Data protection enforcement in the era of the Directive on whistleblowers: towards a collective approach ?

By applying in the field of data protection, the EU Directive on Whistleblowers (DWB), recognizes a fifth actor in the data protection governance system, next to national data protection authorities, data controllers, data protection officers and data subjects. Even though 'whistleblowers' have not been given any role in the 'governance structure' established by the GDPR, the GDPR creates a setting for the development of whistleblowing by promoting a new corporate culture based on transparency and reporting. Moreover, the DPAs certainly receive disclosures from insiders in data controllers and initiates investigations on their basis. But speaking out is a risky business without comprehensive legal protection and businesses without clear reporting channels. The DWB fills these gaps by setting out common minimum standards of protection for whistleblowers and by requiring legal entities and competent authorities to establish reporting channels. The DWB doesn't bring about a revolution: the protection of public interest remains to entrusted to institutionalised actors in accordance with the centralised approach of law enforcement. However, the whisteblower paves the way to a more collective approach of privacy enforcement by becoming a guardian of the public interest too.