The Second Attempt: Ministerial Draft Bill of the Whistleblower Protection Law Presented
The second attempt: Last week, the German Federal Ministry of Justice presented ministerial draft bill of the Whistleblower Protection Law to implement the EU Whistleblower Directive.
Introduction
In a second attempt and with the promise to better protect whistleblowers, the Federal Ministry of Justice is again taking up the plan to now transpose the EU Directive on the Protection of Whistleblowers (Directive (EU) 2019/1937, hereinafter the “EU Whistleblower Directive”) into national law (see our blog posts of March 18, 2019, October 9, 2019, and our update of February 18, 2021). Federal Minister of Justice Marco Buschmann (FDP), to this end, submitted a ministerial draft bill on whistleblower protection (HinSchG-E) to the ministries for voting. This draft law corresponds in essential parts to the draft law from the previous legislative period, which ultimately fell victim to discontinuity due to disagreements within the Grand Coalition concerning the scope of application and the excessive implementation of the EU Whistleblower Directive.
It is to be hoped that the legislative process will proceed quickly in what is now the second attempt – it is said that the law will come into force in this fall –, since it recently became known that the European Commission had initiated infringement proceedings against the Federal Republic of Germany for failure to transpose the EU Directive into national law on time.
The Federal Minister of Justice’s draft bill, which has not yet been published, contains the following key provisions, among others:
Extension of the Material Scope of Application to National Law
Similar to the first draft law, the new HinSchG-E also extends the material scope of application to the reporting and disclosure of certain violations of national law. Whereas in the previous legislative period the CDU/CSU had vehemently opposed extending the scope of application to include violations of national law not specified by the Directive, the current HinSchG draft provides for the inclusion of all criminal offenses and certain administrative offenses. The explanatory memorandum to the law states that this is intended to avoid contradictory interpretations and to make practical application more manageable both for persons providing information and for the reporting offices. In contrast to the previous draft, however, violations subject to fines are to be included only if the violated norm serves to protect life, limb or health or to protect the rights of employees and their representative bodies. In addition, the HinSchG-E also includes a catalog of other legal violations to combat certain dangers envisaged in the EU Whistleblower Directive (such as money laundering, product, traffic and food safety), however, it goes in part beyond the catalog of the EU Whistleblower Directive, which is limited to the EU’s legislative competence (such as violations to regulate the rights of shareholders of a stock corporation).
Internal and External Reporting Systems
The HinSchG-E provides for two equally valid reporting channels in the form of an internal reporting channel within the company or the authority and an external reporting channel with an independent body, between which the whistleblower can freely choose. This is one of the fundamental requirements of the EU Directive and in this respect represents a change to the previous case law of the German Federal Labor Court, which gave priority to the use of internal reporting channels as long as this was not unreasonable for the whistleblower (cf. BAG, ruling dated July 3, 2003 – 2 AZR 235/02). Both reporting channels must maintain confidentiality.
As far as the implementation deadlines are concerned, natural and legal persons under private law, partnerships with legal capacity and other associations of persons with at least 250 employees are obliged to set up an internal reporting system for their employees from the time the HinSchG-E comes into force. Organizational units with 50 employees, on the other hand, will not be subject to this obligation until December 17, 2023. Certain organizational units, such as securities services companies or credit and financial services institutions, will be subject to this obligation regardless of the number of their employees. For employers under public law, the highest federal or state authorities designate organizational units to operate internal reporting offices.
The draft expressly permits the transfer of the tasks of an internal reporting office to external third parties, such as lawyers, but emphasizes that in this case companies are not released from their obligation to take appropriate measures themselves to remedy any infringement.
Centralized System for Group Companies
The explanations on centralized systems for corporate groups will also trigger further discussion. Only recently, in June 2021, the EU Commission – following several inquiries from various corporate groups – issued a clear rejection of centrally controlled whistleblowing systems in corporate groups.
The draft law does not seem to follow this path. Although somewhat hidden, it is only in the explanatory memorandum to Section 14 (1) HinSchG-E that the draft law clarifies that an independent, confidential reporting office can be set up in corporate groups to act on behalf of several independent companies within the group. This is to be welcomed. The memorandum further clarifies that the original responsibility for remediation and following up a violation should always remain with the respective company itself. In any case, the independence of the central reporting office and the confidentiality of the identity of the person providing the information must be guaranteed. The current version of the draft thus expressly permits the establishment and operation of a central group reporting office – whether by the parent company, subsidiary or affiliate – and thus answers the fundamental question of whether.
However, the question of the specific structure of this group reporting office remains unanswered. According to the wording of the law, the possibility of transferring the tasks of an internal reporting office refers to the “tasks of the internal reporting office”, which according to Sec. 13 HinSchG-E also includes conducting the internal investigation and taking follow-up measures. However, since the responsibility and obligation to remedy the infringement remain expressly with the relevant company, it remains to be seen how the legislator intends to structure the central reporting office. Particular attention will have to be paid to the monitoring of this central office by the respective group companies concerned, which will in fact result in a legally required monitoring of the parent company by a subsidiary, but also to the reporting obligations to the group management briefly mentioned in the explanatory memorandum to the law, as well as to the guarantee of the mandatory independence and confidentiality.
In the case of (EU) multinational situations, the explanatory memorandum to the law points out that the law of the respective member state always applies, which, in view of the possible differences in the transposition of the EU Directive into national law and in view of the varying specifications where member states can make use of their own regulatory competence, also raises questions about the concrete design of a reporting office that is subject to several European transposition laws. The explanatory memorandum to the law recognizes this problem without shedding any light on it.
Implementation of Anonymous Reporting Systems Optional
The EU Whistleblower Directive left it up to the member states to decide whether anonymous reports should be accepted and followed up, and thus whether anonymous whistleblowers should enjoy the protection of the Directive. This point has now been taken up by the HinSchG-E, which clarifies that it is up to those obliged to set up hotlines to create anonymous reporting channels. In any case, neither internal nor external reporting channels are obligated to process anonymous reports. According to the explanatory memorandum, the aim is to avoid overburdening the whistleblower protection system and to wait for initial experience to be gained.
Public Disclosure as a Last Resort
Similar to the previous draft law, the current HinSchG-E sets out the requirements according to which whistleblowers are covered by the scope of protection of the law who do not report information about breaches via internal or external channels but make it directly available to the public (media, social networks). In line with the EU Whistleblower Directive, this should only be possible under narrow conditions, as a last resort and as a subordinate measure, for example if the whistleblower has not received any feedback – including on follow-up measures – within the specified period after reporting a breach to an external reporting office. The same applies if the whistleblower had sufficient reason to believe that there was a risk of irreparable damage or that evidence could be suppressed or destroyed. Of course, the person providing the information only enjoys the protection of the law if he or she was in good faith about the accuracy of the information.
Outlook
Companies with at least 250 employees that have not yet set up a whistleblower system – according to the explanatory memorandum to the law, there are still just over 4,300 – should urgently address the issue and set up an internal whistleblower system that complies with the requirements of the future law.
The restriction of the scope of application to violations of specific national laws may be questioned, as this entails the risk that not all allegations to be reported will be covered. This in turn means that the person making the report would have to subject the content of the report to a legal assessment in order to find out whether he or she enjoys protection against retaliation, which is the intention of the law. In practice, most companies have made their whistleblower systems available for reporting violations of internal compliance guidelines anyway, so that at least this reporting is possible. The fact that no obligation to maintain systems for anonymous reports and their processing is codified may also be critical for the whistleblower. In contrast, many companies have already implemented an anonymous reporting system in order to keep the hurdles for reporting misconduct as low as possible, which is in the interest of the company. After all, anonymous but plausible reports will not be completely ignored in the future, insofar as there is a de facto duty of disclosure resulting from general compliance requirements. It also remains to be seen whether whistleblowers will actually be deterred from reporting wrongdoing and violations.
The legislator’s apparent attitude toward the establishment of central reporting offices is very welcome, even though the draft law is silent on their concrete design. For corporations, in particular, it can be attractive to set up a centrally operating office that has the necessary resources, expertise and indispensable experience in the area of internal investigations. In addition, whistleblowers will often have some interest in “skipping” their local unit and having the factual investigation in the hands of a corporate parent.
For companies with an effective compliance management system, of which a functioning whistleblower system that upholds the basic principles is a component, the changes outlined may “merely” provide clarity. It is, of course, advisable to review existing systems to ensure their future legal compliance.
We will be happy to assist you as experienced consultants at any time.