Old Wine in New Bottles – A Journey from 2021 to 2023
The world has changed in the last three years since the pandemic hit. While pandemic-related topics like occupational health and safety or data protection were still present at the beginning of 2022, they were no longer at the forefront of people’s minds. Instead, cybersecurity became a greater priority due to the changing geopolitical situation.
2021 saw the end of the deadline for transposing the EU Whistleblowing Directive into national law. And after 24 EU Member States failed to transpose the Whistleblowing Directive correctly or at all as of December 17, 2021, the European Commission launched corresponding infringement proceedings before the European Court of Justice (CJEU). Afterwards, whistleblowing became an important topic that accompanied us throughout 2022. It was also one of the hottest topics of conversation at all major compliance events.
The Supply Chain Duty of Care Act (Lieferkettensorgfaltspflichtengesetz- LkSG) was another topic from 2021 that was on the agendas of almost every compliance conference. The act was passed in the summer of 2021. The tasks in 2022 were to anchor a company’s corresponding due diligence obligations through appropriate processes and governance.
First things first: Why should companies care about whistleblowing?
Whistleblowing is essential for any company that wants to promote a culture of accountability and integrity. There are multiple reasons why whistleblowing is important:
- Exposing wrongdoings: Whistleblowing can help expose unethical or illegal activities that might otherwise remain hidden and bring them to the attention of relevant stakeholders and authorities. It can lead to corrective action being taken and prevent further harm.
- Accountability and transparency: Whistleblowing can increase accountability and transparency in organisations. It can deter employees from engaging in unethical or illegal behaviours and promote a culture of integrity and ethical conduct.
- Protection of public interest: Whistleblowing can serve the public interest by exposing fraud, waste, and abuse of power and preventing harm to individuals, society, and the environment.
The purpose of the EU Whistleblowing Directive is to enable whistleblowers to raise their concerns without fear and provide them with greater protection.
And similar to data protection, whistleblowing also gained new momentum in the spring of 2022 when the long-awaited draft bill for a Whistleblower Protection Act (HinSchG) was published. And it had a lot to live up to.
The draft law went far beyond the minimum requirements of the directive in many respects. For example, the scope of the HinSchG is much broader and not limited to reporting violations of European law but a variety of criminal and administrative offences.
The business community saw the draft as an “almost obsessive legislative over-reach“. The EU Commission also took umbrage at the German draft and criticised it in two statements.
- The criticism was on the German approach, which states that a single central reporting channel is sufficient in corporate groups and incompatible with the Whistleblowing Directive. Instead, each company, even within a group, would have to set up its own separate reporting channel.
- Compliance practitioners also criticised the requirement that anonymous reports should not be processed – a criticism we absolutely agree with. Experience shows that whistleblowing systems should be designed to be as low-threshold as possible. The government‘s fear of a flood of unjustified reports and denunciation to justify such regulation is also contradicted by relevant current studies.
The revised draft laws published during 2022 took up some of the criticism voiced. For example, information received anonymously from internal and external channels must also be processed – including an obligation to set up anonymous reporting channels.
The voices from Brussels were also supposedly heard: The directive allows outsourcing reporting channels to external third parties. The current draft law takes advantage of this. It enables a central reporting office to the extent that the respective group companies outsource these functions to another company as a “third party“. Only time will tell whether this construct will stand up or be ruled contrary to European law by the CJEU.
The German law was expected to enter into force in spring 2023. However, it failed epically to pass the second parliament chamber (“Bundesrat”) in February 2023. Incidentally, Germany is not alone. So far, 19 member states (including France, Denmark, and Sweden) have implemented the directive. And parliamentary deliberations are still underway in 8 countries.