Criminal law in the European Union is an area that still falls within the remit of each Member State. Hence, the rules on whether or not a corporate can be criminally liable and on the criminal sanctions in the event of liability vary according to the relevant Member State, including in areas that concern the transposition of EU Directives (for instance on financial services and banking) that require Member States to establish sanctions.
Having said that, there is a variety of EU authorities and regulators that, albeit strictly speaking active in the regulatory and administrative field, have far-reaching investigative and sanctioning powers as well. These powers often do not differ significantly from those of criminal authorities. Because of the nature and effects of the measures taken and sanctions imposed by regulators on the corporates and individuals (e.g., senior management) affected by them, these persons often benefit from the same fundamental rights and guarantees under EU and national law that apply to purely criminal sanctions.2
Well-known examples of such regulatory authorities are the EU competition authorities (which wield powers across all sectors and areas of economic activity) and the EU financial and banking regulators (which supervise, investigate and sanction the conduct and activities of financial services providers, including banks). Other authorities, while created pursuant to Member States' national law, find their investigation and enforcement powers in EU regulations. This is, for example, the case for national data protection authorities that investigate and enforce potential breaches of the General Data Protection Regulation (GDPR).3
i EU competition law: the example of leniency
Undertakings are not obliged to self-report when they discover an internal wrongdoing that could constitute a competition law infringement. They may, however, voluntarily opt to do so in competition cases to benefit from a leniency programme.
Under EU competition law, the conditions and benefits of leniency applications are enumerated in the Commission Notice on immunity from fines and reduction of fines in cartel cases (Commission Leniency Notice).4 Undertakings that are part of a cartel can apply for leniency. By contrast, abuses of dominant position, vertical agreements and horizontal agreements that are not cartels within the meaning of the Commission Leniency Notice cannot benefit from the leniency programme.
Leniency is granted on a first-come, first-served basis. If an undertaking or association of undertakings wants to obtain full immunity from fines, it must be the first to submit information and evidence enabling the European Commission to carry out a targeted inspection or to establish an infringement. A company that does not qualify for full immunity can apply for a reduction of the fine if it provides evidence that represents significant added value to the evidence already in the possession of the European Commission. In all cases, the leniency applicant must also end its involvement in the alleged cartel (except when the European Commission decides otherwise to preserve the integrity of the inspections), cooperate fully and expeditiously with the European Commission throughout its investigation, and provide all evidence in its possession. The applicant may not destroy, falsify or conceal any evidence relating to the alleged cartel, either prior to the submission of the application or during the investigation.
In assessing whether the conditions for leniency are satisfied, the European Commission enjoys a margin of discretion.
A company cannot be certain whether the competition authorities will consider the information provided to be sufficient to qualify for immunity or fine reduction. Also, leniency applications, under European competition law, provide no protection against private law claims for damages from customers or competitors.
Under the Antitrust Damages Directive,5 a final infringement decision of a national competition authority is deemed to irrefutably establish the infringement before the courts of the same Member State (and is at least prima facie evidence of the infringement before the courts of other Member States). The Antitrust Damages Directive also facilitates the disclosure of evidence. However, leniency statements are shielded from disclosure requests. Other documents in the investigation file may be disclosed, although the court must balance the interests of the victims against the interest of effective public enforcement of competition law (i.e., keeping the leniency programme attractive for undertakings).
ii EU financial services and banking: the example of whistle-blowing
As further shown below, various pieces of EU legislation in the area of banking and financial services, or dealing with a specific topic (e.g., anti-money laundering (AML)), already contain a number of obligations to set up whistle-blowing mechanisms.
General: 2019 EU Whistle-blowing Directive
Until recently, there was no cross-sectoral EU legislation dealing with such mechanisms generally. This has changed with the adoption on 7 October 2019 of the Whistle-blowing Directive (the Directive).6 EU Member States have until 17 December 2021 to implement the Directive into their national legislation.
This Directive lays down minimum standards for the protection of 'reporting persons' (i.e., individuals (natural persons) reporting or publicly disclosing information on breaches acquired in the context of their work-related activities) and 'persons concerned' (i.e., individuals or legal entities who are referred to in the report or public disclosure as persons to whom the breach is attributed or with which they are associated). The employment status of the reporting person, and whether or not that person works in the private or public sector, is irrelevant. The protection also applies to, for instance, shareholders and persons belonging to the administrative, management or supervisory body of an undertaking, including the non-executive members thereof.
The breaches relate to an extensive list of pieces of EU legislation in a variety of areas that go beyond financial services or AML. They also include, among others, public procurement, product safety, transport safety, protection of the environment, food safety and health, consumer protection, the protection of privacy and personal data, and the security of network and information systems. In this sense, this Directive contains the 'default rules', whereas the rules on whistle-blowing that are contained in specific EU legislation will continue to apply.
The Directive first obliges EU Member States to ensure that legal entities set up internal reporting channels and procedures. As a rule, this obligation does not apply to legal entities in the private sector with fewer than 50 employees. As an exception, undertakings that are active in the financial sector or that are otherwise obliged entities for AML purposes are always captured by this obligation. Legal entities in the private sector with 50 to 249 employees are allowed to share resources for the receipt and possibly investigation of whistle-blowing reports.7
EU Member States are also obliged to establish external reporting channels and to designate to this effect the authorities competent to receive, give feedback on and follow up on reports. As the Directive captures more areas than those for which competent authorities for such external reporting are already in place, EU Member States will undoubtedly need to designate or establish new authorities that are specifically competent for such reporting.
Besides internal and external reporting channels, the Directive also protects, in certain circumstances, 'public disclosures' (i.e., situations in which a person publicly discloses information on breaches falling within the scope of the Directive).
Finally, the Directive obliges EU Member States to provide for a wide range of protections for reporting persons and persons concerned. These cover, among others, the confidentiality of their identity (albeit with important exceptions), the compliant processing of their personal data and the protection against retaliation.
EU whistle-blowing legislation in the area of financial services
At the EU level, various pieces of legislation in the areas of financial services generally and banking specifically also contain rules on the establishment of whistle-blowing mechanisms. These mechanisms typically have both an internal dimension (i.e., procedures for employees to report possible infringements to their employer) and an external dimension (i.e., procedures for employees, or other persons dealing with financial services firms or banks, to report possible infringements to the regulators).
Thus, for instance, Article 32 of the EU Market Abuse Regulation8 requires Member States to ensure that the respective national administrative authority that is competent for market abuse infringements establishes effective mechanisms to enable reporting of actual or potential infringements of this Regulation. These mechanisms must include at least:
- specific procedures for the receipt of reports of infringements and their follow-up, including the establishment of secure communication channels for such reports;
- appropriate protection, at a minimum, for persons working under a contract of employment who report infringements or are accused of infringements, against retaliation, discrimination or other types of unfair treatment within their employment; and
- protection of personal data both of the person who reports the infringement and the natural person who allegedly committed the infringement, including protection in relation to preserving the confidentiality of their identity, at all stages of the procedure without prejudice to disclosure of information being required by national law in the context of investigations or subsequent judicial proceedings.
In the same context, the Market Abuse Regulation also obliges Member States to require employers engaged in activities regulated by financial services regulation to have in place appropriate internal procedures for their employees to report infringements of the Regulation.
Finally, the Market Abuse Regulation allows Member States to provide, in accordance with national law, for financial incentives to be granted to persons who offer relevant information about potential infringements of the Regulation, where those persons do not have other pre-existing legal or contractual duties to report the information. The conditions for the provision of these incentives are that (1) the information is new, and (2) it results in the imposition of an administrative or criminal sanction, or the taking of another administrative measure, for an infringement of the Regulation.
A similar requirement to establish internal and external whistle-blowing mechanisms is also provided for in other EU legislation, such as, for instance, in relation to MiFID II,9 undertakings for collective investment in transferable securities (UCITS),10 insurance distribution11 and packaged retail and insurance-based investment products (PRIIPs).12
Finally, the same requirement exists in relation to the activities and supervision of credit institutions. The details of this requirement are laid down in Article 71 of the 2013 EU Banking Directive.13 The whistle-blowing mechanism to be established thereunder is to encourage the reporting of potential or actual breaches of both the national provisions implementing the 2013 EU Banking Directive and the 2013 EU Banking Regulation.14
As regards credit institutions in the eurozone, the European Central Bank (ECB) obviously has an essential supervisory role to play, being at the helm of the Single Supervisory Mechanism (SSM). As the competent authority within the meaning of the aforementioned Article 71, the ECB has set up a 'breach-reporting mechanism'. The rules and procedures governing this mechanism are laid down in Articles 36 to 38 of the SSM Framework Regulation.15 They set forth that any person may, in good faith, submit a report directly to the ECB if that person has reasonable grounds for believing that the report will show breaches of the 'relevant EU law' by the institutions supervised by the ECB or by the supervisors themselves (both the ECB and the national competent authorities for banking supervision).16 Where a breach relates to other areas of activity by a bank that do not fall under the ECB's supervisory competences (e.g., consumer protection or the implementation of anti-money laundering rules), it is outside the ECB's mandate to follow up on the breach. Instead, the breach should be reported to the national authorities that are competent for these areas. All personal data concerning both the person who does the reporting and the person who is allegedly responsible for the breach shall be protected in compliance with the EU data protection framework. Also, the ECB shall not reveal the identity of a person who has made such a report without first obtaining that person's explicit consent, unless disclosure is required by a court order in the context of further investigations or subsequent judicial proceedings.
With regard to significant supervised entities, that is, those entities that are directly supervised by the ECB, the ECB itself assesses the report. By contrast, with regard to less significant supervised entities, the ECB only assesses reports for breaches of ECB regulations or decisions. The ECB forwards reports concerning less significant supervised entities to the relevant national competent authority, without communicating the identity of the person who made the report, unless that person provides his or her explicit consent.
While anyone who has knowledge of a potential breach may report this to the ECB, the ECB has indicated that compliance officers, auditors and other employees of a bank are the groups that are more likely to have knowledge of possible wrongdoing. The breaches that are most commonly reported to the ECB concern the inadequate calculation of own funds and capital requirements as well as governance issues within credit institutions.
iii Investigation of potential breaches of data protection legislation
Since 25 May 2018, the GDPR governs the processing (i.e., any sort of operation, including mere storage) of personal data wholly or partly by automated means, as well as the processing of personal data that forms part of a filing system (even if it is not processed by automated means), within the European Union.17 The natural or legal person (or public authority, agency or other body) that, alone or jointly with others, determines the purposes and means of the processing is defined as the 'controller'. The identified or identifiable individual to whom personal data relates is defined as the 'data subject'. The GDPR also defines a third category of actors, qualified as 'processors' (i.e., persons processing personal data on behalf of, and under the instructions of, a controller).
In addition to setting out the general legal regime for such processing activities, the GDPR contains provisions in relation to investigations of potential breaches and their enforcement. It requires Member States to provide for at least one public authority to be in charge of the monitoring of the application of its provisions. It also sets out requirements in relation to the independence of the authority and qualification of its members, as well as their tasks and powers.
Among these tasks, national supervisory authorities are required to (1) monitor and enforce the application of the GDPR, (2) handle complaints lodged by a data subject (i.e., the individual to whom the personal data relates), or by a body, organisation or association, investigate the subject matter and keep the complainant informed of the progress of the investigation, and (3) conduct investigations, including on the basis of information received from another authority.
In conducting their tasks, the national supervisory authorities must be granted the following investigative powers:
- ordering controllers or processors to provide any information they require for the performance of their tasks;
- carrying out data protection audits;
- reviewing data protection certifications;
- notifying a controller or processor of an alleged infringement of the GDPR; and
- obtaining access to all personal data and to all information necessary for the performance of their tasks and access to any premises, including to any data processing equipment and means, in accordance with EU or national procedural law.
In practice, many investigations by national supervisory authorities are launched following a notification of a 'personal data breach' (i.e., a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed). Under the GDPR, controllers are required to notify personal data breaches to the competent national supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach (a later notification must be accompanied by the reasons for the delay), unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.18
i EU competition law
Under EU competition law, the European Commission may impose fines on corporates of up to 10 per cent of the total worldwide turnover of the undertaking in the preceding business year. In setting the fine, the European Commission takes into account the gravity and duration of the infringement. The Fining Guidelines provide more guidance on how exactly the European Commission calculates the fines.19 These Guidelines are not binding on the European courts, which have unlimited jurisdiction to review the fine and may cancel, reduce or increase it. However, the instances in which the European courts have adjusted fines in competition cases remain exceptional. In cartel cases, a 10 per cent reduction of the fine can be granted if an undertaking agrees to enter into a settlement with the European Commission. In doing so, the undertaking concerned must acknowledge its involvement in, and liability for, the infringement.
ii EU financial services and banking
The SSM started in November 2014 and is one of the four pillars of the EU Banking Union. It is particularly relevant for the supervision of credit institutions in the eurozone. It is composed of the ECB and the national authorities that are competent for the supervision of credit institutions in their respective EU Member State. The ECB has a key role in the SSM, as it is responsible for its effective and consistent functioning. In addition, it has, among the thousands of credit institutions that are established in the eurozone, full and direct supervisory authority over 'significant institutions'. To ensure compliance with the supervisory rules and its regulations and decisions in this area, the ECB has significant supervisory,20 investigative and sanctioning powers.
The ECB's investigative powers are similar to those that have been granted to other EU financial supervisory authorities, such as the European Securities and Markets Authority in the areas of supervision of over-the-counter derivatives, central counterparties and trade repositories,21 and of credit rating agencies.22 Thus, the ECB has the right to require legal and natural persons to provide all information that is necessary to carry out its supervisory tasks. It also has the right to require the submission and examination of documents, books and records, to obtain written or oral explanations from the representatives or staff of such persons, and to conduct all necessary on-site inspections at the business premises of the institutions under its supervision, including without prior announcement.
If an institution supervised by the ECB, intentionally or negligently, breaches a requirement under directly applicable EU law for which administrative sanctions are made available, then the ECB has the right to start a sanctioning procedure and impose administrative pecuniary sanctions.23 The same right exists in case of breaches of regulations or decisions adopted by the ECB in exercising its supervisory tasks.24 The ECB also has the right to publish the imposition of such sanctions, irrespective of whether or not a decision has been appealed. However, in certain exceptional circumstances, publication may be anonymised or delayed.
In other cases – for instance, breaches of national legislation that transposes EU Directives – the ECB can only require the national supervisory authorities to open a sanctioning procedure with a view to taking action to ensure that appropriate sanctions are imposed by the national authorities.
The ECB imposes its sanctions in accordance with the ECB Sanctioning Regulation.25 This Regulation, among others, sets forth the procedural rules and time limits for the imposition of sanctions, as well as their judicial review.
iii Data protection
To enforce any breach of the provisions of the GDPR, national supervisory authorities are granted a range of corrective powers, such as:
- issuing warnings that intended processing operations are likely to infringe the GDPR and, if such processing has taken place and infringed the GDPR, issuing reprimands;
- ordering the controller or processor to comply with a data subject's request to exercise his or her rights pursuant to the GDPR or to bring processing operations into compliance with the provisions of the GDPR, where appropriate, in a specified manner and within a specified period;
- imposing a temporary or definitive limitation, including a ban, on processing, and ordering the suspension of data flows to a recipient in a third country or to an international organisation; and
- imposing an administrative fine, in addition to, or instead of the abovementioned measures, depending on the circumstances of each individual case.
Under the GDPR, national supervisory authorities may impose administrative fines of up to €20 million or, in the case of an undertaking, up to 4 per cent of its total worldwide annual turnover of the preceding financial year, whichever is higher.26 As of early 2020, some 20 months after the GDPR became applicable, supervisory authorities had already issued hundreds of fines for amounts totalling several hundred million euros. While such fines have attracted a lot of attention, the impact of the other corrective powers, such as banning a processing activity or ordering the suspension of data flows outside the EU, should not be underestimated.
1 Stefaan Loosveld is a partner and Sarah Benzidi is an associate at Linklaters LLP.
2 The possible application of the criminal aspects of Article 6 of the European Convention on Human Rights is based on the criteria laid down by the European Court of Human Rights in Engel and others v. the Netherlands, 8 June 1976, 5100/71, paragraphs 82–83.
3 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (OJ L 119, 4 May 2016, p. 1).
4 Commission Notice on immunity from fines and reduction of fines in cartel cases (OJ C 298, 8 December 2006, p. 17).
5 In full, Directive 2014/104/EU of the European Parliament and of the Council of 26 November 2014 on certain rules governing actions for damages under national law for infringements of the competition law provisions of the Member States and of the European Union (OJ L 349, 5 December 2014, p. 1).
6 Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law (OJ L 305, 26 November 2019, p. 17). See for what follows: S. Loosveld, 'EU Financial Supervisory Powers, Whistleblowing and Self-reporting', Journal of International Banking Law and Regulation, 320-323.
7 The Directive provides for the possibility for EU Member States to grant similar exemptions to legal entities in the public sector.
8 In full, Regulation (EU) No. 596/2014 of the European Parliament and of the Council of 16 April 2014 on market abuse (market abuse regulation) and repealing Directive 2003/6/EC of the European Parliament and of the Council and Commission Directives 2003/124/EC, 2003/125/EC and 2004/72/EC (OJ L 173, 12 June 2014, p. 1).
9 See Article 73 of Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (OJ L 173, 12 June 2014, p. 349).
10 See Article 99d of Directive 2009/65/EC, as inserted by Directive 2014/91/EU of the European Parliament and of the Council of 23 July 2014 amending Directive 2009/65/EC on the coordination of laws, regulations and administrative provisions relating to undertakings for collective investment in transferable securities (UCITS) as regards depositary functions, remuneration policies and sanctions (OJ L 257, 28 August 2014, p. 186).
11 See Article 35 of Directive (EU) 2016/97 of the European Parliament and of the Council of 20 January 2016 on insurance distribution (OJ L 26, 2 February 2016, p. 19).
12 See Article 28 of Regulation (EU) No. 1286/2014 of the European Parliament and of the Council of 26 November 2014 on key information documents for packaged retail and insurance-based investment products (PRIIPs) (OJ L 352, 9 December 2014, p. 1).
13 In full, Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27 June 2013, p. 338).
14 In full, Regulation (EU) No. 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No. 648/2012 (OJ L 176, 27 June 2013, p. 1).
15 In full, Regulation (EU) No. 468/2014 of the European Central Bank of 16 April 2014 establishing the framework for cooperation within the Single Supervisory Mechanism between the European Central Bank and national competent authorities and with national designated authorities (ECB/2014/17) (OJ L 141, 14 May 2014, p. 1).
16 The term 'relevant EU law' covers the substantive rules relating to the prudential supervision of credit institutions that the ECB applies when carrying out the tasks conferred on it by the SSM Regulation. These rules are composed of directly applicable EU Regulations such as the Capital Requirements Regulation. When EU Directives are considered relevant Union law, the national implementations of these Directives are also considered to be relevant Union law, e.g., national implementations of the Capital Requirements Directive IV (CRD IV). Furthermore, where directly applicable EU Regulations grant options to Member States, the national legislation exercising those options is considered to be relevant Union law. ECB regulations, such as the SSM Framework Regulation, and ECB decisions, are also considered to be relevant Union law.
17 In certain cases, the GDPR also applies to processing of personal data outside of the EU. See Article 3 of the GDPR as well as Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), version 2.1, European Data Protection Board, 13 November 2019.
18 In certain cases, a personal data breach must also be communicated to the data subjects (see Article 34 of the GDPR).
19 Guidelines on the method of setting fines imposed pursuant to Article 23(2)(a) of Regulation No. 1/2003 (OJ C 210, 1 September 2006, p. 2).
20 E.g., requiring a credit institution to hold own funds in excess of the EU law capital requirements or to use its net profits to strengthen its own funds, requesting the divestment of activities that pose excessive risks to the soundness of an institution, limiting variable remuneration when it is inconsistent with the maintenance of a sound capital base, or removing members from the management of a credit institution.
21 Regulation (EU) No. 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories (OJ L 201, 27 July 2012, p. 1).
22 Regulation (EC) No. 1060/2009 of the European Parliament and of the Council of 16 September 2009 on credit rating agencies (OJ L 302, 17 November 2009, p. 1), as amended, among others, by Regulation (EU) No. 513/2011 (OJ L 145, 31 May 2011, p. 30).
23 The sanctions that the ECB can impose in this case consist of a maximum of twice the amount of the profits gained or losses avoided because of the breach where those can be determined, or a maximum of 10 per cent of the total annual turnover of that institution in the preceding business year. If the institution is a subsidiary, then the relevant total annual turnover is calculated on a consolidated basis.
24 The sanctions that the ECB can impose in this case consist of (1) fines of a maximum of twice the amount of the profits gained or losses avoided because of the infringement where these can be determined, or 10 per cent of the total annual turnover of the undertaking, and (2) periodic penalty payments of a maximum of 5 per cent of the average daily turnover per day of infringement. Periodic penalty payments may be imposed in respect of a maximum period of six months from the date stipulated in the decision imposing the periodic penalty payment.
25 In full: Council Regulation (EC) No. 2532/98 of 23 November 1998 concerning the powers of the European Central Bank to impose sanctions (OJ L 318, 27 November 1998, p. 4). To adapt it to the supervisory tasks exercised by the ECB under the SSM, the ECB Sanctioning Regulation has been amended by Council Regulation (EU) 2015/159 of 27 January 2015 amending Regulation (EC) No. 2532/98 concerning the powers of the European Central Bank to impose sanctions (OJ L 27, 3 February 2015, p. 1).
26 European guidelines have been adopted in relation to the method for determining the amount of fines. See the Guidelines on the application and setting of administrative fines for the purpose of Regulation 2016/679, The Article 29 Data Protection Working Party, 3 October 2017, WP253.