Navigating the Evolving Whistleblower Landscape

Recent court cases dealing with whistleblower provisions provide guidance on parameters of protections in this area and what should be done by businesses to comply and to mitigate legal and reputational risks. We take a look at the key takeaways from these cases and practical tips for directors to meet their whistleblower obligations effectively.

Until recently, there was little guidance from courts on how to interpret whistleblower protections in the Corporations Act 2001 (Cth). However, that has now changed with the Federal Court of Australia handing down two significant decisions revealing important takeaways about the parameters of the protections and what should be done by businesses to comply and mitigate legal and reputational risks.

At the same time, the public enforcement landscape continues to evolve. In March 2023, ASIC commenced its first-ever civil penalty proceeding in the Federal Court against TerraCom Limited in relation to alleged breaches of whistleblower provisions. The case has been set down for trial commencing on 16 June 2025.

We take a look at the key takeaways from these cases and practical tips for directors to meet their whistleblower obligations effectively.

1. Whistleblower Protections

Where an individual makes an eligible whistleblower disclosure under the Act, they are entitled to various protections. These include protection against the disclosure of their identity or any information that could reasonably disclose their identity, as well as protection against conduct that could cause detriment to them because of a belief or suspicion that they may have made a protected disclosure.

IN order for a disclosure to qualify for protection under the Act, three key elements must first be satisfied:

1.      Eligible whistleblower: The person making the disclosure must be an ‘eligible whistleblower’, which includes current or former employees, officers, associates and suppliers of goods and services to a business or its related bodies corporate,

2.      Eligible recipient: The disclosure must have been made to a prescribed regulatory body (eg ASIC or APRA) or an ‘eligible recipient’, which includes someone authorised by a business to receive whistleblower complaints under an internal policy, senior managers and officers within a business (including the board of directors),

3.      Disclosable matter: The discloser must have reasonable grounds to suspect that the information involves misconduct, an improper state of affairs or an offence against prescribed legislation. The disclosure of ‘personal work-related grievances’ is not generally eligible for protection (save in limited circumstances).

2. Key takeaways from recent decisions

In Mount v Dover Castle Metals Pty Ltd [2025] FCA 101 (Mount), the CEO of Dover Castle Metals (DCM), raised concerns internally, including two formal whistleblower disclosures, in relation to site safety and operational procedures and the alleged misconduct of other directors. The CEO was later dismissed from his position and brought proceedings against both DCM and its then directors, alleging that amongst other things, they had breached the Act by unlawfully disclosing his identity and subjecting him to various detriments because he made protected disclosures (including terminating his employment and injuring his reputation).

In Reiche v Neometals Ltd (No 2) [2025] FCA 125 (Reiche), the Head of Recycling at Neometals Limited (NeoMetals) and Managing Director of Primobius GmbH (Primobius - a joint venture between NeoMetals and another company) raised various concerns internally. These included a formal whistleblower complaint, regarding the conduct of the executive and non-executive directors and a contractor of Primobius (including in relation to corporate governance, strategic risks, forgery and bullying and harassment). He was later made redundant by NeoMetals as part of a company-wide restructure and brought proceedings against NeoMetals alleging that, amongst other things, it had unlawfully subjected him to various detriments because he made protected disclosures (including by making his role redundant, exposing him to bullying and harassment and reducing his delegated authority).

The Federal Court dismissed the proceedings brought by Mr Mount and Mr Reiche. The reasoning in both cases was detailed and lengthy, but the following key findings were made which inform and clarify the operation of the whistleblower protections:

1.      Standing to bring a claim: the Federal Court in Mount confirmed that only ASIC has standing to bring a claim seeking pecuniary penalties or compensation orders in relation to a breach of the confidentiality and stand-alone victimisation provisions in the Act. Individuals can still seek that the Federal Court make declarations that those provisions have been breached, and they can also still claim compensation for contraventions of separate no-detriment provisions.

2.      Eligible disclosures: In Mount only the formal whistleblower disclosures were held to be protected disclosures under the Act. Ordinary business emails and interactions that were retrospectively claimed to be eligible disclosures were found not to rise to the threshold required for protection. Those included requests for information and assistance, directions to employees and general statements which did not disclose information. In Reiche, the Court accepted that ordinary board updates that did not relate to a regulator’s functions may not give rise to a suspicion or belief that a protected disclosure was made.

3.      Confidentiality: The Federal Court in Mount confirmed that the mere mention of the document in which a protected disclosure is made will not be sufficient to reveal the identity of the author. Additionally, the Federal Court held that where a disclosure is sent to both an eligible recipient and a non-eligible recipient, the eligible recipient must still comply with the obligations in the Act (although it was left open for determination whether disclosing information to a non-eligible recipient waived the confidentiality protections under the Act).

4.      No-detriment: A breach of the no-detriment provisions in the Act will be established where three key elements have been satisfied. First, the discloser must have suffered a detriment (which is construed broadly as any form of disadvantage, and could include damage to reputation, termination, redundancy, bullying and harassment and decisions about entitlements). Second, the person engaging in the detrimental conduct must have had a subjective belief or suspicion that the discloser may have made a protected disclosure. Third, the person’s belief or suspicion must have been the substantive and operative reason for them engaging in the detrimental conduct. These decisions confirm that businesses can continue to take action in relation to eligible whistleblowers in accordance with their business requirements, provided the fact that a protected disclosure has been made does not influence a particular course of action.

5.      Burden of proof: Once a whistleblower has proven that there is a ‘reasonable possibility’ they were subjected to an actual or threatened detriment, the company must then prove that all the decision makers responsible for the alleged detrimental conduct were not substantively or operatively motivated by a belief or suspicion that the whistleblower may have made a protected disclosure. This may also include those who contributed to the decision maker’s deliberations.

3. Practical tips for directors

Although Mount and Reiche were both found in favour of the company, the decisions serve as timely reminders that whistleblower protections are not only a compliance obligation but a governance priority. With that in mind, there are several proactive steps that boards and executives should take to manage these disclosures effectively:

1.      Do not ignore a disclosure: All potential whistleblower disclosures must be treated seriously. The cases have not yet determined the limits of what is ‘misconduct or an improper state of affairs’. Therefore it is not safe at this stage to assume any narrower definition, notwithstanding some comments in Reiche regarding the regulatory purpose. Failure to promptly address a disclosure will expose a company to liability and may also prompt the whistleblower to engage directly with regulators if they feel like nothing is being done in response to their concerns. Establishing a culture where disclosures are taken seriously, and handled in a structured and compliant manner, helps to build trust and mitigate legal risks.

2.      Train eligible recipients: Boards and executives and those designated internally as eligible recipients must be trained to understand their responsibilities (including internal escalation procedures), and how to identify when a disclosure has been made which could qualify for protection under the Act. Not every workplace concern or internal complaint qualifies for protection, but each disclosure must be carefully considered before determining how to proceed. Further, if an individual or company believes an eligible disclosure has been made (whether or not that is objectively the case) then no-detriment provisions will still apply.

3.      Treat confidentiality seriously: It is permissible to share a disclosure with others if the whistleblower has provided consent, or to a lawyer to get legal advice. Therefore, at first instance (unless there is a conflict), the disclosure should be forwarded to in-house counsel for advice on whether whistleblower laws apply and how to obtain consent from the whistleblower to share their disclosure with others.

4.      Ensure clarity of process and decision-making records: Where a whistleblower is subjected to an actual or threatened detriment, each person involved in that decision will be called to give evidence on their reasons for the decision. Given the reverse onus of proof under the Act, boards and executives should maintain clear records explaining who has delegated authority to make a decision, who is the decision maker in a particular case, the rationale and substantive reasons behind key decisions, especially those involving dismissal, demotion, or role changes. These records may later serve as crucial evidence that a decision was not influenced by a protected disclosure.

4. Potential reforms on the horizon

In February 2025, the Whistleblower Protection Authority Bill 2025 and the Whistleblower Protection Authority Bill 2025 (No 2) were introduced into Federal Parliament. The Bills seek to establish a new, independent statutory Whistleblower Protection Authority which would be responsible for providing information, advice, assistance, guidance and support to whistleblowers. It remains to be seen whether the Bills will become law, but boards and executives should monitor these developments closely.

The authors are Shivchand Jhinku (Partner), Olga Klimczak (Partner), Chris Nowland (Senior Associate) and Kate Devlin (Solicitor) from Herbert Smith Freehills.