At European and national level, discussions have been going on for years on how best to protect the so-called whistleblowers from being victims of retaliation measures by those whose actions they have uncovered. Whistleblowers are persons who, as "insiders" (such as employees) disclose dubious practices of the institutions they serve. Here we think first and foremost of persons such as Edward Snowden, whose disclosures were directed against state measures. But the Panama Papers, the Luxembourg Papers and many more are also findings that have been disclosed by whistleblowers.
In Europe and Germany whistleblowers are sometimes seen as "traitors". At any rate, they must expect dismissal and criminal proceedings, when they involve the public and/or authorities, without having previously tried to fight against the undesirable developments internally in the company. In the discussions about the introduction of European whistleblower protection, the sticking points that individual member states strongly disagreed about were usually
- the relevance of the whistleblower's motivation to disclose data (the honest fight for the good or dishonest desire for revenge),
- the acquisition of knowledge (lawful or unlawful, for example through inadmissible copying of data records) and
- the question of whether whistleblowers must first take internal steps before informing the authorities and/or the public.
On March 12, 2019, an agreement was reached between representatives of the EU states and the European Parliament. The compromise reached essentially provides for the following regulations:
- Companies with more than 50 employees or more than EUR 10 million in sales, as well as companies that have such an obligation under other legislation (especially the financial sector), will in future be obligated to set up an internal whistleblowing hotline.
- Whistleblower protection applies to (suspected) infringements of certain aspects of EU law (i.e. unlawful acts), but also in the case of merely (suspected) immoral (nevertheless legally permissible) conduct.
- Employees, self-employed persons, managing directors, board members, shareholders, trainees, subcontractors as well as applicants are protected - the personal scope of application is therefore conceivably broad.
- There is no compelling obligation to first use the internal whistleblower system; instead, the whistleblower is in a large number of cases entitled to directly intervene with public authorities or the public, for example, if the company has no whistleblower system or if he/she has reasonable grounds to believe that an internal reporting would be detrimental to any investigation by the competent authorities, etc.
- In addition, whistleblowers should be protected against retaliation (for example, dismissals, transfers, etc.). For this purpose, whistleblowers have access to free advice; moreover, the breach of a given confidentiality obligation is deemed justified by the whistleblowing; furthermore, there is a reversal of the burden of proof in court proceedings regarding an (alleged) retaliation against whistleblowers, so that in future employers must prove that their actions are not sanctions for blowing the whistle.
- It also seeks to establish effective sanctions against natural or legal persons seeking reprisals against whistleblowers.
- In addition, the anonymity of whistleblowers should be ensured by appropriate measures.
The draft directive itself therefore stipulates that companies should now establish internal whistleblower systems as soon as possible, at the latest within the two-year implementation deadline. It is already foreseeable that the draft directive and its implementation will lead to considerable legal discussions and questions.
But there are also other issues arising as a result. The General Data Protection Regulation has established a comprehensive right to information of employees regarding the data stored about them by the company (Art. 15 GDPR). The State Labor Court of Baden-Wuerttemberg (Ruling of 12.28.2018 - 17 Sat 11/18) has recently ruled that a company should provide a staff member with comprehensive information on the data stored about her, which was collected on the basis of an internal reporting investigation and ultimately sanctions. In other words: In the specific case, according to the LAG Baden-Württemberg, a culprit, who was held accountable on the basis of an internal whistleblower, was able to enforce the disclosure of the name and circumstances of the internal whistleblower in court. The reason for this was allegedly the unspecific defense against the right to information on part of the employer.
It will be exciting to see how the General Data Protection Regulation can be aligned with the Whistleblowing Directive and national implementation legislation. This is all the more so since the Business Secrets Act passed on March 21, 2019, now requires employers to take appropriate measures to protect confidentiality (see our Update Compliance no. 5/2019); without such protective measures, there is no protected secret whose leaking / disclosure could lead to sanctions.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.