Today, 17 December 2021, is the deadline for implementing the EU Whistleblower Directive. So far, only Sweden and Denmark have transposed the Whistleblower Directive into respective national regulations; Portugal managed to pass a law by majority vote of the parliament in time, but the Portuguese transposition law will not enter into force until mid-2022. Germany, on the other hand, is threatened with infringement proceedings as the coalition partners of the old government could not agree on a first draft bill, the so-called Whistleblower Protection Act (WPA) of the Federal Ministry of Justice. However, the recently published coalition deal of the newly elected coalition picks up the issue again, so that new developments on the Whistleblower Protection Act seem to be underway. The coalition agreement commits to implement the directive, which creates a uniform legal framework for the protection of whistleblowers throughout the Union, in a “legally secure and practicable” manner. Germany plans to protect whistleblowers from legal disadvantages not only when reporting breaches of EU law, but also when reporting significant breaches of national regulations or any other significant misconduct, where disclosure is of special public interest.

Companies are thus faced with new compliance challenges. Rather than wait for the transposition of the directive by the German legislator, affected companies should take appropriate measures already today and adapt their compliance systems to avoid liability risks. After all, until transposition by the new German government, employees can already invoke the directive, which is directly applicable insofar as certain obligations are clearly defined. In addition, national law must be interpreted in light of the Whistleblower Directive. Therefore, companies should consider:

  • Who is affected and by when must the new rules be implemented?
  • What exactly needs to be done?
  • Who and what is protected?
  • How are violations sanctioned?
  • What happens next?

Not Only Large Companies Are Affected

The rules apply to all private and public sector companies with over 50 employees. Companies in the financial sector are obliged to introduce an internal whistleblowing system even regardless of their number of employees.

However, there are some differences in terms of deadlines: Companies with more than 250 employees should already comply with essential parameters of the Directive now, i.e. even before the Directive is transposed into German law. Smaller companies with 50 to 249 employees have some more time; they benefit from a grace period until 17 December 2023 to set up the required reporting infrastructure.

Generally, companies are free to use existing or new internal organisational structures for the implementation or to commission independent third parties, such as law firms, as reporting offices.

Establishment of a Reporting Infrastructure – Internal and External Reporting Channels for Whistleblowers

The Whistleblower Directive obliges companies to set up an internal reporting system. This is intended to provide whistleblowers with a secure communication channel for any information about violations of EU law. The reporting system must provide the possibility to submit information both under disclosure of the identity of the whistleblower or anonymously, verbally or in writing, all while guaranteeing confidentiality regarding the whistleblower’s identity as well as that of any third parties mentioned in the report.

The Directive entails specific requirements for the design of the reporting system and subsequent investigation procedure:

Receipt must be confirmed to the whistleblower within seven days after his report. Upon receiving a report, a company must start (and complete) an internal investigation within a reasonable period of time. After three months at the latest, the whistleblower must be provided with a status update. To make the procedure as transparent as possible, extensive documentation obligations are put in place. Internal reporting systems do not necessarily have to be created anew by each company. It is also possible to adapt and expand already established sector-specific information regimes (for example, according to the provisions of the Money Laundering Act).

Whistleblowers may also turn to external reporting bodies. The Whistleblower Directive obliges Member States to enable the receipt and processing of information on violations of EU law via governmental offices. The German draft bill provides for the establishment of specialised central reporting offices at federal level and optionally also at state level. For breaches in the financial sector, the Federal Financial Supervisory Authority known as BaFin is to become the competent external reporting office. It remains to be seen what role other supervisory bodies (e.g., the complaints office of the data protection authority) will play. For cartel violations, the whistleblower hotline of the Federal Cartel Office might qualify as an external reporting office.

Wide Scope of Protection for Whistleblowers

The directive is intended to protect everyone who, by virtue of their profession, has privileged access to internal business affairs and insights into possible EU law infringements. In addition to employees in the private or public sector this includes the self-employed, subcontractors, or suppliers.

The directive protects notifications of a wide range of infringements of European regulations, e.g., antitrust and public procurement law, environmental and consumer protection, financial regulations and data protection law.

The Directive protects whistleblower making use of reporting systems in good faith, i.e. on reasonable grounds to believe that the reported information is accurate and relates to a violation of the designated EU acts. Essentially, the whistleblower is protected from retaliation in form of unjustified detrimental measures based on the report as well as potential liability for breaches of confidentiality and non-disclosure obligations. If the whistleblower experiences reprisals, such as salary cuts or bullying by the employer within a short time after the report, the employer must prove there is no causal link. The burden of proof is thus reversed in favor of the whistleblower.

Impending Fines

So far, the lack of internal reporting systems is not subject to fines. Nonetheless, companies are best advised to create the necessary internal structures in order to prevent whistleblowers from directly contacting external reporting offices or the public. Above all, this is a way of reputational damage control.

Upon transposition of the Whistleblower Directive into German law, fines will likely be imposed if the whistleblowing process is obstructed or reprisals are taken against whistleblowers acting in good faith. The draft bill of the WPA already defined such administrative offences punishable up to 100,000.00 Euros.

Transposition to be expected by Germany’s newly elected traffic light coalition

We expect the traffic light coalition to soon publish a draft according to which not only violations of EU law but also of national law can be reported, provided such disclosure is of special public interest. So far, there are only very few sector-specific rules in favour of whistleblowers in Germany.

For companies, the bureaucratic burden and implementation efforts brought along by the Whistleblower Directive should not be underestimated. However, establishing efficient whistleblower channels will increase trust in internal compliance structures. Some issues still need to be resolved before the WPA will eventually be passed by the German parliament. Nonetheless, it will pay off to familiarise oneself with the new re-quirements and to at least set up the necessary reporting channels as soon as possible, even if the channels may not “go live” until later.