Whistleblower Protection Act will regulate reporting of violations of the law in companies and organizations
On July 27, 2022, the German government presented the “Draft Bill for Better Protection of Whistleblowers and for the Implementation of the Directive on the Protection of Persons Reporting Violations of Union Law”. The Whistleblower Protection Act (Hinweisgeberschutzgesetz, HinSchG) is intended to transpose EU Directive 2019/1937 into national law. The EU Directive states that: “[...] potential whistleblowers [are] often reluctant to report their concerns or suspicions for fear of reprisals. [There is] increasing recognition of the need for balanced and effective whistleblower protection.” Because Germany missed the transposition deadline of December 17, 2021, the EU had already initiated formal infringement proceedings in February 2022, so a swift conclusion of the legislative process is now to be expected. Companies, organizations and public authorities should therefore start preparing for the new rules now.
With the current bill the government even goes beyond the requirements of the EU Directive. The act is intended to cover not only violations of EU law, but also certain areas of national law, such as money laundering, corruption, tax fraud and environmental protection.
Employees, but also customers or suppliers, who notice violations of the law or even criminal offenses in the course of their cooperation and want to report them could come into conflict with their duty of confidentiality or with the protection of trade secrets. The company, on the other hand, has an interest in having malpractice uncovered and eliminated, but may shy away from the criminal consequences and certainly from a public debate about them, particularly if internal information that is critical to the company's success becomes public in the process. The act is intended to resolve this conflict and, above all, to create legal certainty for both sides.
At the same time, however, new pitfalls are emerging. As Bitkom CEO Dr. Bernhard Rohleder explained, also on July 27: “The current time pressure must not, however, lead to these important regulations resulting in new legal uncertainties because details and existing regulations are not sufficiently taken into account. This is especially true when it comes to data protection. [...] And in order to reduce the implementation effort, especially for small and medium-sized companies, the required data protection impact assessment should already be carried out during the legislative process [...].”
This concern is probably directed at the design of the (internal) reporting offices, to which the bill assigns central importance. On the one hand, they are intended to resolve the employee's conflict between the wish to report and the duty of confidentiality; on the other hand, they give companies and organizations the chance to act before the violation lands with the public prosecutor or becomes public. Provision is made not only for a central external reporting office at the Federal Office of Justice (Bundesamt für Justiz), but also and above all for an obligation to operate internal reporting offices within companies:
- Organizations with 50 or more employees will be required to set up an internal reporting office. Organizations with 50 to 249 employees will have until December 2023 to do so and may also set up joint reporting offices.
- Larger companies must immediately comply with the obligation to establish a reporting office.
- All companies can also entrust third parties, such as law firms, with the tasks of an internal reporting office.
- Failure to establish a reporting office may result in a fine of up to €20,000.
- Internal and external reporting channels are placed on an equal footing. This means that internal reporting offices do not have priority over external reporting offices.
- The bill currently on the table does not stipulate any obligation for anonymous reporting options. However, the recommendation here is clear: Only anonymity creates sufficient trust to reduce the fear of reprisals following a report.
It should be noted that the HinSchG explicitly lists data protection violations (violations of the EU General Data Protection Regulation, GDPR) among the reportable violations. This again exposes the tension between data protection and the HinSchG: the confidentiality requirement of the HinSchG is in clear conflict with the data subject rights under the GDPR, in particular the right of access. These data protection questions, which are still debated today even for less complex matters, must be answered in the organizational context. This means that data protection must be involved in the design of the whistleblower system from the very beginning.
For the internal reporting office to actually contribute to an effective fight against malpractice, it must be known within the company or organization, be capable of acting and be trustworthy for the whistleblower or whistleblowers. This requires some organizational effort. Setting up an anonymous reporting facility and using personnel who are not affiliated with the company can make a significant contribution to this. In this way, third parties with a proven track record of ensuring a high level of information security and data protection can become a reliable partner.
In detail, the bill provides for the following regulations for the internal reporting office:
- It must be possible to report violations of the law verbally, in writing and in person.
- Upon receipt of a tip, the reporting office must acknowledge receipt within seven days.
- After acknowledgment of receipt, the reporting office must respond to the tip within three months, informing the whistleblower of the intended measures and giving reasons for them.
- All tips must be documented.
- The identity of the whistleblower(s) is subject to confidentiality and may be known only to the persons responsible for handling the report.
- The internal reporting office must be independent and free of conflicts of interest.
- The employees of the reporting office must be specially trained for their tasks and, in particular, must be informed about the data protection regulations.
In addition to establishing reporting offices and the associated processes, companies should above all create a culture of trust so that potential whistleblowers make use of the reporting offices in the first place. Nevertheless, anonymity will be the prerequisite for this.
Organizations that now establish professional, well-defined and trusted internal reporting offices will have an instrument that enables them to act quickly and confidently. The new law will not only protect whistleblowers, but also help protect companies and organizations from the uncontrolled disclosure of business-critical information and from unnecessary damage to their image.
Note: On February 10, 2023, the Bundesrat (upper house of the German parliament) refused to approve the bill. As a result, the draft passed by the Bundestag (lower house of the German parliament) in December 2022 will probably go to the Mediation Committee.
Sources:
[1] https://www.bmj.de/SharedDocs/Gesetzgebungsverfahren/Dokumente/RegE_Hinweisgeberschutz.pdf?__blob=publicationFile&v=2 (accessed on 28.07.2022)
[2] https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32019L1937&from=en (accessed on 28.07.2022)
[3] https://www.bitkom.org/Presse/Presseinformation/Umsetzung-EU-Richtlinie-Schutz-fuer-Whistleblower (accessed on 28.07.2022)
Contact
Thomas Soens
Division Manager
msg security advisors