This is an Insight article, written by a selected partner as part of GIR's co-published content.
Internal investigations have long been part of the corporate and criminal law landscape in Germany, increasingly so since the Siemens, Ferrostaal and other landmark investigations, and more recently Volkswagen and several financial institutions. Over the last couple of years, the increasing extraterritorial reach of foreign judicial and administrative agencies like the DOJ and the SEC in the US and the SFO in the UK has eventually led to better multinational cooperation among law enforcement agencies. Recent developments include a targeted focus on the investigation of senior management (the ‘Yates’ Memorandum of September 2015) and generally more enforcement action with higher penalties. The coalition agreement of the federal government in Germany has also put the enactment of corporate criminal liability on its agenda, although so far the government has failed to progress with it. Understanding the legal framework and practical aspects of internal investigations in Germany is, therefore, of increasing importance to a growing number of German corporates, their senior management, compliance and legal officers, and their advisers.
Duty to investigate
It is the legal duty of management and supervisory boards of German companies to ensure that the company and its employees are acting in compliance with applicable law. This duty includes the installation and maintenance of a robust compliance organisation, together with effective controls, preventive measures and also the capability to conduct internal investigations to detect, adjust and remediate wrongdoings.
In case of alleged or suspected employee misconduct or non-compliant procedures within the company, it is the obligation of management to conduct an adequate internal investigation into the matter, which depending on the individual circumstances may vary in terms of intensity and resources.
Failure to do so may expose management to the risk of (i) civil liability claims for losses incurred by the company, (ii) criminal prosecution for embezzlement under section 266 of the Criminal Code, and (iii) personal administrative fines of up to €1 million for a violation of section 130 of the Administrative Fines Act. Board members may face a similar risk for failure to adequately supervise management or investigate and remediate alleged misconduct or non-compliant procedures.
The internal investigation itself has to be conducted in compliance with applicable laws, namely labour law and data protection law.
German data protection laws are rather stringent compared to other jurisdictions, even within the EU. However, the EU recently introduced new data protection legislation and on 14 April 2016, the European Parliament adopted the respective Regulation and Directive, which will have to be implemented on national levels by April 2018. The new EU legislation is in many instances adopting the ‘German standard’. An important point to note is that the new rules provide that companies can be fined up to 5 per cent of their annual global turnover, so compliance with applicable data protection rules will become increasingly important also from a financial perspective.
Permission for use of personal data
The German Federal Data Protection Act restricts the sourcing, processing, review, storage, transfer and reporting of personal data. Any such use of personal data will be prohibited unless there is a statutory authorisation or the individual has given his or her consent to the use of his or her personal data.
In an internal investigation, relying on the consent of the employee is often neither the preferred nor a reliable route; it is used only as a last resort, or where the document or email review is to take place quickly in a cooperative and friendly context. That is because an employee is not obliged to grant his or her consent, refusal to do so cannot be held against him or her, and the employee can withdraw his or her consent at any time.
The application of statutory authorisations will have to involve a balancing test between the legitimate interests of the company in sourcing and using the personal data and the privacy interests of the employee. A use of personal data is only permitted if the company interests prevail and if the proposed investigative measure (ie, intended use of the personal data) is proportionate in relation to the investigative purpose. The use of personal data and the amount of data must be kept to the necessary minimum and be minimally invasive. The balancing decision and its reasoning must be carefully documented for each investigative measure. Such balancing decisions and the investigative measures relating to the use of personal data should preferably be embedded in an overall data protection concept (involving the company’s data protection officer) detailing the collection of the data by the forensic services firm, the transfer of the data to a secure server, the processing, searching, review and analysis of the data, and the ultimate secure deletion of the data after conclusion of the internal investigation and review process.
Investigative data searches into employee data fall under specific requirements under the Federal Data Protection Act. Searches into employee emails require documentable suspicion of criminal conduct. Where the employee is suspected of criminal conduct, the balancing decision must detail the underlying facts and circumstances for such suspicion; in such case, the interests of the company will likely prevail over the privacy interests of the employee.
Note that the company’s works council will have to be consulted with respect to email reviews to avoid potential conflicts with labour relations provided for by the Works Constitution Act. For larger groups of companies or larger investigations, it is therefore advisable to conclude a works council agreement (Investigation Guideline) well ahead of time regulating the collection, processing, searching, review and analysis of employee electronic data and other related measures. The involvement of the works council can then be limited to merely being informed of certain defined measures and some controls.
Data flow among group companies and advisers
If the data are hosted and held by several companies of a group and are to be transferred to the investigating company and possibly its advisers, then appropriate data processing and transfer arrangements should be put in place to assure that investigative data sourcing and transferring is in compliance with data protection laws. As will be discussed below, in cases of data transfers to countries outside the EU with inadequate data protection levels, special data transfer agreements need to be entered into, to assure compliance with EU and German requirements, in particular under the new perspectives provided by the CJEU in its Schrems decision.
Permissions for cross-border data flow
Provided that adequate EU standard data transfer agreements (DTAs) are in place between the parties to the flow of data, cross-border data transfers are permitted inside the EU and to a few white-listed countries with perceived adequate levels of data protection. A cross-border transfer is also permitted where the data protection authorities (DPAs) permit the transfer according to Binding Corporate Rules effectively mirroring the data protection standard of the German entity for the receiving group entity. A transfer would further be possible on important public interest grounds or for a legal claims defence, and of course with the consent of the data subject.
For cross-border transfers to non-EU countries that are not white-listed, the practice has long been to rely on DTAs to create an acceptable level of data protection at the cross-border recipient of data. For data transfers into the US, companies have been operating under the ‘Safe Harbor’ concept, which has effectively been voided by the European Court of Justice in October 2015. While the EU and the US announced a new ‘Privacy Shield’ concept in February 2016, it will take another couple of months until the final implementation of the Privacy Shield becomes available. Until then, companies are probably best advised to continue to use the European Commission’s Standard Contractual Clauses or Binding Corporate Rules with adaptations and additional safeguards, as required under the auspices of the Schrems decision.
Communication of personal data to authorities in non-EU countries (US) as part of a voluntary cooperation
In principle, data protection laws pose no barrier to data transfer in the context of a defence in public investigations. That changes if the data are transferred as part of a voluntary submission, in an attempt to benefit from a cooperation with authorities. To assure an adequate data protection level in those situations, the following understandings should be reached with the recipient authorities beforehand: there will be no data sweeps; the data transfer will occur (only) in the context of a specific investigative interest in a specific public proceeding against the data controller or its parent; there shall be no proliferation of data; names of employees will be redacted, although a disclosure may be justified if the recipient authority (eg, the DOJ or SEC) insists; and FOIA (Freedom of Information Act) requests will be denied by the recipient authority.
Labour law considerations
Involvement of works council
Where a company has a works council, it is highly recommended practice to involve them from the very start of an internal investigation. Management and external counsel should give them comfort that the company will respect the works council’s and the employees’ rights, including with respect to data protection. Assurance that the works council is ‘on board’ can facilitate an internal investigation significantly and actually encourage employees to cooperate. By contrast, a hostile works council can cause serious problems to an internal investigation from delaying it to blocking single measures and leaking information to the press.
While the internal investigation as such generally does not require the works council’s consent, it has a participation right in case of (i) the collection, search and review of employees’ email data, (ii) the use of standardised questionnaires or technical means, and (iii) any actions with collective effect for a larger number of employees.
The works council has a corresponding right to be informed of any of the foregoing measures. Typically, one would also inform the works council about employee interviews and the related subject matter. However, the works council has no right to attend interviews.
In practice, and as mentioned above, it may be advisable to enter into a special agreement with the works council regulating the collection, processing, review and analysis of employee electronic data and other related measures (Investigation Guideline). The involvement of the works council can then be limited to merely being informed of certain defined measures.
Employee duty to cooperate
Current employees have a contractual duty to attend interviews and to answer all work-related questions correctly and completely without limitation. This also applies to facts and circumstances where a truthful answer may lead to a dismissal of the employee; whether this applies in case of self-incrimination in relation to a crime has to be decided on a case-by-case basis. The general view is that the obligation to testify diminishes with growing distance of the employee to the persons and circumstances concerned in the daily work environment. The duty to attend and answer questions does not apply to former employees. The company does not have to inform the employee about the content of the interview or any questions in advance.
No right to presence of counsel or works council
Generally, employees have no right to the presence of counsel or a member of the works council. The presence of a works council member in a confidential interview may well destroy the privilege protection because the works council does not enjoy a legal privilege under German law and has the duty to report to its constituency as well. Depending on the individual circumstances and where a potential self-incrimination may be involved, the company should provide independent legal counsel to assure that employees feel safe and can be as forthcoming as is reasonably possible.
Damage claims against employees and leniency programmes
Management has to pursue substantiated damage claims against employees, and the board against management, unless otherwise mandated by prevailing material interests of the company, such as an interest in the success of the investigation (leniency), or avoiding negative publicity or negative effects on business. In order to entice employees to come forward with information, the company may grant leniency (waiver of damage claims and dismissal rights) to individual employees or install a leniency and whistleblower programme for a wider group of employees. Leniency programmes should be used sparingly and only after some time and with a view on the potential impact on ongoing public prosecutor investigations.
In interviews conducted by external counsel, it is standard practice to have an ‘Upjohn’ procedure at the beginning of the interview and inform the employee, among other things, that (i) investigating counsel is not acting for the employee but for the company, (ii) the interview and its contents are confidential and privileged, (iii) this privilege belongs to and may be waived by the company, not the employee, and (iv) the company may decide to share the contents of the interview with domestic and foreign public authorities.
Whether formal written records are taken, shared with and signed by the interviewee or whether external counsel simply takes internal notes which are not shared with the interviewee is a question to be decided in the individual investigation at hand. In cases involving parallel investigations against the company by the public prosecutor or governmental or regulatory authorities, it may be advisable to have only internal notes of external counsel as their work product which may be subject to attorney-client privilege vis-à-vis the authorities (note that this does not apply to notes of in-house counsel).
The attorney-client privilege under German law protects (i) attorneys and auditors from having to testify against or relating to their own client, and (ii) documents obtained or created by, or communication with, external lawyers or auditors that are stored in the external lawyer’s or auditor’s offices from seizure or attachment by the public authorities. Communication or documents in possession of the client are generally not protected. Documents created by and communication with in-house counsel are also not protected.
Self-reporting, cooperation, fines and settlement
Generally, there is no obligation for German companies to self-report to or cooperate with public prosecutors or other law enforcement agencies. In practice, however, German companies will often seek to proactively report wrongdoings to the authorities because of a specialty in the German Fiscal Code (section 153) according to which a taxpayer and its legal representatives are obliged to inform the tax authorities about a previously filed incorrect tax return before the end of the assessment period for such tax return. Domestic or foreign bribery payments will often have been booked as tax-deductible expenses, thus rendering the relevant tax return false. If management uncovers such bribery payments and fails to report the resulting change in tax-deductible expenses to the tax authorities, management may be committing a criminal offence (tax evasion) which can be punished with up to several years in prison. Once the tax authority learns about the alteration and underlying bribery payments, it is then obliged to notify the competent public prosecutor.
Other instances of self-reporting or notification exist in certain regulated industries (eg, financial services) with respect to the reporting of criminal offences and other misconduct to the regulator. Self-reporting may also be necessary under domestic or foreign public procurement laws to avoid debarment or black-listing. The company may also be required to self-report to law enforcement agencies and prosecutors under the laws of foreign jurisdictions.
Based on the various existing self-reporting requirements and the likelihood that the prosecutor or law enforcement agencies will learn of misconduct, companies may often choose to voluntarily self-report to and cooperate with the authorities. In addition, cooperation with law enforcement authorities is often a substantial mitigating factor to reduce the company’s exposure to administrative fines and disgorgement of profits and also the exposure of its employees. In a global investigation, the need to obtain ‘cooperation credits’ will also drive any cooperation with the local authorities and prosecutors in Germany. In September 2015, the US DOJ in its ‘Yates Memorandum’ announced a targeted focus on investigation of senior management and reinforced its position that companies subject to investigation in the US are required to disclose respective misconduct. The UK (SFO) has recently taken a similar approach. Under applicable German labour and corporate law, the reporting of management and employees to the public authorities may require a prior balancing decision and strong proof of the underlying facts.
Thus, pros and cons of a voluntary cooperation with law enforcement agencies and coordination of the internal investigation with them should be considered early on when designing the investigation plan and strategy. An increasingly important factor is also the growing cooperation among law enforcement agencies in Germany, the UK and the US.
German anti-bribery and corruption laws
German law considers three kinds of bribery: (i) bribery of public officials, (ii) commercial bribery (ie, bribery of employees or agents of a business relating to the purchase of goods or services), and (iii) bribery of members of legislative bodies. As mentioned above, the relevant acts of bribery by the employee may often also constitute embezzlement or fraud and, as bribes are not tax-deductible (since the mid-nineties), also result in tax fraud.
Fines and disgorgement of profits
While there is no criminal liability for companies in Germany, prosecutors can hold a company administratively liable for criminal or administrative offences of its directors and legal representatives or other persons with managerial and/or supervisory power (section 30 Administrative Fines Act). The mere administrative fines have a maximum of €10 million for every committed administrative or criminal offence. In addition, and this is usually the more painful sanction against companies, the administrative penalty can include the disgorgement of profits and, in some cases, forfeiture of assets. Under federal case law, a company may be subject to forfeiture of all direct and indirect profits resulting from a bribery. When calculating the amount of the profit, costs and expenses may not be deducted. Applying these principles, German prosecutors have issued some of the largest corporate penalties in foreign bribery cases worldwide over the last couple of years (Siemens, Ferrostaal, several financial institutions and the current discussions regarding Volkswagen).
Settlements and DPAs
Under German criminal procedure rules, a settlement in the form of defence prosecution agreements (DPAs) is currently not possible. A settlement with a German company occurs in the form of a negotiated ‘deal’ between the public prosecution and the company, resulting in the issuance of an administrative (sanctions) order which the company will not challenge. Most of the prominent foreign bribery cases against German corporates ended with settlements, which proved to be a successful concept for both the public prosecution and the companies involved. Because of the ability to sanction companies with the disgorgement or confiscation of profits without any specific limit, companies are willing to cooperate with the courts and public prosecutors to reach a settlement. While there is no ability for the prosecutor or court to issue formal orders to compensate victims, make donations to charitable institutions, or implement a robust and effective compliance programme, the willingness of the company to undertake the above steps will be decisive for the public prosecutors to either settle the case with an out-of-court administrative order or go to court.
The landmark case for settlement agreements in foreign bribery investigations in Germany is still the Siemens case. Siemens decided to fully cooperate with the Munich prosecutor as well as the DOJ and the SEC. This resulted in coordinated investigations of the three law enforcement agencies on the one hand and in parallel a full internal investigation by Siemens itself. After roughly two years, Siemens had settled the German investigations by means of two sanctioning orders: one in the amount of €201 million consisting of a €1 million fine and €200 million disgorgement of profits; and another one in the amount of €395 million consisting of a €0.25 million fine and over €394 million disgorgement of profits.
Other similar settlements followed (MAN, Ferrostaal, Thyssen-Krupp). As shown above, any settlement discussions will focus on the disgorgement of profit element of a corporate sanctioning order. Prosecutors have discretion to reduce the penalties and, while there are no express guidelines (yet), will look to the level of cooperation of the company, the timing of any early self-reporting and the efforts undertaken by the company to take remediating action and to install effective compliance and internal audit organisations.