Who is a whistleblower?
A whistleblower is someone who reports fraud, crime, or other serious wrongdoing inside a company. The report serves the public good: colleagues, customers, local people, the environment, or the economy. Usually the reason is simple. They refuse to look the other way. A worker sees that something is badly wrong. They judge that the cost of staying quiet outweighs the cost of speaking up. A good report is built on facts the whistleblower has seen first-hand, not rumour or a grudge.
Key Takeaways
- A whistleblower reports serious wrongdoing at work to protect the public.
- People speak up only when they feel safe, so the channel must be confidential and independent.
- Reports can go three ways: to the company, a national authority, or the public.
- The law is the real shield, not anonymity: in the EU the employer must prove they did not punish the reporter.
- Whistleblowing is now routine, and over 2 billion dollars has gone to US informants since 2012.
For whistleblowing to work, the person who reports the wrongdoing must feel safe. Fear of being dismissed, demoted, blocked from promotion or quietly bullied is what keeps wrongdoing hidden. So a company that takes whistleblowing seriously has to give people a safe place to report. The reporting channel has to be built for that job. It must run apart from the people whose conduct might be reported. And it must stay open to anyone tied to the company. Not only employees, but suppliers, contractors, consultants and customers can become whistleblowers.
Where a report goes depends on what it holds. Smaller, internal matters land with the compliance team, an ethics officer, or a named trustee inside the company. More serious findings reach the board, outside auditors, or regulators. At the top end, they reach law enforcement, the press, or national and EU watchdogs.
Modern laws usually set out three reporting tiers. Internal reporting goes to a channel inside the company. Compliance, an ombudsperson, or an outside firm runs it. External reporting goes to a national authority. Going public is a last resort, whether to the press, an NGO, or social media. It applies only when internal and external channels have failed. It also covers two cases: clear risk to the reporter, or a likely cover-up. Building all three into one law lets the system scale. The same safeguards then cover everything from small internal complaints to major public scandals.
Whistleblowers don't have to suffer in silence. Anonymous reporting helps, but the stronger shield is legal protection. The EU Whistleblower Directive and the national laws behind it reverse the burden of proof. A reporter might be fired, demoted or otherwise treated badly after a report. If so, the employer has to prove the action wasn't payback. That one shift changes who carries the risk.
Origin of the "whistleblower" term
British Acme whistle by J. Hudson & Co (circa 1930s)
©R. Henrik Nilsson (CC BY 4.0)
The first uses of the word "whistleblower" go back to the 19th century. Police blew whistles to call for help when chasing a suspect. Referees used them to stop play after a foul. Both send the same message. It is a sharp public signal that something has gone wrong. People nearby need to take notice. Literally, whistleblowing means whistling. In the 1970s, the campaigner Ralph Nader gave the term a new use. He applied it to people who exposed corporate and government wrongdoing. He wanted to break with ugly words like "informer" or "snitch".
Journalists and activists carried the word into everyday use. Along the way it lost its hyphen, going from "whistle-blower" to "whistleblower". In modern use it carries a positive connotation: someone who took a risk to tell the truth. Books and films about whistleblowers have strengthened that idea. They turn real cases into stories people know.
Famous whistleblowers
Many of the best-known cases involve insiders reporting on their own employers. Frances Haugen walked out of Facebook with internal research. It showed the company knew its platforms caused harm. Others acted because of direct danger to human health. Erika Cheung and Tyler Shultz exposed Theranos. Jeffrey Wigand exposed Brown & Williamson Tobacco. At Theranos, Elizabeth Holmes is serving an eleven-year fraud sentence. A federal appeals court turned down her appeal in February 2025. The two best-known cases come from the public sector. Edward Snowden exposed NSA mass surveillance in 2013. Russia gave him citizenship in 2022. Mark Felt, the FBI deputy director, outed himself in 2005 as the Watergate source "Deep Throat".
Frances Haugen at the Heinrich-Böll-Stiftung event, Berlin, November 4, 2021
©Stephan Röhl (CC BY-SA 2.0)
John Barnett spent thirty-two years at Boeing. As a quality manager at the 787 Dreamliner plant, he reported faulty parts and metal shavings near flight-control wiring. He was found dead from a self-inflicted gunshot on 9 March 2024, partway through a deposition in his retaliation case. His family settled their wrongful-death suit with Boeing in 2025.
Not every case ends that way. Erin Brockovich was a legal clerk with no formal training. She built the case that won $333 million from Pacific Gas & Electric. The cause was chromium-6 in the water of Hinkley, California. It was the largest settlement of its kind at the time. Her fight has since carried on to the PFAS "forever chemicals".
The birth of whistleblowing laws
An evocation of the era of the 1912 Lloyd-La Follette Act, the historical baseline for whistleblower protection in the United States.
The first whistleblower act was signed in the United States on 24 August 1912. Known as the "Lloyd-La Follette Act", it covered only federal employees. It let them speak straight to members of Congress. They did not have to go through their agency.
Between 1972 and 1990, the US passed a string of laws that extended those rights outside government. Most were tied to green laws. Workers who reported air, water or soil pollution at their employer's sites got protection against payback. The idea began to spread from the public sector into private industry.
In July 1998, the UK government passed the Public Interest Disclosure Act (PIDA). It protected employees who reported wrongdoing in good faith. It also made it illegal to fire them for it. PIDA became the template that several Commonwealth and European countries copied over the next decade.
In July 2002, the US Congress passed the Sarbanes-Oxley Act, a direct reply to the Enron and WorldCom scandals. SOX targeted financial fraud and weak corporate governance. One lesser-known part extended cover to whistleblowers at public companies. It also told audit committees to set up private reporting channels.
Eight years later, the Dodd-Frank Act of 2010 created the SEC's whistleblower programme. It was the first to pay informants a share (10% to 30%) of the fines collected in a successful case. That reward changed whistleblowing in the United States. It turned a purely moral act into something a person could afford to do.
In October 2019, the European Union adopted a new Directive. It protects people who report breaches of Union law. It was the first cross-border framework of its kind. It told all 27 Member States to put national whistleblower laws on the books.
Whistleblower laws today
The EU directive set a deadline of 17 December 2021. Most Member States missed it. Only three countries had a national law in place by then. The Commission took legal action against 24 countries. By July 2024, it published its first progress report. All 27 Member States had finally written the directive's main rules into law. But Brussels flagged compliance problems in about half of them. The gaps were mainly the scope of protection, the meaning of retaliation, and exemption rules. The next review is due in 2026.
Poland was one of the slowest to act. The Polish Sejm finally passed the Whistleblower Protection Act on 14 June 2024. It took effect on 25 September 2024, almost three years after the EU deadline. The law covers every public or private company with at least 50 employees. Each one has to set up an internal reporting channel. Financial-sector firms have to do so whatever their size. Payback is banned. In such disputes, the burden of proof shifts onto the employer.
On the other side of the Atlantic sits the SEC programme. It has become the largest reward scheme for whistleblowers in the world. Since 2012 it has paid out more than $2 billion to 444 people. The peak years were around fiscal 2023 and 2024. Fiscal 2025 saw a sharp drop to about $60 million across 48 awards. That was the lowest annual total in five years. Whether that's a one-off or the start of a longer slowdown isn't clear yet. A couple more annual reports will tell.
Every EU organisation with at least 50 employees now has to operate a dedicated, independently run internal reporting channel.
The day-to-day numbers point in the same direction. Whistleblowing has stopped being a rare act. Inside large companies, filing an internal report is now a routine part of the business.
Payback is what these laws are meant to deter. It remains the sharp edge of the problem. The flip side of more reporting is that the people who report still face real career risk. The protections include the reverse burden of proof, automatic interim measures and anti-gag clauses. They only work if courts and regulators choose to enforce them.
None of that erases the personal cost. Speaking up still risks careers, friendships, and in rare and terrible cases like John Barnett's, a great deal more. The case for protection is the same as it always was. A society that wants honest companies and honest public bodies has to make sure of one thing. The people inside them must be able to tell the truth without paying for it. That is the work the EU directive started and the Polish act extended. The next decade of enforcement will either lock it in or let it slip.
Legal advisor specializing in business, commercial and IP law. Writes on whistleblower legislation, the EU Directive, and implementing reporting procedures.