Regular readers know that I post frequently on this site on whistleblower-related topics. However, my discussion of whistleblower-related topics is generally focused on whistleblowing in the U.S. There have been significant recent whistleblower-related developments outside the U.S. For example, and as discussed in detail in the following guest post, a draft whistleblower protection act is now circulating in Germany. If adopted the new act could have significant implications, as discussed below. This guest post was written by Frank Hülsberg, who is a Chartered Accountant and Tax Advisor in Düsseldorf, Partner Advisory and Member of the Executive Board at Grant Thornton AG Wirtschaftsprüfungsgesellschaft in Germany, and Burkhard Fassbach, a D&O-lawyer in private practice in Germany. I would like to thank Frank and Burkhard for allowing me to publish their article on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Frank and Burkhard’s article.
The Federal Ministry of Justice in Berlin published the draft bill of the Whistleblower Protection Act (HinSchG-E) in April 2022. The draft is available here. According to press reports, the draft law is to be adopted by the cabinet in June and then enter into force in the fall. The draft law serves to implement the EU Whistleblower Directive / Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report infringements of Union law. The EU Whistleblower Directive (HinSch-RL) is available here. The Whistleblower Protection Act is expected to have a significant impact on D&O claims practice in Germany.
The law provides for the following central regulatory elements:
The personal scope of application (Section 1 HinSchG-E) includes all persons who have obtained information about violations in their professional environment. The concept of “connection with professional activity” is to be understood broadly and interpreted in light of all relevant circumstances. It is not merely reduced to the formal employment or service relationship, but also includes, for example, activities of employee representatives. A connection with the professional activity is to be assumed if current or also previous professional activities are affected and a person providing information could be exposed to reprisals if he or she were to report information obtained about violations. This is intended to protect the broadest possible group of people who have access to information about violations due to their professional activities, regardless of the nature of these activities and whether or not they are remunerated.
The material scope of application (Section 2 of the HinSchG-E) goes beyond Union law. In addition to violations of Union law covered by the Directive, the HinSchG-E also covers violations of national criminal provisions and provisions subject to fines (insofar as the provision serves to protect life, limb or health or to protect the rights of employees or their representative bodies). The draft bill thus meets the expectations for comprehensive protection of whistleblowers and follows other Member States.
Companies with generally ≥ 50 employees are required to set up an internal reporting office to which employees can turn (Sec. 12 (1), (2) HinSchG-E), with the longer implementation deadline of December 17, 2023 applying to companies with 50 to 249 employees. Certain companies in the financial services sector (e.g., credit institutions) are required to establish internal reporting offices, regardless of their number of employees.
The internal whistleblowing system must be made accessible to employees. However, companies can also open up their whistleblowing system to third parties to illustrate their compliance awareness. This is particularly useful for companies which, due to their number of employees, fall under the German Supply Chain Compliance Obligations Act (Lieferkettensorgfaltspflichtengesetz – LkSG) and must in any case set up a complaints procedure which is not restricted to employees.
The EU Whistleblower Directive had given member states the option of obliging the companies concerned to accept anonymous tips. The draft bill from 2020 did not make use of this option. The main reason was the concern that this would encourage denunciations. This was already criticized by experts and NGOs at the time, because anonymity means additional protection for whistleblowers and previous empirical studies have not identified a discernible increase in denunciations due to permitted anonymous tips. The draft bill leaves it up to the companies to decide whether they want to accept and process anonymous tips. It is advisable to also allow anonymous reports in order to keep the inhibition threshold for submitting a report as low as possible. Opening up this option also makes sense because anonymous whistleblowers whose identity has become known also enjoy whistleblower protection, according to the draft’s explanatory memorandum.
Right to choose between internal and external reporting (Sec. 7 HinSchG-E): Whistleblowers are provided with two equally valid reporting channels, internal and external, between which they can freely choose (Secs. 7 to 31 HinSchG-E). Whistleblowers can contact an external reporting office directly or after first contacting an internal reporting office. Whistleblowers may choose the reporting channel that is most appropriate in light of the case-specific circumstances. The provision is clarifying and implements Article 10 of the European HinSch-RL.
Provided that whistleblowers comply with the requirements of the HinSchG-E for reporting or disclosure, they will be extensively protected against reprisals such as dismissal or other disadvantages (§§ 33 to 39 HinSchG-E). The draft bill implements the reversal of the burden of proof provided for in the HinSch-RL. According to this, if a disadvantage is suffered after a report or disclosure, it is presumed that this disadvantage is a prohibited reprisal (e.g. termination of an employment relationship or a warning in the employment relationship). It is then up to the employer to prove that it was based on sufficiently justified grounds or was not based on the report or disclosure (Sec. 36 (2) HinSchG-E). In this regard, the draft explanatory memorandum states that the whistleblower must demonstrate and prove that a measure constitutes a disadvantage. In particular, in the case of the non-conversion of a fixed-term contract or the “denial” of a promotion, the whistleblower must prove that he or she was justified in expecting to be offered a permanent employment contract or the promotion.
If the prohibition of reprisals is violated, the whistleblower has a claim for damages against the perpetrator (Section 37 HinSchG-E). However, there is no entitlement to the establishment of an employment relationship or to career advancement.
The prerequisite for protection is, among other things, that the whistleblower had sufficient reason to believe at the time of the report that the reported information was true and concerned violations that fall within the scope of the law (Section 33 (1) HinSchG-E). The draft bill regrettably adopts the vague legal terms of the HinSch-RL instead of linking to the familiar fault standards of intent and negligence. According to the draft explanatory memorandum, there must be actual evidence of a violation; speculation or frivolous reports without a reasonable effort at verification are not protected. In the event of a deliberate or grossly negligent false report, the whistleblower is liable for damages. As already stated in the HinSchG Directive, the draft bill is ambivalent about the consideration of the motivation of the whistleblower. The explanatory memorandum to the draft states that the subjective motives of the whistleblower do not play a role. Elsewhere, however, it is stated that persons who report abusive or maliciously incorrect information are not protected. In this respect, it does not seem out of the question to consider the motivation of the whistleblower when assessing the “sufficient reason”.
The HinSchG-E contains mandatory procedural requirements for the operation of internal reporting channels:
Maintaining the confidentiality of the whistleblower and the person(s) affected by the report (Section 8 HinSchG-E). For a whistleblower protection system to be effective and functional, it is essential that the identities of all persons affected by a report are largely protected. In order to keep the circle of persons who have knowledge of the identities of the persons affected by the report as small as possible, sentence 2 stipulates that the identities may only become known to the persons actually responsible. This limits the passing on of a report received within the reporting office to what is absolutely necessary.
Compliance with documentation obligations, including the obligation to delete documentation after two years following the conclusion of the procedure (Section 11 HinSchG-E). The EU Whistleblower Directive stipulates that reports may only be kept for as long as is necessary and proportionate to meet the requirements set out by the Directive. The new draft bill now mandates deletion of documentation no later than two years after the conclusion of the proceedings. By contrast, Art. 17 GDPR grants data subjects a right to have their data deleted as soon as it is no longer necessary for the original purpose of processing. While the two-year deadline in the draft bill is to be welcomed from a practical perspective, there are doubts as to whether this deadline can be reconciled with applicable data protection law and the EU Whistleblower Directive.
Internal reporting channels must allow reports to be made verbally or in text form (Section 16 (3) sentence 1 HinSchG-E).
At the whistleblower’s request, a personal meeting must be guaranteed within a reasonable time (Section 16 (3) sentence 2 HinSchG-E).
There is no obligation to enable anonymous whistleblowing (Section 16 (1) sentence 3 HinSchG-E).
Acknowledgement of receipt of the report must be provided after seven days at the latest (Section 17 (1) no. 1 HinSchG-E).
The tasks of the reporting office are: Checking the admissibility of the subject of the report and the validity of the allegations made, contacting the whistleblower and, if necessary, requesting further information (Section 17 (1) Nos. 2-5 HinSchG-E). Taking follow-up measures (e.g., internal investigation, discontinuation of investigation, forwarding of information to authorities) pursuant to Section 17 (1) No. 6, Section 18 HinSchG-E: Internal reporting offices have the task of investigating reports, verifying their validity and helping to remedy any violations. To this end, they can, in particular, conduct internal investigations and contact the persons and entities concerned. If it is not possible to further investigate or remedy the reported violation internally, the matter can be passed on to a competent authority for further investigation, subject to compliance with confidentiality requirements. Feedback to whistleblowers on planned and already taken follow-up measures as well as reasons for these measures must be provided within three months after confirmation of receipt (Section 17 (2) HinSchG-E).
Operation of the whistleblowing office by an independent and competent person or department (performance of other tasks is permissible, i.e. operation of the whistleblowing office can be one of several activities) – Section 15 HinSchG-E. Care must be taken to ensure that the independence of the internal reporting office is guaranteed and that conflicts of interest are thus avoided. In this respect, it would be conceivable, for example in the case of smaller employers, to entrust the person of the corruption officer, the integrity officer or the data protection officer with the task.
Provision of clear and easily accessible information (e.g. via homepage or intranet) on external (national) reporting channels as well as reporting points at European institutions (e.g. at OLAF, ESMA) – Section 13 (2) HinSchG-E. To enable whistleblowers to exercise their right to choose between internal and external reporting and to make an informed decision, clear and easily accessible information on relevant external reporting channels must be made available to employees.
Facilitation for companies with 50-249 employees through permissible sharing of resources by means of a joint whistleblowing office (Sec. 14 (1) HinSchG-E). The joint whistleblowing office may be authorized to receive information and to take certain follow-up measures (especially clarification measures). However, each employer remains obligated to take measures to eliminate the violation and to report back to the whistleblower.
Outsourcing of the “internal” whistleblowing unit to “third parties” is permissible (e.g. ombudspersons, companies belonging to the group, such as the parent company, cf. p. 86 of the HinSchG-E) – Section 14 (1) HinSchG-E. However, the operation of the hotline and the taking of necessary follow-up measures may not be completely outsourced to third parties (no transfer of responsibility to third parties). The original responsibility for maintaining confidentiality when processing the report and for remedying the breach always remains with the obligated employer. Close coordination is therefore required between the employer and the third party, for example with regard to internal investigations and measures to eliminate the misconduct.
Fines: The newly created fine provisions standardized in Section 40 (2) HinSchG-E go beyond the HinSch-RL and are particularly explosive in practice. A fine of up to EUR 100,000 will be imposed on anyone who prevents (or attempts to prevent) a report or subsequent communication, anyone who takes (or attempts to take) prohibited reprisals, or anyone who intentionally or negligently disregards the confidentiality requirement. In addition, unlike the HinSch-RL, the draft bill also provides for a fine of up to EUR 20,000 for failure to establish and operate an internal reporting system. Sections 30, 130 OWiG apply via Section 40 (5) last sentence HinSchG-E. Consequently, legal entities can be sanctioned with a fine if a management person has committed the administrative offense. At the same time, violations of supervisory duties can be sanctioned. In particular, due to the reference to Section 30 OWiG, there is a possibility that the maximum limit for fines will increase tenfold for certain violations.
Group-wide whistleblowing systems:
Contrary to what many feared and the European Commission demanded in connection with the European Whistleblower Protection Directive, according to the draft bill it will be possible to set up the whistleblower system centrally within the Group. This clarification is also very welcome in view of the fact that companies with at least 3,000 employees will also be required under the German Supply Chain Duty of Care Act (Lieferkettensorgfaltspflichtengesetz – LkSG) from January 1, 2023 to set up an internal complaints procedure – at the company’s discretion – throughout the Group.
The draft bill provides that an independent and confidential reporting office can also be set up at another group company as a “third party” within the meaning of Art. 8(5) HinSch-RL, which can act for several independent companies in the group. In this context, it is necessary that the original responsibility for the follow-up and remediation of violations remains with the respective commissioning subsidiary. This applies equally to support provided by external law firms, for example, and to support provided within the group (cf. p. 85 of the Explanatory Memorandum). Accordingly, group-wide reporting systems for all employees would continue to be permissible. When the reports are processed by the central reporting office, it would act for the respective legally independent subsidiaries (i.e. on their behalf). There would be no transfer of responsibility.
In the case of processing by a central reporting office, internal separation according to the respective subsidiaries must be ensured. The confidential processing of whistleblowing must also be ensured. Reporting (while maintaining the confidentiality of the identity of the whistleblower) to the Group Executive Board should only be carried out by or on behalf of the respective Group company.
Example: A group parent company has a compliance department. The subsidiary with 500 employees has not created any independent compliance functions. According to the draft explanatory memorandum to the HinSchG-E, the compliance department of the group parent company is an independent third party that can receive incoming reports on behalf of the subsidiary and – separated by company – process them confidentially. However, the reversion to group functions must not be equated with a transfer of responsibility. The original responsibility for stopping violations remains with each (Group) company.
To cut a long story short, the impact of the German Whistleblower Protection Act on D&O claims practice remains to be seen with interest.