Following Germany's initial attempt last year to implement the EU Whistleblower Directive (Directive (EU) 2019/1937), aimed at ensuring harmonized and improved protection of whistleblowers throughout Europe, the Federal Ministry of Justice has now published a draft bill of a Whistleblower Protection Act (Hinweisgeberschutzgesetz). As the deadline for transposing the EU Whistleblower Directive 2019/1937 into national law expired in vain on 17 December 2021, a swift adoption and implementation of the act is expected. As of now, there will be no transitional arrangements for companies with 250 or more employees. Likewise, most other European countries have already passed similar national laws or are about to do so very shortly.
1. Obligation to set up reporting systems
According to the current draft bill, companies with more than 49 employees are obliged to set up reporting systems or adapt an existing reporting systems to meet the new requirements. Companies with up to 249 employees are to be granted a grace period until December 2023. Companies in "sensitive" sectors will have to set up a reporting office, regardless of the number of employees they have (this applies inter alia to entities providing investment services and asset management companies). In some areas, such as financial regulatory law, there are already a number of sector-specific requirements, some of which are of higher priority, that require the establishment of a reporting office in principle, but do not lay down any procedural or conduct-related duties or requirements relating to internal organization. In those cases, the additional requirements of the Whistleblower Protection Act must be followed.
The draft bill requires reporting offices to be operated by independent, competent persons or external ombudspersons, for example by external lawyers. According to the draft bill, reporting offices and investigations can be centralized group-wide. This is in line with current practice, according to which, companies (especially global organizations) have centralized, group-wide whistleblower systems in place, so that all incoming reports are processed at group level. It should be noted, however, that the opinion of the EU Commission, dated June, 2021, states that group-wide whistleblower systems in general do not meet the requirements of the Directive. The EU Member States have not yet adopted a clear, unified position in this respect.
2. Core procedural aspects
Reporting channels must be open to both employees and temporary staff of respective companies (as may be advisable from a general compliance perspective), and may also be made available to third parties (e.g. suppliers, customers).
According to the draft bill, the whistleblowing system must make it possible to submit reports in writing or orally, indicating possible criminal offences, certain types of administrative offences and violations of various national and European laws and regulations (including violations of provisions for the protection of life or health, product safety standards, anti-money laundering regulations, provisions for the protection of public procurement procedures, environmental protection, drug safety, shareholders' rights and other capital market protection rules). The draft bill goes beyond the scope of the EU Whistleblower Directive, in that it also addresses violations of numerous provisions of national law (including criminal offences, such as white collar crimes and certain administrative offences).
In accordance with European requirements, there is no hierarchical relationship between internal and external reports. Whistleblowers are free to choose whether to use internal reporting systems or contact external reporting offices, which have the right to require the companies to provide information. In specific situations, whistleblowers may make direct public disclosures.
Exercising the right of choice under the EU Whistleblower Directive, the draft bill provides that it will not be necessary to have anonymous reporting channels in place or to follow up on anonymous reports. However, anonymous reporting is widely used in practice.
Reports and the identities of whistleblowers, and potential violators must be kept confidential. The need-to-know principle must be observed. Disclosure of information to the public about reported violation is subject to strict conditions. The reports must be documented, but deleted two years after investigations have been completed.
Whistleblowers have the right to meet in person with a representative from the reporting office, and must receive confirmation of receipt of their reports within seven days. Feedback on the measures planned or already taken in response to a report, as well as the reasons for choosing those measures, must be provided to the whistleblower within three months, allowing the reporting person to determine how the report will be used and whether he/she might perhaps wish to appeal to an external body and/or the public.
3. Fines/Risk exposure
Fines can be imposed against companies, in particular companies that hinder the reporting of violations or which respond by retaliating against whistleblowers can be fined up to EUR 1 million. Failure to have a reporting office in place despite being obliged to do so is also subject to a fine. In addition, companies risk reputational damage, as well as the risk that whistleblowers might contact the authorities or the public directly, so that a company will lose sovereignty of action. Companies should therefore implement appropriate protection mechanisms.
In addition, the draft bill provides for a reversal of the burden of proof, in which case the employer must prove that any disciplinary measures or other disadvantages experienced by a whistleblower are unrelated to the report. In order to succeed in bringing such proof, a high level of internal security and documentation is required.
If the whistleblower has filed a false report against a company intentionally or due to gross negligence, the injured party can claim damages.
4. Substantial need for action
Companies with well-developed compliance management systems can build on their existing reporting channels and processes. Nevertheless, making small adjustments will not be enough. International companies need to take account of not only the national features that apply in Germany, but also those in the other EU Member States, and in other jurisdictions in which a company operates. In addition, the implications under data protection law, employment law and company law, as well as criminal law, such as those concerning the protection of third-party trade secrets in the case of whistleblower reports from a contractual partner, all need to be taken into account.
Implementing a reporting system or modifying an existing system is just the beginning. The system then needs to be managed in a proper manner, which can mean a great deal of organizational and personnel input for the companies concerned.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2022 White & Case LLP