The EU Whistleblower Protection Directive and its implementation in national law: What lies ahead for companies?

The EU Directive: The Directive is in the context of a paradigm shift in law enforcement policy – in Europe and also in Germany. The aim of the Directive is – as described in its Art. 1 – “to improve the enforcement of Union law and policies in specific areas by setting common minimum standards ensuring a high level of protection for persons reporting infringements of Union law”. These requirements are intended to preventively transfer the enforcement of European law from the state to the legal entities as a matter of their own. By specifically mandating that reporting channels and case management be implemented and maintained

Status of the legislative procedure: the directive was adopted in the so-called triolog procedure and entered into force on 16.12.2019 with an implementation period of two years.

• Implementation status in the EU: 19 out of 27 EU member states have already started implementation. In some cases, we are already further along than in Germany, especially in the area of in the Nordic countries.

• Draft bill: In Germany, the Ministry of Justice and the Ministry of Labor are working on the draft bill. However, due to the complexity and uncharted territory of whistleblower protection, a draft released to the public is not yet available. The goal is to meet the implementation timeline by the end of 2021 (Dec. 17, 2021). Due to the many challenges of implementation, it is not yet possible to give an exact date for an official draft bill. The BMAS and the BMJV are in consultation with the federal government on this. For some time now, however, the “Draft Law for Better Protection of Whistleblowers and for the Implementation of the Directive on the Protection of Persons Reporting Violations of Union Law” (Whistleblower Protection Act) has been circulating. Subject to possible amendments, the present draft shows where the journey may lead for German companies.

Core requirements: Of the core requirements of the EU Whistleblowing Directive and its planned implementation in German law, a few points can be singled out:

• All companies, so-called employers, regardless of their legal form or sector, and also public administration, courts and municipalities, so-called departments, will in future be obliged to set up a whistleblower system. That already from 50 employees. Legislation in Germany extends it further for certain companies within the scope of the WPHG, BörsG, KWG, and VAG. In the public sector, for example, state law should regulate municipalities.

• The scope of the Directive covers whistleblowers in the private and public sectors. For the public sector, this means all employees who receive information in a professional context: Civil servants, public employees. This applies accordingly in the private sector. Important: It is a broad scope – employees of a business partner of the company must also be able to report.

• With regard to the reports covered, it was to be expected that not only violations of EU law but also violations of national law would fall within the scope of the Whistleblower Protection Act. This requirement, which is not uncontroversial in the political arena, means that the reporting channels must be open to all violations that are subject to penalties or fines and must not only cover EU law violations.

• There is an EU requirement for dealing with anonymous tips Germany is not required to open reporting channels for anonymous tips. It is only explicitly clarified that external reporting offices do not have to follow up on anonymous tips. This statement is not found for internal hotlines. In any case, the anonymous whistleblower is protected if his identity comes to light.

• With regard to the handling of reported cases, there are precise EU requirements with feedback and documentation obligations, which are implemented accordingly at national level.

• Finally, obligations are imposed to protect the whistleblower, the fulfillment of which must be proven in case of doubt. The reversal of the burden of proof to the detriment of the so-called employers and service providers is provided for accordingly in the draft bill.

• However, there is no whistleblower protection in principle if the whistleblower reports particularly protected information. There is also no protection if the whistleblower goes directly to the public, so-called disclosure. He is only protected if he has previously unsuccessfully submitted an external report to an External Reporting Office to be set up by the state (Federal Data Protection Commissioner, the BaFin and, if applicable, state authorities). Finally, there is no whistleblower protection if the whistleblower intentionally or grossly negligently reports inaccurate information. Then he is even obliged to compensate for the damage incurred.

Implementation period and market impact: The deadline for transposing the EU directive into national law is December 2021. For companies with up to 249 employees, however, the requirements are not expected to take effect this year, but rather in 2023. It would be good to clarify whether headcount is calculated by headcount or by Full Time Equivalents. In any case, the new legal situation will have an impact on very many companies in the short and medium term.

• According to our estimates, there are probably 50,000 companies in the EU with more than 250 employees; in Germany alone, there are probably 17,000 companies. Here, the obligations take effect from the end of this year. If only half of them have to make adjustments, e.g. introduce a digital system, that’s more than 25,000 companies across the EU in the short and medium term.

• For smaller companies, the obligation comes later. According to our estimates, around 250,000 companies in the EU have more than 50 employees (for Germany, the figure is probably around 65,000). If only a quarter of them intend to implement a sustainable implementation, e.g., to introduce a digital system, that’s more than 15,000 companies in the long term.

• In our view, the requirements of the future Whistleblower Protection Act will also have a formative effect worldwide The DOJ requires whistleblower systems as a hallmark of a compliance management system via the FCPA also extraterritorially. The EU and German legislators provide precise guidelines for the design of the whistleblower system. If a company introduces a group-wide system internationally, it should not be possible to apply lower compliance requirements within the company in countries outside the EU than for the European companies.

Employers and departments are well advised to use the time until the mandatory regulations come into force to adapt existing whistleblower systems to the future requirements or to introduce adequate whistleblower systems. Among the various whistleblowing channels, we believe that an IT-based solution will prevail in Europe. When setting up and operating whistleblower systems, there are other legal requirements to be observed in addition to the above. In particular, data protection, which is essentially about the handling of personal data: Here there is an orientation guide from the state data protection authorities. In addition, the implementation and regular operation of the system must take into account company co-determination, company law and, where applicable, local regulations.

With EQS Group, KPMG Law has a strong alliance partner at its side – one of the five most relevant IT solution providers in the European market, with global reach. We thus believe that we are well equipped to support employers and departments with a holistic compliance solution, the globally available KPMG Integrity Service, during implementation and regular operation.