At the European level, Directive (EU) 2019/1937 (the “Directive”) requires Member States to implement transformation and protection laws for so-called “whistleblowers” at the national level. The previous government of the Federal Republic of Germany submitted a draft at the end of 2020, which ultimately failed due to differences of opinion within the coalition at the time. However, the Directive had to be implemented by December 17, 2021, which is why the European Commission initiated infringement proceedings against Germany, among others, in January/February of this year.
On April 13, 2022, the new Federal Minister of Justice, Marco Buschmann (Liberal Democratic Party), presented a new draft bill on the Whistleblower Protection Act (Hinweisgeberschutzgesetz – HinSchG). It is expected that the draft bill will pass the legislative process in June and that the new law will enter into force at some point during the fall of 2022. In the following, the content of the draft is examined in more detail, and the draft provisions are highlighted in terms of advantages and disadvantages for practice.
Inconsistent scope of application
On the one hand, the scope of application of the new draft HinSchG exceeds the requirements of the Directive; on the other hand, the draft falls short in certain parts.
The personal scope of application is very broad. All whistleblowers from the private and the entire public sector fall within the scope of the draft HinSchG.
As far as the obligation to establish an internal reporting office is concerned, the draft proposal in 2022 has remained unchanged from the requirements of the Directive. (Subsidiary) companies with more than 50 employees must therefore set up an internal reporting office. For companies with between 50 and 249 employees, a grace period for establishment will apply until December 17, 2023. If companies have fewer than 50 employees, the voluntary establishment of an internal reporting office shall only be considered. In such a case, there is no obligation to do so. Some companies in the financial services sector (e.g., financial institutions) are required to establish internal reporting offices regardless of their number of employees.
With regard to the substantive scope of application, the new draft deviates from the draft presented in 2020. On the one hand, the new draft restricts the substantive scope of application. Whereas previously “all violations of regulations subject to criminal penalties and fines” were covered, the imposition of fines is now limited. Now, only those violations are included where the violated regulations serve to protect life, limb, health or the rights of employees or representative bodies. On the other hand, the scope of application greatly exceeds what is required by the Directive. The latter limited its reporting obligations and the protection of whistleblowers to violations of European regulations. However, the draft HinSchG provides for listed areas of law (e.g. public procurement or environmental law) above all that violations of German regulations are also to be reported equally and that whistleblowers are to be protected accordingly.
Changes to the responsible reporting office
Under the draft of the former black-red coalition, the Federal Data Protection Commissioner (Bundesdatenschutzbeauftragter) was to be responsible for external reports on compliance cases. The new draft from 2022 stipulates that the Federal Ministry of Justice itself should now act as the external reporting office.
Since 2021, the European Commission has been opposed to companies solely setting up central reporting offices at group level, which would then be responsible for all group companies with more than 249 employees. Instead, the Commission has been calling for separate reporting offices for each subsidiary. The 2022 draft takes a different approach and now stipulates that the central reporting offices should remain in place within the group, but be set up as “third parties”, which should also be responsible for other group companies. In addition, the limitation to affiliates with at least 249 employees has been omitted. Instead, the draft now defines subsidiaries affiliated with companies as “third parties” within the meaning of art. 8 para. 5 sentence 1 of the Directive, which can also undertake the reporting office for affiliated companies “on their behalf”.
Companies are subject to the principle of equivalence between internal and external reporting bodies (Sec. 19 of the draft HinSchG), according to which the employee is free to choose the body to which he or she wishes to report the possible violation. The new draft thus relativizes the previous tendency of the Federal Labor Court to recognize the obligation on the part of employees to first visit the company’s internal office. The draft has not taken this explicit decision into account at any point. Likewise, the Directive required the establishment of an internal reporting office with the purpose of being a first point of contact for employees. It was the intention that primarily a report should be made to an internal reporting office and that the whistleblower, in the event that his or her report is not followed up, should subsequently consult an external reporting office as well. Although reporting to an external office should be possible without restrictions or hindrances, it should be the last step. On the one hand, it should be possible for employees to report internal violations of regulations without reprisals, and on the other hand, it should be possible for employers to clarify and, if necessary, solve any problems internally with the available resources before they leak out. This mindset and purpose are missing from the new draft bill. Critics of this equalization argue that a valid clarification of the suspicion could have been prioritized with internal knowledge and internal resources without involving the Federal Ministry of Justice as an external body. Since the draft HinSchG does not require any mandatory truthfulness as long as the whistleblower is in good faith, this would not sufficiently strengthen the purpose of the law and the Directive to protect all parties involved in possible compliance cases.
Rather, the current draft of the HinSchG (HinschG-E) protects whistleblowers in the event of negligence of their disclosures, with the consequence that no legal certainty remains for companies. Critics therefore consider the protective purpose of the draft HinSchG-E to be overstretched in favor of the whistleblower.
It is partially possible to share existing resources among group companies, such as for the receipt of reports or for measures on follow-up investigations. For example, companies with up to 249 employees can share resources, while companies with 250 or more employees need their own reporting and investigation bodies. In this regard, the EU Commission has been very strict since 2021. However, the whistleblower himself does not learn anything about shared resources among the companies.
Internal reporting channels can even be operated by external third parties (e.g. a parent company, see page 85 of the draft HinSchG). However, the original responsibility always remains with the company and is never transferred to third parties.
According to the new draft HinSchG, the external reporting office, which is now to be located at the Federal Ministry of Justice instead of at the Federal Data Protection Commissioner, must be detached from the other ministry apparatus. The welcomed purpose of this organizational separation is to simplify access for whistleblowers without having to clarify questions of competence beforehand. However, except where specifically determined by law, there is no right to anonymity at the external reporting office.
Protection of the whistleblower
The most important provisions of the new draft HinSchG revolve around the protection of whistleblowers themselves, which up to now is regulated only inconsistently in Germany. Whistleblowers in companies must not be subjected to reprisals or disadvantages as a result of their reports, and threats or attempts to do so are also prohibited. This includes, for example, refusal of training or promotion, or unfavorable transfers, warnings and bullying.
In order to strengthen the position of whistleblowers and to ensure that the prohibitions of disadvantages and discrimination are not just toothless tigers, Section 36 para. 2 of the draft HinSchG contains a reversal of the burden of proof, providing great benefits for whistleblowers. The whistleblower must prove that he or she has experienced a disadvantage. However, companies must then demonstrate and, if necessary, prove that the personnel measures in question are not related to reports of possible breaches of European or national regulations. Nevertheless, companies are not entirely without protection. The obligation to pay damages exists on both sides, should on the one hand the whistleblowers experience disadvantages due to their reports, or on the other hand the companies are wrongly reported due to false information. All viable reports therefore require actual evidence, while vague assumptions are not sufficient.
In all cases, the identities of the whistleblower and of third parties involved are to be protected. However, anonymity is not granted in order to protect against false suspicions. In this respect, NGOs and experts have already criticized the old draft in 2020 for not deriving from the Directive the obligation for companies to accept anonymous tips. The failure to use the explicit exemption in the Directive was based on the assumption that this would lead to denunciations.
However, the critics have stated that it is precisely the anonymity of tips that protects the whistleblowers as much as possible and that studies on this argument could not prove an increased willingness to denounce.
Consequences for reported breaches
The catalog under Section 40 of the draft HinSchG contains sanctions to protect the whistleblower as well as the reporting process. A fine of up to €100,000 may be imposed if a report is obstructed or the whistleblower is subjected to reprisals. The attempt to carry out reprisals or the intentional or negligent violation of the confidentiality of the identity of the whistleblower and of persons concerned is also punishable. Other violations, such as failure to establish internal reporting offices, are punishable by fines of up to €20,000. Due to the reference in Section 40 of the draft HinSchG to section 30 para. 2 sentence 3 German Law on Regulatory Offences (Ordnungswidrigkeitengesetz – OwiG), the fine can amount to up to €1 million for companies due to the tenfold increase.
Thus, the fines are essentially unchanged compared to the old draft from 2020. Criticism nevertheless expresses that according to the very broad regulations almost everything can be punished with very sensitive fines resulting in the fact that the protective purpose of the HinSchG is strongly exhausted and is not always attained by the sanctions.
This is also reflected in the fact that companies are justifiably placed in a weaker position compared to whistleblowers due to the aforementioned reversal of the burden of proof. On the other hand, the draft HinSchG does not change the standard of liability for negligent or deliberate misinformation by whistleblowers themselves. The Directive may have been ill-conceived in this regard, because the leverage for gross negligence and intentional misinformation alone seems unnecessarily generous, considering the possible personal and corporate consequences if whistleblowers do not have to fear any consequences for their negligent expression of suspicions of violations of regulations so long as the level of gross negligence is not reached). This is despite the fact that the protective purpose of the Directive extends to all parties involved, not just whistleblowers.
Due to the considerable threat of high fines, companies should assess whether they already meet the requirements of the new HinSchG before it enters into force, in particular regarding the establishment of an internal reporting channel. Especially the extension of the scope of application to also include violations of national regulations holds the potential for frequent whistleblowing levies. If the reporting channels are not fully developed, companies risk attracting the unnecessary attention of the regulatory authorities.
The responsibilities of the internal and external fine channels are clearly regulated, much to the advantage of day-to-day practice. Both the documentation and the handling of confidentiality of personal data should nevertheless be taken seriously and be ensured.
To the advantage of companies, the draft HinSchG does not contain an obligation to accept anonymous reports. Even if the confidentiality of the identity of the whistleblower is strictly protected, there will be an inhibition threshold in the future to actually submit reports to the company. In the end, however, it makes no difference whether anonymous or identifiable reports are submitted, as the known identity must remain strictly confidential and is subject to severe fines. Therefore, companies are required to decide for themselves whether they want to give their employees the opportunity to make anonymous reports.
Overall, the new draft HinSchG is noticeably company-friendly. This applies in particular to the introduction of the possibility of setting up an internal reporting office as a “third party” at another group company, which would then be responsible for several independent companies in the group. Although the original responsibility remains with the subsidiaries even if the parent company’s central reporting office takes over the processing of reports for them, this is primarily of administrative advantage for the companies. The argument in favor of internal reporting offices, namely that (subsidiary) companies should first be able to use internal instruments and internal knowledge to follow up on tips before they reach external reporting offices, fades if it is then possible for companies to have internal reporting offices in other group companies. From the perspective of the whistleblower, the reporting office will presumably still be outsourced and thus appear external.
This definition of central reporting channels as “third parties” is an interpretation which the European Commission has not previously specified or shared. It remains to be seen whether the new draft for national design is in accordance with European law and does not end up before the European Court of Justice.