Compliance & Investigations
Whistleblowing: Germany’s Federal Ministry of Justice puts forward draft bill
Headed by Germany’s Free Democrats (the FDP), the Federal Ministry of Justice published a draft bill for an “Act to Improve the Protection of Whistleblowers and Transpose the Directive on the Protection of Persons who Report Breaches of Union Law” (Hinweisgeberschutzgesetz or “Whistleblower Act”) on 13 April 2022. The draft bill is long overdue, as the deadline for transposing the EU Directive expired on 17 December 2021 and the European Commission has already started infringement proceedings against Germany.
Points especially relevant to practice:
If companies have not yet done so, they should review whether their existing processes meet the statutory requirements. This applies with regard to both European and German rules on internal reporting systems. Where necessary, the review should also take into account the obligation to implement a complaints procedure from 2023 onwards, as stipulated in Germany’s Act on Corporate Due Diligence in Supply Chains (Lieferkettensorgfaltspflichtengesetz or “Supply Chains Act”). It is worth basing the review on a gap analysis and developing concepts for formalized processes with regard to responsibilities, handling reports and whistleblowers, reporting channels and documentation. These concepts can then be used as a basis for clear procedural instructions, descriptions of processes and group-wide guidelines.
Contrary to widespread fears and the European Commission’s demands in connection with the EU Whistleblowing Directive, the German draft bill provides that the whistleblower system can be centralised within the corporate group. This clarification is very welcome, not least in light of the fact that from 1 January 2023 onwards companies with at least 3,000 employees will also be obliged under the Supply Chains Act to set up an internal complaints procedure. At the company’s choice, this procedure can be group-wide.
In summer 2021, the European Commission had interpreted group-level matters very restrictively: companies with 250 or more employees were not permitted to share internal reporting system resources. Any central reporting channel on the level of the holding, the Commission held, was only possible in addition and in parallel to a local reporting channel on the level of subsidiaries. At the whistleblower’s wish, the report would have to remain with and be processed by the company employing the whistleblower. Sweden, for example, has transposed the EU Whistleblowing Directive so as to require companies with at least 250 employees to set up their own internal reporting channel. Such companies must operate this channel themselves in full, without drawing on the resources of other companies within the group. Establishments with 50 to 249 employees may share resources in receiving reports and undertaking follow-up investigations, but the whistleblower must not be contacted via the common resources.
The German draft bill, we are happy to say, provides instead that an independent and confidential reporting channel may also be set up at another group company. Such centre is then a “third party” within the meaning of Article 8(5) of the EU Whistleblowing Directive and can act on behalf of several independent group companies. The bill nevertheless makes clear that responsibility for pursuing and addressing infringements originates and must remain with the respective subsidiary that instructs such group company to take action. This applies equally, for example, whether external or in-house lawyers from within the group assist in the matter (cf. p. 85 of the draft bill’s explanatory memorandum). Accordingly, group-wide reporting systems for all employees will continue to be permissible. When processing reports, the reporting channel will be acting on behalf of the respective legally independent subsidiary. Responsibility does not pass to the reporting channel.
The reporting channel must differentiate internally according to the respective subsidiaries when processing reports, and confidential treatment of reports must be ensured. Group management may only be notified by or on behalf of the respective group company and maintaining confidentiality as to the whistleblower’s identity.
Example: a group parent company has a compliance department. A subsidiary with 300 employees has not set up a separate compliance role of its own. According to the draft Whistleblower Act’s explanatory memorandum, the group parent company’s compliance department is an independent third party that may receive incoming reports on the subsidiary’s behalf and process them confidentially, separating them according to company. Resorting to group-wide resources does not equate with transfer of responsibility, however. Responsibility for stopping infringements originates and remains with each group company.
It remains to be seen whether this interpretation of the group parent company as a “third party” will stand up under European law.
Article 8(6) of the EU Whistleblowing Directive eases rules on companies with 50 to 249 employees and is transposed in section 14(2), sentence 1 of Germany’s draft Whistleblower Act. Going beyond subsection 1, this provision eases rules for small companies still further to head off financial burdens. Such companies can combine their resources for receiving reports and undertaking follow-up measures by setting up and operating a joint centre. Nevertheless, it is up to each company to take measures to stop infringements and to report back to the whistleblower accordingly.
Personal scope: generally, companies with at least 50 employees are obliged to set up a centre for internal reports that employees can contact (section 12(1) and (2) of the draft Whistleblower Act). For companies with 50 to 249 employees the deadline for implementation has been extended to 17 December 2023. Certain companies in the financial services sector (e.g. credit institutions) are obliged to set up internal reporting channels irrespective of how many employees they have.
Employees require access to the internal reporting system. But to emphasize their awareness of compliance issues, companies may also choose to open their whistleblower systems up to third parties. This may be of particular interest to companies that fall under the Supply Chains Act because of how many employees they have. They will need to set up a complaints procedure that is not limited to employees in any case.
Material scope: As expected and set forth in the coalition agreement of Germany’s current ruling parties, the material scope of the draft Whistleblower Act goes beyond European Union law. In addition to breaches of European Union law covered by the Directive, the draft Whistleblower Act also includes breaches of German criminal law and regulations punishable by a fine (where the regulation serves to protect life and limb, or the rights of employees and their representative bodies). The draft bill therefore meets expectations for the comprehensive protection of whistleblowers and is in line with the legislation of other Member States.
The EU Whistleblowing Directive leaves it up to Member States to decide whether companies must also be obliged to receive anonymous reports. According to the draft bill, companies are not obliged to provide reporting channels that enable anonymous reports to be made (end of section 16(1) of the draft Whistleblower Act). We recommend enabling anonymous reports to be made as well, however, as this lowers any inhibitions employees may have in reporting infringements. Another reason to open up the system to anonymous reports is that anonymous whistleblowers whose identity becomes known also enjoy protection, according to the explanatory memorandum.
The draft bill also takes a stance on issues left open by the EU Whistleblowing Directive, namely requirements placed on case managers. Notably, the draft bill clarifies the fact that it is unnecessary to create a full position to meet the duties under the draft Whistleblower Act. This lack of a wholly dedicated position is already everyday practice in many companies. Case managers may have other tasks and duties besides those they have in connection with the internal reporting channel (section 15(1), sentence 2 draft Whistleblower Act).
To ensure that persons tasked with processing reports remain independent as required, we recommend explicitly stating that case managers cannot be instructed to complete reporting procedures in a particular way. Companies must also ensure that case managers have the requisite specialist skills. These can be obtained in training sessions or through other further training. Following the need-to-know principle, the draft Act requires reporting channels to be structured such that only case managers (or persons supporting them) have access to the incoming reports. For technical solutions, putting this rule into practice will mean coming up with concepts for access rights.
In compliance with the requirement of confidentiality, incoming reports need to be documented such that they can be accessed on an ongoing basis. This is to facilitate access to the documents should legal disputes ensue. Documentation is deleted two years after the procedure has been completed.
The draft bill transposes the reversal of the burden of proof that the EU Directive provides for. Accordingly, if an employee suffers a disadvantage after reporting or disclosing a matter, it is assumed that this disadvantage is a reprisal for the employee’s action. Such disadvantage – which may take the form of a termination or warning in the employment relationship – is illegal. It is incumbent upon the employer (or principal or other organisation) to prove that such action has adequate justification or did not result from the report or disclosure (section 36(2) draft Whistleblower Act). In a welcome move, the explanatory memorandum states that the whistleblower must demonstrate and prove that a measure taken represents a disadvantage. Notably, if a short-term contract is not turned into a permanent one, or a potential promotion is withheld, the whistleblower must prove that he or she had grounds to expect that such permanent contract or promotion would have been forthcoming.
If the ban on reprisals is breached, the whistleblower has a claim for damages against the party responsible. But the whistleblower has no claim to an employment relationship being established or to professional advancement.
The pre-requisite for such protection includes the fact that at the time of reporting the whistleblower had reasonable grounds to believe that the information was true and concerned breaches that fell within the scope of the Act (section 33(1) draft Whistleblower Act). Regrettably, the draft bill adopts the Directive’s imprecise legal terminology instead of following the familiar standards of intent and negligence when it comes to culpability. According to the explanatory memorandum, there must be actual indications that a breach has taken place; no protection is extended to either speculation or negligent reports where no reasonable effort at verification was made. Where a whistleblower files an erroneous report with intent or gross negligence, he or she is obliged to pay damages. Just like the EU Whistleblowing Directive, the draft bill is ambivalent about taking account of a whistleblower’s motivation. Although the explanatory memorandum states that the whistleblower’s subjective motivation plays no role, elsewhere it specifies that persons reporting abusively or maliciously incorrect information are not protected. Insofar, taking account of the whistleblower’s motivation does not seem to be ruled out when assessing whether the whistleblower had “reasonable grounds to believe” in the truth of their information.
New fines defined in section 40(2) of the draft Whistleblower Act go beyond those provided for under the EU Whistleblowing Directive. These new fines will be especially critical in practice. A fine of up to EUR 100,000 can be imposed on anyone obstructing (or attempting to obstruct) a report or subsequent communication, anyone taking (or attempting to take) illegal reprisal, or anyone failing to comply with the requirement of confidentiality with intent or gross negligence. In contrast to the Directive, the German draft bill also provides for a fine of up to EUR 20,000 where an internal reporting system is not set up or not operated.
Sections 30 and 130 of Germany’s Act on Regulatory Offences (Ordnungswidrigkeitengesetz) apply via section 40(5), last sentence of the draft Whistleblower Act. Legal entities may therefore receive a fine if an executive has committed a regulatory offence. At the same time, breaches of duties of supervision may be penalized. Please note that the reference to section 30 Act on Regulatory Offences means that for certain infringements the maximum fine can increase ten-fold.
Please do not hesitate to contact us if you have any questions.