Who is a whistleblower?

A whistleblower is someone who reports fraud, illegal activity, or other serious wrongdoing inside an organisation. The disclosure is made for the public good: colleagues, customers, the local community, the environment, or the wider economy. The motivation is usually a refusal to look the other way. An employee notices that something is genuinely off and decides the cost of staying silent is higher than the cost of speaking up. A credible report is grounded in facts the whistleblower has actually seen, not rumour or personal grievance.

For that to work, the person disclosing the wrongdoing must feel safe. Fear of dismissal, demotion, blocked promotions or quieter forms of harassment is what keeps misconduct buried, so an organisation that takes whistleblowing seriously has to give people somewhere safe to report. The reporting channel needs to be dedicated to that purpose, run independently of the people whose conduct might be reported, and accessible to anyone connected to the company. Not only employees but also suppliers, contractors, consultants and customers can become whistleblowers.

Where a report goes depends on what it contains. Smaller, internal matters land with the compliance team, an ethics officer, or a designated trustee inside the company. More serious findings reach the board, external auditors, or regulators, and at the upper end of the scale, law enforcement, the press, or supervisory authorities at national or EU level.

Modern whistleblower laws typically recognise three reporting tiers. Internal reporting goes to a channel inside the organisation, run by compliance, an ombudsperson, or an external third-party operator engaged for that role. External reporting goes to a competent national authority. Public disclosure, to the press, an NGO, or social media, is treated as a last resort: protection applies only when internal and external channels have failed, present an obvious risk to the whistleblower, or are likely to result in a cover-up. Building all three into a single law lets the system scale from minor internal complaints to major public scandals using the same protections.

Whistleblowers don't have to accept retaliation in silence. Anonymous reporting helps, but the stronger guarantee is legal protection. Under the EU Whistleblower Directive and the national laws that implement it, the burden of proof is reversed: if a whistleblower is fired, demoted or otherwise treated badly after a disclosure, the employer has to prove that the action wasn't retaliation. That single shift moves who carries the risk.

Origin of the "whistleblower" term

A brass Acme Thunderer whistle made by J. Hudson & Co, the British firm that popularised the modern police and referee whistle in the late 19th century.

British Acme whistle by J. Hudson & Co (circa 1930s) / ©R. Henrik Nilsson (CC BY 4.0)

The first uses of the word "whistleblower" go back to the 19th century. Police officers blew whistles to summon help when chasing a suspect, and referees used them to stop play after a foul. Both gestures share the same logic: a sharp public signal that something has gone wrong and the people nearby need to pay attention. Literally, whistleblowing means whistling. In the 1970s, the human-rights activist Ralph Nader began applying the term to people who exposed corporate and government misconduct, partly to break with stigma-laden words like "informer" or "snitch".

Journalists and activists carried the word into general use, and along the way it lost its hyphen, going from "whistle-blower" to "whistleblower". Today it carries a positive connotation: someone who took a risk to tell the truth. Books and films about whistleblowers have reinforced that reading by turning real cases into recognisable cultural stories.

Famous whistleblowers

Many of the most recognisable cases involve insiders reporting on their own employers. Frances Haugen walked out of Facebook with internal research showing the company knew about harms caused by its platforms. Peiter "Mudge" Zatko did the equivalent at Twitter on security and bot-count claims. Others were driven by direct danger to human health: Erika Cheung and Tyler Shultz at Theranos, where Elizabeth Holmes is now serving an eleven-year fraud sentence after a federal appeals court rejected her conviction challenge in February 2025, and Jeffrey Wigand at Brown & Williamson Tobacco. The two best-known cases come from the public sector: Edward Snowden, who exposed NSA mass surveillance in 2013 and was granted Russian citizenship in 2022, and Mark Felt, the FBI deputy director who outed himself in 2005 as the Watergate source "Deep Throat".

Frances Haugen, the former Facebook product manager who disclosed thousands of internal company documents in 2021, photographed at a Heinrich-Böll-Stiftung event in Berlin later that year.

Frances Haugen at the Heinrich-Böll-Stiftung event, Berlin, November 4, 2021 / ©Stephan Röhl (CC BY-SA 2.0)

Two of the highest-profile recent cases come from Boeing. John Barnett spent thirty-two years at Boeing, the last seven as a quality manager at the 787 Dreamliner plant in South Carolina, and reported defective parts, missing components and metal shavings near flight-control wiring. He was found dead by a self-inflicted gunshot wound on 9 March 2024, partway through a deposition in his retaliation case. His family filed a wrongful-death suit against Boeing in March 2025, and the company settled in September 2025. Weeks after Barnett's death, fellow Boeing engineer Sam Salehpour went public with allegations that 787 fuselage sections were being forced together with excessive pressure, and testified before the US Senate Permanent Subcommittee on Investigations on 17 April 2024.

The birth of whistleblowing laws

An evocation of the era of the 1912 Lloyd-La Follette Act, the historical baseline for whistleblower protection in the United States.

The first whistleblower act was signed in the United States on 24 August 1912. Known as the "Lloyd-La Follette Act", it covered only federal employees and gave them the right to communicate directly with members of Congress without going through their agency.

Between 1972 and 1990, the US passed a sequence of statutes extending those guarantees outside government, most of them attached to environmental laws. Employees who reported air, water or soil pollution at their employers' sites got protection against retaliation, and the principle began to spread from the public sector into private industry.

In July 1998, the UK government passed the Public Interest Disclosure Act (PIDA), protecting employees who reported wrongdoing in good faith and making retaliatory dismissal unlawful. PIDA became the template that several Commonwealth and European jurisdictions copied over the following decade.

In July 2002, the US Congress passed the Sarbanes-Oxley Act, the direct response to the Enron and WorldCom scandals. SOX targeted financial fraud and corporate governance failures, and one of its less-discussed provisions extended whistleblower protection to employees of publicly traded companies and required audit committees to set up confidential reporting procedures.

Eight years later, the Dodd-Frank Act of 2010 created the SEC's whistleblower programme, the first to pay informants a percentage (10% to 30%) of the monetary sanctions collected from a successful enforcement action. That financial incentive turned whistleblowing in the United States from a purely moral act into something a person could plausibly afford to do.

In October 2019, the European Union adopted the Directive on the protection of persons who report breaches of Union law, the first cross-border framework of its kind, requiring all 27 Member States to put national whistleblower laws on the books.

Whistleblower laws today

The EU directive set a transposition deadline of 17 December 2021. Most Member States missed it. Only three countries had a national law in place by then, and the Commission opened infringement proceedings against 24 countries. By the time the Commission published its first implementation report in July 2024, all 27 Member States had finally transposed the directive's main provisions, but Brussels flagged non-conformity issues in roughly half of them, particularly around the scope of protection, definitions of retaliation, and exemption rules. The next assessment is due in 2026.

Poland was one of the slowest to act. The Polish Sejm finally passed the Whistleblower Protection Act on 14 June 2024, and it took effect on 25 September 2024, almost three years after the EU deadline. The law requires every public or private organisation with at least 50 employees to set up an internal reporting channel; financial-sector entities have to do so regardless of size. Retaliation is prohibited, and the burden of proof in retaliation disputes shifts onto the employer.

On the other side of the Atlantic, the SEC programme has become the largest financial reward scheme for whistleblowers in the world. Since 2012 it has paid out more than $2 billion to 444 individuals, with peak years around fiscal 2023 and 2024. Fiscal 2025 saw a sharp drop to roughly $60 million across 48 awards, the lowest annual total in five years. Whether that's a one-off or the start of a longer slowdown will only be clear once a couple more annual reports are out.

Every EU organisation with at least 50 employees now has to operate a dedicated, independently run internal reporting channel.

The day-to-day numbers point in the same direction. NAVEX's 2025 benchmark covered 4,052 organisations and roughly 77 million employees, who together filed 2.37 million reports through internal channels in a single year. Whistleblowing has stopped being an exceptional act and become an ordinary part of how large organisations are run.

Retaliation is what these laws are meant to deter, and the data shows why the deterrent still matters. NAVEX's 2025 figures showed retaliation reports rising in both frequency and median severity year-on-year, while the average time to close a retaliation case crept up from 32 days to 35 days. The flip side of more reporting is that the people doing the reporting still face real career risk, and the procedural protections (reverse burden of proof, automatic interim measures, anti-gag clauses) only work if courts and regulators are willing to enforce them.

None of that erases the personal cost. Speaking up still risks careers, friendships, and in rare and terrible cases like John Barnett's, a great deal more. The case for protection is the same as it always was: a society that wants honest companies and honest institutions has to make sure the people inside them can tell the truth without paying for it. That is the work the EU directive started, the Polish act extended, and the next decade of enforcement will either consolidate or let slip.
