Second attempt: Draft of a new Whistleblower Protection Act
The transposition period of the EU Whistleblower Directive ("EU WBD") expired in December 2021 without transposition into German law. For this reason, the EU Commission initiated infringement proceedings against Germany as well as against several other EU member states in January 2022.
After a draft bill to implement the EU WBD failed in the last legislative period, the Federal Ministry of Justice presented a new draft bill for a Whistleblower Protection Act ("Draft WBPA") on April 13, 2022. Interested parties have until May 11, 2022, to comment on the draft. According to press reports, the WBPA is to be enacted in the summer of 2022. Compared to the EU WBD and the last draft, the new draft bill provides for an expansion of the scope of application and the program of obligations of companies concerned. Against this background, concerned companies that already have a whistleblower system in place are advised to examine the need for adaptation to the requirements of the Act in a timely manner. Companies setting up an internal reporting office for the first time should already start thinking about a structure suitable for them. If necessary, the "accompanying documentation" of each whistleblower system must also be adapted or newly created (guidelines for whistleblowers; internal guidelines and training for the staff handling reports; data protection impact assessment; erasure concept; privacy statements, etc.).
I. Personal and temporal scope of application
The draft bill aims to protect individuals who, in connection with their professional activities, have obtained information about breaches of certain legal provisions and report or disclose such breaches. Therefore, the draft bill is, in principle, relevant for any company.
The key element of the draft is the obligation, regulated by statute for the first time, of so-called "employing parties", which usually have a staff of at least 50, to set up an internal reporting channel for whistleblowers. Employing parties are individuals, legal entities under public and private law and associations of persons who employ at least one person. For employers with 250 or more employees, the obligation will apply as soon as the law comes into force, i.e. presumably as early as 2022. In contrast, companies that usually have a staff of 50 to 249 have until December 17, 2023, to set up the internal reporting channel. For certain employing parties, in particular in the financial and insurance sectors, the obligation to set up an internal reporting office applies irrespective of the number of employees as of the entry into force of the Act.
II. Substantive scope of application
Due to the legislative competence of the EU legislator, which is limited to EU law, the EU WBD only obliges the EU member states to legally guarantee the protection of whistleblowers who report information on breaches of certain enumerated requirements of Union law. Immediately after the enactment of the EU WBD, there was an intensive discussion in Germany as to whether the national legislator should extend this protection to infringements of national law by means of an extensive implementation of the Directive. According to media reports, the draft bill from 2021 and thus also the timely implementation of the EU WBD failed due to resistance to such an extension of the material scope of application.
The draft bill now presented also provides for a significant expansion of the substantive scope of application compared to the requirements of the EU WBD:
1. Protected reporting content
The Act's protections are intended to cover reports and disclosures of information that relate to specific breaches. This is to include
- Violations which are punishable under criminal law
- Violations which are subject to a fine, to the extent the violated regulation serves to protect life, limb or health or the rights of employees or their representative bodies, as well as
- Violations affecting specific areas of the law listed in a catalogue. It covers federal, state and Union legislation on, among other things, combating money laundering and terrorist financing, requirements relating to product safety, environmental protection, food and feed safety, protection of privacy in electronic communications, protection of personal data within the scope of the GDPR, regulation of shareholders' rights, auditing of public interest undertakings and accounting for certain companies and institutions. In this respect, the protected interest of the infringed provision is irrelevant.
The idea behind this regulatory technique is to protect whistleblowers when they report serious breaches. Violations of criminal law provisions are always classified as significant breaches, breaches of administrative offence provisions only if they serve to protect high-value legal interests. In addition, the EU WBD requires that infringements of Union law be included with regard to certain enumerated areas of the law. The legislator has extended the protection to national legislation. In determining the areas of law covered, it has oriented itself to the requirements of the Directive, but in some cases has also exceeded the scope required by EU law in order to avoid contradictions.
In any case, reports on breaches in the area of so-called ABC compliance (corruption and bribery; cartel violations; money laundering, etc.) are protected.
A breach within the meaning of the draft bill is an act or omission in the course of a professional, business or official activity which is either unlawful and relates to the covered provisions or areas of the law or is abusive because it is contrary to the object or purpose of the covered provision or area of law.
Only reasonable suspicion or knowledge of actual or potential breaches, as well as attempts to conceal such breaches that have already been committed or are very likely to occur, are protected. This means that vague assumptions or speculations without sufficient factual indications as well as indications of obvious petty cases are not sufficient. Companies can filter these out as part of the plausibility check to be carried out first after receipt of a report and do not need to pursue them further.
Whether a breach relates to a covered legal provision and its reporting or disclosure thus falls within the substantive scope of the draft bill can be difficult to assess in detail. For legal laypersons, especially, without legal assistance it is hardly feasible to assess, for example, to which area of the law an infringement relates or whether an infringed administrative offence serves one of the protected interests covered.
A remedy may be the obligation of the external reporting office to present the prerequisites for protection under the Act within the framework of their internet presence. However, it remains to be seen to what extent these will differ in practice from a mere reproduction of the wording of the Act. Since such official notices are also not binding in the interpretation of the law, a considerable legal uncertainty factor remains for whistleblowers and concerned companies alike. The purpose of the law, to create a sufficient degree of security for whistleblowers, is thus already missed at the first level if it is not apparent to them in cases of doubt whether the law applies at all. With regard to the obligated companies, at least the assumption of an unavoidable error of prohibition suggests itself if they rely on the practical advice of the external reporting offices when implementing the legal requirements.
III. Admissibility of the establishment of central reporting offices in company groups
From the company's point of view, the central obligation of the Act is the establishment of internal reporting channels. Contrary to what was demanded by the European Commission in connection with the EU WBD in the summer of 2021 and therefore also feared by many in Germany, the draft bill allows for the establishment of central reporting offices in company groups. The European Commission had published several letters at the end of 2021 stating that companies with 250 or more employees should not share resources in relation to internal reporting systems and that a central reporting channel of the holding company could only be operated in a complementary and parallel manner alongside a local reporting channel at subsidiary level.
According to the draft bill, the internal reporting office can also be established at a "third party". According to the legislative history of the draft bill, in addition to the already widespread outsourcing of reporting channels to external service providers and law firms, the establishment of a group-wide reporting office at a group company is also permissible. It should be noted, however, that the individual obligated companies continue to bear the original responsibility for the proper operation and implementation of the reporting procedure. Therefore, if a centrally established reporting office is not operated properly, all obligated group companies may ultimately face a fine. It remains to be seen whether this interpretation of the group parent company as a "third party" will stand up under European law.
Medium-sized employers, usually employing a staff of between 50 and 249, can set up and operate a joint unit for receiving reports and for follow-up measures, as required by the Directive.
Allowing the establishment of central reporting offices in company groups will enable companies with more than 3,000 or 1,000 employees, respectively, that are required by the Act on the Entrepreneurial Duty of Care in Supply Chains to establish a complaints mechanism for reporting of certain human rights and environmental risks and breaches from January 1, 2023, and January 1, 2024, respectively, to establish an integrated reporting channel that covers all legal obligations.
When implementing whistleblower systems at company group level, companies operating across borders must bear in mind that other member states or countries may have different requirements in terms of content and that the internal reporting system must also take these into account.
IV. Structuring the internal reporting procedure
The draft bill leaves the obligated employing parties considerable freedom with regard to the organization of the internal reporting office. At the same time, these are the first comprehensive legal requirements in this context. The current practice standards on whistleblowing systems (e.g. ISO/FDIS 37002 of August 2021 or DICO standard on whistleblowing systems of March 2021) can therefore no longer be used 1:1 in the future to set up a whistleblowing system in a legally compliant manner, but will probably have to be adapted in some parts to the new law.
Companies are recommended to stipulate the primary and ultimate responsibilities for receiving and reviewing reports, the predefined processes, the follow-up decisions as well as the escalation, documentation and reporting mechanisms in an internal policy: On the one hand, there is agreement in case law and legal literature that the definition of clear and unambiguous responsibilities is a central element of an effective compliance organization. This means that appropriate documentation not only has a regulatory function, but also a liability-relief function. On the other hand, the case managers should be made aware of the detailed procedural and documentation requirements of the draft bill in terms of a clear and unambiguous description of the process. In particular, it also seems sensible to define those cases in which immediate measures may have to be taken to protect legal interests or reputation and to clearly define the process of the plausibility check and the criteria for discontinuing or continuing the internal clarification measures.
1. Staffing requirements
The tasks of the internal reporting office can be assigned to individual persons, departments or even external third parties (such as lawyers). The decision should be made on the basis of the organizational structure and size of a company as well as the type of activity carried out. Costs as well as the accessibility and independence of the reporting office should also be included in the consideration.
If a company decides against outsourcing to an external ombudsman office or person, the following applies: The appointed persons may also perform other tasks and duties in addition to their activities for the internal reporting office and, for example, also act in a dual capacity as data protection officer, compliance officer or integrity officer. Especially in smaller companies, such a dual function is reasonable.
Regardless of the organizational structure of the internal reporting office, the independence of the employees working there must be ensured at all times. Conflicts of interest must be excluded. The persons entrusted with the function must have the necessary expertise to perform the tasks assigned to the reporting office. This can be ensured through training, for example.
It is already common practice to recruit the in-house staff handling reports not from operational functions, but mainly from central functions such as the compliance, legal and HR departments.
2. Addressees of the internal reporting channel
The main addressees of the internal reporting channel are the workers and temporary workers employed by the company. Optionally, an extension is also possible to other individuals who are in contact with the obligated enterprise in the course of their professional activities, such as self-employed persons working for the enterprise, persons whose employment relationship has been terminated in the meantime or persons employed by contractors or suppliers of the undertaking.
Reporting channels must be designed, established and operated in such a way as to protect at all times the confidentiality of the identity of the whistleblower as well as of third parties incriminated or named in the report. For this purpose, the group of persons who have access to incoming reports is to be limited to the employees involved in processing the reports (establishment of a strict need-to-know principle).
Exceptions to the confidentiality requirement apply, on the one hand, in the case of intentional or negligent false reports, in order to enable the assertion of claims for damages by those affected against the whistleblower. On the other hand, the disclosure of information about the identity of the whistleblower to the competent authorities and courts in ongoing investigative, administrative or judicial proceedings is permissible. Provided that the success of follow-up measures or further investigations is not jeopardized by this, the whistleblower is to be informed of the disclosure of the information in these cases. Disclosure is also permissible if it is necessary for follow-up measures or if it is carried out with the consent of the party concerned.
Companies must also take into account the general data protection requirements (especially according to the GDPR). As a rule, it is necessary to carry out a data protection impact assessment and to prepare privacy statements and an erasure concept.
4. Structure of the internal reporting channel
The reporting channels must allow for the receipt of reports either orally (by telephone or by means of another type of voice transmission) or in text form (for example, by e-mail, fax, letter or via an online tool).
At the whistleblower's request, a personal meeting must also be held with the responsible office in the company.
Companies that wish to cover the requirements of §§ 8, 9 SCA at the same time within the framework of an integrated whistleblower system must also note that this complaint mechanism must be "barrier-free".
5. No obligation to allow anonymous reports
In order to avoid the risk of overloading the new whistleblower protection system and to wait for the first experiences of both internal and external reporting offices, the legislator has not provided for an obligation to process anonymous reports. This would entail considerable additional costs for the necessary technical equipment.
According to the draft bill, the obligated companies are thus free to decide whether to open the internal reporting channels also for anonymous reports. The advantages and disadvantages of allowing anonymous reporting should therefore be weighed against each other in individual cases and – if available – agreed with the works council. The acceptance of anonymous reports can be expected to increase the attractiveness of the internal reporting channel. Anonymous whistleblowers also fall under the legal protection provisions if their initially concealed identity becomes known. However, the disadvantages of anonymous reports are also obvious: Without knowledge of the whistleblower’s identity, no measures can be taken to protect against misuse of the internal reporting channel and to protect wrongly accused persons.
6. Procedure after receipt of a report
a. Acknowledgement of receipt
The receipt of a report by the reporting office must be acknowledged to the whistleblower within seven days at the latest.
Companies should ensure with regard to organization that the acknowledgement of receipt is given to every whistleblower – except in completely obvious, blatant cases of abuse such as formal insults without any substance. If the whistleblower has provided the information anonymously or if the company does not have a means of contact, the acknowledgement obligation does not apply due to impossibility.
b. Substantive review and follow-up measures
The Act provides as a mandatory process step that the internal reporting office checks whether the case falls within the substantive scope of application of the Act and whether the report is plausible. It has to maintain contact with the whistleblower. If necessary, it must ask the whistleblower for further information.
If the substantive scope of application of the Act is not opened, the obligations under the draft bill cease to apply, but not automatically all compliance obligations. Even a report that does not fall within the substantive scope of the Act can be cause for further clarification of the facts.
If the report proves to be unfounded or not sufficiently plausible during the plausibility check, the internal reporting office can close the case. It has to inform the whistleblower of the receipt of the report and the conclusion of the proceedings as well as the reasons therefor.
If the report stands up to the plausibility check, the reporting office must take appropriate follow-up measures. As follow-up measures, the draft bill provides for (i) further clarification of the facts, in particular through internal investigation, questioning of persons or work units concerned, (ii) referral to another competent body, (iii) closure of the proceedings for lack of evidence or for other reasons, such as refutation of the report, and (iv) referral to a competent authority for further investigation. All measures are to be decided by the responsible departments in the company at their due discretion. An obligation to refer a case to a competent authority for the purpose of further investigation will only be assumed in very exceptional cases. The general principle is that the company has a wide discretion as to whether it involves a competent authority.
Companies should instruct the staff handling reports to carry out a preliminary or plausibility check after receiving a report. In the case of corporations, the legality principle results in the general principle of "clarify, stop, punish" as well as the zero-tolerance dogma with regard to (possible) compliance breaches. If the reported suspicion is substantiated in the course of the preliminary or plausibility check, i.e. if it turns out that (i) it is based on a specific factual core, (ii) a legal violation in the sphere of the company appears to be possible and not entirely improbable, and (iii) it is relevant from a compliance point of view, further internal clarification measures must be carried out, ideally in accordance with internal guidelines for internal investigations that are set forth in writing in the form of a policy.
If the report turns out to be inaccurate, if it cannot be further investigated due to lack of evidence or if the breach has been remedied, the reporting office may close the procedure.
The reporting office has to be granted the necessary powers to take follow-up measures.
As a general rule, the reporting office must provide the whistleblower with feedback on the follow-up measures taken and those still planned within three months of acknowledgement of receipt or, if receipt has not been acknowledged, no later than three months and seven days after receipt of the report. The reasons for the follow-up measures have to be disclosed in the feedback.
However, feedback may only be provided to the extent that it does not affect internal investigations and the rights of individuals concerned.
If an external third party, e.g. a lawyer or ombudsman, is entrusted with the tasks of the internal reporting office, close cooperation between the third party and the company must be ensured, as the internal reporting office is not only obliged to receive and document the reports, but also to take appropriate follow-up measures. It must be clearly defined which tasks are performed by the third party and which are performed within the company. If this is not the case, the company has failed to set up the internal reporting office properly. It is to be expected that the external providers of online tools, such as EQS or LegalTegrity, will promptly integrate deadline calculators into their tools so that the employees handling reports are automatically reminded of the feedback deadline.
d. Documentation and erasure
The reporting office has to document incoming reports in a permanently retrievable manner while observing the confidentiality requirement.
In order to fulfil this obligation as well as for prevention of their own liability and defense against possible accusations of inactivity or organizational culpability, companies should ensure that not only the report itself, but also the measures and steps taken with respect to each report and the course of the proceedings are documented – in compliance with the confidentiality principle and the data protection requirements, in particular the erasure concept.
The report has to be kept for two years after the end of the proceedings. The documentation must then be deleted.
This regulation regarding erasure periods must be observed when creating or adapting erasure concepts. If the company allows reporting by telephone, the detailed legal requirements for documenting such reports should be considered in the internal policy and in the training of the staff handling reports.
7. Provision of information
Reporting offices must also provide clear and easily accessible information on external reporting offices to enable whistleblowers to make an informed choice between internal and external reporting offices. This can be done, for example, on a generally accessible website, on the intranet or by posting notices.
This obligation to provide information on external reporting offices is a novelty for all companies concerned. Companies are recommended to simultaneously publish rules of procedure or information on the functioning of the internal reporting office on the company's homepage. This information should in any case be available in German and English.
8. Relationship to other regulations
a. Special legal regulations on whistleblowing
Although German law does not yet provide for a general legal obligation to establish internal reporting offices and to protect whistleblowers, special laws already contain such requirements in individual cases. The draft bill stipulates that some of these laws have priority. For example, the provisions on whistleblowing under the Money Laundering Act, the Banking Act (KWG), the Securities Trading Act (WpHG), the Insurance Supervision Act (VAG), the Investment Code (KAGB) and the Securities Exchange Act (BörsG) remain unaffected. Companies obliged under these laws must therefore continue to comply with the special legal requirements. A new aspect is that the provisions of the WBPA are to apply in addition.
It is noteworthy that the Draft WBPA does not stipulate a precedence of all special-law provisions on internal reporting channels. Not listed, for example, are the requirements for the establishment of a complaints mechanism according to the new SCA. It remains to be seen whether, in the course of the legislative process, regulations not yet covered will be subsequently added. It is not clear from the draft bill whether the omission is a drafting error or whether it was deliberate and, in this respect, precedence over the WBPA is not intended.
Companies that will be subject to the WBPA in the future should check whether other, overriding special legal provisions on the establishment of an internal reporting channel and whistleblower protection apply to them.
b. Security interests, confidentiality and secrecy obligations
National and international case law shows that the whistleblower's interest in reporting often collides with his or her obligations of confidentiality and secrecy. The draft bill resolves this conflict as follows:
- If a report or disclosure concerns information on particularly significant security interests or obligations of secrecy or confidentiality, it is excluded from the scope of application of the Act. This concerns, for example, information relating to national security interests, confidentiality obligations for the protection of classified information and information subject to certain confidentiality obligations such as medical, notarial and legal professional confidentiality. The contractual duty of confidentiality of persons who carry out auxiliary activities to such professions is also covered in this respect. This means that in these cases a whistleblower is not entitled to protection.
- With regard to information containing a trade secret, the report or disclosure is generally permissible if the whistleblower had reasonable grounds to believe that the passing on or disclosure of the specific content of the information is necessary to uncover the breach and that the information is true and concerns a breach that falls within the scope of the law. The same applies to information that is subject to other contractual or statutory duties of confidentiality.
V. External reporting channels
In addition to the obligation of companies to establish internal reporting channels, the draft bill provides for the establishment of external reporting offices at the Federal Office of Justice, the Financial Supervisory Authority (BaFin) and the Federal Cartel Office as well as another external reporting office for reports concerning these external reporting offices. In addition, each federal state may set up its own reporting office concerning state and municipal government.
The fact that instead of a central reporting office various reporting offices are established with different responsibilities unnecessarily complicates the external reporting process for whistleblowers.
VI. Relationship between internal and external reporting
The whistleblower is free to choose whether to first contact an internal or directly an external reporting office.
The wording of the draft bill as well as its legislative history leave open whether an internal report has a blocking effect on the external reporting proceedings and a whistleblower must first wait for the outcome of the internal proceedings before contacting the external reporting office. The draft provides that if a breach reported internally is not remedied, the whistleblower is free to make an external report. This wording supports the assumption of a blocking effect.
Completely different principles than for the use of internal and external reporting channels apply to the disclosure of reports. Disclosure means making information available to the public, i.e. in particular to the press or in social media. Disclosure is only permissible as a last resort. Accordingly, protection under the Act in cases of disclosure only applies subject to additional requirements. To this end, the whistleblower must
- either have initially issued an external report without appropriate follow-up measures having been taken or the whistleblower having received feedback on such follow-up measures, or
- have sufficient reason to believe that the breach poses an imminent and obvious threat to the public interest, that there is a risk of reprisals in the event of an external report or that the external reporting procedure is unsuitable for other reasons (e.g. suppression of evidence, inadmissible collusion).
The free choice granted to the whistleblower between external and internal reporting as well as the regulation on disclosure indirectly exert considerable pressure on a concerned company to make the internal reporting procedure as attractive and efficient as possible for whistleblowers.
Only if a report is first made internally does the company concerned retain control over the proceedings and can initially investigate an allegation itself and independently control the public presentation and, if necessary, the cooperation with authorities. In contrast, disclosure of the allegation can give rise to considerable disadvantages. Thus, even if ultimately unfounded accusations become known, there is a risk of a significant loss of reputation. However, according to the concept underlying the draft bill, the concerned company's possibilities of exerting influence are limited in this respect. The requirements for a permissible disclosure lie almost exclusively within the sphere of the external reporting office. If the external reporting offices to be newly established are not adequately staffed and financed, there is a risk that these authorities will be overburdened. This is particularly problematic in light of the fact that even exceeding the deadline for feedback of three months, in complex cases of six months, entitles the whistleblower to disclosure. Companies therefore only have the option to encourage whistleblowers to use the internal channel or to seek cooperation with the external reporting channel.
VIII. Protection of the whistleblower and third parties
1. Requirements for protection
The whistleblower is subject to the protection of the Act in the case of an internal or external report as well as in the case of disclosure if, at the time of the report or disclosure, he or she had reasonable grounds to believe that the information was true and concerned breaches falling within the scope of application of the Act.
2. Scope of protection
The draft bill provides for mandatory protections in favor of whistleblowers.
a. Exclusion of responsibility
Accordingly, the responsibility of a whistleblower for obtaining or accessing information is excluded if the obtaining or accessing itself does not constitute an independent criminal offence. Responsibility for passing on the information in the context of the report or disclosure is also excluded.
b. Prohibition of reprisals
Reprisals as well as their attempt or threat against the whistleblower are prohibited. Reprisals are defined as acts or omissions in connection with professional activity which are a reaction to a report or disclosure and which cause or may cause the whistleblower to suffer an unjustified detriment.
In contrast to the EU WBD, the draft bill does not contain any examples of reprisals, but is limited to a legal definition. However, by way of interpretation in conformity with European law, it can be assumed that the extensive example cases specified in the EU WBD also meet the requirements of the definition of reprisal under German law. According to this, inadmissible reprisals include, among other things, suspensions, dismissals, demotions, denial of promotions, reallocation of tasks, changes in the place of work or working hours, salary reductions, negative performance appraisals and disciplinary measures.
In favor of the whistleblower, a reversal of the burden of proof is to apply in implementation of a corresponding recommendation of the EU WBD. According to this recommendation, if a whistleblower suffers any detriment following a report or disclosure in a professional context, this is presumed to be a case of reprisal. It is up to the person causing the detriment to prove that the detriment is justified or not based on the report or disclosure.
c. Compensation for damages after reprisals
The perpetrator of a prohibited reprisal is to be obliged to compensate the whistleblower for the resulting damage. However, a claim for the establishment of a professional relationship or for career advancement is excluded.
3. Protection of third parties
Not only the whistleblowers themselves are awarded the protection provided for, but in principle also such natural persons
- who confidentially assist the whistleblower in reporting or disclosing in a professional context,
- who are associated with the whistleblower and suffer reprisals as a result of the report or disclosure in a professional context, and
- legal entities, partnerships with legal capacity and associations of persons that are legally associated with the whistleblower, with whom the whistleblower is employed or with whom the whistleblower is otherwise associated in a professional context.
IX. Consequences of a false report
In the event of the reporting or disclosure of incorrect information, the whistleblower is to be held liable for damages if there is intent or gross negligence on his/her part.
According to the legislative history of the draft, this does not preclude the assertion of damages under competing bases for claims also in cases of simple negligence.
Furthermore, knowingly disclosing incorrect information constitutes an administrative offence and can be punished with a fine of up to EUR 20,000.
X. Sanctions for breaches
Obstructing a report or communication between the whistleblower and the reporting office, conducting a reprisal and failing to maintain confidentiality are administrative offences under the draft bill, punishable by a fine of up to EUR 100,000, or up to EUR 1 million if a legal entity or association of persons is sanctioned.
The breach of the obligation to establish and operate an internal reporting office may be punished with a fine of up to EUR 20,000.