Who is a whistleblower?

A whistleblower is someone who reports fraud, crime, or other serious wrongdoing inside a company. The report serves the public good: colleagues, customers, local people, the environment, or the economy. Usually the reason is simple. They refuse to look the other way. A worker notices that something is really wrong. They decide the cost of staying silent is higher than the cost of speaking up. A solid report rests on facts the whistleblower has actually seen, not rumour or a personal grudge.

For that to work, the person who reports the wrongdoing must feel safe. Fear of being sacked, demoted, blocked from promotion or quietly bullied is what keeps misconduct hidden. So a company serious about whistleblowing has to give people somewhere safe to report. The reporting channel needs to be built for that purpose. It has to be run apart from the people whose conduct might be reported. It must also stay open to anyone connected to the company. Not only employees, but suppliers, contractors, consultants and customers can become whistleblowers.

Where a report goes depends on what it holds. Smaller, internal matters land with the compliance team, an ethics officer, or a named trustee inside the company. More serious findings reach the board, external auditors, or regulators. At the top end of the scale, they reach law enforcement, the press, or national and EU watchdogs.

Modern whistleblower laws usually set out three reporting tiers. Internal reporting goes to a channel inside the company, run by compliance, an ombudsperson, or an outside firm hired for that role. External reporting goes to a national authority. Going public, to the press, an NGO, or social media, is a last resort. It applies only when internal and external channels have failed. It also covers cases where they pose a clear risk to the whistleblower, or are likely to end in a cover-up. Building all three into one law lets the system scale. The same safeguards cover everything from minor internal complaints to major public scandals.

Whistleblowers don't have to suffer in silence. Anonymous reporting helps, but the stronger shield is legal protection. Under the EU Whistleblower Directive and the national laws that put it into effect, the burden of proof is reversed. A whistleblower might be fired, demoted or otherwise treated badly after a disclosure. If so, the employer has to prove the action wasn't retaliation. That single shift changes who carries the risk.

Origin of the "whistleblower" term

British Acme whistle by J. Hudson & Co (circa 1930s)
©R. Henrik Nilsson (CC BY 4.0)

The first uses of the word "whistleblower" go back to the 19th century. Police blew whistles to call for help when chasing a suspect. Referees used them to stop play after a foul. Both send the same message. It is a sharp public signal that something has gone wrong. The people nearby need to take notice. Literally, whistleblowing means whistling. In the 1970s, the campaigner Ralph Nader gave the term a new use. He applied it to people who exposed corporate and government misconduct. He wanted to break with ugly words like "informer" or "snitch".

Journalists and activists carried the word into everyday use. Along the way it lost its hyphen, going from "whistle-blower" to "whistleblower". Today it carries a positive connotation: someone who took a risk to tell the truth. Books and films about whistleblowers have strengthened that idea by turning real cases into stories people know.

Famous whistleblowers

Many of the best-known cases involve insiders reporting on their own employers. Frances Haugen walked out of Facebook with internal research showing the company knew its platforms caused harm. Peiter "Mudge" Zatko did the same at Twitter on security and bot-count claims. Others acted because of direct danger to human health: Erika Cheung and Tyler Shultz at Theranos, and Jeffrey Wigand at Brown & Williamson Tobacco. At Theranos, Elizabeth Holmes is serving an eleven-year fraud sentence. A federal appeals court turned down her appeal in February 2025. The two best-known cases come from the public sector. Edward Snowden exposed NSA mass surveillance in 2013, and was given Russian citizenship in 2022. Mark Felt, the FBI deputy director, outed himself in 2005 as the Watergate source "Deep Throat".

Frances Haugen at the Heinrich-Böll-Stiftung event, Berlin, November 4, 2021
©Stephan Röhl (CC BY-SA 2.0)

Two of the biggest recent cases come from Boeing. John Barnett spent thirty-two years at Boeing. For the last seven he was a quality manager at the 787 Dreamliner plant in South Carolina. He reported faulty parts, missing components and metal shavings near flight-control wiring. He was found dead by a self-inflicted gunshot wound on 9 March 2024. He died partway through a deposition in his retaliation case. His family filed a wrongful-death suit against Boeing in March 2025. The company settled in September 2025. Weeks after Barnett's death, fellow Boeing engineer Sam Salehpour went public with his own claims. He said 787 fuselage sections were being forced together with too much force. He testified before the US Senate Permanent Subcommittee on Investigations on 17 April 2024.

The birth of whistleblowing laws

An evocation of the era of the 1912 Lloyd-La Follette Act, the historical baseline for whistleblower protection in the United States.

The first whistleblower act was signed in the United States on 24 August 1912. Known as the "Lloyd-La Follette Act", it covered only federal employees. It gave them the right to speak directly to members of Congress without going through their agency.

Between 1972 and 1990, the US passed a string of laws extending those rights outside government. Most of them were tied to green laws. Employees who reported air, water or soil pollution at their employers' sites got protection against retaliation. The idea began to spread from the public sector into private industry.

In July 1998, the UK government passed the Public Interest Disclosure Act (PIDA). It protected employees who reported wrongdoing in good faith, and made it illegal to fire them for it. PIDA became the template that several Commonwealth and European countries copied over the next decade.

In July 2002, the US Congress passed the Sarbanes-Oxley Act, a direct reply to the Enron and WorldCom scandals. SOX targeted financial fraud and corporate governance failures. One of its lesser-known parts extended whistleblower protection to employees of publicly traded companies. It also told audit committees to set up private reporting channels.

Eight years later, the Dodd-Frank Act of 2010 created the SEC's whistleblower programme. It was the first to pay informants a share (10% to 30%) of the fines collected in a successful enforcement case. That reward changed whistleblowing in the United States. It turned a purely moral act into something a person could actually afford to do.

In October 2019, the European Union adopted the Directive on the protection of persons who report breaches of Union law. It was the first cross-border framework of its kind. It told all 27 Member States to put national whistleblower laws on the books.

Whistleblower laws today

The EU directive set a deadline of 17 December 2021. Most Member States missed it. Only three countries had a national law in place by then. The Commission took legal action against 24 countries. By July 2024, the Commission published its first progress report. All 27 Member States had finally written the directive's main rules into law. But Brussels flagged compliance problems in roughly half of them. The gaps were mainly around the scope of protection, the meaning of retaliation, and exemption rules. The next review is due in 2026.

Poland was one of the slowest to act. The Polish Sejm finally passed the Whistleblower Protection Act on 14 June 2024. It took effect on 25 September 2024, almost three years after the EU deadline. The law requires every public or private company with at least 50 employees to set up an internal reporting channel. Financial-sector firms have to do so whatever their size. Retaliation is banned, and in such disputes the burden of proof shifts onto the employer.

On the other side of the Atlantic sits the SEC programme. It has become the largest reward scheme for whistleblowers in the world. Since 2012 it has paid out more than $2 billion to 444 people. The peak years were around fiscal 2023 and 2024. Fiscal 2025 saw a sharp drop to roughly $60 million across 48 awards, the lowest annual total in five years. Whether that's a one-off or the start of a longer slowdown isn't clear yet. A couple more annual reports will tell.

Every EU organisation with at least 50 employees now has to operate a dedicated, independently run internal reporting channel.

The day-to-day numbers point in the same direction. NAVEX's 2025 benchmark covered 4,052 companies and roughly 77 million employees. Together they filed 2.37 million reports through internal channels in a single year. Whistleblowing has stopped being a rare act and become a normal part of how large companies are run.

Retaliation is what these laws are meant to deter. The data shows why that still matters. NAVEX's 2025 figures showed retaliation reports rising in both number and median severity year-on-year. The average time to close a retaliation case crept up from 32 days to 35 days. The flip side of more reporting is that the people doing the reporting still face real career risk. These protections only work if courts and regulators choose to enforce them. They include the reverse burden of proof, automatic interim measures and anti-gag clauses.

None of that erases the personal cost. Speaking up still risks careers, friendships, and in rare and terrible cases like John Barnett's, a great deal more. The case for protection is the same as it always was. A society that wants honest companies and honest public bodies has to make sure of one thing. The people inside them must be able to tell the truth without paying for it. That is the work the EU directive started and the Polish act extended. The next decade of enforcement will either lock it in or let it slip.