German law distinguishes between criminal offences (Straftaten) and administrative offences (Ordnungswidrigkeiten). Administrative offences do not incur criminal liability, but as they constitute breaches of regulatory law, they can be sanctioned with a fine.
Felonies and Misdemeanours
Criminal offences can be classified as either felonies or misdemeanours. A felony is punishable by at least one year’s imprisonment, while a misdemeanour is punishable by imprisonment or a fine. For example, violating an arms embargo under Section 17(1) Foreign Trade and Payments Act (Außenwirtschaftsgesetz – AWG) is a felony. The most “common” white-collar offences are, however, in most cases misdemeanours (eg, fraud, tax evasion, bribery, embezzlement, money laundering).
Constituent Elements of a Criminal Offence
For an act or omission (ie, a failure to act in a situation where the law imposes a duty to act) to constitute a criminal offence, the following three conditions must be met:
Attempted Criminal and Administrative Offences
Liability for an attempted criminal offence can be incurred if the offence in question is a felony. Attempted misdemeanours and administrative offences are not criminal offences unless expressly provided for by law.
For administrative offences this is rarely the case. An example is the imposition of a fine for attempting to import or export market regulation goods without authorisation (Section 36(5) Market Organisation Act).
Although many white-collar offences are misdemeanours, in most cases criminal liability for attempt may be incurred – eg, attempted fraud or tax evasion.
In a criminal investigation, the prosecutor gathers evidence to determine whether the initial factual indications that a criminal offence has been committed meet the standard required to request an indictment: the probability of a conviction must be higher than the probability of an acquittal – ie, more than 50%. The prosecutor must remain objective and consider all relevant facts, including those that may exonerate the suspect.
Reasonable Doubt
During the criminal trial, the court investigates the evidence ex officio. If there is a reasonable doubt – eg, if not all factual requirements for a conviction have been established, the court must find in favour of the defendant.
In administrative fine proceedings, which are quasi-criminal in nature, the presumption of innocence applies. The public prosecutor or the competent regulatory authority carries the burden of proof.
Regulatory Documentation Requirements – A Reversal of the Burden of Proof?
In certain areas of administrative law, companies may have to comply with extensive documentation requirements. For example, under the GDPR, companies must demonstrate compliance (Article 5(2) GDPR). Inadequate documentation can result in fines.
Although this cannot be reconciled with the presumption of innocence, which is also guaranteed under EU law (Article 48 CFR), data protection authorities regularly invoke Article 5(2) GDPR to alleviate their burden of proof in fine proceedings. If the data controller does not hand over the documents after being requested to do so by the competent data protection authority, the latter could deem this as a separate breach of Article 5(2) GDPR and subsequently impose a fine.
The statute of limitations for criminal offences varies depending on the severity of the penalty. For example, the statute of limitations for offences punishable by a maximum term of imprisonment of more than one year but less than five years is five years (eg, fraud), while the statute of limitations for offences punishable by a maximum term of imprisonment of less than one year or a fine is three years (eg, a negligent breach of accounting obligations, Section 283b(2) StGB).
Criminal Offences
Generally, the duration of the statute of limitations does not depend on the severity of the criminal offence in question. For example, the limitation period for both simple and severe cases of fraud is five years, albeit the maximum term of imprisonment differs respectively. Exceptions may apply if provided for by law. A notable exception in the area of white-collar crime relates to aggravated tax evasion, for which the statute of limitations has been significantly extended in recent years.
The limitation period commences only once the offence is “completed”. In cases of white-collar offences committed by omission, this may take a long time. Omissions are not considered “completed” until the perpetrator’s duty to act has ceased.
The statute of limitations can be suspended or interrupted. For instance, the statute of limitations in cases of tax evasion can be suspended following an adjournment of the criminal investigation by the public prosecutor or an adjournment of the criminal proceedings by the criminal court for the duration of the conclusion of a taxation procedure by the tax authorities (Section 396 AO). The statute of limitations is interrupted by measures taken by the public prosecutor’s office (eg, raids). For each measure, the limitation period begins to run anew. However, at some point in time (eg, when twice the statutory limitation period has elapsed) the prosecution of an offence is irrevocably barred (absolute limitation).
Administrative Offences
The statute of limitations for administrative offences ranges from six months to three years, depending on the fine to be incurred. The rules governing the start, suspension, and interruption of this limitation period generally mirror those that apply to criminal offences.
Territorial Scope of German Criminal Law
The territorial scope of German criminal law is governed by the principle of territoriality; ie, the offence in question must have been committed on German territory.
Certain white-collar offences may fall within the territorial scope of German criminal law even if committed abroad.
Bribery of Foreign Officials
In the area of anti-corruption, companies should be aware that bribing foreign public officials (eg, facilitation payments at border crossings) can incur criminal liability under Section 335a StGB. Criminalising bribery of both national/EU, as well as foreign officials, expands the territorial reach of Germany’s anti-bribery law enforcement.
Extraterritorial Reach of the EPPO
The European Public Prosecutor’s Office (EPPO) is charged with the prosecution of criminal offences affecting the financial interests of the EU (eg, misappropriation of EU funds). EPPO prosecutions are conducted by member states’ national public prosecutors who simultaneously serve as “European Delegated Prosecutors”. Their investigations are decentralised, giving the EPPO a substantial extraterritorial reach across member states. German Delegated European Prosecutors do not have to rely on mutual legal assistance but may simply assign investigative measures to Delegated European Prosecutors in other member states.
Mutual Legal Assistance Treaties and Cross-Border Co-operation
German authorities co-operate with law enforcement agencies around the world. Under the German Act on International Mutual Assistance in Criminal Matters, a suspect can be extradited, if the respective act also constitutes a criminal offence under German law. The offence must be punishable by a minimum of one year of imprisonment, which is the case for most white-collar criminal offences in Germany.
At the EU level, law enforcement authorities co-operate closely. A key instrument is the European Arrest Warrant, which simplifies extraditions within the EU.
The EU’s Supranational Law Enforcement Authorities
Companies need to be aware that, in certain cases, they may face supranational law enforcement authorities operating across EU member states (eg, EPPO, Europol, Eurojust).
The EPPO, for example, had opened 1,371 investigations (58% more than in 2022) by the end of 2023, reaching a total of 1,927 active investigations. Moreover, it has concluded a multitude of working arrangements with non-EU law enforcement authorities (eg, the US DOJ). In 2023, there were 176 ongoing EPPO investigations in Germany related to an estimated EUR2.8 billion in damages.
Cross-Border Access to E-evidence
The EU has recently adopted the E-Evidence Regulation, which will be applicable as of 18 August 2026. It provides law enforcement in all EU member states with cross-border access to electronic evidence held by service providers (eg, email services, cloud providers).
Legal entities cannot be held criminally liable under German law. A draft Corporate Sanctions Act (Verbandssanktionengesetz – VerSanG), which sought to introduce a corporate criminal liability, did not enter into law.
Corporate Fines
Under Section 30 German Act on Regulatory Offences (Ordnungswidrigkeitengesetz – OWiG), companies may be subject to fines by way of attribution: if a representative of the company has committed a criminal or administrative offence, the respective offence may be attributed to the company and a corporate fine can be imposed.
The individual who commits the criminal or administrative offence must qualify as a “representative” of the company. This includes individuals who have supervisory functions, like members of the supervisory board or the company’s compliance officer. To attribute the offence to the company, it must have been committed in violation of duties that the company is bound to fulfil or the offence has enriched or was committed with the intent to enrich the company.
Breach of Supervisory Duties
A breach of supervisory duties by a member of management may suffice for the company to incur a corporate fine. Under Section 130 OWiG, it constitutes an administrative offence, which in turn may be attributed to the company, if the “owner” of the company – ie, the respective legal entity represented by its members of management, does not take sufficient care to ensure that its employees comply with the duties incumbent on the company and, as a result, an offence is committed which would have been prevented or significantly impeded by proper supervision. Ultimately, viewed from the perspective of a prosecutor or a regulatory authority, Section 130 OWiG serves as a key gateway for the imposition of corporate fines.
Registration of Corporate Fines
The imposition of a corporate fine may be registered in:
Offences Committed Prior to a Merger or Acquisition
Under German law, a successor entity may be fined for offences committed by the target entity prior to a merger or acquisition. Section 30(2)(a) OWiG allows for a fine to be imposed on the successor entity. However, the legal successor standard in most cases does not apply to spin-offs where the original legal entity continues to exist.
(“Non-conviction-Based”) Confiscation of Assets
German law also provides for the confiscation of assets the company has obtained from the crime (Section 73 et seq. StGB) or administrative offence (Section 29a OWiG) – eg, funds gained from contracts obtained through bribery.
German law also provides for a so-called “non-conviction based” confiscation of assets (Section 76a StGB, Section 29a (5) OWiG) – eg, if the criminal or regulatory investigation is discontinued (see 2.5 Prosecution).
In Germany, unlike the USA, sentencing is not governed by guidelines. The sentence must reflect the defendant’s degree of culpability (Section 46(1) StGB). Within the penalty range provided for in the respective criminal provision, the court must weigh both aggravating and mitigating factors.
Mitigating Factors
The following mitigating factors are particularly relevant to the sentencing of white-collar criminal offences:
Assessment of Fines for Administrative Offences
Generally, it is important to note that under German law corporate fines aim at extracting the commercial profits resulting from the offence. Section 17 OWiG sets out the criteria for assessing fines for administrative offences as well as the minimum or maximum level of fines if the respective regulatory statute does not provide for a distinct minimum/maximum amount. Criteria for the assessment of a fine under Section 17(3) OWiG are the significance of the administrative offence in question as well as the perpetrator’s financial circumstances. In terms of the perpetrator’s financial circumstances, income, existing assets and existing financial liabilities are of particular importance.
Level of Corporate Fines
In Germany, corporate fines have increased dramatically over the last decade. In some cases, companies have been fined hundreds of millions of euros.
Corporate fines are calculated as follows:
Corporate fines consist of two components:
The extraction of profits aims at exceeding the level of profits incurred. As a result, the total sum of a fine may substantially exceed the legally prescribed maximum.
Existence of an Effective Compliance Programme
According to a 2017 ruling by the Federal Court of Justice, the existence of an effective compliance programme is a mitigating factor to consider when assessing the level of a corporate fine. Moreover, remedial measures taken after identifying flaws in the compliance programme may lead to a reduction of the fine.
The existence of a compliance programme is also expressly considered a mitigating factor in the assessment of antitrust fines (Section 81d(1) No 5 GWB). Fines imposed under the new Supply Chain Due Dilligence Act (Lieferkettensorgfaltspflichtengesetz – LkSG) may be reduced if remedial measures are implemented (Section 24(4) No 7 LkSG).
Distinct Guidelines Issued by Regulatory Authorities
Some supervisory authorities may rely on their own, distinct guidelines for the assessment of fines (eg, the European Data Protection Board’s guidelines for the calculation of GDPR fines).
Compensation claims by victims of a criminal or administrative offence may typically arise under Section 826 or 823(2) German Civil Code in connection with the violation of a protective statute (ie, the criminal or regulatory statute that was violated).
Class Actions
Whether a white-collar criminal or administrative offence may also trigger a class action, depends on the applicability of the respective collective remedy. Generally, collective remedies are available under the Capital Markets Model Case Act and the new Consumer Rights Enforcement Act.
Victim Compensation
German criminal law is based on the principle that “crimes should not pay”. Therefore, the law generally provides mechanisms for the state to confiscate the proceeds of crime and return them to the victim of the crime or forfeit them to the state.
In the area of white-collar crime, Section 153a(1) No 1 German Code of Criminal Procedure (StPO) is particularly relevant. The public prosecutor may discontinue a criminal investigation under the condition that the perpetrator compensates the victim for the damage caused.
In addition, assets that have been confiscated as proceeds of the crime (see 1.5 Corporate and Personal Liability) can be returned to the victim (Section 459h StPO).
More generally, German law provides for a victim-offender mediation mechanism (Section 46a StGB) as well as a right to compensation for victims of violent crime under the Crime Victims Compensation Act.
Adhesion Procedure
Finally, German criminal procedural law provides for a so-called adhesion procedure: instead of pursuing a claim in civil proceedings, victims can claim civil damages before the criminal court. However, this is quite rarely used in white-collar cases.
Criminal investigations are mainly conducted by the public prosecutor’s offices, of which there are a total of 116 in all German states. They are assisted by the police, which carries out investigative measures. Another investigatory authority to be reckoned with, especially in cases of alleged money laundering, is the Federal Criminal Police Office (Bundeskriminalamt – BKA).
For an alleged tax evasion, the tax authorities are also authorised to conduct criminal investigations under Section 386 Fiscal Code (Abgabenordnung – AO) and have the same rights as the public prosecutor’s office. However, the latter can take over at any point in time.
White-Collar Crime Divisions
There are specialised divisions within public prosecutor’s offices that focus exclusively on investigating white-collar crime. These divisions may also employ economic and accounting experts. Within the police there are also investigation units, which are specially trained for white-collar crime cases.
Moreover, there are specialised courts for white-collar crime. They have a distinct jurisdiction over certain white-collar offences (eg, embezzlement, if the case in question requires special knowledge of commercial practices).
Facing Multiple Fronts
Companies subjected to a white-collar investigation in Germany will find themselves facing multiple fronts. For example, an investigation into alleged social security fraud and a corresponding allegation of income tax evasion, will, at the outset, involve the tax authorities. They may then hand over the investigation to the public prosecutor’s office, which is in turn assisted by the customs authorities as well as the social security services. This could lead to a situation where, for example, when reaching a settlement with the tax authorities, companies also must consider the implications on a settlement with the social security services, and vice versa, while also considering the impact on the ongoing criminal investigation.
A criminal investigation is initiated by the public prosecutor’s office if there are factual indications (obtained through – eg, criminal complaints or whistle-blowers) that a criminal offence has been committed.
Initiating a Criminal Investigation
Certain criminal offences may only be prosecuted following a formal request by an eligible party, usually the victim. For some offences, a formal request for prosecution is an absolute prerequisite. For other offences, even if a formal application is required and was not filed, the prosecutor may still initiate an investigation if there is a significant public interest. For example, in cases of bribery in the private sector, either a competitor has filed a formal request, or the prosecutor establishes a significant public interest (eg, if substantial damage was caused).
Audits by Regulatory Authorities
In some cases, an audit may be the trigger for a regulatory authority to initiate an investigation into a regulatory offence. For example, data protection authorities regularly audit companies and subsequently take action.
Law enforcement authorities have a wide range of investigative measures at their disposal. This includes, inter alia, raids, seizures, questioning of witnesses or the interception of telecommunications and capture of usage data from telemedia services.
Production Orders
The public prosecutor or the police may, without requiring a court order, request documents or data from a company. When responding to a production order, companies must keep the following in mind:
Raids and Seizures of Documents
A public prosecutor’s office may raid company premises and seize documents. Both measures require substantial factual indications that a criminal offence was committed. To conduct a raid, law enforcement must obtain a search warrant. Only in exigent circumstances can a company’s premises be raided without obtaining a court order. In these cases, it is possible to request a judicial review whether or not the standard of “exigent circumstances” was met. Even if a judge should decide that the raid was unlawful, the evidence collected may still be admissible in court later on. In Germany, the fruit of the poisonous tree doctrine does not apply.
Questioning of Employees
Employees may be questioned by both the public prosecutor and the police. Nevertheless, witnesses are only obliged to appear and provide testimony if they are subpoenaed by the public prosecutor’s office, or the police’s subpoena was ordered by the public prosecutor’s office.
An employee is legally required to testify, unless they have a right to refuse testimony (eg, if they invoke the right against self-incrimination). The duty to testify also applies to employees who have signed an NDA.
Prosecutors usually also subpoena former employees or members of management. By pursuing this course of action, they hope, for example, to gain material information on the whereabouts of missing assets.
Under German law, there are no express statutory requirements requiring companies to conduct an internal investigation. Although there is no distinct legal framework, there are certain, informal, established practices, which may also differ regionally depending on the competent public prosecutor’s office. Thus, conducting an internal investigation in Germany requires a company to manage a public prosecutor’s office’s expectations with respect to these established practices.
However, under both Section 93 German Stock Corporation Act (Aktiengesetz – AktG) and Section 130 OWiG (see 1.5 Corporate and Personal Liability), the board must investigate whether there are sufficient factual indications of criminal or regulatory misconduct. Otherwise, board members may incur civil liability and/or risk committing an administrative offence under Section 130 OWiG. With respect to the scope of an internal investigation, a board may decide, at its discretion (business judgement rule), to what extent potential misconduct is investigated.
Strategic Considerations
An internal investigation may provide the necessary basis for closing gaps in a company’s compliance programme and, subsequently, implementing remedial measures. Both may be considered mitigating factors in the assessment of corporate fines (see 1.6 Sentencing and Penalties). For example, the LkSG expressly recognises efforts to investigate an infringement as a mitigating factor.
Conducting an Internal Investigation in Germany
When conducting an internal investigation, companies will need to consider the following.
Criminal investigations are governed by the principle of mandatory prosecution. If a prosecutor becomes aware of factual indications that give rise to a preliminary suspicion that an offence was committed, they must investigate.
Discontinuation of a Criminal Investigation
In certain cases, prosecutors have discretion to discontinue an investigation. Highly relevant for the pre-trial resolution of white-collar investigations (see 2.6 Deferred Prosecution) is the prosecutor’s power to discontinue an investigation under the condition of the payment of a monetary penalty. A discontinuation is also possible once, following an indictment, the criminal proceedings have already been opened by the criminal court.
Margin of Discretion in Fine Proceedings
In contrast to a criminal investigation, the authorities have a wide margin of discretion whether to initiate or terminate fine proceedings for administrative offences.
German law does not provide for a distinct mechanism for a pre-trial resolution between the suspect and the prosecution (eg, a deferred prosecution agreement). Nonetheless, there are ways to resolve a white-collar criminal investigation without a trial. The most common method of resolving such an investigation without a trial is for the prosecutor to discontinue the investigation.
Discontinuation of a Criminal Investigation Against Individuals
In many white-collar cases, an important objective will be to achieve a discontinuation of the investigation in return for the payment of a monetary penalty. Such a discontinuation does not constitute an admission of guilt. It is to be regarded as a mere procedural dismissal of the investigation.
A discontinuation has a beneficial impact on additional repercussions (eg, no registration in the Competition Register for Public Procurement; see 1.5 Corporate and Personal Liability).
“Non-conviction-based” Imposition of a Corporate Fine or Confiscation of Assets
Although the criminal investigation against individual members of management was discontinued, the public prosecutor’s office may still, on a “non-conviction basis”, impose a corporate fine or confiscate company assets (see 1.5 Corporate and Personal Liability).
Corporate Fraud Offences
Criminal liability for fraud may arise if the assets of another person are damaged by creating or perpetuating an error under false pretences or by distorting or suppressing true facts with the intent of gaining an unlawful benefit. The punishment is either imprisonment for up to five years or a fine. Aggravated fraud (eg, causing a significant financial loss of at least EUR50,000) is punishable by imprisonment for at least six months and up to ten years.
Criminal liability may also be incurred for subsidy fraud, capital investment fraud, insurance fraud, credit fraud or social security fraud.
Embezzlement
Whoever intentionally breaches a fiduciary duty, leading to damage to another person’s or entity’s assets, for whose property interests they were responsible, may be held criminally liable for embezzlement.
There is some debate as to whether the failure of a board to pursue damage claims against an employee who has committed a criminal offence constitutes a breach of a fiduciary duty resulting in criminal liability for embezzlement. Ultimately, the board’s margin of discretion under Section 93 AktG requires, on a case-by-case basis, an assessment of the potential damage claim and a comprehensive risk analysis (eg, significant factors affecting the welfare of the company may outweigh claiming damages).
Bribery in the Private Sector
Under Section 299 StGB, criminal liability for both active (ie, as a benefactor) and passive (ie, as a recipient) bribery in the private sector may be incurred if a benefit is granted or accepted as consideration for according an unfair preference to another in the competitive purchase of goods or services in Germany or abroad.
One of the principal constitutive elements is the existence of an (implied) agreement between the recipient and the benefactor that the benefit is given/received as (illegal) consideration for granting an unfair advantage.
Bribery in the Public Sector
Both “active” (Sections 333, 334 StGB) and “passive” bribery (Sections 331, 332 StGB) of public officials are criminal offences. The term “public official” is very broad and covers any person who is either a civil servant or a judge, carries out other public official functions or has otherwise been appointed to serve with a public agency or has been commissioned to perform public administrative services.
Public official also pertains to “European officials” – eg, officials of the EC. Additionally, criminal liability is extended to the bribery of foreign public officials (see 1.4 Extraterritorial Reach and Cross-Border Co-operation).
Facilitation Payments
The term facilitation payment is used to describe a payment, usually of a small amount, to a public official which is not provided for by law and is intended to induce the latter to expedite an official act. Facilitation payments are regarded as bribes and may trigger criminal liability.
“Socially Acceptable” Benefits?
While immaterial benefits may qualify as bribes and result in criminal liability, “socially acceptable” benefits may be exempt. They are of a small monetary value and granted out of common courtesy (eg, giveaways as part of corporate hospitality). Whether a benefit is socially acceptable requires a case-by-case analysis of its value and context. The standards for social acceptability are generally higher for bribery in the public sector.
Anti-bribery Compliance Programme
Generally, there is no express legal obligation to implement an anti-bribery compliance programme.
Financial institutions, however, must institute an organisational structure that complies with applicable legal requirements (Section 25a German Banking Act (Kreditwesengesetz - KWG)), as well as a risk management plan to prevent, inter alia, bribery and corruption.
Under Section 93 AktG (see 3.1 Criminal Company Law and Corporate Fraud) board members must prevent criminal misconduct, including corruption and bribery. The implementation of an anti-bribery compliance programme not only helps to prevent such misconduct but can also be used as a defence against claims of violating Section 130 of the OWiG, potentially avoiding a corporate fine (see 4.1 White-Collar Defences). Furthermore, having a dedicated anti-bribery compliance programme in place can also lead to a reduction in fines (see 1.6 Sentencing and Penalties).
Bribery and Tax Evasion
If a benefit is deemed to constitute a bribe, a company is prohibited from deducting the benefit and related expenses from its taxable income. In this respect, German tax law provides for an information exchange. The tax authorities are obliged to inform the public prosecutor’s office of suspected bribery payments. Conversely, a prosecutor must inform the tax authorities regarding any tax offences related to bribery payments.
Impact on Public Procurement
Pursuant to Section 123 German Competition Act (Gesetz gegen Wettbewerbsbeschränkungen – GWB), public contracting authorities must exclude a company from participating in a tender award procedure if they are aware that a person, whose conduct is attributable to the company, was convicted or fined under Section 30 OWiG for bribery.
Criminal and administrative offences in relation to insider dealing and market abuse are laid out in Section 119, 120 German Securities Trading Act (Wertpapierhandelsgesetz – WpHG). Their constituent elements are largely determined by reference to the EU’s Market Abuse Regulation (MAR).
Insider Dealing
Under Section 119 (3) WpHG (in conjunction with Article 14 MAR) it constitutes a criminal offence if a natural person intentionally:
If insider dealing is committed negligently, it constitutes an administrative offence under Section 120(14) WpHG, which can incur fines.
Market Abuse
Under Section 119(1) WpHG, intentionally influencing stock exchange or market prices constitutes a criminal offence. If, however, there is no influence on market prices or it cannot be proven, the act in question may nevertheless qualify as an administrative offence.
The BaFin’s Involvement
In most cases, the German Federal Financial Supervisory Authority (BaFin) files a criminal complaint with the competent public prosecutor’s office. The latter conducts the respective criminal investigation. However, the prosecutor is legally required to involve the BaFin in the investigation (eg, the BaFin must be heard if the prosecutor is considering a discontinuation). The BaFin is also the competent supervisory authority for both the regulatory investigation and the ancillary fine proceedings.
Criminal Banking Law
CEOs of financial institutions may incur criminal liability under Section 54a KWG if they fail to implement the risk-management processes prescribed by the KWG, which, in turn, results in an existential threat to the respective institution.
Constituent Elements of Tax Evasion
A person is deemed to have committed tax evasion if they intentionally submit an incorrect/incomplete tax return or fail to submit a tax return despite being legally obliged to do so, resulting in an understatement of tax. Intent also pertains to conditional intent (see 1.1 Criminal Offences). Grossly negligent tax evasion is an administrative offence punishable by a fine.
Specific Guidelines for Criminal Penalties
Tax evasion is punishable by imprisonment for up to five years or a fine.
There are, different from German criminal law more generally (see 1.6 Sentencing and Penalties), guidelines for the assessment of penalties, which can be derived from the case law of the Federal Court of Justice. For example, if the evaded taxes amount to more than EUR1 million, generally, a prison sentence without parole will be imposed.
Voluntary Self-Disclosure
A voluntary self-disclosure can exempt one from criminal prosecution if the following prerequisites are met:
Tax Compliance
There is no express legal requirement to establish a tax compliance programme. However, pursuant to a Fiscal Code Application Decree issued by the Federal Ministry of Finance, the existence of a tax compliance programme may be an indicator of a lack of intent or (gross) negligence to commit tax evasion, notwithstanding an individual case-by-case assessment.
Tax Settlements
It is possible to conclude a settlement with the tax authorities regarding the assessment of outstanding taxes. Tax settlements are not legally binding for the prosecutor conducting the criminal investigation. Nonetheless, the main objective of a successful defence will be to achieve both a discontinuation of the criminal investigation (see 2.5 Prosecution) and a settlement with the tax authorities.
Violations of Financial Disclosure Obligations
Members of the board and/or the supervisory board can be sentenced to imprisonment for up to one year or a fine if they misrepresent a company’s circumstances in its annual financial statements (Section 331(1) HGB). Note, however, that the breach of disclosure obligations must be severe to incur criminal liability.
In addition, under Section 332(1) HGB, statutory auditors, who incorrectly report the results of an audit of annual (non-)financial statements, may be sentenced to imprisonment for up to three years or fined.
Violations of financial disclosure requirements under the HGB may also constitute administrative offences under Section 334 HGB.
Violations of Accounting Obligations
Under Section 283(1) No 5-7, 283b StGB a penalty of imprisonment for up to five years or a fine may be imposed for a breach of accounting obligations. Criminal liability may only be incurred if the perpetrator has suspended their payments or if insolvency proceedings have been opened against their assets or if the application to open insolvency proceedings has been rejected for a lack of assets.
Anti-competitive practices under Article 101 Treaty on the Functioning of the EU (TFEU) or the abuse of a dominant market position under Article 102 TFEU, may incur fines. At a national level, the FCO may impose fines for violations of national competition rules under Section 81(1) to (3) GWB.
If the underlying conduct rises to the level of collusion/bid-rigging, criminal liability may be incurred (Section 298 StGB).
Antitrust Fines
EU antitrust fines are imposed on the basis of a fine liability concept substantially broader than Section 30 OWiG (see 1.5 Corporate and Personal Liability). The EC may impose fines on “undertakings”. Thus, a parent company can be held liable for antitrust infringements committed by its subsidiary, provided that it exercises decisive influence over the latter. The EC must attribute an “intentional” or “negligent” infringement by a natural person. In contrast to Section 30 OWiG, this may be any employee acting on behalf of the “undertaking”.
Partially aligning with the EU’s antitrust liability concept, Section 81a(1) GWB enables the FCO to impose a fine on the group parent company but also on other group companies, insofar as (in)direct decisive influence was exercised on the management of the entity involved. This substantially deviates from Section 30, 130 OWiG, as it enables the imposition of a fine on the parent company, without attributing the respective infringement to a “representative” of the parent company.
Digital Markets Act
The Digital Markets Act which, for the most part, became applicable in May 2023, requires online platform services (“gatekeepers”) to abstain from certain practices on digital markets. Non-compliance may incur (hefty) fines of up to 10% or, in cases of repeated infringements, of up to 20%, of a gatekeeper’s worldwide annual turnover.
Criminal Offences With a Nexus to Consumer Protection
Strictly speaking, German law does not entail a distinct body of “consumer criminal law”. The most noteworthy criminal offence with a nexus to consumer protection is Section 16 Act Against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb – UWG), which penalises:
Criminal Liability for Defective Products
Criminal liability for causing bodily harm (by omission) may be incurred for placing defective products (products of such a nature that their intended use creates health risks for consumers) on the market, which caused physical injuries.
Main Cybercrime Offences
The main cybercrime offences are the following.
Co-operation Obligations of Telecommunications Providers
In the context of a cybercrime investigation – eg, in cases of severe computer fraud, law enforcement can intercept the telecommunications of potential suspects. Under Section 100a(4) StPO, a public prosecutor may require a telecommunications service provider to assist them in the interception of telecommunications. Telecommunications service providers not only have to assess the extent to which they are obliged to co-operate under Section 100a(4) StPO, but also ensure compliance with the GDPR.
Protection of Company Secrets
Under Section 23 German Law on the Protection of Trade Secrets, a breach of company secrets constitutes a criminal offence. No criminal liability is incurred if the disclosure of a company secret serves a legitimate interest – eg, is covered by the right to freedom of speech or freedom of the press.
Under Section 17 AWG, the violation of an arms embargo constitutes a criminal offence punishable by at least one year and up to ten years of imprisonment. Reckless violations may incur a prison sentence of up to three years or a fine.
Intentional violations of EU sanctions and export control requirements under the Foreign Trade and Payments Ordinance are punishable by imprisonment for between three months and five years. This also pertains to cases in which the company’s management acted with conditional intent only.
Negligent violations of EU Sanctions and export control rules may qualify as administrative offences (Section 19 AWG). Self-disclosure in relation to certain administrative offences committed negligently may exempt one from fines (Section 22(4) AWG).
An act of “concealment” may trigger criminal liability in different respects.
Concealment of Facts/Evidence Material to a Criminal Investigation
Concealing facts or evidence material to a criminal investigation may amount to obstruction of justice, for which the penalty is imprisonment for up to five years or a fine.
During an internal investigation, members of management may become aware of criminal offences committed by employees of the company. The question may arise whether they must file a corresponding criminal complaint.
Generally, they will not incur criminal liability for an obstruction of justice by omission, as they lack the requisite duty to act.
Under Section 93(1) AktG, it is at the board’s discretion whether and how it sanctions employee misconduct. In certain severe cases, the margin of discretion may be limited and, with respect to potential criminal liability for embezzlement (see 3.1 Criminal Company Law and Corporate Fraud), can require the pursuit of damages claims against the respective employee. It may hypothetically be necessary for the board to file a criminal complaint if the latter is deemed material to the pursuit of a claim for damages. However, even in such cases, the board retains its discretionary power (eg, taking into account reputational risks).
Concealment as a Requisite Act to Fraud Offences or Money Laundering
An act of “concealment” may also trigger criminal liability in relation to corporate fraud offences (see 3.1 Criminal Company Law and Corporate Fraud). This may, for example, be the case for fraud by omission, where the perpetrator, with the intent of gaining a benefit, does not disclose certain facts when duty-bound to do so.
If the act of “concealment” relates to obfuscating the illegal origin of an asset, the perpetrator may incur criminal liability for money laundering (see 3.13 Money Laundering).
Criminal liability can be incurred for aiding and abetting another person to commit a criminal offence. If, for example, bribery committed abroad is aided by an act committed in Germany (eg, provision of funds within a German parent company for foreign business transactions of a German employee), criminal liability may be incurred under German law. The act of assisting another incurs the same criminal penalty as the principal perpetrator, yet the criminal court is legally obliged to mitigate the penalty.
Criminal Liability
Natural persons can be held criminally liable for money laundering if they introduce illegally generated assets into the legal, financial and economic cycle. Whoever conceals an object derived from an unlawful act, transfers it with the intention of preventing its discovery, procures it for themselves or a third party, or keeps it for themselves or a third party, if they knew its origin at the time they obtained it, can be punished by imprisonment for up to five years or by a fine.
In March 2021, Germany adopted an all-crimes approach, meaning that all criminal offences may constitute suitable predicate offences. Being recklessly unaware of the illegal origin of funds may also incur criminal liability. The latter, in combination with an all-crimes approach, has substantially expanded criminal liability for money laundering.
Regulatory Requirements
The German AML Act (Geldwäschegesetz – GwG) requires obliged entities (eg, credit institutions, financial services institutions) to establish effective risk management systems appropriate for the nature and size of their business to prevent money laundering and terrorist financing. The GwG requires risk analyses, establishing internal safeguards, conducting customer due diligence and filing suspicious activity reports.
Germany also operates a transparency register on companies’ ultimate beneficial owners (UBOs). In August 2021, its scope was expanded. Almost all legal entities in Germany (with some exceptions) must report their UBOs.
In cases of non-compliance, for particularly grave and systematic offences and for certain obliged entities, the maximum fine is between EUR1–5 million, or 10% of annual turnover in the preceding year, whichever is higher.
Effective Compliance Programme as a Defence?
The existence of an effective compliance programme can be a defence against an alleged breach of supervisory duties under Section 130 OWiG. The failed draft for a VerSanG expressly provided for an effective compliance programme to be considered as a mitigating factor (see 1.5 Corporate and Personal Liability), which showcases that there is awareness in Germany that this should be a statutory requirement.
The authorities often infer from the (mere) existence of an offence, a corresponding breach of supervisory duties. Such an inference, however, is not permissible and can be rebutted by demonstrating the effectiveness of the company’s compliance programme. Under Section 130 OWiG, members of management must implement the following measures:
Even if a company’s compliance system has evident flaws, it may be possible to obtain a (substantial) fine reduction by demonstrating remedial measures designed to prevent future criminal or regulatory misconduct (see 1.6 Sentencing and Penalties).
Co-operation With Law Enforcement From the Outset?
In certain cases, the key to a successful defence may be co-operating with law enforcement from the outset of a criminal investigation (eg, by aligning the scope of an internal investigation with the prosecutor’s investigation). This may have a substantial impact on the pre-trial resolution of the criminal investigation (see 2.5 Prosecution) and/or a reduction of the corporate fine. However, in some cases, the better strategy may be to mount a robust defence from the outset of a criminal investigation rather than to co-operate.
In Germany, there are no (de-minimis) exceptions for white-collar offences.
Plea Agreements
Under Section 257c StPO, the criminal court, the prosecutor and the defendant may enter into a plea agreement. In return for a confession, an agreement may be reached, for example, on the severity of the sentence. The possibility of entering into a plea agreement does not alter the duty of the criminal court to investigate the facts of the case ex officio. Even if a confession was made as part of a plea bargain, the court must still examine its authenticity.
Plea bargaining is also possible in administrative offence proceedings as Section 257c StPO also applies to fines (eg, an agreement on the amount of the fine may be reached).
Co-operation
Co-operation with law enforcement can be a mitigating factor in the assessment of a penalty. However, since deferred prosecution agreements are not provided for under German law, companies must be aware that even if they co-operate, there is no guarantee that the authorities will not carry out coercive measures.
Self-Disclosure
Voluntary self-disclosure is expressly provided for certain white-collar offences, such as tax evasion, social security fraud, subsidy fraud or money laundering. Nonetheless, strict requirements will have to be met for a self-disclosure to be fully valid and exempt from prosecution. Voluntary self-disclosure may generally be considered as a mitigating factor in the assessment of penalties.
Leniency
The FCO has a leniency policy for horizontal restraints of competition. The first applicant is granted full immunity from fines if he or she provides material information and continuously co-operates. Other cartel participants who apply for leniency at a later stage may receive a reduced fine.
On 2 July 2023, Germany adopted its first distinct legal framework on whistle-blower protection, the Whistleblower Protection Act (Hinweisgeberschutzgesetz – HinSchG).
Scope of the HinSchG
Companies – ie, the individual legal entity qualifying as the respective employer within the scope of the HinSchG, with more than 50 employees – must establish internal reporting channels. The HinSchG also provides for designated external reporting bodies (eg, the FCO).
The HinSchG encompasses criminal and certain administrative offences. Individuals are only subject to the protection standards of the HinSchG if they report information through the reporting channels prescribed by the HinSchG or, if certain conditions are met, publicly.
Whistle-Blower Protection Under the HinSchG
Under the HinSchG, whistle-blowers are protected as follows:
Feldmühleplatz 1
40545
Düsseldorf
Germany
+49 211 4979-310
+49 211 49 79 103
daniel.travers@freshfields.com www.freshfields.comWhite-Collar and Regulatory Enforcement on the Rise – Recent Trends and Developments in a Nutshell
In Germany, companies face a variety of white-collar and regulatory enforcement challenges. There have been major developments in “traditional” areas of white-collar crime, such as corruption or money-laundering. However, companies must also watch out for trends emerging more recently, such as environmental, social and governance (ESG) compliance risks or potential exposure to significant fines under legislative acts stemming from the EU’s digital strategy. Finally, current developments regarding artificial intelligence (AI) create new dangers and risks that have to be addressed.
But First: Some German Peculiarities
Before taking a closer look at current trends and developments, companies need to be aware of the following distinct characteristics of white collar and regulatory investigations in Germany:
ESG Risks Are Gaining Traction
In Germany, ESG issues are garnering increasing attention from both the legislature and law enforcement.
On 1 January 2023, the German Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz – LkSG) entered into force and imposed an expansive set of due diligence obligations on companies with more than 3,000 employees. On 1 January 2024, the personal scope of the act has extended to those with more than 1,000 employees. The obligations range from initial risk assessments to third-party due diligence and reporting requirements. The risks of non-compliance with the LkSG are significant: the LkSG’s supervisory authority, the Federal Office of Economic Affairs and Export Control (Bundesamt für Wirtschaft und Ausfuhrkontrolle – BAFA), can impose fines of up to 2% of a company’s average annual turnover. In 2023, it conducted 486 inspections and dealt with 38 complaints. The first sanctions are yet to be announced. The BAFA, however, visibly intensified its monitoring activities in the first half of 2024 by requesting insight into the risk management systems of selected companies.
In addition, the EU’s Corporate Sustainability Due Diligence Directive (CSDDD) entered into force on 25 July 2024 after long negotiations. Compared to the original draft, which applied to companies with over 250 employees and a net worldwide turnover of over EUR40 million (with at least 50% of this generated in certain sectors), the number of affected companies was significantly reduced. For violations of the CSDDD, companies could face fines of up to 5% of worldwide annual turnover and incur civil liability for damages. The LkSG will have to be amended within the transposition period ending on 26 June 2026.
Sustainability is becoming increasingly significant for companies in the way they are perceived by customers, investors, and employees. Companies are under growing pressure to make ambitious claims about their sustainability goals. Correspondingly, companies attempting to cultivate a favourable perception of themselves, or their products might (inadvertently) risk making false statements about their adherence to ESG standards – commonly referred to as “greenwashing”.
Greenwashing may not only lead to reputational damage but, potentially, also trigger criminal liability. Natural persons may be held criminally liable for fraud (Section 263 StGB) against customers or at least capital investment fraud (Section 264a StGB) if they make incorrect advantageous statements to, or conceal disadvantageous facts from, a larger circle of investors. The information must be material to the investor’s decision (ie, an informed and prudent investor would take the information into account when making an investment). Incorrect information on ESG criteria may meet those prerequisites. On 16 January and 1 February 2024, the public prosecutor’s office in Frankfurt conducted two raids on the premises of a German asset manager in the context of its investigation regarding capital investment fraud by “greenwashing”, after the German asset manager already received a USD25 million fine from the U.S. Securities and Exchange Commission in September 2023.
Criminal liability and fines for greenwashing allegations may also be incurred in relation to the disclosure of inaccurate financial records. Section 289c(2) No 1 German Commercial Code (Handelsgesetzbuch – HGB) requires capital market-orientated companies’ non-financial statements to refer to their environmental matters (eg, use of renewables). A false non-financial statement constitutes a criminal offence (Section 331(1) No 1 HGB), which is punishable by a maximum term of imprisonment of three years or a fine, as well as an administrative offence (Section 334(1) No 3 HGB). On 5 January 2023, the EU’s Corporate Sustainability Reporting Directive (CSRD) entered into force. Its personal and material scope is significantly broader than the reporting requirements currently applicable under the HGB. On 22 March 2024, the Federal Ministry of Justice published a draft for a German transposition act which revises the relevant norms and therefore expands the risks of fines for companies and criminal liability for members of management. It shall be passed by the end of 2024.
Environmental criminal law enforcement may also be on the rise. German law provides for environmental criminal offences (Section 324 et seqq. StGB, and several environmental statutes – eg, Section 27 et seqq. German Chemicals Act). Violations of environmental statutes may qualify as administrative offences. At present, according to a study conducted by the German Environmental Agency in 2021, the level of enforcement of environmental offences is low. The study identified insufficient law enforcement resources as the primary cause. However, this may change.
On 11 April 2024, the new EU Environmental Crime Directive was adopted and entered into force on 20 May 2024, replacing the 2008 legislation. Besides defining environmental crime more precisely, adding new types of offences (eg, illegal timber trade), introducing “qualified offences” (eg, causing substantial damage) and determining minimum maximum sentences for individuals and companies, the directive also requires member states to ramp up their law enforcement’s resources (eg, provide adequate training). Germany has already taken its own measures to address the shortcomings in the spirit of anticipatory obedience – eg, by establishing a Central Office for the Prosecution of Environmental Crime in North Rhine-Westphalia (ZeUK NRW) in November 2023.
Moreover, companies may face ESG compliance risks in relation to:
Given the wide range of criminal and regulatory risks associated with ESG issues, it is not surprising that a survey among German companies, conducted by the German Institute for Compliance in 2022, ranked ESG issues in second place as a future trigger for internal investigations. When conducting ESG investigations, companies will have to consider, inter alia, the key points outlined below.
Germany is Ramping up its AML Enforcement
In recent years, the German legislature has continuously reshaped the German anti-money laundering (AML) landscape. In March 2021, the criminal provision governing money laundering was expanded by integrating an all-crimes approach – ie, any criminal offence is a suitable predicate offence. Prior to that, money laundering was primarily an offence associated with organised crime, as only certain serious crimes qualified as predicate offences. Moreover, in August 2021, the scope of reporting obligations to the German Transparency Register was extended.
In 2022, the Financial Action Task Force (FATF), an international AML watchdog, criticised Germany for not doing enough to combat money laundering. Although the FATF commended the adoption of an all-crimes approach and the expansion of the transparency register, it criticised the lack of co-ordination between Germany’s many federal, state and local AML regulators.
Following up on the FATF’s criticism, in July 2023, the German Ministry of Finance proposed a draft Combatting Financial Crimes Act (Finanzkriminalitätsbekämpfungsgesetz – FKBG), the core of which would be the creation of a Federal Bureau of Financial Intelligence (Bundesamt zur Bekämpfung der Finanzkriminalität – BBF). The establishment of the BBF would merge the powers to supervise money laundering, prosecute financial crime and investigate suspicious financial transactions into a single federal authority.
From 2025 onwards, the Financial Intelligence Unit and the Central Authority for the Enforcement of Sanctions would be integrated into the BBF. Within the BBF, a Money Laundering Investigation Centre will be established, which will focus on investigating significant international money laundering cases. In addition, the BBF will include a Central Office for AML Supervision, which will be responsible for co-ordinating AML enforcement in the non-financial sector (eg, used car dealers) across all German states.
On 26 June 2024, the draft FKBG – which was adopted by the German government in October 2023 – met the approval of the Parliament’s finance committee, so a parliamentary resolution is to be expected soon. It will likely be put on the agenda in conjunction with the discussion of the draft Combatting Concealment of Assets Act (Vermögensverschleierungsbekämpfungsgesetz – VVBG) which was published by the German Ministry of Finance on 23 April 2024. The draft VVBG is meant to provide law enforcement with a new instrument for finance investigations that was originally meant to be part of the FKBG, namely the possibility to seize suspicious assets comparable to “Unexplained Wealth Orders” in the UK. So far, the preventive seizure of assets depends on the existence of a sufficient initial suspicion regarding a specific criminal offence that is also pursuable.
Newly established supervisory authorities tend to make use of the powers granted to them. Once the draft FKBG enters into force, companies should reassess whether the AML compliance programmes they have in place meet current German regulatory standards.
Draft EU Anti-Corruption Directive: Expanding Criminal Liability for Bribery in Germany
On 3 May 2023, the EC introduced a draft EU Anti-Corruption Directive which was approved with minor changes by the Council of the European Union on 14 June 2024. The paper will form the basis for negotiations with the EP, which already presented its own position in February 2024. Even though the minimum lengths for the maximum terms of imprisonment have been lowered significantly compared to the EC’s proposal, the draft will still have implications for Germany’s current criminal law provisions governing private and public sector bribery as it intends to criminalise the act of “trading in influence”: German law would need to provide for another separate criminal offence, which penalises the exertion of influence on third parties to obtain an advantage from a public official.
Intricacies of GDPR Fine Proceedings Under German Law
Ever since the adoption of the EU’s General Data Protection Regulation (GDPR) in 2018, German Data Protection Authorities (DPAs) have repeatedly demonstrated their willingness to impose multi-million-euro fines (eg, in 2020, a company received a EUR35.3 million fine). Although the GDPR has been in force for six years, companies still had to contend with significant legal uncertainties regarding GDPR fine proceedings under German law until very recently.
Since German law does not recognise corporate criminal liability (see above), it was disputed whether a DPA must prove that the GDPR violation is linked to a culpable act or omission by a representative of the company. The majority of German DPAs argued that companies can be held directly liable under the GDPR, while company representatives held the opposite view. In 2019, the Berlin DPA imposed a fine of EUR14.5 million on a real estate company. The Berlin DPA did not establish a breach of duty on the part of a board member or legal representative of the company but held the entity directly liable for the alleged GDPR violation. The case ended up at the Berlin Appellate Court, which submitted it to the Court of Justice of the European Union (CJEU) in December 2021. On 5 December 2023, the CJEU finally issued its preliminary ruling and thereby clarified the prerequisites for the imposition of GDPR fines against legal entities: while it agreed with the Berlin DPAs that companies can be held directly liable under the GDPR and there is no room for German peculiarities, it stated, however, that the ability to impose fines is limited to provably intentional and negligent breaches of the GDPR. Hence DPAs can only dispense with the need to name individual actors but not rely on the principle of “strict liability”, as they contended in January 2023. In practice, the standards that will be applied to the proof of fault remain to be seen. The Berlin Appellate Court did not touch on the subject in its final decision from 22 January 2024.
The landmark ruling will have a significant impact on future defence strategies in GDPR fine proceedings in Germany. While the CJEU has not created any additional compliance obligations, a successful defence will crucially depend on the existence of an effective data protection compliance management system to exculpate the company from the allegation of negligence as the breach may then be seen as an outlier that could not possibly have been avoided.
The EU’s Digital Strategy Adds Another Layer of Compliance Risks and Regulatory Enforcement
At its core, the EU’s Digital Strategy is a comprehensive package of legislative initiatives aimed at regulating the digital economy. The extensive regulatory requirements, ranging from data and cyber regulation to regulation of digital platforms and services, to AI regulation, will affect most businesses in one way or another. These new regulatory requirements are accompanied by severe penalties:
By way of example, the DSA, which is meant to promote fairness and transparency in digital services and platforms across the EU and tackle illegal content, contains expansive due diligence and transparency obligations and information requirements for providers. For example, according to Article 18, providers of hosting services that become aware of any information giving rise to a suspicion that certain criminal offences have taken place, are taking place or are likely to take place, must inform the law enforcement or judicial authorities of the concerned member state. Germany’s implementation law (Digitale-Dienste-Gesetz – DDS) entered into force on 14 May 2024.
Since 25 August 2023, the DSA has already applied to very large online platforms (VLOPs) and very large search engines (VLOSEs) – ie, those which have a number of average monthly active recipients of the service (MAR) in the EU equal to or higher than 45 million, and are designated as such by the EC. The EC has been very active in the first year of DSA enforcement, issuing over 50 requests for information and commencing formal investigations against five services, which is equivalent to 20% of all VLOPs and VLOSEs designated by the EC. Instead of pursuing every service under every relevant angle, there seem to be strategically selected targets for specific issues to make use of the mechanism of deterrence. As child safety and content moderation have been present on the political agenda even before the DSA came into force, the EC focuses on these topics, in particular.
Since 17 February 2024, the general DSA rules (the DSA also contains specific rules that apply to VLOPs and VLOSEs only) also apply to providers with less than 45 million MAR. The supervision of these “smaller” providers and the enforcement of the DSA rules fall under the responsibility of the individual member states, which have set up national Digital Services Coordinators (DSC) for this purpose. In Germany, this task is carried out by the “Bundesnetzagentur”, which started its work in May 2024 and already announced that it will “take action against providers” who fail to comply with the DSA.
Another piece of EU legislation aiming to tackle specific dangers of digital services was the Child Sexual Abuse Regulation (CSAR), which was proposed by the EC on 11 May 2022. It envisaged obligations for virtually every digital communication service to scan its users’ messages, calls, photo uploads and other personal content systematically for child abuse material and cyber grooming. Under the proposed legislation, penalties for non-compliance could reach up to 6% of the annual income or global turnover of the preceding business year. Unlike the DSA, however, the CSAR was not able to find a majority, so the vote in the EU Council originally scheduled for 20 June 2024 was cancelled at the last minute. Germany, amongst others, was expected to abstain or oppose the law. While everyone agreed that keeping children safe online is a valid concern, the draft was widely criticised as amounting to groundless mass surveillance. Additionally, the effectiveness of the measures was questioned: German law enforcement authorities warned that the law would make it harder to find and prosecute actual perpetrators.
Cross-Border Access to E-evidence
Beyond extensively regulating the digital economy, the EU has adopted a legal framework that facilitates cross-border access to electronic evidence across EU member states on 28 June 2023. In July 2024, the Federal Ministry of Justice submitted a draft for an implementation law to interdepartmental co-ordination.
Under the E-Evidence Regulation, which applies as of 18 August 2026 following a three-year transition period, law enforcement authorities can obtain electronic evidence from “service providers which offer services in the Union”, without having to rely on conventional mutual legal assistance mechanisms. They may request data irrespective of the existence of corresponding procedural provisions in another member state which, considering that Germany has substantially expanded its national procedural law with respect to e-evidence in recent years, significantly extends the reach of German law enforcement. Besides the “European Production Order”, the regulation also creates the instrument of a “European Preservation Order”, which gives law enforcement authorities the competence to demand the preservation of data that may be the object of a Production Order later.
According to Article 3(1) No 3, the term ”service provider” means any natural or legal person that provides electronic communication services, internet domain name and IP numbering services or other “information society services” that enable their users to communicate with each other or make it possible to store or otherwise process data on behalf of the users to whom the service is provided, provided that the storage of data is a defining component of the service provided to the user, with the explicit exception of financial services.
As this definition is not entirely self-explanatory and details are disputed, companies will have to examine carefully whether they fall within the personal scope of the regulation to make sure that they are prepared to react adequately to incoming Production or Preservation Orders. In that respect it is also noteworthy that service providers are obliged to name a representative within the EU if they offer services in a member state and non-compliance can result in fines of up to 2% of a company’s worldwide turnover in the previous year.
Whistle-Blower Protection in Germany
On 2 July 2023, the German Whistle-Blower Protection Act (Hinweisgeberschutzgesetz – HinSchG), which transposed the EU Whistleblower Protection Directive into national law, entered into force. Companies (ie, the individual legal entity qualifying as the respective employer in scope of the HinSchG) with more than 50 employees will be required to set up an internal reporting body. In addition, the HinSchG establishes external reporting channels – eg, the FCO’s external reporting office. The HinSchG covers whistleblowing in connection with criminal and, in certain cases, administrative offences as well as violations of EU law. Non-compliance with the HinSchG can result in fines of up to EUR50,000. Also, to avoid potential reputational damages, it is in a company’s best interest to set up internal reporting channels, rather than having employees disclosing potential misconduct externally. The HinSchG will eventually have a significant impact on the number of internal investigations. Between 2 July and 31 December 2023, 410 reports were made through the new external reporting office. These numbers are rising – with 279 reports in the first two months of 2024.
On 3 July 2024, the EC adopted a report assessing the implementation and application of the Whistleblower Protection Directive in EU member states, which will most likely also lead to changes to the German transposition act. For example, the EC stated clearly that the directive leaves no room for intragroup exemptions from the obligation to set up internal reporting bodies for every company. While the text of the HinSchG itself does not explicitly permit centralised reporting bodies within corporate groups, the explanatory memorandum declares that the German legislature presumes that such a set-up would comply with the Act.
Possibilities and Challenges of AI
Just like any other area of law, white-collar crime and compliance will be affected by the recent developments regarding AI, and Germany will be no exception. While new software tools already show promising results when it comes to document review and potentially provide even more valuable help for lawyers in the future, the quick rise of AI technologies will also lead to new challenges for companies. In addition to enhancing the effectiveness of intentional criminal activities, AI will introduce complex evaluation and demarcation issues, particularly concerning negligence (eg, regarding harmful actions of self-driving cars or incitement to self-harm by chatbots). Companies may be faced with an abundance of artificially created seemingly plausible false claims regarding compliance issues and costly follow-ups. The legislature will also have to decide on various ethical questions regarding the use of AI in criminal proceedings (eg, for determining the risk of absconding or re-offending).
As the extent of the new technical possibilities becomes more and more apparent, the first legislative acts have emerged. On 1 August 2024, the European Artificial Intelligence Act (AI Act) entered into force. It addresses potential risks to citizens’ health, safety and fundamental rights, and provides developers and professional deployers with clear requirements and obligations. According to Article 99(1), member states are obliged to lay down rules on penalties and other enforcement measures applicable to infringements of the regulation. An example would be the violation of the transparency obligations contained in Article 50(4) in relation to so-called deepfakes (AI-generated or manipulated image, audio or video content that resembles existing persons, objects, places, entities or events and would falsely appear to a person to be authentic or truthful): Deployers must mark deepfakes in such a way that they are recognisable to consumers.
As spreading “deepfakes” by deployers who are natural persons using AI systems in the course of purely personal non-professional activities is currently only punishable if the definition of another, non-specific criminal offence is fulfilled (eg, use for a fraudulent purpose), the German Federal Assembly passed a Bavarian draft for a new Section 201b StGB on 5 July 2024, which would punish the violation of another person’s personality rights by means of digital fakes with a fine or imprisonment for up to two years or even five if a particularly intimate area of life is affected. It remains to be seen how the German Bundestag will rule on this proposed legislation.
Feldmühleplatz 1
40545
Düsseldorf
Germany
+49 211 4979-310
+49 211 49 79 10 3
daniel.travers@freshfields.com www.freshfields.com