On March 5, 2012, the Committee of Labor and Social Affairs of the German Parliament (Deutscher Bundestag) held a hearing on a draft bill on whistleblowing (17/8567) introduced by the Social Democrat Party as well as on a proposal of the left-wing party DIE LINKE (17/6492). So far, Germany has not introduced specific whistleblowing statutes, but rather handles whistleblowing issues on a case law basis. The draft legislation presented contains extensive provisions protecting whistleblowers in German enterprises.
The Committee has appointed Hogan Lovells lawyer Tim Wybitul as official expert for a hearing on whistleblowing provisions. Tim has particular expertise in the field of German and EU data privacy. Among the other experts heard were representatives of the German employers’ association, the Federation of German Trade Unions, and Josef Winter, Chief Compliance Officer and Klaus Moosmayer, Chief Counsel Compliance of Siemens AG, as well as other data privacy and employment law experts.
Most experts agreed that legislation protecting whistleblowers acting in good faith would be preferable to the current unsettled legal situation. At present, whistleblowers acting in good faith are protected by Section 612a of the German Civil Code, which generally prohibits retaliation against employees who lawfully exert their employee rights.
The draft legislation presented does not contain specific data privacy provisions, which was strongly criticized by several experts. There are few data processing issues in Germany which cause as much controversy as internal whistleblowing structures. Whistleblowing should be regarded as a means to demonstrate grievances, which is rightfully an issue of adherence to legal obligations and not of “telling on” or denouncing, which implicates the target’s ability to know and confront the accuser. However, because of concerns relating to the view of whistleblowing as denouncing, European and, in particular, German supervisory authorities for data protection often view internal whistleblowing structures implemented by enterprises with skepticism. For instance, German data protection supervisory authorities have published a working paper on internal whistleblowing structures, which states that information provided by whistleblowers on an anonymous basis should be permissible only under extraordinary circumstances. Moreover, the working paper states that the implementation of internal whistleblowing structures requires prior formal examination (Vorabkontrolle) by the internal data protection officer of the controller.
The German Federal Data Protection Act (Bundesdatenschutzgesetz – "BDSG") is counted among the strictest data privacy jurisdictions globally. The BDSG sees enterprises entertaining internal whistleblowing structures as data controllers responsible for the adherence to all applicable data privacy rules. The processing of personal data is generally prohibited by the BDSG, unless the processing is justified by German or EU statutory provisions. Sarbanes Oxley reporting obligations or other foreign statutes are not regarded as permission statutes in the light of the BDSG, but respective whistleblowing duties may be taken into account when applying German data privacy rules. In contexts other than whistleblowing rhe data subject may consent to the processing of his or her data, but this would require specific consent. So in the whistleblowing context, some view the subjects of whistleblowing complaints as having to provide consent to the processing of the personal data about them.
The processing of personal data of employees in the context of internal whistleblowing may be permitted by Section 32 BDSG, which requires a thorough balancing of interests in each individual case. Section 32 BDSG is generally considered to be too vague and imprecise to provide clear guidelines as to what data processing is permissible in a whistleblowing context. Hence, under currently applicable German data privacy laws, the permissibility of each instance of data processing involved in operating an internal whistleblowing system needs to be thoroughly analyzed. This pertains, in particular, to whistleblowing structures permitting cross border transfer of personal data outside the EU, which are highly criticized by German data protection supervisory authorities. A draft bill on employee data protection by the German Government is expected to be enacted in 2012 – unfortunately this draft bill does not cover data privacy in internal whistleblower structures.
In light of the described unclear legal position with regard to the compliance of internal whistleblowing structures with German data privacy law, several experts strongly suggested that any German whistleblowing regime should describe permissible processes and clear guidelines for the implementation and operation of whistleblowing structures.
The German Parliament is going to deliberate on the opinions provided during the Committee hearing before deciding on how to proceed with the draft legislation.