On 12 May 2023, the Whistleblower Protection Act (Hinweisgeberschutzgesetz) has passed the German legislative process and will now be forwarded to the Federal President for promulgation as part of the "Bill for improving the protection of whistleblowers and implementing the EU Directive on the protection of persons who report breaches of EU law". The law will enter into force one month after its promulgation, presumably in June 2023.
The first attempts to adopt the Whistleblower Protection Act failed earlier this year, when Germany's second legislative chamber (the Bundesrat) rejected its approval. After months of political controversy the governing coalition and the main opposition party as well as the legislative chambers now reached common ground to improve whistleblower protection. To this end, the Whistleblower Protection Act provides for far-reaching organisational and procedural obligations for German-based companies:
The Whistleblower Protection Act has a broad scope. It applies if individuals become aware of information concerning violations in an occupational context. Violations include: criminal offences, administrative offences (provided that the violated provisions protect life, limb, health, or the rights of workers or their representative bodies) and violations of EU and national laws in certain areas such as environmental protection or consumer protection, as well as abusive tax structuring. The violations have to be committed in carrying out official duties, economic activities or occupational activities. Being aware of information relating to a violation does not require having actual knowledge of a committed violation. Instead, a reasonable suspicion of a violation that is very likely to be committed in the future, or even efforts to conceal a violation, are deemed sufficient for the new law to apply. For employers, this creates a material risk of employees lawfully leaking highly sensitive business information based on reasonable, but unfounded suspicions, i.e. without any violation whatsoever actually occurring.
In principle, all German-based employers with at least 50 employees have to set up and operate internal reporting channels. Private employers with 50 to 249 employees have until 17 December 2023 to set up the required structures. Certain industries, e.g. investment service providers and capital management companies, have to set up reporting channels immediately irrespective of their size, once the new law enters into force. Internal reporting channels can be operated either by the employer's sufficiently qualified staff, or by a third party. Employers with 50 to 249 employees can also set up joint reporting channels together with other employers, while larger employers have to operate their own reporting channel. According to the explanatory memorandum accompanying the law, group companies can implement a group-wide central reporting channel if further conditions are met. Internal reporting channels should also process anonymous reports, although there is no obligation to design the reporting channels in a way that they allow the submission of anonymous reports.
Certain federal and state authorities have to implement external reporting channels. Whistleblowers may choose whether to report internally or externally but are encouraged to use internal channels where a violation can be effectively remediated internally and no retaliation has to be apprehended. Employers, as well as public authorities receiving a report, have to provide feedback to the whistleblower within quite strict timelines and take appropriate follow-up measures, which may include the opening of an internal investigation or referral of the proceedings to a competent authority. In external reporting, the public authority may compel the company concerned to provide information. All reports must be documented in a permanently retrievable manner. In principle, the information has to be deleted three years after completion of the process but may be kept for longer if required to comply with legal obligations in a proportionate way. The identity of the whistleblower must be kept confidential throughout the entire process of follow-up measures, unless one of the narrow exceptions under the new law applies. If the whistleblower does not receive appropriate feedback from the public authority on the report in good time, he/she may lawfully disclose the relevant information to the general public. The same disclosure right applies in other circumstances defined by the law, e.g. in cases where the whistleblower may face retaliation in the context of external reporting.
The law provides several protections for whistleblowers. For these to apply, it is sufficient that the whistleblower has reason to believe that the information to be reported or disclosed is true, irrespective of whether it actually is or not. The protections afforded to whistleblowers under the new law include an exclusion of liability and a prohibition of retaliation. Employers who retaliate have to compensate the whistleblower concerned for the damage suffered including compensation for non-pecuniary losses. If an employer takes measures that adversely affect a whistleblower and the whistleblower asserts that this is due to his reporting, the law provides for an assumption that the employer has illegally retaliated against the whistleblower, shifting the burden of proof onto the employer to demonstrate that the measures were legally justified or unrelated to the whistleblowing.
The law also provides for a comprehensive list of fines. A fine of up to €50,000 may be imposed for hindering or attempting to hinder reporting. The same applies to any retaliation, as well as to unjustified disclosures of the whistleblower’s identity. In the latter circumstance, even a reckless or negligent violation can be punished. A fine of €20,000 can be imposed in the event that the employer fails to set up internal reporting channels, or does so inadequately – however, this provision will only enter into force six months after the remainder of the law has entered into force. In certain circumstances, fines may be increased tenfold for companies.