Primarily due to the implementation deadline for the EU Whistleblower Directive (Directive (EU) 2019/1937 of 23 October 2019 on the protection of persons who report breaches of Union law), which expires on 17 December 2021, the question of whether and how to introduce whistleblowing systems currently plays a major role for companies. This issue affects every sector of industry, including tech companies. The questions we are asked in this context are always the same: When will the German implementation law for the EU Whistleblower Directive come into force? Are we already directly obliged to implement a whistleblowing system due to the EU Directive? Can we implement a central whistleblowing system for the entire group? We would now like to provide some answers:

1. What does the EU Whistleblower Directive regulate?

From the perspective of the European legislator, notifications and disclosures by whistleblowers are an effective instrument for uncovering violations of the law. However, it is assumed that potential whistleblowers have so far been reluctant to report their suspicions for fear of retaliation. The EU Whistleblower Directive therefore sets a uniform minimum standard for the protection of whistleblowers across the Union, so that they are no longer inhibited from reporting or disclosing in the future. Not only employees are protected, but also third parties who have some connection to the company, such as freelancers or suppliers. However, not every (private sector) company falls within the scope of the Directive, because it is only applicable to those with more than 250 employees. From the end of 2023, this threshold will drop to 50 employees. Medium-sized companies therefore have a bit more time. The decisive factor however is each individual company and not the group taken as a whole.

In terms of content, the Directive provides that in the future there should be a tripartite reporting system consisting of a (company) internal reporting channel, an external reporting channel (the competent authority) and the possibility of disclosure to the general public. If this tripartite reporting system exists, the whistleblower may only go public if the other two reporting channels have been exhausted. However, the EU Directive leaves open whether the whistleblower must always turn to the internal reporting body or whether he or she can also go directly to the external reporting body. The national legislator is free to standardise this in the implementation law. Other important provisions of the EU Directive are the feedback requirement and the confidentiality requirement, which must be observed in the implementation law, if it is to be passed in Germany.

2. What has happened to the German implementation law?

Since the EU Directive is not directly applicable in principle, the German legislator has had two years to pass a national implementation law. This deadline is 17 December 2021, but there is still no such law in Germany. The last draft bill failed due to the following two points of contention: On the one hand, the German law was intended to protect whistleblowers not only when reporting violations of EU law, but also when reporting violations of national law. On the other hand, the draft of the implementation law provided that whistleblowers do not have to make an internal report first, but can immediately contact the external reporting body (the Federal Financial Supervisory Authority was proposed). The former governing coalition was unable to reach an agreement on both points.

Now the newly appointed federal government is called upon to implement the EU Directive as quickly as possible. In its Coalition Agreement, it states: “We will implement the EU Whistleblower Directive in a legally secure and practicable manner. Whistleblowers must be protected from legal disadvantages not only when reporting violations of EU law, but also significant violations of regulations or other significant misconduct, the disclosure of which is particularly in the public interest.”

3. Should companies be proactive or take their time?

What does this mean for companies? Can they or should they just wait until there is a new bill or law? The clear answer is: no. This is because regardless of the implementation law, there are good reasons to introduce a whistleblowing system right now:

a) Whistleblowing system as part of a compliance management system

On the one hand, and this is often forgotten in the discussion, the whistleblowing system is part of an efficient compliance management system. If you imagine the structure of the compliance management system, which is based on the three principles of prevent, detect, respond, the whistleblowing system is one of the most important implementing measures of the second principle (detect) and is firmly anchored there. For this reason, every compliance due diligence in an M&A transaction already includes a standardised question about the existence of such a system. The buyer must know which measures are already in place and where there is a need for improvement post-closing. This is because anyone who is serious about their compliance management system should also have a whistleblowing system in place, if the company is a certain size, through which all compliance-relevant facts can be reported. The structure of this whistleblowing system can then be completely independent of the EU Directive or the corresponding implementation law. Instead, the whistleblowing system must adhere to the general compliance standard. Therefore, the question of whether only certain violations may be reported via the whistleblowing system cannot arise for companies at all. Otherwise, it would be left to the individual employee to assess whether any misconduct he or she notices in the company actually constitutes a qualified violation of the law within the meaning of the EU Directive, or whether it is instead a violation from another area of law not explicitly mentioned in the EU Directive, or whether the misconduct merely constitutes unethical behaviour below the threshold of a violation of the law. This carries a great risk that an employee would prefer not make a report at all because he or she does not know exactly whether the conduct to be reported is actually a violation of the law and therefore should have been reported. This uncertainty could discourage employees from reporting.

Whistleblowing systems are therefore already considered best practice today. The ISO 37002:2021 Standard “Whistleblowing management systems – Guidelines” provides guidelines for an effective whistleblowing system. Likewise, the practical guidance published in November 2021 by the German Federal Cartel Office on early deletion from the competition register due to self-cleaning considers a whistleblower system to be an “important factor for the assessment of effective compliance”. Last but not least, the Supply Chain Due Diligence Act, which has already been adopted and will come into force on 1 January 2023, also introduces a whistleblower system under the heading “Complaints Procedure” in Section 8.

b) Legal regulations

The other reason to introduce a whistleblowing system now is that an implementation law will inevitably be enacted and it is just a question of “when”. As long as there is no such law, there is a heated discussion about the direct applicability of the EU Directive, which is always possible if a country does not implement a Directive. However, this direct applicability is linked to certain conditions. In this respect, there is currently disagreement as to whether these conditions are met. However, this current situation carries the risk that a whistleblower will invoke direct applicability in a dispute and prevail. To prevent this, companies are advised to act now.

4. So what is to be done?

As is always the case with compliance measures, there are three phases in the implementation of a whistleblowing system: The preparation phase, the implementation phase and the control phase. In the preparation phase, the basic prerequisites for implementation must be created. This means that the management must be convinced of the introduction and that the type of whistleblowing system, especially the provider of the technical solution, is chosen. In addition, it is advisable to carry out an initial risk analysis. Whilst not an absolute must, it is very useful to better identify the risks in a company. This can give an initial idea of where the true cause of trouble lies and who is best placed behind the whistleblowing system with what expertise. This is followed by the implementation phase. Here, particular attention must be paid to the requirements under company law, employment law and data protection law that are placed on the introduction of a whistleblowing system. But even after implementation, the task is not complete, because every compliance measure must always be checked for its effectiveness and adjusted if necessary.

5. One group, one whistleblowing system?

At present, corporate groups are particularly concerned with the question of whether they can introduce a central whistleblowing system that applies equally to all group companies. Although this seems practicable, it is difficult for two reasons. First of all, there is a new opinion of the EU Commission which states that a group-wide whistleblowing system is inadmissible. Only medium-sized subsidiaries (50 to 249 employees) should be allowed to pool their resources, at least partially. According to this, the receipt of reports and the conduct of investigations for several legal entities can be assigned to a selected group company. In addition, medium-sized subsidiaries should be able to benefit from the capacities of the parent company for an internal investigation following the report. However, this only applies under the condition that the separate reporting channels of the individual subsidiaries remain in place, that the whistleblower is informed about the submission of his or her report to another subsidiary and that he or she agrees to this. This means that in any case, a separate reporting body is still required for each company. The second reason why a one-size-fits-all solution often fails is that there are numerous different legal requirements in the individual EU countries, which do not implement the Directive in a uniform manner. Even outside the EU, the legal requirements in the individual jurisdictions are very differently structured. Finally, cultural differences may well play a role here as well. So what is the advice to corporations to deal with this logistical burden? They should start by implementing a whistleblowing system for a company in one country. Often this will be in the country of the corporate headquarters, but it could also be the country of a central subsidiary. This basic whistleblowing system should then be reviewed by local lawyers in each of the group’s other jurisdictions and adapted only to the extent that is absolutely necessary. The local lawyers should also be coordinated by a contact person who is informed about the status of the various implementations in the companies and countries. In this way, a global system can be implemented with as little effort as possible for corporate groups, which incorporates the mandatory legal requirements in the various countries.

Lessons Learned: The introduction of whistleblowing systems should not be put on the back burner. Even if the German implementation law is still a long time coming, action should be taken now. A whistleblowing system is already considered best practice today and is also provided for under the German Supply Chain Due Diligence Act. The waiting game is therefore no longer an option.