Internal investigations have long been part of the corporate and criminal law landscape in Germany, increasingly so since the Siemens, Ferrostaal and other landmark investigations, and more recently Volkswagen and several financial institutions. Over the past couple of years, an increasing extraterritorial reach of foreign judicial and administrative agencies like the DOJ and the SEC in the US and the SFO in the UK eventually led to better multinational cooperation among law enforcement agencies. Recent developments include a targeted focus on the investigation of senior management (the ‘Yates’ Memorandum of September 2015) and generally more enforcement action with higher penalties. The current federal government in Germany had put the enactment of corporate criminal liability on its agenda, although so far it has failed to progress with it, and given the upcoming German elections at the end of September, it is unlikely that this situation will change over the next year or two. Understanding the legal framework and practical aspects of internal investigations in Germany is, therefore, of increasing importance to a growing number of German corporates, their senior management, compliance and legal officers, and their advisers.
Duty to investigate
It is the legal duty of management and, with respect to management, supervisory boards of German companies to ensure that the company and its employees are acting in compliance with applicable law. This duty includes the installation and maintenance of a robust compliance organisation, together with effective controls, preventive measures and also the capability to conduct internal investigations to detect, rectify and remediate wrongdoings.
In case of suspected employee misconduct or non-compliant procedures within the company, it is the obligation of management to conduct an adequate internal investigation into the matter, which depending on the individual circumstances may vary in terms of intensity and resources.
Failure to do so may expose management to the risk of (1) civil liability claims for losses incurred by the company, (2) criminal prosecution for embezzlement under section 266 of the Criminal Code, and (3) personal administrative fines of up to €1 million for a violation of section 130 of the Administrative Fines Act. Supervisory board members may face a similar risk for failure to adequately supervise management or investigate and remediate alleged misconduct or non-compliant procedures.
The internal investigation itself has to be conducted in compliance with applicable laws, in particular data protection law and labour law.
German data protection laws are rather stringent compared to other jurisdictions, even within the EU. However, the EU recently introduced new data protection legislation and on 14 April 2016, the European Parliament adopted the respective Regulation, which will have to be implemented on national levels by April 2018. The new EU legislation is in many instances adopting the ‘German standard’. An important point to note is that the new rules provide that companies can be fined the greater of €20 million and 4 per cent of annual global turnover, so compliance with applicable data protection rules will become increasingly important also from a financial perspective.
Permission for use of personal data
The German Federal Data Protection Act restricts the sourcing, processing, review, storage, transfer and reporting of personal data. Any such use of personal data will be prohibited unless there is a statutory authorisation or the individual has given his or her consent to the use of his or her personal data.
In an internal investigation, relying on the consent of the employee is often neither the preferred nor a reliable approach. That is because an employee is not obliged to grant his or her consent, refusal to do so cannot be held against him or her, and the employee can withdraw his or her consent at any time.
The application of statutory authorisations will have to involve a balancing test between the legitimate interests of the company in sourcing and using the personal data and the privacy interests of the employee. A use of personal data is only permitted if the company interests prevail and if the proposed investigative measure (ie, intended use of the personal data) is proportionate in relation to the investigative purpose. The use of personal data and the amount of data must be kept to the necessary minimum and be minimally invasive. The balancing decision and its reasoning must be carefully documented for each investigative measure. Such balancing decisions and the investigative measures relating to the use of personal data should preferably be embedded in an overall data protection concept (involving the company’s data protection officer) detailing the collection of the data by the forensic services firm, the transfer of the data to a secure server, the processing, searching, review and analysis of the data, and the ultimate secure deletion of the data after conclusion of the internal investigation and review process.
Investigative data searches into employee data fall under specific requirements under the Federal Data Protection Act. Searches into employee emails require documentable suspicion of criminal conduct. Where the employee is suspected of criminal conduct, the balancing decision must detail the underlying facts and circumstances for such suspicion; in such case, the interests of the company will in many instances prevail over the privacy interests of the employee.
Note that the company’s works council will have to be consulted with respect to email reviews to avoid potential conflicts with labour relations provided for by the Works Constitution Act. For larger groups of companies or larger investigations, it is therefore advisable to conclude a shop agreement (Investigation Guideline) with the works council well ahead of time regulating the collection, processing, searching, review and analysis of employee data and other related measures. The involvement of the works council can then be limited to certain pre-defined measures.
Data flow among group companies and advisers
If the data are hosted and held by several companies of a group and are to be transferred to the investigating company and possibly its advisers, then appropriate data processing and transfer arrangements should be put in place to assure that investigative data sourcing and transferring is in compliance with data protection laws. As will be discussed below, in cases of data transfers to countries outside the EU with inadequate data protection levels, special data transfer agreements need to be entered into, to ensure compliance with EU and German requirements, in particular under the new perspectives provided by the CJEU in its Schrems decision.
Permissions for cross-border data flow
Provided that adequate EU standard data transfer agreements (DTAs) are in place between the parties to the flow of data, cross-border data transfers are permitted between EU member states and a few white-listed countries with perceived adequate levels of data protection. A cross-border transfer is also permitted where the data protection authorities permit the transfer according to Binding Corporate Rules effectively mirroring the data protection standard of the German entity for the receiving group entity. A cross-border transfer between authorities would further be possible for important public interest grounds or a legal claims defence, and of course with the consent of the data subject.
For cross-border transfers into non-EU countries that are not white-listed, the practice has long been to rely on DTAs to create an acceptable level of data protection at the cross-border recipient of data. For data transfers into the US, companies have been operating under the ‘Safe Harbour’ concept, which has effectively been voided by the European Court of Justice in October 2015. In February 2016, the EU and the US agreed a new ‘Privacy Shield’ concept, allowing US companies to move information from an EU subsidiary to the US parent company in line with EU data protection laws, which became available to US companies for registration in August 2016. Since then, companies have relied on Privacy Shield for sending data into the US for business purposes, including internal and governmental investigations. After the US enacted new rules in January 2017 allowing the NSA to access EU citizens’ data without first obtaining a warrant, the European Parliament by resolution of 6 April 2017 requested that the European Commission conduct a robust assessment of the Privacy Shield; the Commission is set to review Privacy Shield in September 2017. If the Commission suspends or repeals Privacy Shield, US companies have to put other mechanisms in place to transfer data across the Atlantic in line with EU law, such as using the EU model clauses or Binding Corporate Rules with adaptations and additional safeguards, as required under the auspices of the Schrems decision.
Communication of personal data to authorities in non-EU countries (US) as part of a voluntary cooperation
In principle, there is no barrier against data transfer in the context of a defence in public investigations by virtue of data protection laws. That changes if the data are transferred as part of a voluntary submission, in an attempt to benefit from cooperation with authorities. To assure an adequate data protection level, the following understandings should be reached with the recipient authorities beforehand: there will be no data sweeps; the data transfer will occur in context (only) with a specific investigative interest in a specific public proceeding against the data controller or its parent; there shall be no proliferation of data; names of employees will be redacted, although a disclosure may be justified if the recipient authority (eg, the DOJ or SEC) insists; and Freedom of Information Act (FOIA) requests will be denied by the recipient authority.
Labour law considerations
Involvement of works council
Where a company has a works council, it is highly recommended practice to involve them from the very start of an internal investigation. Management and external counsel should give them comfort that the company will respect the works council’s and the employees’ rights, including with respect to data protection. Assurance that the works council is ‘on board’ can facilitate an internal investigation significantly and actually encourage employees to cooperate. By contrast, a hostile works council can cause serious problems for an internal investigation, from delaying it to blocking individual measures and leaking information to the press.
While the internal investigation as such generally does not require the works council’s consent, it has a participation right in case of (1) the collection, search and review of employees’ email data, (2) the use of standardised questionnaires or technical means, and (3) any actions with collective effect for a larger number of employees.
The works council has a corresponding right to be informed of any of the foregoing measures. Typically, one would also inform the works council about employee interviews and the related subject matter. However, the works council has no right to attend interviews.
In practice, and as mentioned above, it may be advisable to enter into a special shop agreement with the works council regulating the collection, processing, review and analysis of employee electronic data and other related measures (Investigation Guideline). The involvement of the works council can then be limited to the mere information of certain defined measures.
Employee duty to cooperate
Current employees have a duty under their employment contracts to attend interviews and to answer all work-related questions correctly and completely without limitation. This also applies to facts and circumstances where a truthful answer may lead to a dismissal of the employee; whether this applies in case of self-incrimination in relation to a crime has to be decided on a case-by-case basis. The general view is that the obligation to testify diminishes with growing distance of the employee to the persons and circumstances concerned in the daily work environment. The duty to attend and answer questions does not apply to former employees. The company does not have to inform the employee about the content of the interview or any questions in advance.
No right to presence of counsel or works council
Generally, employees have no right to the presence of counsel or a member of the works council. The presence of a works council member in a confidential interview may well destroy the privilege protection because the works council does not enjoy a legal privilege under German law and has the duty to report to its constituency as well. Depending on the individual circumstances and where a potential self-incrimination may be involved, the company should provide independent legal counsel to ensure that employees feel safe and can be as forthcoming as is reasonably possible.
Damage claims against employees and leniency programmes
Management has to pursue substantiated damage claims against employees, and the board against management, unless otherwise mandated by prevailing material interests of the company, such as an interest in the success of the investigation (leniency), or avoiding negative publicity or negative effects on business. In order to entice employees to come forward with information, the company may grant leniency (waiver of damage claims and dismissal rights) to individual employees or install a leniency and whistleblower programme for a wider group of employees. Leniency programmes should be used sparingly and only after some time and with a view to the potential impact on ongoing public prosecutor investigations.
In interviews conducted by external counsel, it is standard practice to have an ‘Upjohn’ warning at the beginning of the interview and inform the employee, among other things, that (1) investigating counsel is not acting for the employee but for the company, (2) the interview and its contents are confidential and privileged, (3) this privilege belongs to and may be waived by the company, not the employee, and (4) the company may decide to share the contents of the interview with domestic and foreign public authorities.
Whether formal written records are taken, shared with and signed by the interviewee or whether external counsel simply takes internal notes that are not shared with the interviewee is a question to be decided in the individual investigation at hand. In cases involving parallel investigations against the company by the public prosecutor or governmental or regulatory authorities, it may be advisable to have only internal notes of external counsel as their work product that is protected by attorney-client privilege in relation to the authorities (note that this does not apply to notes of in-house counsel).
The attorney-client privilege under German law protects (1) attorneys and auditors from having to testify against or relating to their own client, and (2) documents obtained or created by, or communication with, external lawyers or auditors that are stored in the external lawyer’s or auditor’s offices from seizure or attachment by the public authorities. The privilege pertains only to the particular attorney-client relationship and communication resulting from this relationship, including attorney work product. Importantly, in criminal proceedings privilege attaches only to communication with external counsel, but not with (admitted or non-admitted) in-house counsel. Communication or documents in possession of the client (or in-house counsel) are generally not protected.
Recently, there were a couple of highly publicised raids of German law firms conducting internal investigations, including in the Volkswagen emissions scandal. As a general rule, third-party documents and evidence other than attorney-client communication or work product can be seized from a German attorney like from any other person. The search of a German law office can be admissible if the seized evidence is not covered by legal privilege, but pertains to third persons or does not qualify as protected attorney-client communication or attorney work product. As a hypothetical, in an investigation directed against (known or unknown) individuals at a company who are not represented by the company’s lawyer, a search and seizure at the law offices relating to the investigation against such individuals would, as such, not breach a privilege between the company and its lawyers with respect to an ongoing (separate) investigation against the company. That said, the prosecutor would generally be prohibited from using any privileged documents seized in the raid at the law offices in any investigation or proceeding against the company represented by the lawyer. Absent clear rules on a federal level, German courts still differ as to the privilege protection of investigation reports in the possession of external law firms. In 2010, the Hamburg Regional Court ruled in proceedings against HSH Nordbank that the seizure of internal investigation documents from its external attorney was lawful, whereas in 2012 the Mannheim Regional Court protected an internal investigation report from seizure on the basis of new law. In 2015, the Braunschweig Regional Court extended the privilege protection from seizure to documents in the possession of the company that were prepared for legal defence purposes in anticipation of not yet instigated proceedings.
In the past, the German legal system did not provide a comprehensive protection of whistleblowers from retaliation. Only recently did the German legislator enact an EU-driven rule that protects whistleblowers informing the German financial supervisory authority about actual or suspected breaches of financial supervisory provisions. No such explicit rule exists for anti-bribery and other compliance violations. The Bremen Administrative Court in a decision from September 2015 in the area of public civil service found that whistleblower protection from retaliation can be derived from constitutional principles and the employer’s duty of care. The principles of that decision should also apply in cases where a private company has anti-corruption guidelines and a whistleblower hotline installed.
On the other hand, the Bochum Regional Court ruled in March 2016 that whistleblower documents, which are in possession of an external lawyer acting as designated Ombudsperson for a company to receive whistleblower reports, are not privileged and can be seized by the prosecutor in spite of a promised or expected confidential treatment of the whistleblower information. The court argued that the Ombudsperson was acting on behalf of the client company, which prevented it from having a privileged attorney-client relationship with the whistleblower at the same time. Companies might therefore want to alert potential whistleblowers that their information might be subject to seizure by the public prosecutor.
Self-reporting, cooperation, fines and settlement
Generally, there is no obligation for German companies to self-report to or cooperate with public prosecutors or other law enforcement agencies. In practice, however, German companies will often seek to proactively report wrongdoings to the authorities because of a special provision in the German Fiscal Code (section 153) according to which a taxpayer and its legal representatives are obliged to inform the tax authorities about a previously filed incorrect tax return before the end of the assessment period for such tax return. Domestic or foreign bribery payments will often have been booked as tax-deductible expenses, thus rendering the relevant tax return false. If management uncovers such bribery payments and fails to report the resulting change in tax-deductible expenses to the tax authorities, management may be committing a criminal offence (tax evasion) which can be punished with up to several years in prison. Once the tax authority learns about the alteration and underlying bribery payments, it is then obliged to notify the competent public prosecutor.
Other instances of self-reporting or notification exist in certain regulated industries (eg, financial services) with respect to the reporting of criminal offences and other misconduct to the regulator. Self-reporting may also be necessary under domestic or foreign public procurement laws to avoid black-listing. The company may also be required to self-report to law enforcement agencies and prosecutors under the laws of foreign jurisdictions.
Based on the various existing self-reporting requirements and the likelihood that the prosecutor or law enforcement agencies will learn of misconduct, companies may often choose to voluntarily self-report to and cooperate with the authorities. In addition, cooperation with law enforcement authorities is often a substantial mitigating factor to reduce the company’s exposure to administrative fines and disgorgement of profits and also the exposure of its employees. In a global investigation, the need to obtain ‘cooperation credits’ with foreign authorities will also drive any cooperation with the local authorities and prosecutors in Germany. In September 2015, the US DOJ in its ‘Yates Memorandum’ announced a targeted focus on investigation of senior management and reinforced its position that companies subject to investigation in the US are required to disclose respective misconduct. The UK (SFO) has recently taken a similar approach. Under applicable German labour and corporate law, the reporting of management and employees to the public authorities may require a prior balancing decision and strong proof of the underlying facts.
Thus, pros and cons of a voluntary cooperation with law enforcement agencies and coordination of the internal investigation with them should be considered early on when designing the investigation plan and strategy. An increasingly important factor is also the growing cooperation among law enforcement agencies in Germany, the UK and the US.
Termination request in NYDFS consent order
German companies should be mindful that certain measures agreed with foreign authorities to settle or mitigate penalties and other claims may not be enforceable in Germany. In July 2016, the Higher Labour Court of the State of Hesse found the termination of a German bank employee to be unlawful under German law although the bank had issued the termination upon request of the New York State Department of Financial Services (NYDFS). In addition to payment of a substantial fine, the bank had agreed in the NYDFS consent order to take all necessary steps to terminate a certain employee in Germany, whom the US authorities had found responsible for the sanctions violations. Such or similar requested undertakings might often also be part of deferred prosecution agreements with the DOJ or other settlements with foreign authorities.
German anti-bribery and corruption laws
German law considers three kinds of bribery: (1) bribery of public officials, (2) commercial bribery (ie, bribery of employees or agents of a business relating to the purchase of goods or services), and (3) bribery of members of legislative bodies. As mentioned above, the relevant acts of bribery by the employee may often also constitute embezzlement or fraud and, as bribes are not tax-deductible, also result in tax fraud.
Fines and disgorgement of profits
While there is no criminal liability for companies in Germany, prosecutors can hold a company administratively liable for criminal or administrative offences of its directors and legal representatives or other persons with managerial or supervisory power (section 30 of the Administrative Fines Act). The mere administrative fines have a maximum of €10 million for every committed administrative or criminal offence. In addition, and this is usually the more painful sanction against companies, the administrative penalty can include the disgorgement of profits and, in some cases, forfeiture of assets. Under federal case law, a company may be subject to forfeiture of all direct and indirect profits resulting from a bribery. When calculating the amount of the profit, costs and expenses may not be deducted. Applying these principles, German prosecutors have issued some of the largest corporate penalties in foreign bribery cases worldwide over the past couple of years (Siemens, Ferrostaal, several financial institutions).
Settlements and DPAs
Under German criminal procedure rules, a settlement in the form of deferred prosecution agreements or non-prosecution agreements is currently not possible. A settlement with a German company occurs in the form of a negotiated ‘deal’ between the public prosecution and the company, resulting in the issuance of an administrative (sanctions) order that the company will not challenge. Most of the prominent foreign bribery cases against German corporates ended with settlements that proved to be a successful concept to both the public prosecution and the companies involved. Because of the ability to sanction companies with the disgorgement or confiscation of profits without any specific limit, companies are willing to cooperate with the courts and public prosecutors to reach a settlement. While there is no ability for the prosecutor or court to issue formal orders to compensate victims, make donations to charitable institutions, or implement a robust and effective compliance programme, the willingness of the company to undertake the above steps will be decisive for the public prosecutors to either settle the case with an out-of-court administrative order or go to court.
The landmark case for settlement agreements in foreign bribery investigations in Germany is still the Siemens case. Siemens decided to fully cooperate with the Munich prosecutor as well as the DOJ and the SEC. This resulted in coordinated investigations of the three law enforcement agencies on the one hand and in parallel a full internal investigation by Siemens itself. After roughly two years, Siemens had settled the German investigations by means of two sanctioning orders: one in the amount of €201 million consisting of a €1 million fine and €200 million disgorgement of profits; and another one in the amount of €395 million consisting of a €0.25 million fine and over €394 million disgorgement of profits.
Other similar settlements followed (MAN, Ferrostaal, Thyssen-Krupp). As shown above, any settlement discussions will focus on the disgorgement of profit element of a corporate sanctioning order. Prosecutors have a discretion to reduce the penalties and, while there are no express guidelines, will look to the level of cooperation of the company, the timing of any early self-reporting and the efforts undertaken by the company to take remediating action and to install effective compliance and internal audit organisations.