
04.03.2019

Caution when designing whistleblowing tools

Not only since the Edward Snowden case has the topic of whistleblowing attracted higher attention among legal practitioners. This instrument to detect and investigate wrongdoing or misconduct, especially in companies, has been well known and proven for years, especially in the U.S. legal sphere. In Europe, there are ever more statutory provisions in this area as well. When implementing a whistleblowing system, in particular a whistleblowing hotline, companies need to consider various aspects to be able to actually harvest the fruits of such a defense system in terms of employment law.


It is evident that every company with a certain degree of internationality must implement an effective compliance system nowadays. Without such a system, they are risking serious disadvantages, especially in the U.S., that may easily result in fines or compensation of damages. A whistleblowing hotline represents a component of such a compliance system that is certainly not insignificant. Appropriate hotlines (or websites) are widely used in practice. Their purpose is to enable employees to reveal wrongdoing of any kind, such as criminal misconduct by the company itself or by individual employees, to a specific unit in the company (depending on the extent and severity of the misconduct, such reports may even be required in some cases). This unit is set up to receive information and to take corrective action where necessary. In some instances, major investigations may be initiated. Typically, the Chief Compliance Officer is ultimately responsible for this unit in an organization.

It is not only since the GDPR entered into force that companies have had to consider whether such hotlines should be operated by the company itself or by third-party providers, and whether this should be done on an anonymous or personalized basis. Accordingly, different sets of data protection requirements will have to be observed. Finally, companies also need to align differing interests – the interests of the whistleblower, the interests of the accused individual(s), and the interests of the injured individual, where that person is not identical with the whistleblower.

Particularly to encourage whistleblowers to report wrongdoing and thus to be able to prove the effectiveness of the compliance system if necessary, many companies opt for an anonymized setup, where whistleblowers are not obligated to disclose personal data about themselves when submitting reports.

Anonymous whistleblowing tools frequently lead to a practical problem for companies, though: procedural verifiability in possible dismissal protection trials. Experience shows that, once a report has been made, “compliance cases” usually require the company to carry out a considerable amount of investigation to clarify the facts of the case, at the end of which the report is either verified or not. If companies are able to verify the information, they are usually forced to dismiss the violator(s). In a subsequent dismissal protection trial, companies must be able to prove the misconduct of the dismissed employee(s); otherwise, they will lose the trial. Generally, the internal investigations should provide sufficient evidence to prove the misconduct in the trial, for example by identifying other colleagues as witnesses or by securing additional documentation. Where, however, the whistleblower’s testimony is the only suitable evidence to justify the dismissal, companies have a major problem with an anonymous whistleblower tool: they cannot name the witness. Without questioning the witness, labor courts cannot provide grounds as to why a dismissal should be legally effective.

Consequently, the tediously installed and costly compliance system, in particular the whistleblowing tool, may turn out not to be effective at all. Whether such a sometimes ineffective compliance system is legally sufficient must be adjudged in the individual case, depending on governing rules and regulations.

In the technical design of an anonymized compliance system, companies should therefore consider integrating an option through which, where evidence is lacking, whistleblowers can be contacted (in anonymized form) and informed of the lack of evidence and its consequences, so that they may be ready to disclose their identity if necessary. It goes without saying that such notifications may only be added to the system after all options of obtaining evidence have been exhausted and the investigation of the facts of the case has been completed.

Regrettably, practice shows that “standard” whistleblowing tools have neither considered the potential lack of evidence nor, which is at least consistent, made allowances for appropriate options for companies to point this out.

Conclusion:

The introduction of a compliance system in businesses is an absolute standard nowadays. When designing such systems, it needs to be considered which information such a system is supposed to provide. Finally, the system must be technically set up to guarantee this.

Once the operationally intended part is finalized, the technical implementation also needs to consider the various legal implications. Only such a structured approach promises the establishment of an effective compliance system.

Authors

Alexander Möller

Partner
