and adverse action in terms of withholding or denial of benefits, termination of the engagement, etc, historically, whistleblowers in India have also faced the risk of death and physical injury, especially in matters that involve public institutions related to scams and frauds. It may not be possible to identify and list all the risks that a whistleblower may be subjected to, as it will depend on the nature of the activity reported by him, the persons involved in such activity, the gravity, magnitude and impact of the disclosure and the position of the whistleblower within the organisation.